summaryrefslogtreecommitdiffstats
path: root/contrib/bind9/doc
diff options
context:
space:
mode:
authordougb <dougb@FreeBSD.org>2007-06-02 23:21:47 +0000
committerdougb <dougb@FreeBSD.org>2007-06-02 23:21:47 +0000
commit6df9693fc1899de774712d6421c2fc401db2eadd (patch)
tree6e65ba28d6d850f4d5c07cd37f26842e97b4aecf /contrib/bind9/doc
parentfb8cb3b3a3d2367752c01dc81b68c0b7390f7760 (diff)
downloadFreeBSD-src-6df9693fc1899de774712d6421c2fc401db2eadd.zip
FreeBSD-src-6df9693fc1899de774712d6421c2fc401db2eadd.tar.gz
Vendor import of BIND 9.4.1
Diffstat (limited to 'contrib/bind9/doc')
-rw-r--r--contrib/bind9/doc/Makefile.in2
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM-book.xml17415
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch01.html684
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch02.html130
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch03.html828
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch04.html1236
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch05.html110
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch06.html8149
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch07.html243
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch08.html107
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch09.html666
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch10.html102
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.html211
-rwxr-xr-xcontrib/bind9/doc/arm/Bv9ARM.pdf14021
-rw-r--r--contrib/bind9/doc/arm/Makefile.in48
-rw-r--r--contrib/bind9/doc/arm/README-SGML2
-rw-r--r--contrib/bind9/doc/arm/isc-logo.eps12253
-rw-r--r--contrib/bind9/doc/arm/isc-logo.pdfbin0 -> 21981 bytes
-rw-r--r--contrib/bind9/doc/arm/man.dig.html665
-rw-r--r--contrib/bind9/doc/arm/man.dnssec-keygen.html269
-rw-r--r--contrib/bind9/doc/arm/man.dnssec-signzone.html318
-rw-r--r--contrib/bind9/doc/arm/man.host.html249
-rw-r--r--contrib/bind9/doc/arm/man.named-checkconf.html129
-rw-r--r--contrib/bind9/doc/arm/man.named-checkzone.html293
-rw-r--r--contrib/bind9/doc/arm/man.named.html280
-rw-r--r--contrib/bind9/doc/arm/man.rndc-confgen.html222
-rw-r--r--contrib/bind9/doc/arm/man.rndc.conf.html255
-rw-r--r--contrib/bind9/doc/arm/man.rndc.html203
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-dhcid-rr-12.txt674
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-online-signing-02.txt616
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-rsasha256-00.txt392
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-ds-sha256-05.txt504
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-nsec3-04.txt2352
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-nsid-01.txt840
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-trustupdate-threshold-00.txt2
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-trustupdate-timers-02.txt730
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-tsig-sha-06.txt522
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-wcard-clarify-10.txt1063
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsop-bad-dns-res-05.txt1232
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-08.txt2016
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsop-serverid-06.txt618
-rw-r--r--contrib/bind9/doc/draft/draft-schlitt-spf-classic-02.txt3136
-rw-r--r--contrib/bind9/doc/misc/Makefile.in23
-rw-r--r--contrib/bind9/doc/misc/dnssec2
-rw-r--r--contrib/bind9/doc/misc/format-options.pl2
-rw-r--r--contrib/bind9/doc/misc/ipv62
-rw-r--r--contrib/bind9/doc/misc/migration2
-rw-r--r--contrib/bind9/doc/misc/migration-4to92
-rw-r--r--contrib/bind9/doc/misc/options117
-rw-r--r--contrib/bind9/doc/misc/rfc-compliance2
-rw-r--r--contrib/bind9/doc/misc/roadmap2
-rw-r--r--contrib/bind9/doc/misc/sdb2
-rw-r--r--contrib/bind9/doc/rfc/index5
-rw-r--r--contrib/bind9/doc/rfc/rfc4193.txt899
-rw-r--r--contrib/bind9/doc/rfc/rfc4255.txt507
-rw-r--r--contrib/bind9/doc/rfc/rfc4343.txt563
-rw-r--r--contrib/bind9/doc/rfc/rfc4367.txt955
-rw-r--r--contrib/bind9/doc/rfc/rfc4431.txt227
58 files changed, 61754 insertions, 15345 deletions
diff --git a/contrib/bind9/doc/Makefile.in b/contrib/bind9/doc/Makefile.in
index 1e69dab..f307f41 100644
--- a/contrib/bind9/doc/Makefile.in
+++ b/contrib/bind9/doc/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.4.206.3 2005/09/13 00:34:54 marka Exp $
+# $Id: Makefile.in,v 1.5.18.2 2005/07/23 04:35:12 marka Exp $
# This Makefile is a placeholder. It exists merely to make
# sure that its directory gets created in the object directory
diff --git a/contrib/bind9/doc/arm/Bv9ARM-book.xml b/contrib/bind9/doc/arm/Bv9ARM-book.xml
index bccb088..17e778d 100644
--- a/contrib/bind9/doc/arm/Bv9ARM-book.xml
+++ b/contrib/bind9/doc/arm/Bv9ARM-book.xml
@@ -1,8 +1,8 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
- "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
@@ -18,16 +18,16 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- File: $Id: Bv9ARM-book.xml,v 1.155.2.27.2.74 2006/11/14 22:38:53 sra Exp $ -->
-
-<book>
-<title>BIND 9 Administrator Reference Manual</title>
+<!-- File: $Id: Bv9ARM-book.xml,v 1.241.18.66 2007/01/29 23:57:20 marka Exp $ -->
+<book xmlns:xi="http://www.w3.org/2001/XInclude">
+ <title>BIND 9 Administrator Reference Manual</title>
<bookinfo>
<copyright>
<year>2004</year>
<year>2005</year>
<year>2006</year>
+ <year>2007</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
@@ -40,421 +40,636 @@
</bookinfo>
<chapter id="Bv9ARM.ch01">
- <title>Introduction </title>
- <para>The Internet Domain Name System (<acronym>DNS</acronym>) consists of the syntax
- to specify the names of entities in the Internet in a hierarchical
- manner, the rules used for delegating authority over names, and the
- system implementation that actually maps names to Internet
- addresses. <acronym>DNS</acronym> data is maintained in a group of distributed
- hierarchical databases.</para>
-
- <sect1>
- <title>Scope of Document</title>
-
- <para>The Berkeley Internet Name Domain (<acronym>BIND</acronym>) implements a
- domain name server for a number of operating systems. This
- document provides basic information about the installation and
- care of the Internet Software Consortium (<acronym>ISC</acronym>)
- <acronym>BIND</acronym> version 9 software package for system
- administrators.</para>
-
- <para>This version of the manual corresponds to BIND version 9.3.</para>
-
- </sect1>
- <sect1><title>Organization of This Document</title>
- <para>In this document, <emphasis>Section 1</emphasis> introduces
- the basic <acronym>DNS</acronym> and <acronym>BIND</acronym> concepts. <emphasis>Section 2</emphasis>
- describes resource requirements for running <acronym>BIND</acronym> in various
- environments. Information in <emphasis>Section 3</emphasis> is
- <emphasis>task-oriented</emphasis> in its presentation and is
- organized functionally, to aid in the process of installing the
- <acronym>BIND</acronym> 9 software. The task-oriented section is followed by
- <emphasis>Section 4</emphasis>, which contains more advanced
- concepts that the system administrator may need for implementing
- certain options. <emphasis>Section 5</emphasis>
- describes the <acronym>BIND</acronym> 9 lightweight
- resolver. The contents of <emphasis>Section 6</emphasis> are
- organized as in a reference manual to aid in the ongoing
- maintenance of the software. <emphasis>Section 7
- </emphasis>addresses security considerations, and
- <emphasis>Section 8</emphasis> contains troubleshooting help. The
- main body of the document is followed by several
- <emphasis>Appendices</emphasis> which contain useful reference
- information, such as a <emphasis>Bibliography</emphasis> and
- historic information related to <acronym>BIND</acronym> and the Domain Name
- System.</para>
- </sect1>
- <sect1><title>Conventions Used in This Document</title>
-
- <para>In this document, we use the following general typographic
- conventions:</para>
-
-<informaltable>
- <tgroup cols = "2">
- <colspec colname = "1" colnum = "1" colwidth = "3.000in"/>
- <colspec colname = "2" colnum = "2" colwidth = "2.625in"/>
+ <title>Introduction</title>
+ <para>
+ The Internet Domain Name System (<acronym>DNS</acronym>)
+ consists of the syntax
+ to specify the names of entities in the Internet in a hierarchical
+ manner, the rules used for delegating authority over names, and the
+ system implementation that actually maps names to Internet
+ addresses. <acronym>DNS</acronym> data is maintained in a
+ group of distributed
+ hierarchical databases.
+ </para>
+
+ <sect1>
+ <title>Scope of Document</title>
+
+ <para>
+ The Berkeley Internet Name Domain
+ (<acronym>BIND</acronym>) implements a
+ domain name server for a number of operating systems. This
+ document provides basic information about the installation and
+ care of the Internet Systems Consortium (<acronym>ISC</acronym>)
+ <acronym>BIND</acronym> version 9 software package for
+ system administrators.
+ </para>
+
+ <para>
+ This version of the manual corresponds to BIND version 9.4.
+ </para>
+
+ </sect1>
+ <sect1>
+ <title>Organization of This Document</title>
+ <para>
+ In this document, <emphasis>Section 1</emphasis> introduces
+ the basic <acronym>DNS</acronym> and <acronym>BIND</acronym> concepts. <emphasis>Section 2</emphasis>
+ describes resource requirements for running <acronym>BIND</acronym> in various
+ environments. Information in <emphasis>Section 3</emphasis> is
+ <emphasis>task-oriented</emphasis> in its presentation and is
+ organized functionally, to aid in the process of installing the
+ <acronym>BIND</acronym> 9 software. The task-oriented
+ section is followed by
+ <emphasis>Section 4</emphasis>, which contains more advanced
+ concepts that the system administrator may need for implementing
+ certain options. <emphasis>Section 5</emphasis>
+ describes the <acronym>BIND</acronym> 9 lightweight
+ resolver. The contents of <emphasis>Section 6</emphasis> are
+ organized as in a reference manual to aid in the ongoing
+ maintenance of the software. <emphasis>Section 7</emphasis> addresses
+ security considerations, and
+ <emphasis>Section 8</emphasis> contains troubleshooting help. The
+ main body of the document is followed by several
+ <emphasis>Appendices</emphasis> which contain useful reference
+ information, such as a <emphasis>Bibliography</emphasis> and
+ historic information related to <acronym>BIND</acronym>
+ and the Domain Name
+ System.
+ </para>
+ </sect1>
+ <sect1>
+ <title>Conventions Used in This Document</title>
+
+ <para>
+ In this document, we use the following general typographic
+ conventions:
+ </para>
+
+ <informaltable>
+ <tgroup cols="2">
+ <colspec colname="1" colnum="1" colwidth="3.000in"/>
+ <colspec colname="2" colnum="2" colwidth="2.625in"/>
<tbody>
<row>
- <entry colname = "1">
-<para><emphasis>To
-describe:</emphasis></para></entry>
- <entry colname = "2">
-<para><emphasis>We use the style:</emphasis></para></entry>
+ <entry colname="1">
+ <para>
+ <emphasis>To describe:</emphasis>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ <emphasis>We use the style:</emphasis>
+ </para>
+ </entry>
</row>
<row>
- <entry colname = "1">
-<para>a pathname, filename, URL, hostname,
-mailing list name, or new term or concept</para></entry>
- <entry colname = "2"><para><filename>Fixed width</filename></para></entry>
+ <entry colname="1">
+ <para>
+ a pathname, filename, URL, hostname,
+ mailing list name, or new term or concept
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ <filename>Fixed width</filename>
+ </para>
+ </entry>
</row>
<row>
- <entry colname = "1"><para>literal user
-input</para></entry>
- <entry colname = "2"><para><userinput>Fixed Width Bold</userinput></para></entry>
+ <entry colname="1">
+ <para>
+ literal user
+ input
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ <userinput>Fixed Width Bold</userinput>
+ </para>
+ </entry>
</row>
<row>
- <entry colname = "1"><para>program output</para></entry>
- <entry colname = "2"><para><computeroutput>Fixed Width</computeroutput></para></entry>
+ <entry colname="1">
+ <para>
+ program output
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ <computeroutput>Fixed Width</computeroutput>
+ </para>
+ </entry>
</row>
</tbody>
</tgroup>
-</informaltable>
-
- <para>The following conventions are used in descriptions of the
-<acronym>BIND</acronym> configuration file:<informaltable colsep = "0" frame = "all" rowsep = "0">
- <tgroup cols = "2" colsep = "0" rowsep = "0"
- tgroupstyle = "2Level-table">
- <colspec colname = "1" colnum = "1" colsep = "0" colwidth = "3.000in"/>
- <colspec colname = "2" colnum = "2" colsep = "0" colwidth = "2.625in"/>
- <tbody>
- <row rowsep = "0">
- <entry colname = "1" colsep = "1" rowsep = "1"><para><emphasis>To
-describe:</emphasis></para></entry>
- <entry colname = "2" rowsep = "1"><para><emphasis>We use the style:</emphasis></para></entry>
- </row>
- <row rowsep = "0">
- <entry colname = "1" colsep = "1" rowsep = "1"><para>keywords</para></entry>
- <entry colname = "2" rowsep = "1"><para><literal>Fixed Width</literal></para></entry>
- </row>
- <row rowsep = "0">
- <entry colname = "1" colsep = "1" rowsep = "1"><para>variables</para></entry>
- <entry colname = "2" rowsep = "1"><para><varname>Fixed Width</varname></para></entry>
- </row>
-<row rowsep = "0">
-<entry colname = "1" colsep = "1"><para>Optional input</para></entry>
- <entry colname = "2"><para><optional>Text is enclosed in square brackets</optional></para></entry>
-</row>
-</tbody>
-</tgroup></informaltable></para></sect1>
-<sect1><title>The Domain Name System (<acronym>DNS</acronym>)</title>
-<para>The purpose of this document is to explain the installation
-and upkeep of the <acronym>BIND</acronym> software package, and we
-begin by reviewing the fundamentals of the Domain Name System
-(<acronym>DNS</acronym>) as they relate to <acronym>BIND</acronym>.
-</para>
-
-<sect2>
-<title>DNS Fundamentals</title>
-
-<para>The Domain Name System (DNS) is the hierarchical, distributed
-database. It stores information for mapping Internet host names to IP
-addresses and vice versa, mail routing information, and other data
-used by Internet applications.</para>
-
-<para>Clients look up information in the DNS by calling a
-<emphasis>resolver</emphasis> library, which sends queries to one or
-more <emphasis>name servers</emphasis> and interprets the responses.
-The <acronym>BIND</acronym> 9 software distribution contains a
-name server, <command>named</command>, and two resolver
-libraries, <command>liblwres</command> and <command>libbind</command>.
-</para>
-
-</sect2><sect2>
-<title>Domains and Domain Names</title>
-
-<para>The data stored in the DNS is identified by <emphasis>domain
-names</emphasis> that are organized as a tree according to
-organizational or administrative boundaries. Each node of the tree,
-called a <emphasis>domain</emphasis>, is given a label. The domain name of the
-node is the concatenation of all the labels on the path from the
-node to the <emphasis>root</emphasis> node. This is represented
-in written form as a string of labels listed from right to left and
-separated by dots. A label need only be unique within its parent
-domain.</para>
-
-<para>For example, a domain name for a host at the
-company <emphasis>Example, Inc.</emphasis> could be
-<literal>mail.example.com</literal>,
-where <literal>com</literal> is the
-top level domain to which
-<literal>ourhost.example.com</literal> belongs,
-<literal>example</literal> is
-a subdomain of <literal>com</literal>, and
-<literal>ourhost</literal> is the
-name of the host.</para>
-
-<para>For administrative purposes, the name space is partitioned into
-areas called <emphasis>zones</emphasis>, each starting at a node and
-extending down to the leaf nodes or to nodes where other zones start.
-The data for each zone is stored in a <emphasis>name
-server</emphasis>, which answers queries about the zone using the
-<emphasis>DNS protocol</emphasis>.
-</para>
-
-<para>The data associated with each domain name is stored in the
-form of <emphasis>resource records</emphasis> (<acronym>RR</acronym>s).
-Some of the supported resource record types are described in
-<xref linkend="types_of_resource_records_and_when_to_use_them"/>.</para>
-
-<para>For more detailed information about the design of the DNS and
-the DNS protocol, please refer to the standards documents listed in
-<xref linkend="rfcs"/>.</para>
-</sect2>
-
-<sect2><title>Zones</title>
-<para>To properly operate a name server, it is important to understand
-the difference between a <emphasis>zone</emphasis>
-and a <emphasis>domain</emphasis>.</para>
-
-<para>As we stated previously, a zone is a point of delegation in
-the <acronym>DNS</acronym> tree. A zone consists of
-those contiguous parts of the domain
-tree for which a name server has complete information and over which
-it has authority. It contains all domain names from a certain point
-downward in the domain tree except those which are delegated to
-other zones. A delegation point is marked by one or more
-<emphasis>NS records</emphasis> in the
-parent zone, which should be matched by equivalent NS records at
-the root of the delegated zone.</para>
-
-<para>For instance, consider the <literal>example.com</literal>
-domain which includes names
-such as <literal>host.aaa.example.com</literal> and
-<literal>host.bbb.example.com</literal> even though
-the <literal>example.com</literal> zone includes
-only delegations for the <literal>aaa.example.com</literal> and
-<literal>bbb.example.com</literal> zones. A zone can map
-exactly to a single domain, but could also include only part of a
-domain, the rest of which could be delegated to other
-name servers. Every name in the <acronym>DNS</acronym> tree is a
-<emphasis>domain</emphasis>, even if it is
-<emphasis>terminal</emphasis>, that is, has no
-<emphasis>subdomains</emphasis>. Every subdomain is a domain and
-every domain except the root is also a subdomain. The terminology is
-not intuitive and we suggest that you read RFCs 1033, 1034 and 1035 to
-gain a complete understanding of this difficult and subtle
-topic.</para>
-
-<para>Though <acronym>BIND</acronym> is called a "domain name server",
-it deals primarily in terms of zones. The master and slave
-declarations in the <filename>named.conf</filename> file specify
-zones, not domains. When you ask some other site if it is willing to
-be a slave server for your <emphasis>domain</emphasis>, you are
-actually asking for slave service for some collection of zones.</para>
-</sect2>
-
-<sect2><title>Authoritative Name Servers</title>
-
-<para>Each zone is served by at least
-one <emphasis>authoritative name server</emphasis>,
-which contains the complete data for the zone.
-To make the DNS tolerant of server and network failures,
-most zones have two or more authoritative servers.
-</para>
-
-<para>Responses from authoritative servers have the "authoritative
-answer" (AA) bit set in the response packets. This makes them
-easy to identify when debugging DNS configurations using tools like
-<command>dig</command> (<xref linkend="diagnostic_tools"/>).</para>
-
-<sect3><title>The Primary Master</title>
-
-<para>
-The authoritative server where the master copy of the zone data is maintained is
-called the <emphasis>primary master</emphasis> server, or simply the
-<emphasis>primary</emphasis>. It loads the zone contents from some
-local file edited by humans or perhaps generated mechanically from
-some other local file which is edited by humans. This file is called
-the <emphasis>zone file</emphasis> or <emphasis>master file</emphasis>.</para>
-</sect3>
-
-<sect3><title>Slave Servers</title>
-<para>The other authoritative servers, the <emphasis>slave</emphasis>
-servers (also known as <emphasis>secondary</emphasis> servers) load
-the zone contents from another server using a replication process
-known as a <emphasis>zone transfer</emphasis>. Typically the data are
-transferred directly from the primary master, but it is also possible
-to transfer it from another slave. In other words, a slave server
-may itself act as a master to a subordinate slave server.</para>
-</sect3>
-
-<sect3><title>Stealth Servers</title>
-
-<para>Usually all of the zone's authoritative servers are listed in
-NS records in the parent zone. These NS records constitute
-a <emphasis>delegation</emphasis> of the zone from the parent.
-The authoritative servers are also listed in the zone file itself,
-at the <emphasis>top level</emphasis> or <emphasis>apex</emphasis>
-of the zone. You can list servers in the zone's top-level NS
-records that are not in the parent's NS delegation, but you cannot
-list servers in the parent's delegation that are not present at
-the zone's top level.</para>
-
-<para>A <emphasis>stealth server</emphasis> is a server that is
-authoritative for a zone but is not listed in that zone's NS
-records. Stealth servers can be used for keeping a local copy of a
-zone to speed up access to the zone's records or to make sure that the
-zone is available even if all the "official" servers for the zone are
-inaccessible.</para>
-
-<para>A configuration where the primary master server itself is a
-stealth server is often referred to as a "hidden primary"
-configuration. One use for this configuration is when the primary master
-is behind a firewall and therefore unable to communicate directly
-with the outside world.</para>
-
-</sect3>
-
-</sect2>
-<sect2>
-
-<title>Caching Name Servers</title>
-
-<para>The resolver libraries provided by most operating systems are
-<emphasis>stub resolvers</emphasis>, meaning that they are not capable of
-performing the full DNS resolution process by themselves by talking
-directly to the authoritative servers. Instead, they rely on a local
-name server to perform the resolution on their behalf. Such a server
-is called a <emphasis>recursive</emphasis> name server; it performs
-<emphasis>recursive lookups</emphasis> for local clients.</para>
-
-<para>To improve performance, recursive servers cache the results of
-the lookups they perform. Since the processes of recursion and
-caching are intimately connected, the terms
-<emphasis>recursive server</emphasis> and
-<emphasis>caching server</emphasis> are often used synonymously.</para>
-
-<para>The length of time for which a record may be retained in
-the cache of a caching name server is controlled by the
-Time To Live (TTL) field associated with each resource record.
-</para>
-
-<sect3><title>Forwarding</title>
-
-<para>Even a caching name server does not necessarily perform
-the complete recursive lookup itself. Instead, it can
-<emphasis>forward</emphasis> some or all of the queries
-that it cannot satisfy from its cache to another caching name server,
-commonly referred to as a <emphasis>forwarder</emphasis>.
-</para>
-
-<para>There may be one or more forwarders,
-and they are queried in turn until the list is exhausted or an answer
-is found. Forwarders are typically used when you do not
-wish all the servers at a given site to interact directly with the rest of
-the Internet servers. A typical scenario would involve a number
-of internal <acronym>DNS</acronym> servers and an Internet firewall. Servers unable
-to pass packets through the firewall would forward to the server
-that can do it, and that server would query the Internet <acronym>DNS</acronym> servers
-on the internal server's behalf. An added benefit of using the forwarding
-feature is that the central machine develops a much more complete
-cache of information that all the clients can take advantage
-of.</para>
-</sect3>
-
-</sect2>
-
-<sect2><title>Name Servers in Multiple Roles</title>
-
-<para>The <acronym>BIND</acronym> name server can simultaneously act as
-a master for some zones, a slave for other zones, and as a caching
-(recursive) server for a set of local clients.</para>
-
-<para>However, since the functions of authoritative name service
-and caching/recursive name service are logically separate, it is
-often advantageous to run them on separate server machines.
-
-A server that only provides authoritative name service
-(an <emphasis>authoritative-only</emphasis> server) can run with
-recursion disabled, improving reliability and security.
-
-A server that is not authoritative for any zones and only provides
-recursive service to local
-clients (a <emphasis>caching-only</emphasis> server)
-does not need to be reachable from the Internet at large and can
-be placed inside a firewall.</para>
-
- </sect2>
- </sect1>
-
-</chapter>
-
-<chapter id="Bv9ARM.ch02"><title><acronym>BIND</acronym> Resource Requirements</title>
-
-<sect1>
-<title>Hardware requirements</title>
-
-<para><acronym>DNS</acronym> hardware requirements have traditionally been quite modest.
-For many installations, servers that have been pensioned off from
-active duty have performed admirably as <acronym>DNS</acronym> servers.</para>
-<para>The DNSSEC and IPv6 features of <acronym>BIND</acronym> 9 may prove to be quite
-CPU intensive however, so organizations that make heavy use of these
-features may wish to consider larger systems for these applications.
-<acronym>BIND</acronym> 9 is fully multithreaded, allowing full utilization of
-multiprocessor systems for installations that need it.</para></sect1>
-<sect1><title>CPU Requirements</title>
-<para>CPU requirements for <acronym>BIND</acronym> 9 range from i486-class machines
-for serving of static zones without caching, to enterprise-class
-machines if you intend to process many dynamic updates and DNSSEC
-signed zones, serving many thousands of queries per second.</para></sect1>
-
-<sect1><title>Memory Requirements</title>
-<para>The memory of the server has to be large enough to fit the
-cache and zones loaded off disk. The <command>max-cache-size</command>
-option can be used to limit the amount of memory used by the cache,
-at the expense of reducing cache hit rates and causing more <acronym>DNS</acronym>
-traffic. It is still good practice to have enough memory to load
-all zone and cache data into memory &mdash; unfortunately, the best way
-to determine this for a given installation is to watch the name server
-in operation. After a few weeks the server process should reach
-a relatively stable size where entries are expiring from the cache as
-fast as they are being inserted.</para></sect1>
-
-<sect1><title>Name Server Intensive Environment Issues</title>
-<para>For name server intensive environments, there are two alternative
-configurations that may be used. The first is where clients and
-any second-level internal name servers query a main name server, which
-has enough memory to build a large cache. This approach minimizes
-the bandwidth used by external name lookups. The second alternative
-is to set up second-level internal name servers to make queries independently.
-In this configuration, none of the individual machines needs to
-have as much memory or CPU power as in the first alternative, but
-this has the disadvantage of making many more external queries,
-as none of the name servers share their cached data.</para></sect1>
-
-<sect1><title>Supported Operating Systems</title>
-<para>ISC <acronym>BIND</acronym> 9 compiles and runs on a large number
-of Unix-like operating system and on Windows NT / 2000. For an up-to-date
-list of supported systems, see the README file in the top level directory
-of the BIND 9 source distribution.</para>
-</sect1>
-</chapter>
-
-<chapter id="Bv9ARM.ch03">
-<title>Name Server Configuration</title>
-<para>In this section we provide some suggested configurations along
-with guidelines for their use. We also address the topic of reasonable
-option setting.</para>
-
-<sect1 id="sample_configuration">
-<title>Sample Configurations</title>
-<sect2>
-<title>A Caching-only Name Server</title>
-<para>The following sample configuration is appropriate for a caching-only
-name server for use by clients internal to a corporation. All queries
-from outside clients are refused using the <command>allow-query</command>
-option. Alternatively, the same effect could be achieved using suitable
-firewall rules.</para>
+ </informaltable>
+
+ <para>
+ The following conventions are used in descriptions of the
+ <acronym>BIND</acronym> configuration file:<informaltable colsep="0" frame="all" rowsep="0">
+ <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="2Level-table">
+ <colspec colname="1" colnum="1" colsep="0" colwidth="3.000in"/>
+ <colspec colname="2" colnum="2" colsep="0" colwidth="2.625in"/>
+ <tbody>
+ <row rowsep="0">
+ <entry colname="1" colsep="1" rowsep="1">
+ <para>
+ <emphasis>To describe:</emphasis>
+ </para>
+ </entry>
+ <entry colname="2" rowsep="1">
+ <para>
+ <emphasis>We use the style:</emphasis>
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1" colsep="1" rowsep="1">
+ <para>
+ keywords
+ </para>
+ </entry>
+ <entry colname="2" rowsep="1">
+ <para>
+ <literal>Fixed Width</literal>
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1" colsep="1" rowsep="1">
+ <para>
+ variables
+ </para>
+ </entry>
+ <entry colname="2" rowsep="1">
+ <para>
+ <varname>Fixed Width</varname>
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1" colsep="1">
+ <para>
+ Optional input
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ <optional>Text is enclosed in square brackets</optional>
+ </para>
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+ </para>
+ </sect1>
+ <sect1>
+ <title>The Domain Name System (<acronym>DNS</acronym>)</title>
+ <para>
+ The purpose of this document is to explain the installation
+ and upkeep of the <acronym>BIND</acronym> software
+ package, and we
+ begin by reviewing the fundamentals of the Domain Name System
+ (<acronym>DNS</acronym>) as they relate to <acronym>BIND</acronym>.
+ </para>
+
+ <sect2>
+ <title>DNS Fundamentals</title>
+
+ <para>
+ The Domain Name System (DNS) is a hierarchical, distributed
+ database. It stores information for mapping Internet host names to
+ IP
+ addresses and vice versa, mail routing information, and other data
+ used by Internet applications.
+ </para>
+
+ <para>
+ Clients look up information in the DNS by calling a
+ <emphasis>resolver</emphasis> library, which sends queries to one or
+ more <emphasis>name servers</emphasis> and interprets the responses.
+ The <acronym>BIND</acronym> 9 software distribution
+ contains a
+ name server, <command>named</command>, and two resolver
+ libraries, <command>liblwres</command> and <command>libbind</command>.
+ </para>
+
+ </sect2><sect2>
+ <title>Domains and Domain Names</title>
+
+ <para>
+ The data stored in the DNS is identified by <emphasis>domain names</emphasis> that are organized as a tree according to
+ organizational or administrative boundaries. Each node of the tree,
+ called a <emphasis>domain</emphasis>, is given a label. The domain
+ name of the
+ node is the concatenation of all the labels on the path from the
+ node to the <emphasis>root</emphasis> node. This is represented
+ in written form as a string of labels listed from right to left and
+ separated by dots. A label need only be unique within its parent
+ domain.
+ </para>
+
+ <para>
+ For example, a domain name for a host at the
+ company <emphasis>Example, Inc.</emphasis> could be
+ <literal>ourhost.example.com</literal>,
+ where <literal>com</literal> is the
+ top level domain to which
+ <literal>ourhost.example.com</literal> belongs,
+ <literal>example</literal> is
+ a subdomain of <literal>com</literal>, and
+ <literal>ourhost</literal> is the
+ name of the host.
+ </para>
+
+ <para>
+ For administrative purposes, the name space is partitioned into
+ areas called <emphasis>zones</emphasis>, each starting at a node and
+ extending down to the leaf nodes or to nodes where other zones
+ start.
+ The data for each zone is stored in a <emphasis>name server</emphasis>, which answers queries about the zone using the
+ <emphasis>DNS protocol</emphasis>.
+ </para>
+
+ <para>
+ The data associated with each domain name is stored in the
+ form of <emphasis>resource records</emphasis> (<acronym>RR</acronym>s).
+ Some of the supported resource record types are described in
+ <xref linkend="types_of_resource_records_and_when_to_use_them"/>.
+ </para>
+
+ <para>
+ For more detailed information about the design of the DNS and
+ the DNS protocol, please refer to the standards documents listed in
+ <xref linkend="rfcs"/>.
+ </para>
+ </sect2>
+
+ <sect2>
+ <title>Zones</title>
+ <para>
+ To properly operate a name server, it is important to understand
+ the difference between a <emphasis>zone</emphasis>
+ and a <emphasis>domain</emphasis>.
+ </para>
+
+ <para>
+ As stated previously, a zone is a point of delegation in
+ the <acronym>DNS</acronym> tree. A zone consists of
+ those contiguous parts of the domain
+ tree for which a name server has complete information and over which
+ it has authority. It contains all domain names from a certain point
+ downward in the domain tree except those which are delegated to
+ other zones. A delegation point is marked by one or more
+ <emphasis>NS records</emphasis> in the
+ parent zone, which should be matched by equivalent NS records at
+ the root of the delegated zone.
+ </para>
+
+ <para>
+ For instance, consider the <literal>example.com</literal>
+ domain which includes names
+ such as <literal>host.aaa.example.com</literal> and
+ <literal>host.bbb.example.com</literal> even though
+ the <literal>example.com</literal> zone includes
+ only delegations for the <literal>aaa.example.com</literal> and
+ <literal>bbb.example.com</literal> zones. A zone can
+ map
+ exactly to a single domain, but could also include only part of a
+ domain, the rest of which could be delegated to other
+ name servers. Every name in the <acronym>DNS</acronym>
+ tree is a
+ <emphasis>domain</emphasis>, even if it is
+ <emphasis>terminal</emphasis>, that is, has no
+ <emphasis>subdomains</emphasis>. Every subdomain is a domain and
+ every domain except the root is also a subdomain. The terminology is
+ not intuitive and we suggest that you read RFCs 1033, 1034 and 1035
+ to
+ gain a complete understanding of this difficult and subtle
+ topic.
+ </para>
+
+ <para>
+ Though <acronym>BIND</acronym> is called a "domain name
+ server",
+ it deals primarily in terms of zones. The master and slave
+ declarations in the <filename>named.conf</filename> file
+ specify
+ zones, not domains. When you ask some other site if it is willing to
+ be a slave server for your <emphasis>domain</emphasis>, you are
+ actually asking for slave service for some collection of zones.
+ </para>
+ </sect2>
+
+ <sect2>
+ <title>Authoritative Name Servers</title>
+
+ <para>
+ Each zone is served by at least
+ one <emphasis>authoritative name server</emphasis>,
+ which contains the complete data for the zone.
+ To make the DNS tolerant of server and network failures,
+ most zones have two or more authoritative servers, on
+ different networks.
+ </para>
+
+ <para>
+ Responses from authoritative servers have the "authoritative
+ answer" (AA) bit set in the response packets. This makes them
+ easy to identify when debugging DNS configurations using tools like
+ <command>dig</command> (<xref linkend="diagnostic_tools"/>).
+ </para>
+
+ <sect3>
+ <title>The Primary Master</title>
+
+ <para>
+ The authoritative server where the master copy of the zone
+ data is maintained is called the
+ <emphasis>primary master</emphasis> server, or simply the
+ <emphasis>primary</emphasis>. Typically it loads the zone
+ contents from some local file edited by humans or perhaps
+ generated mechanically from some other local file which is
+ edited by humans. This file is called the
+ <emphasis>zone file</emphasis> or
+ <emphasis>master file</emphasis>.
+ </para>
+
+ <para>
+ In some cases, however, the master file may not be edited
+ by humans at all, but may instead be the result of
+ <emphasis>dynamic update</emphasis> operations.
+ </para>
+ </sect3>
+
+ <sect3>
+ <title>Slave Servers</title>
+ <para>
+ The other authoritative servers, the <emphasis>slave</emphasis>
+ servers (also known as <emphasis>secondary</emphasis> servers)
+ load
+ the zone contents from another server using a replication process
+ known as a <emphasis>zone transfer</emphasis>. Typically the data
+ are
+ transferred directly from the primary master, but it is also
+ possible
+ to transfer it from another slave. In other words, a slave server
+ may itself act as a master to a subordinate slave server.
+ </para>
+ </sect3>
+
+ <sect3>
+ <title>Stealth Servers</title>
+
+ <para>
+ Usually all of the zone's authoritative servers are listed in
+ NS records in the parent zone. These NS records constitute
+ a <emphasis>delegation</emphasis> of the zone from the parent.
+ The authoritative servers are also listed in the zone file itself,
+ at the <emphasis>top level</emphasis> or <emphasis>apex</emphasis>
+ of the zone. You can list servers in the zone's top-level NS
+ records that are not in the parent's NS delegation, but you cannot
+ list servers in the parent's delegation that are not present at
+ the zone's top level.
+ </para>
+
+ <para>
+ A <emphasis>stealth server</emphasis> is a server that is
+ authoritative for a zone but is not listed in that zone's NS
+ records. Stealth servers can be used for keeping a local copy of
+ a
+ zone to speed up access to the zone's records or to make sure that
+ the
+ zone is available even if all the "official" servers for the zone
+ are
+ inaccessible.
+ </para>
+
+ <para>
+ A configuration where the primary master server itself is a
+ stealth server is often referred to as a "hidden primary"
+ configuration. One use for this configuration is when the primary
+ master
+ is behind a firewall and therefore unable to communicate directly
+ with the outside world.
+ </para>
+
+ </sect3>
+
+ </sect2>
+ <sect2>
+
+ <title>Caching Name Servers</title>
+
+ <!--
+ - Terminology here is inconsistant. Probably ought to
+ - convert to using "recursive name server" everywhere
+ - with just a note about "caching" terminology.
+ -->
+
+ <para>
+ The resolver libraries provided by most operating systems are
+ <emphasis>stub resolvers</emphasis>, meaning that they are not
+ capable of
+ performing the full DNS resolution process by themselves by talking
+ directly to the authoritative servers. Instead, they rely on a
+ local
+ name server to perform the resolution on their behalf. Such a
+ server
+ is called a <emphasis>recursive</emphasis> name server; it performs
+ <emphasis>recursive lookups</emphasis> for local clients.
+ </para>
+
+ <para>
+ To improve performance, recursive servers cache the results of
+ the lookups they perform. Since the processes of recursion and
+ caching are intimately connected, the terms
+ <emphasis>recursive server</emphasis> and
+ <emphasis>caching server</emphasis> are often used synonymously.
+ </para>
+
+ <para>
+ The length of time for which a record may be retained in
+ the cache of a caching name server is controlled by the
+ Time To Live (TTL) field associated with each resource record.
+ </para>
+
+ <sect3>
+ <title>Forwarding</title>
+
+ <para>
+ Even a caching name server does not necessarily perform
+ the complete recursive lookup itself. Instead, it can
+ <emphasis>forward</emphasis> some or all of the queries
+ that it cannot satisfy from its cache to another caching name
+ server,
+ commonly referred to as a <emphasis>forwarder</emphasis>.
+ </para>
+
+ <para>
+ There may be one or more forwarders,
+ and they are queried in turn until the list is exhausted or an
+ answer
+ is found. Forwarders are typically used when you do not
+ wish all the servers at a given site to interact directly with the
+ rest of
+ the Internet servers. A typical scenario would involve a number
+ of internal <acronym>DNS</acronym> servers and an
+ Internet firewall. Servers unable
+ to pass packets through the firewall would forward to the server
+ that can do it, and that server would query the Internet <acronym>DNS</acronym> servers
+ on the internal server's behalf.
+ </para>
+ </sect3>
+
+ </sect2>
+
+ <sect2>
+ <title>Name Servers in Multiple Roles</title>
+
+ <para>
+ The <acronym>BIND</acronym> name server can
+ simultaneously act as
+ a master for some zones, a slave for other zones, and as a caching
+ (recursive) server for a set of local clients.
+ </para>
+
+ <para>
+ However, since the functions of authoritative name service
+ and caching/recursive name service are logically separate, it is
+ often advantageous to run them on separate server machines.
+
+ A server that only provides authoritative name service
+ (an <emphasis>authoritative-only</emphasis> server) can run with
+ recursion disabled, improving reliability and security.
+
+ A server that is not authoritative for any zones and only provides
+ recursive service to local
+ clients (a <emphasis>caching-only</emphasis> server)
+ does not need to be reachable from the Internet at large and can
+ be placed inside a firewall.
+ </para>
+
+ </sect2>
+ </sect1>
+
+ </chapter>
+
+ <chapter id="Bv9ARM.ch02">
+ <title><acronym>BIND</acronym> Resource Requirements</title>
+
+ <sect1>
+ <title>Hardware requirements</title>
+
+ <para>
+ <acronym>DNS</acronym> hardware requirements have
+ traditionally been quite modest.
+ For many installations, servers that have been pensioned off from
+ active duty have performed admirably as <acronym>DNS</acronym> servers.
+ </para>
+ <para>
+ The DNSSEC features of <acronym>BIND</acronym> 9
+ may prove to be quite
+ CPU intensive however, so organizations that make heavy use of these
+ features may wish to consider larger systems for these applications.
+ <acronym>BIND</acronym> 9 is fully multithreaded, allowing
+ full utilization of
+ multiprocessor systems for installations that need it.
+ </para>
+ </sect1>
+ <sect1>
+ <title>CPU Requirements</title>
+ <para>
+ CPU requirements for <acronym>BIND</acronym> 9 range from
+ i486-class machines
+ for serving of static zones without caching, to enterprise-class
+ machines if you intend to process many dynamic updates and DNSSEC
+ signed zones, serving many thousands of queries per second.
+ </para>
+ </sect1>
+
+ <sect1>
+ <title>Memory Requirements</title>
+ <para>
+ The memory of the server has to be large enough to fit the
+ cache and zones loaded off disk. The <command>max-cache-size</command>
+ option can be used to limit the amount of memory used by the cache,
+ at the expense of reducing cache hit rates and causing more <acronym>DNS</acronym>
+ traffic.
+ Additionally, if additional section caching
+ (<xref linkend="acache"/>) is enabled,
+ the <command>max-acache-size</command> can be used to
+ limit the amount
+ of memory used by the mechanism.
+ It is still good practice to have enough memory to load
+ all zone and cache data into memory &mdash; unfortunately, the best
+ way
+ to determine this for a given installation is to watch the name server
+ in operation. After a few weeks the server process should reach
+ a relatively stable size where entries are expiring from the cache as
+ fast as they are being inserted.
+ </para>
+ <!--
+ - Add something here about leaving overhead for attacks?
+ - How much overhead? Percentage?
+ -->
+ </sect1>
+
+ <sect1>
+ <title>Name Server Intensive Environment Issues</title>
+ <para>
+ For name server intensive environments, there are two alternative
+ configurations that may be used. The first is where clients and
+ any second-level internal name servers query a main name server, which
+ has enough memory to build a large cache. This approach minimizes
+ the bandwidth used by external name lookups. The second alternative
+ is to set up second-level internal name servers to make queries
+ independently.
+ In this configuration, none of the individual machines needs to
+ have as much memory or CPU power as in the first alternative, but
+ this has the disadvantage of making many more external queries,
+ as none of the name servers share their cached data.
+ </para>
+ </sect1>
+
+ <sect1>
+ <title>Supported Operating Systems</title>
+ <para>
+ ISC <acronym>BIND</acronym> 9 compiles and runs on a large
+ number
+ of Unix-like operating system and on NT-derived versions of
+ Microsoft Windows such as Windows 2000 and Windows XP. For an
+ up-to-date
+ list of supported systems, see the README file in the top level
+ directory
+ of the BIND 9 source distribution.
+ </para>
+ </sect1>
+ </chapter>
+
+ <chapter id="Bv9ARM.ch03">
+ <title>Name Server Configuration</title>
+ <para>
+ In this section we provide some suggested configurations along
+ with guidelines for their use. We suggest reasonable values for
+ certain option settings.
+ </para>
+
+ <sect1 id="sample_configuration">
+ <title>Sample Configurations</title>
+ <sect2>
+ <title>A Caching-only Name Server</title>
+ <para>
+ The following sample configuration is appropriate for a caching-only
+ name server for use by clients internal to a corporation. All
+ queries
+ from outside clients are refused using the <command>allow-query</command>
+ option. Alternatively, the same effect could be achieved using
+ suitable
+ firewall rules.
+ </para>
<programlisting>
// Two corporate subnets we wish to allow queries from.
@@ -470,17 +685,21 @@ zone "0.0.127.in-addr.arpa" {
notify no;
};
</programlisting>
-</sect2>
-<sect2>
-<title>An Authoritative-only Name Server</title>
-<para>This sample configuration is for an authoritative-only server
-that is the master server for "<filename>example.com</filename>"
-and a slave for the subdomain "<filename>eng.example.com</filename>".</para>
+ </sect2>
+
+ <sect2>
+ <title>An Authoritative-only Name Server</title>
+ <para>
+ This sample configuration is for an authoritative-only server
+ that is the master server for "<filename>example.com</filename>"
+ and a slave for the subdomain "<filename>eng.example.com</filename>".
+ </para>
<programlisting>
options {
directory "/etc/namedb"; // Working directory
+ allow-query-cache { none; }; // Do not allow access to cache
allow-query { any; }; // This is the default
recursion no; // Do not provide recursive service
};
@@ -509,415 +728,743 @@ zone "eng.example.com" {
masters { 192.168.4.12; };
};
</programlisting>
-</sect2>
-</sect1>
-
-<sect1>
-<title>Load Balancing</title>
-
-<para>A primitive form of load balancing can be achieved in
-the <acronym>DNS</acronym> by using multiple A records for one name.</para>
-
-<para>For example, if you have three WWW servers with network addresses
-of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
-following means that clients will connect to each machine one third
-of the time:</para>
-
-<informaltable colsep = "0" rowsep = "0">
-<tgroup cols = "5" colsep = "0" rowsep = "0" tgroupstyle = "2Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.875in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "0.500in"/>
-<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "0.750in"/>
-<colspec colname = "4" colnum = "4" colsep = "0" colwidth = "0.750in"/>
-<colspec colname = "5" colnum = "5" colsep = "0" colwidth = "2.028in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para>Name</para></entry>
-<entry colname = "2"><para>TTL</para></entry>
-<entry colname = "3"><para>CLASS</para></entry>
-<entry colname = "4"><para>TYPE</para></entry>
-<entry colname = "5"><para>Resource Record (RR) Data</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><literal>www</literal></para></entry>
-<entry colname = "2"><para><literal>600</literal></para></entry>
-<entry colname = "3"><para><literal>IN</literal></para></entry>
-<entry colname = "4"><para><literal>A</literal></para></entry>
-<entry colname = "5"><para><literal>10.0.0.1</literal></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para></para></entry>
-<entry colname = "2"><para><literal>600</literal></para></entry>
-<entry colname = "3"><para><literal>IN</literal></para></entry>
-<entry colname = "4"><para><literal>A</literal></para></entry>
-<entry colname = "5"><para><literal>10.0.0.2</literal></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para></para></entry>
-<entry colname = "2"><para><literal>600</literal></para></entry>
-<entry colname = "3"><para><literal>IN</literal></para></entry>
-<entry colname = "4"><para><literal>A</literal></para></entry>
-<entry colname = "5"><para><literal>10.0.0.3</literal></para></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
- <para>When a resolver queries for these records, <acronym>BIND</acronym> will rotate
- them and respond to the query with the records in a different
- order. In the example above, clients will randomly receive
- records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
- will use the first record returned and discard the rest.</para>
- <para>For more detail on ordering responses, check the
- <command>rrset-order</command> substatement in the
- <command>options</command> statement, see
- <xref endterm="rrset_ordering_title" linkend="rrset_ordering"/>.
- This substatement is not supported in
- <acronym>BIND</acronym> 9, and only the ordering scheme described above is
- available.</para>
-
-</sect1>
-
-<sect1>
-<title>Name Server Operations</title>
-
-<sect2>
-<title>Tools for Use With the Name Server Daemon</title>
-<para>There are several indispensable diagnostic, administrative
-and monitoring tools available to the system administrator for controlling
-and debugging the name server daemon. We describe several in this
-section </para>
-<sect3 id="diagnostic_tools">
-<title>Diagnostic Tools</title>
-<para>The <command>dig</command>, <command>host</command>, and
-<command>nslookup</command> programs are all command line tools
-for manually querying name servers. They differ in style and
-output format.
-</para>
-
-<variablelist>
-<varlistentry>
-<term id="dig"><command>dig</command></term>
-<listitem>
-<para>The domain information groper (<command>dig</command>)
-is the most versatile and complete of these lookup tools.
-It has two modes: simple interactive
-mode for a single query, and batch mode which executes a query for
-each in a list of several query lines. All query options are accessible
-from the command line.</para>
-<cmdsynopsis label="Usage">
- <command>dig</command>
- <arg>@<replaceable>server</replaceable></arg>
- <arg choice="plain"><replaceable>domain</replaceable></arg>
- <arg><replaceable>query-type</replaceable></arg>
- <arg><replaceable>query-class</replaceable></arg>
- <arg>+<replaceable>query-option</replaceable></arg>
- <arg>-<replaceable>dig-option</replaceable></arg>
- <arg>%<replaceable>comment</replaceable></arg>
-</cmdsynopsis>
-<para>The usual simple use of dig will take the form</para>
-<simpara><command>dig @server domain query-type query-class</command></simpara>
-<para>For more information and a list of available commands and
-options, see the <command>dig</command> man page.</para>
-</listitem>
-</varlistentry>
-
-<varlistentry>
-<term><command>host</command></term>
-<listitem>
-<para>The <command>host</command> utility emphasizes simplicity
-and ease of use. By default, it converts
-between host names and Internet addresses, but its functionality
-can be extended with the use of options.</para>
-<cmdsynopsis label="Usage">
- <command>host</command>
- <arg>-aCdlrTwv</arg>
- <arg>-c <replaceable>class</replaceable></arg>
- <arg>-N <replaceable>ndots</replaceable></arg>
- <arg>-t <replaceable>type</replaceable></arg>
- <arg>-W <replaceable>timeout</replaceable></arg>
- <arg>-R <replaceable>retries</replaceable></arg>
- <arg choice="plain"><replaceable>hostname</replaceable></arg>
- <arg><replaceable>server</replaceable></arg>
-</cmdsynopsis>
-<para>For more information and a list of available commands and
-options, see the <command>host</command> man page.</para>
-</listitem>
-</varlistentry>
-
-<varlistentry>
-<term><command>nslookup</command></term>
-<listitem>
-<para><command>nslookup</command> has two modes: interactive
-and non-interactive. Interactive mode allows the user to query name servers
-for information about various hosts and domains or to print a list
-of hosts in a domain. Non-interactive mode is used to print just
-the name and requested information for a host or domain.</para>
-<cmdsynopsis label="Usage">
- <command>nslookup</command>
- <arg rep="repeat">-option</arg>
- <group>
- <arg><replaceable>host-to-find</replaceable></arg>
- <arg>- <arg>server</arg></arg>
- </group>
-</cmdsynopsis>
-<para>Interactive mode is entered when no arguments are given (the
-default name server will be used) or when the first argument is a
-hyphen (`-') and the second argument is the host name or Internet address
-of a name server.</para>
-<para>Non-interactive mode is used when the name or Internet address
-of the host to be looked up is given as the first argument. The
-optional second argument specifies the host name or address of a name server.</para>
-<para>Due to its arcane user interface and frequently inconsistent
-behavior, we do not recommend the use of <command>nslookup</command>.
-Use <command>dig</command> instead.</para>
-</listitem>
-
-</varlistentry>
-</variablelist>
-</sect3>
-
-<sect3 id="admin_tools">
- <title>Administrative Tools</title>
- <para>Administrative tools play an integral part in the management
-of a server.</para>
- <variablelist>
- <varlistentry id="named-checkconf" xreflabel="Named Configuration Checking application">
- <term><command>named-checkconf</command></term>
- <listitem>
- <para>The <command>named-checkconf</command> program
- checks the syntax of a <filename>named.conf</filename> file.</para>
- <cmdsynopsis label="Usage">
- <command>named-checkconf</command>
- <arg>-jvz</arg>
- <arg>-t <replaceable>directory</replaceable></arg>
- <arg><replaceable>filename</replaceable></arg>
- </cmdsynopsis>
- </listitem>
- </varlistentry>
- <varlistentry id="named-checkzone" xreflabel="Zone Checking application">
- <term><command>named-checkzone</command></term>
- <listitem>
- <para>The <command>named-checkzone</command> program checks a master file for
- syntax and consistency.</para>
- <cmdsynopsis label="Usage">
- <command>named-checkzone</command>
- <arg>-djqvD</arg>
- <arg>-c <replaceable>class</replaceable></arg>
- <arg>-o <replaceable>output</replaceable></arg>
- <arg>-t <replaceable>directory</replaceable></arg>
- <arg>-w <replaceable>directory</replaceable></arg>
- <arg>-k <replaceable>(ignore|warn|fail)</replaceable></arg>
- <arg>-n <replaceable>(ignore|warn|fail)</replaceable></arg>
- <arg choice="plain"><replaceable>zone</replaceable></arg>
- <arg><replaceable>filename</replaceable></arg>
- </cmdsynopsis>
- </listitem>
- </varlistentry>
- <varlistentry id="rndc" xreflabel="Remote Name Daemon Control application">
- <term><command>rndc</command></term>
- <listitem>
- <para>The remote name daemon control
- (<command>rndc</command>) program allows the system
- administrator to control the operation of a name server.
- If you run <command>rndc</command> without any options
- it will display a usage message as follows:</para>
- <cmdsynopsis label="Usage">
- <command>rndc</command>
- <arg>-c <replaceable>config</replaceable></arg>
- <arg>-s <replaceable>server</replaceable></arg>
- <arg>-p <replaceable>port</replaceable></arg>
- <arg>-y <replaceable>key</replaceable></arg>
- <arg choice="plain"><replaceable>command</replaceable></arg>
- <arg rep="repeat"><replaceable>command</replaceable></arg>
- </cmdsynopsis>
- <para>The <command>command</command> is one of the following:</para>
-
-<variablelist>
-
- <varlistentry><term><userinput>reload</userinput></term>
- <listitem><para>Reload configuration file and zones.</para></listitem>
- </varlistentry>
-
- <varlistentry><term><userinput>reload <replaceable>zone</replaceable>
- <optional><replaceable>class</replaceable>
- <optional><replaceable>view</replaceable></optional></optional></userinput></term>
- <listitem><para>Reload the given zone.</para></listitem>
- </varlistentry>
- <varlistentry><term><userinput>refresh <replaceable>zone</replaceable>
- <optional><replaceable>class</replaceable>
+ </sect2>
+ </sect1>
+
+ <sect1>
+ <title>Load Balancing</title>
+ <!--
+ - Add explanation of why load balancing is fragile at best
+ - and completely pointless in the general case.
+ -->
+
+ <para>
+ A primitive form of load balancing can be achieved in
+ the <acronym>DNS</acronym> by using multiple A records for
+ one name.
+ </para>
+
+ <para>
+ For example, if you have three WWW servers with network addresses
+ of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
+ following means that clients will connect to each machine one third
+ of the time:
+ </para>
+
+ <informaltable colsep="0" rowsep="0">
+ <tgroup cols="5" colsep="0" rowsep="0" tgroupstyle="2Level-table">
+ <colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
+ <colspec colname="2" colnum="2" colsep="0" colwidth="0.500in"/>
+ <colspec colname="3" colnum="3" colsep="0" colwidth="0.750in"/>
+ <colspec colname="4" colnum="4" colsep="0" colwidth="0.750in"/>
+ <colspec colname="5" colnum="5" colsep="0" colwidth="2.028in"/>
+ <tbody>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ Name
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ TTL
+ </para>
+ </entry>
+ <entry colname="3">
+ <para>
+ CLASS
+ </para>
+ </entry>
+ <entry colname="4">
+ <para>
+ TYPE
+ </para>
+ </entry>
+ <entry colname="5">
+ <para>
+ Resource Record (RR) Data
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <literal>www</literal>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ <literal>600</literal>
+ </para>
+ </entry>
+ <entry colname="3">
+ <para>
+ <literal>IN</literal>
+ </para>
+ </entry>
+ <entry colname="4">
+ <para>
+ <literal>A</literal>
+ </para>
+ </entry>
+ <entry colname="5">
+ <para>
+ <literal>10.0.0.1</literal>
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para/>
+ </entry>
+ <entry colname="2">
+ <para>
+ <literal>600</literal>
+ </para>
+ </entry>
+ <entry colname="3">
+ <para>
+ <literal>IN</literal>
+ </para>
+ </entry>
+ <entry colname="4">
+ <para>
+ <literal>A</literal>
+ </para>
+ </entry>
+ <entry colname="5">
+ <para>
+ <literal>10.0.0.2</literal>
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para/>
+ </entry>
+ <entry colname="2">
+ <para>
+ <literal>600</literal>
+ </para>
+ </entry>
+ <entry colname="3">
+ <para>
+ <literal>IN</literal>
+ </para>
+ </entry>
+ <entry colname="4">
+ <para>
+ <literal>A</literal>
+ </para>
+ </entry>
+ <entry colname="5">
+ <para>
+ <literal>10.0.0.3</literal>
+ </para>
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+ <para>
+ When a resolver queries for these records, <acronym>BIND</acronym> will rotate
+ them and respond to the query with the records in a different
+ order. In the example above, clients will randomly receive
+ records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
+ will use the first record returned and discard the rest.
+ </para>
+ <para>
+ For more detail on ordering responses, check the
+ <command>rrset-order</command> substatement in the
+ <command>options</command> statement, see
+ <xref endterm="rrset_ordering_title" linkend="rrset_ordering"/>.
+ </para>
+
+ </sect1>
+
+ <sect1>
+ <title>Name Server Operations</title>
+
+ <sect2>
+ <title>Tools for Use With the Name Server Daemon</title>
+ <para>
+ This section describes several indispensable diagnostic,
+ administrative and monitoring tools available to the system
+ administrator for controlling and debugging the name server
+ daemon.
+ </para>
+ <sect3 id="diagnostic_tools">
+ <title>Diagnostic Tools</title>
+ <para>
+ The <command>dig</command>, <command>host</command>, and
+ <command>nslookup</command> programs are all command
+ line tools
+ for manually querying name servers. They differ in style and
+ output format.
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term id="dig"><command>dig</command></term>
+ <listitem>
+ <para>
+ The domain information groper (<command>dig</command>)
+ is the most versatile and complete of these lookup tools.
+ It has two modes: simple interactive
+ mode for a single query, and batch mode which executes a
+ query for
+ each in a list of several query lines. All query options are
+ accessible
+ from the command line.
+ </para>
+ <cmdsynopsis label="Usage">
+ <command>dig</command>
+ <arg>@<replaceable>server</replaceable></arg>
+ <arg choice="plain"><replaceable>domain</replaceable></arg>
+ <arg><replaceable>query-type</replaceable></arg>
+ <arg><replaceable>query-class</replaceable></arg>
+ <arg>+<replaceable>query-option</replaceable></arg>
+ <arg>-<replaceable>dig-option</replaceable></arg>
+ <arg>%<replaceable>comment</replaceable></arg>
+ </cmdsynopsis>
+ <para>
+ The usual simple use of dig will take the form
+ </para>
+ <simpara>
+ <command>dig @server domain query-type query-class</command>
+ </simpara>
+ <para>
+ For more information and a list of available commands and
+ options, see the <command>dig</command> man
+ page.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>host</command></term>
+ <listitem>
+ <para>
+ The <command>host</command> utility emphasizes
+ simplicity
+ and ease of use. By default, it converts
+ between host names and Internet addresses, but its
+ functionality
+ can be extended with the use of options.
+ </para>
+ <cmdsynopsis label="Usage">
+ <command>host</command>
+ <arg>-aCdlrTwv</arg>
+ <arg>-c <replaceable>class</replaceable></arg>
+ <arg>-N <replaceable>ndots</replaceable></arg>
+ <arg>-t <replaceable>type</replaceable></arg>
+ <arg>-W <replaceable>timeout</replaceable></arg>
+ <arg>-R <replaceable>retries</replaceable></arg>
+ <arg choice="plain"><replaceable>hostname</replaceable></arg>
+ <arg><replaceable>server</replaceable></arg>
+ </cmdsynopsis>
+ <para>
+ For more information and a list of available commands and
+ options, see the <command>host</command> man
+ page.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>nslookup</command></term>
+ <listitem>
+ <para><command>nslookup</command>
+ has two modes: interactive and
+ non-interactive. Interactive mode allows the user to
+ query name servers for information about various
+ hosts and domains or to print a list of hosts in a
+ domain. Non-interactive mode is used to print just
+ the name and requested information for a host or
+ domain.
+ </para>
+ <cmdsynopsis label="Usage">
+ <command>nslookup</command>
+ <arg rep="repeat">-option</arg>
+ <group>
+ <arg><replaceable>host-to-find</replaceable></arg>
+ <arg>- <arg>server</arg></arg>
+ </group>
+ </cmdsynopsis>
+ <para>
+ Interactive mode is entered when no arguments are given (the
+ default name server will be used) or when the first argument
+ is a
+ hyphen (`-') and the second argument is the host name or
+ Internet address
+ of a name server.
+ </para>
+ <para>
+ Non-interactive mode is used when the name or Internet
+ address
+ of the host to be looked up is given as the first argument.
+ The
+ optional second argument specifies the host name or address
+ of a name server.
+ </para>
+ <para>
+ Due to its arcane user interface and frequently inconsistent
+ behavior, we do not recommend the use of <command>nslookup</command>.
+ Use <command>dig</command> instead.
+ </para>
+ </listitem>
+
+ </varlistentry>
+ </variablelist>
+ </sect3>
+
+ <sect3 id="admin_tools">
+ <title>Administrative Tools</title>
+ <para>
+ Administrative tools play an integral part in the management
+ of a server.
+ </para>
+ <variablelist>
+ <varlistentry id="named-checkconf" xreflabel="Named Configuration Checking application">
+
+ <term><command>named-checkconf</command></term>
+ <listitem>
+ <para>
+ The <command>named-checkconf</command> program
+ checks the syntax of a <filename>named.conf</filename> file.
+ </para>
+ <cmdsynopsis label="Usage">
+ <command>named-checkconf</command>
+ <arg>-jvz</arg>
+ <arg>-t <replaceable>directory</replaceable></arg>
+ <arg><replaceable>filename</replaceable></arg>
+ </cmdsynopsis>
+ </listitem>
+ </varlistentry>
+ <varlistentry id="named-checkzone" xreflabel="Zone Checking application">
+
+ <term><command>named-checkzone</command></term>
+ <listitem>
+ <para>
+ The <command>named-checkzone</command> program
+ checks a master file for
+ syntax and consistency.
+ </para>
+ <cmdsynopsis label="Usage">
+ <command>named-checkzone</command>
+ <arg>-djqvD</arg>
+ <arg>-c <replaceable>class</replaceable></arg>
+ <arg>-o <replaceable>output</replaceable></arg>
+ <arg>-t <replaceable>directory</replaceable></arg>
+ <arg>-w <replaceable>directory</replaceable></arg>
+ <arg>-k <replaceable>(ignore|warn|fail)</replaceable></arg>
+ <arg>-n <replaceable>(ignore|warn|fail)</replaceable></arg>
+ <arg>-W <replaceable>(ignore|warn)</replaceable></arg>
+ <arg choice="plain"><replaceable>zone</replaceable></arg>
+ <arg><replaceable>filename</replaceable></arg>
+ </cmdsynopsis>
+ </listitem>
+ </varlistentry>
+ <varlistentry id="named-compilezone" xreflabel="Zone Compilation aplication">
+ <term><command>named-compilezone</command></term>
+ <listitem>
+ <para>
+ Similar to <command>named-checkzone,</command> but
+ it always dumps the zone content to a specified file
+ (typically in a different format).
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry id="rndc" xreflabel="Remote Name Daemon Control application">
+
+ <term><command>rndc</command></term>
+ <listitem>
+ <para>
+ The remote name daemon control
+ (<command>rndc</command>) program allows the
+ system
+ administrator to control the operation of a name server.
+ If you run <command>rndc</command> without any
+ options
+ it will display a usage message as follows:
+ </para>
+ <cmdsynopsis label="Usage">
+ <command>rndc</command>
+ <arg>-c <replaceable>config</replaceable></arg>
+ <arg>-s <replaceable>server</replaceable></arg>
+ <arg>-p <replaceable>port</replaceable></arg>
+ <arg>-y <replaceable>key</replaceable></arg>
+ <arg choice="plain"><replaceable>command</replaceable></arg>
+ <arg rep="repeat"><replaceable>command</replaceable></arg>
+ </cmdsynopsis>
+ <para>The <command>command</command>
+ is one of the following:
+ </para>
+
+ <variablelist>
+
+ <varlistentry>
+ <term><userinput>reload</userinput></term>
+ <listitem>
+ <para>
+ Reload configuration file and zones.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>reload <replaceable>zone</replaceable>
+ <optional><replaceable>class</replaceable>
+ <optional><replaceable>view</replaceable></optional></optional></userinput></term>
+ <listitem>
+ <para>
+ Reload the given zone.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>refresh <replaceable>zone</replaceable>
+ <optional><replaceable>class</replaceable>
<optional><replaceable>view</replaceable></optional></optional></userinput></term>
- <listitem><para>Schedule zone maintenance for the given zone.</para></listitem>
- </varlistentry>
+ <listitem>
+ <para>
+ Schedule zone maintenance for the given zone.
+ </para>
+ </listitem>
+ </varlistentry>
- <varlistentry><term><userinput>retransfer <replaceable>zone</replaceable>
- <optional><replaceable>class</replaceable>
+ <varlistentry>
+ <term><userinput>retransfer <replaceable>zone</replaceable>
+
+ <optional><replaceable>class</replaceable>
<optional><replaceable>view</replaceable></optional></optional></userinput></term>
- <listitem><para>Retransfer the given zone from the master.</para></listitem>
- </varlistentry>
+ <listitem>
+ <para>
+ Retransfer the given zone from the master.
+ </para>
+ </listitem>
+ </varlistentry>
- <varlistentry> <term><userinput>freeze <optional><replaceable>zone</replaceable>
+ <varlistentry>
+
+ <term><userinput>freeze
+ <optional><replaceable>zone</replaceable>
<optional><replaceable>class</replaceable>
<optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
- <listitem><para>Suspend updates to a dynamic zone. If no zone is specified,
- then all zones are suspended. This allows manual
- edits to be made to a zone normally updated by dynamic update. It
- also causes changes in the journal file to be synced into the master
- and the journal file to be removed. All dynamic update attempts will
- be refused while the zone is frozen.</para></listitem>
- </varlistentry>
-
- <varlistentry><term><userinput>thaw <optional><replaceable>zone</replaceable>
+ <listitem>
+ <para>
+ Suspend updates to a dynamic zone. If no zone is
+ specified,
+ then all zones are suspended. This allows manual
+ edits to be made to a zone normally updated by dynamic
+ update. It
+ also causes changes in the journal file to be synced
+ into the master
+ and the journal file to be removed. All dynamic
+ update attempts will
+ be refused while the zone is frozen.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>thaw
+ <optional><replaceable>zone</replaceable>
<optional><replaceable>class</replaceable>
<optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
- <listitem><para>Enable updates to a frozen dynamic zone. If no zone is
- specified, then all frozen zones are enabled. This causes
- the server to reload the zone from disk, and re-enables dynamic updates
- after the load has completed. After a zone is thawed, dynamic updates
- will no longer be refused.</para></listitem>
- </varlistentry>
-
- <varlistentry><term><userinput>reconfig</userinput></term>
- <listitem><para>Reload the configuration file and load new zones,
- but do not reload existing zone files even if they have changed.
- This is faster than a full <command>reload</command> when there
- is a large number of zones because it avoids the need to examine the
- modification times of the zones files.
- </para></listitem>
- </varlistentry>
-
- <varlistentry><term><userinput>stats</userinput></term>
- <listitem><para>Write server statistics to the statistics file.</para></listitem>
- </varlistentry>
-
- <varlistentry><term><userinput>querylog</userinput></term>
- <listitem><para>Toggle query logging. Query logging can also be enabled
- by explicitly directing the <command>queries</command>
- <command>category</command> to a <command>channel</command> in the
- <command>logging</command> section of
- <filename>named.conf</filename>.</para></listitem></varlistentry>
-
- <varlistentry><term><userinput>dumpdb <optional>-all|-cache|-zone</optional> <optional><replaceable>view ...</replaceable></optional></userinput></term>
- <listitem><para>Dump the server's caches (default) and / or zones to the
- dump file for the specified views. If no view is specified, all
- views are dumped.</para></listitem></varlistentry>
-
- <varlistentry><term><userinput>stop <optional>-p</optional></userinput></term>
- <listitem><para>Stop the server, making sure any recent changes
- made through dynamic update or IXFR are first saved to the master files
- of the updated zones. If -p is specified named's process id is returned.
- This allows an external process to determine when named had completed stopping.</para></listitem></varlistentry>
-
- <varlistentry><term><userinput>halt <optional>-p</optional></userinput></term>
- <listitem><para>Stop the server immediately. Recent changes
- made through dynamic update or IXFR are not saved to the master files,
- but will be rolled forward from the journal files when the server
- is restarted. If -p is specified named's process id is returned.
- This allows an external process to determine when named had completed
- stopping.</para></listitem></varlistentry>
-
- <varlistentry><term><userinput>trace</userinput></term>
- <listitem><para>Increment the servers debugging level by one. </para></listitem></varlistentry>
-
- <varlistentry><term><userinput>trace <replaceable>level</replaceable></userinput></term>
- <listitem><para>Sets the server's debugging level to an explicit
- value.</para></listitem></varlistentry>
-
- <varlistentry><term><userinput>notrace</userinput></term>
- <listitem><para>Sets the server's debugging level to 0.</para></listitem></varlistentry>
-
- <varlistentry><term><userinput>flush</userinput></term>
- <listitem><para>Flushes the server's cache.</para></listitem></varlistentry>
-
- <varlistentry><term><userinput>flushname</userinput> <replaceable>name</replaceable></term>
- <listitem><para>Flushes the given name from the server's cache.</para></listitem></varlistentry>
-
- <varlistentry><term><userinput>status</userinput></term>
- <listitem><para>Display status of the server.
-Note that the number of zones includes the internal <command>bind/CH</command> zone
-and the default <command>./IN</command> hint zone if there is not an
-explicit root zone configured.</para></listitem></varlistentry>
-
- <varlistentry><term><userinput>recursing</userinput></term>
- <listitem><para>Dump the list of queries named is currently recursing
- on.
- </para></listitem></varlistentry>
-
-</variablelist>
-
-<para>In <acronym>BIND</acronym> 9.2, <command>rndc</command>
-supports all the commands of the BIND 8 <command>ndc</command>
-utility except <command>ndc start</command> and
-<command>ndc restart</command>, which were also
-not supported in <command>ndc</command>'s channel mode.</para>
-
-<para>A configuration file is required, since all
-communication with the server is authenticated with
-digital signatures that rely on a shared secret, and
-there is no way to provide that secret other than with a
-configuration file. The default location for the
-<command>rndc</command> configuration file is
-<filename>/etc/rndc.conf</filename>, but an alternate
-location can be specified with the <option>-c</option>
-option. If the configuration file is not found,
-<command>rndc</command> will also look in
-<filename>/etc/rndc.key</filename> (or whatever
-<varname>sysconfdir</varname> was defined when
-the <acronym>BIND</acronym> build was configured).
-The <filename>rndc.key</filename> file is generated by
-running <command>rndc-confgen -a</command> as described in
-<xref linkend="controls_statement_definition_and_usage"/>.</para>
-
-<para>The format of the configuration file is similar to
-that of <filename>named.conf</filename>, but limited to
-only four statements, the <command>options</command>,
-<command>key</command>, <command>server</command> and
-<command>include</command>
-statements. These statements are what associate the
-secret keys to the servers with which they are meant to
-be shared. The order of statements is not
-significant.</para>
-
-<para>The <command>options</command> statement has three clauses:
-<command>default-server</command>, <command>default-key</command>,
-and <command>default-port</command>.
-<command>default-server</command> takes a
-host name or address argument and represents the server that will
-be contacted if no <option>-s</option>
-option is provided on the command line.
-<command>default-key</command> takes
-the name of a key as its argument, as defined by a <command>key</command> statement.
-<command>default-port</command> specifies the port to which
-<command>rndc</command> should connect if no
-port is given on the command line or in a
-<command>server</command> statement.</para>
-
-<para>The <command>key</command> statement defines a key to be used
-by <command>rndc</command> when authenticating with
-<command>named</command>. Its syntax is identical to the
-<command>key</command> statement in named.conf.
-The keyword <userinput>key</userinput> is
-followed by a key name, which must be a valid
-domain name, though it need not actually be hierarchical; thus,
-a string like "<userinput>rndc_key</userinput>" is a valid name.
-The <command>key</command> statement has two clauses:
-<command>algorithm</command> and <command>secret</command>.
-While the configuration parser will accept any string as the argument
-to algorithm, currently only the string "<userinput>hmac-md5</userinput>"
-has any meaning. The secret is a base-64 encoded string.</para>
-
-<para>The <command>server</command> statement associates a key
-defined using the <command>key</command> statement with a server.
-The keyword <userinput>server</userinput> is followed by a
-host name or address. The <command>server</command> statement
-has two clauses: <command>key</command> and <command>port</command>.
-The <command>key</command> clause specifies the name of the key
-to be used when communicating with this server, and the
-<command>port</command> clause can be used to
-specify the port <command>rndc</command> should connect
-to on the server.</para>
-
-<para>A sample minimal configuration file is as follows:</para>
+ <listitem>
+ <para>
+ Enable updates to a frozen dynamic zone. If no zone
+ is
+ specified, then all frozen zones are enabled. This
+ causes
+ the server to reload the zone from disk, and
+ re-enables dynamic updates
+ after the load has completed. After a zone is thawed,
+ dynamic updates
+ will no longer be refused.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>notify <replaceable>zone</replaceable>
+ <optional><replaceable>class</replaceable>
+ <optional><replaceable>view</replaceable></optional></optional></userinput></term>
+ <listitem>
+ <para>
+ Resend NOTIFY messages for the zone.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>reconfig</userinput></term>
+ <listitem>
+ <para>
+ Reload the configuration file and load new zones,
+ but do not reload existing zone files even if they
+ have changed.
+ This is faster than a full <command>reload</command> when there
+ is a large number of zones because it avoids the need
+ to examine the
+ modification times of the zones files.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>stats</userinput></term>
+ <listitem>
+ <para>
+ Write server statistics to the statistics file.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>querylog</userinput></term>
+ <listitem>
+ <para>
+ Toggle query logging. Query logging can also be enabled
+ by explicitly directing the <command>queries</command>
+ <command>category</command> to a
+ <command>channel</command> in the
+ <command>logging</command> section of
+ <filename>named.conf</filename> or by specifying
+ <command>querylog yes;</command> in the
+ <command>options</command> section of
+ <filename>named.conf</filename>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>dumpdb
+ <optional>-all|-cache|-zone</optional>
+ <optional><replaceable>view ...</replaceable></optional></userinput></term>
+ <listitem>
+ <para>
+ Dump the server's caches (default) and/or zones to
+ the
+ dump file for the specified views. If no view is
+ specified, all
+ views are dumped.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>stop <optional>-p</optional></userinput></term>
+ <listitem>
+ <para>
+ Stop the server, making sure any recent changes
+ made through dynamic update or IXFR are first saved to
+ the master files of the updated zones.
+ If -p is specified named's process id is returned.
+ This allows an external process to determine when named
+ had completed stopping.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>halt <optional>-p</optional></userinput></term>
+ <listitem>
+ <para>
+ Stop the server immediately. Recent changes
+ made through dynamic update or IXFR are not saved to
+ the master files, but will be rolled forward from the
+ journal files when the server is restarted.
+ If -p is specified named's process id is returned.
+ This allows an external process to determine when named
+ had completed halting.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>trace</userinput></term>
+ <listitem>
+ <para>
+ Increment the servers debugging level by one.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>trace <replaceable>level</replaceable></userinput></term>
+ <listitem>
+ <para>
+ Sets the server's debugging level to an explicit
+ value.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>notrace</userinput></term>
+ <listitem>
+ <para>
+ Sets the server's debugging level to 0.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>flush</userinput></term>
+ <listitem>
+ <para>
+ Flushes the server's cache.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>flushname</userinput> <replaceable>name</replaceable></term>
+ <listitem>
+ <para>
+ Flushes the given name from the server's cache.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>status</userinput></term>
+ <listitem>
+ <para>
+ Display status of the server.
+ Note that the number of zones includes the internal <command>bind/CH</command> zone
+ and the default <command>./IN</command>
+ hint zone if there is not an
+ explicit root zone configured.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>recursing</userinput></term>
+ <listitem>
+ <para>
+ Dump the list of queries named is currently recursing
+ on.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+
+ <para>
+ In <acronym>BIND</acronym> 9.2, <command>rndc</command>
+ supports all the commands of the BIND 8 <command>ndc</command>
+ utility except <command>ndc start</command> and
+ <command>ndc restart</command>, which were also
+ not supported in <command>ndc</command>'s
+ channel mode.
+ </para>
+
+ <para>
+ A configuration file is required, since all
+ communication with the server is authenticated with
+ digital signatures that rely on a shared secret, and
+ there is no way to provide that secret other than with a
+ configuration file. The default location for the
+ <command>rndc</command> configuration file is
+ <filename>/etc/rndc.conf</filename>, but an
+ alternate
+ location can be specified with the <option>-c</option>
+ option. If the configuration file is not found,
+ <command>rndc</command> will also look in
+ <filename>/etc/rndc.key</filename> (or whatever
+ <varname>sysconfdir</varname> was defined when
+ the <acronym>BIND</acronym> build was
+ configured).
+ The <filename>rndc.key</filename> file is
+ generated by
+ running <command>rndc-confgen -a</command> as
+ described in
+ <xref linkend="controls_statement_definition_and_usage"/>.
+ </para>
+
+ <para>
+ The format of the configuration file is similar to
+ that of <filename>named.conf</filename>, but
+ limited to
+ only four statements, the <command>options</command>,
+ <command>key</command>, <command>server</command> and
+ <command>include</command>
+ statements. These statements are what associate the
+ secret keys to the servers with which they are meant to
+ be shared. The order of statements is not
+ significant.
+ </para>
+
+ <para>
+ The <command>options</command> statement has
+ three clauses:
+ <command>default-server</command>, <command>default-key</command>,
+ and <command>default-port</command>.
+ <command>default-server</command> takes a
+ host name or address argument and represents the server
+ that will
+ be contacted if no <option>-s</option>
+ option is provided on the command line.
+ <command>default-key</command> takes
+ the name of a key as its argument, as defined by a <command>key</command> statement.
+ <command>default-port</command> specifies the
+ port to which
+ <command>rndc</command> should connect if no
+ port is given on the command line or in a
+ <command>server</command> statement.
+ </para>
+
+ <para>
+ The <command>key</command> statement defines a
+ key to be used
+ by <command>rndc</command> when authenticating
+ with
+ <command>named</command>. Its syntax is
+ identical to the
+ <command>key</command> statement in named.conf.
+ The keyword <userinput>key</userinput> is
+ followed by a key name, which must be a valid
+ domain name, though it need not actually be hierarchical;
+ thus,
+ a string like "<userinput>rndc_key</userinput>" is a valid
+ name.
+ The <command>key</command> statement has two
+ clauses:
+ <command>algorithm</command> and <command>secret</command>.
+ While the configuration parser will accept any string as the
+ argument
+ to algorithm, currently only the string "<userinput>hmac-md5</userinput>"
+ has any meaning. The secret is a base-64 encoded string
+ as specified in RFC 3548.
+ </para>
+
+ <para>
+ The <command>server</command> statement
+ associates a key
+ defined using the <command>key</command>
+ statement with a server.
+ The keyword <userinput>server</userinput> is followed by a
+ host name or address. The <command>server</command> statement
+ has two clauses: <command>key</command> and <command>port</command>.
+ The <command>key</command> clause specifies the
+ name of the key
+ to be used when communicating with this server, and the
+ <command>port</command> clause can be used to
+ specify the port <command>rndc</command> should
+ connect
+ to on the server.
+ </para>
+
+ <para>
+ A sample minimal configuration file is as follows:
+ </para>
+
<programlisting>
key rndc_key {
algorithm "hmac-md5";
@@ -929,275 +1476,418 @@ options {
};
</programlisting>
-<para>This file, if installed as <filename>/etc/rndc.conf</filename>,
-would allow the command:</para>
+ <para>
+ This file, if installed as <filename>/etc/rndc.conf</filename>,
+ would allow the command:
+ </para>
+
+ <para>
+ <prompt>$ </prompt><userinput>rndc reload</userinput>
+ </para>
-<para><prompt>$ </prompt><userinput>rndc reload</userinput></para>
+ <para>
+ to connect to 127.0.0.1 port 953 and cause the name server
+ to reload, if a name server on the local machine were
+ running with
+ following controls statements:
+ </para>
-<para>to connect to 127.0.0.1 port 953 and cause the name server
-to reload, if a name server on the local machine were running with
-following controls statements:</para>
<programlisting>
controls {
inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};
</programlisting>
-<para>and it had an identical key statement for
-<literal>rndc_key</literal>.</para>
-
-<para>Running the <command>rndc-confgen</command> program will
-conveniently create a <filename>rndc.conf</filename>
-file for you, and also display the
-corresponding <command>controls</command> statement that you need to
-add to <filename>named.conf</filename>. Alternatively,
-you can run <command>rndc-confgen -a</command> to set up
-a <filename>rndc.key</filename> file and not modify
-<filename>named.conf</filename> at all.
-</para>
- </listitem>
- </varlistentry>
- </variablelist>
+ <para>
+ and it had an identical key statement for
+ <literal>rndc_key</literal>.
+ </para>
+
+ <para>
+ Running the <command>rndc-confgen</command>
+ program will
+ conveniently create a <filename>rndc.conf</filename>
+ file for you, and also display the
+ corresponding <command>controls</command>
+ statement that you need to
+ add to <filename>named.conf</filename>.
+ Alternatively,
+ you can run <command>rndc-confgen -a</command>
+ to set up
+ a <filename>rndc.key</filename> file and not
+ modify
+ <filename>named.conf</filename> at all.
+ </para>
- </sect3>
- </sect2>
-<sect2>
-
-<title>Signals</title>
-<para>Certain UNIX signals cause the name server to take specific
-actions, as described in the following table. These signals can
-be sent using the <command>kill</command> command.</para>
-<informaltable frame = "all" ><tgroup cols = "2">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.125in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.000in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para><command>SIGHUP</command></para></entry>
-<entry colname = "2"><para>Causes the server to read <filename>named.conf</filename> and
-reload the database. </para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>SIGTERM</command></para></entry>
-<entry colname = "2"><para>Causes the server to clean up and exit.</para></entry>
- </row>
- <row rowsep = "0">
- <entry colname = "1">
-<para><command>SIGINT</command></para>
-</entry>
- <entry colname = "2"><para>Causes the server to clean up and exit.</para></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
- </sect2>
- </sect1>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+
+ </sect3>
+ </sect2>
+ <sect2>
+
+ <title>Signals</title>
+ <para>
+ Certain UNIX signals cause the name server to take specific
+ actions, as described in the following table. These signals can
+ be sent using the <command>kill</command> command.
+ </para>
+ <informaltable frame="all">
+ <tgroup cols="2">
+ <colspec colname="1" colnum="1" colsep="0" colwidth="1.125in"/>
+ <colspec colname="2" colnum="2" colsep="0" colwidth="4.000in"/>
+ <tbody>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>SIGHUP</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Causes the server to read <filename>named.conf</filename> and
+ reload the database.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>SIGTERM</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Causes the server to clean up and exit.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>SIGINT</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Causes the server to clean up and exit.
+ </para>
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+ </sect2>
+ </sect1>
</chapter>
-<chapter id="Bv9ARM.ch04">
-<title>Advanced DNS Features</title>
-
-<sect1 id="notify">
-
-<title>Notify</title>
-<para><acronym>DNS</acronym> NOTIFY is a mechanism that allows master
-servers to notify their slave servers of changes to a zone's data. In
-response to a <command>NOTIFY</command> from a master server, the
-slave will check to see that its version of the zone is the
-current version and, if not, initiate a zone transfer.</para>
-
-<para><acronym>DNS</acronym>
-For more information about
-<command>NOTIFY</command>, see the description of the
-<command>notify</command> option in <xref linkend="boolean_options"/> and
-the description of the zone option <command>also-notify</command> in
-<xref linkend="zone_transfers"/>. The <command>NOTIFY</command>
-protocol is specified in RFC 1996.
-</para>
-
-</sect1>
-
-<sect1 id="dynamic_update">
-<title>Dynamic Update</title>
-
- <para>Dynamic Update is a method for adding, replacing or deleting
- records in a master server by sending it a special form of DNS
- messages. The format and meaning of these messages is specified
- in RFC 2136.</para>
-
- <para>Dynamic update is enabled on a zone-by-zone basis, by
- including an <command>allow-update</command> or
- <command>update-policy</command> clause in the
- <command>zone</command> statement.</para>
-
- <para>Updating of secure zones (zones using DNSSEC) follows
- RFC 3007: RRSIG and NSEC records affected by updates are automatically
- regenerated by the server using an online zone key.
- Update authorization is based
- on transaction signatures and an explicit server policy.</para>
-
- <sect2 id="journal">
- <title>The journal file</title>
-
- <para>All changes made to a zone using dynamic update are stored in the
- zone's journal file. This file is automatically created by the
- server when the first dynamic update takes place. The name of
- the journal file is formed by appending the
- extension <filename>.jnl</filename> to the
- name of the corresponding zone file. The journal file is in a
- binary format and should not be edited manually.</para>
-
- <para>The server will also occasionally write ("dump")
- the complete contents of the updated zone to its zone file.
- This is not done immediately after
- each dynamic update, because that would be too slow when a large
- zone is updated frequently. Instead, the dump is delayed by
- up to 15 minutes, allowing additional updates to take place.</para>
-
- <para>When a server is restarted after a shutdown or crash, it will replay
- the journal file to incorporate into the zone any updates that took
- place after the last zone dump.</para>
-
- <para>Changes that result from incoming incremental zone transfers are also
- journalled in a similar way.</para>
-
- <para>The zone files of dynamic zones cannot normally be edited by
- hand because they are not guaranteed to contain the most recent
- dynamic changes &mdash; those are only in the journal file.
- The only way to ensure that the zone file of a dynamic zone
- is up to date is to run <command>rndc stop</command>.</para>
-
- <para>If you have to make changes to a dynamic zone
- manually, the following procedure will work: Disable dynamic updates
- to the zone using
- <command>rndc freeze <replaceable>zone</replaceable></command>.
- This will also remove the zone's <filename>.jnl</filename> file
- and update the master file. Edit the zone file. Run
- <command>rndc thaw <replaceable>zone</replaceable></command>
- to reload the changed zone and re-enable dynamic updates.</para>
-
- </sect2>
-
-</sect1>
-
-<sect1 id="incremental_zone_transfers">
-<title>Incremental Zone Transfers (IXFR)</title>
-
-<para>The incremental zone transfer (IXFR) protocol is a way for
-slave servers to transfer only changed data, instead of having to
-transfer the entire zone. The IXFR protocol is specified in RFC
-1995. See <xref linkend="proposed_standards"/>.</para>
-
-<para>When acting as a master, <acronym>BIND</acronym> 9
-supports IXFR for those zones
-where the necessary change history information is available. These
-include master zones maintained by dynamic update and slave zones
-whose data was obtained by IXFR. For manually maintained master
-zones, and for slave zones obtained by performing a full zone
-transfer (AXFR), IXFR is supported only if the option
-<command>ixfr-from-differences</command> is set
-to <userinput>yes</userinput>.
-</para>
-
-<para>When acting as a slave, <acronym>BIND</acronym> 9 will
-attempt to use IXFR unless
-it is explicitly disabled. For more information about disabling
-IXFR, see the description of the <command>request-ixfr</command> clause
-of the <command>server</command> statement.</para>
-</sect1>
-
-<sect1><title>Split DNS</title>
-<para>Setting up different views, or visibility, of the DNS space to
-internal and external resolvers is usually referred to as a <emphasis>Split
-DNS</emphasis> setup. There are several reasons an organization
-would want to set up its DNS this way.</para>
-<para>One common reason for setting up a DNS system this way is
-to hide "internal" DNS information from "external" clients on the
-Internet. There is some debate as to whether or not this is actually useful.
-Internal DNS information leaks out in many ways (via email headers,
-for example) and most savvy "attackers" can find the information
-they need using other means.</para>
-<para>Another common reason for setting up a Split DNS system is
-to allow internal networks that are behind filters or in RFC 1918
-space (reserved IP space, as documented in RFC 1918) to resolve DNS
-on the Internet. Split DNS can also be used to allow mail from outside
-back in to the internal network.</para>
-<para>Here is an example of a split DNS setup:</para>
-<para>Let's say a company named <emphasis>Example, Inc.</emphasis>
-(<literal>example.com</literal>)
-has several corporate sites that have an internal network with reserved
-Internet Protocol (IP) space and an external demilitarized zone (DMZ),
-or "outside" section of a network, that is available to the public.</para>
-<para><emphasis>Example, Inc.</emphasis> wants its internal clients
-to be able to resolve external hostnames and to exchange mail with
-people on the outside. The company also wants its internal resolvers
-to have access to certain internal-only zones that are not available
-at all outside of the internal network.</para>
-<para>In order to accomplish this, the company will set up two sets
-of name servers. One set will be on the inside network (in the reserved
-IP space) and the other set will be on bastion hosts, which are "proxy"
-hosts that can talk to both sides of its network, in the DMZ.</para>
-<para>The internal servers will be configured to forward all queries,
-except queries for <filename>site1.internal</filename>, <filename>site2.internal</filename>, <filename>site1.example.com</filename>,
-and <filename>site2.example.com</filename>, to the servers in the
-DMZ. These internal servers will have complete sets of information
-for <filename>site1.example.com</filename>, <filename>site2.example.com</filename>,<emphasis> </emphasis><filename>site1.internal</filename>,
-and <filename>site2.internal</filename>.</para>
-<para>To protect the <filename>site1.internal</filename> and <filename>site2.internal</filename> domains,
-the internal name servers must be configured to disallow all queries
-to these domains from any external hosts, including the bastion
-hosts.</para>
-<para>The external servers, which are on the bastion hosts, will
-be configured to serve the "public" version of the <filename>site1</filename> and <filename>site2.example.com</filename> zones.
-This could include things such as the host records for public servers
-(<filename>www.example.com</filename> and <filename>ftp.example.com</filename>),
-and mail exchange (MX) records (<filename>a.mx.example.com</filename> and <filename>b.mx.example.com</filename>).</para>
-<para>In addition, the public <filename>site1</filename> and <filename>site2.example.com</filename> zones
-should have special MX records that contain wildcard (`*') records
-pointing to the bastion hosts. This is needed because external mail
-servers do not have any other way of looking up how to deliver mail
-to those internal hosts. With the wildcard records, the mail will
-be delivered to the bastion host, which can then forward it on to
-internal hosts.</para>
-<para>Here's an example of a wildcard MX record:</para>
-<programlisting>* IN MX 10 external1.example.com.</programlisting>
-<para>Now that they accept mail on behalf of anything in the internal
-network, the bastion hosts will need to know how to deliver mail
-to internal hosts. In order for this to work properly, the resolvers on
-the bastion hosts will need to be configured to point to the internal
-name servers for DNS resolution.</para>
-<para>Queries for internal hostnames will be answered by the internal
-servers, and queries for external hostnames will be forwarded back
-out to the DNS servers on the bastion hosts.</para>
-<para>In order for all this to work properly, internal clients will
-need to be configured to query <emphasis>only</emphasis> the internal
-name servers for DNS queries. This could also be enforced via selective
-filtering on the network.</para>
-<para>If everything has been set properly, <emphasis>Example, Inc.</emphasis>'s
-internal clients will now be able to:</para>
-<itemizedlist><listitem>
- <simpara>Look up any hostnames in the <literal>site1</literal> and
-<literal>site2.example.com</literal> zones.</simpara></listitem>
-<listitem>
- <simpara>Look up any hostnames in the <literal>site1.internal</literal> and
-<literal>site2.internal</literal> domains.</simpara></listitem>
-<listitem>
- <simpara>Look up any hostnames on the Internet.</simpara></listitem>
-<listitem>
- <simpara>Exchange mail with both internal AND external people.</simpara></listitem></itemizedlist>
-<para>Hosts on the Internet will be able to:</para>
-<itemizedlist><listitem>
- <simpara>Look up any hostnames in the <literal>site1</literal> and
-<literal>site2.example.com</literal> zones.</simpara></listitem>
-<listitem>
- <simpara>Exchange mail with anyone in the <literal>site1</literal> and
-<literal>site2.example.com</literal> zones.</simpara></listitem></itemizedlist>
-
- <para>Here is an example configuration for the setup we just
- described above. Note that this is only configuration information;
- for information on how to configure your zone files, see <xref
- linkend="sample_configuration"/>.</para>
-
-<para>Internal DNS server config:</para>
+ <chapter id="Bv9ARM.ch04">
+ <title>Advanced DNS Features</title>
+
+ <sect1 id="notify">
+
+ <title>Notify</title>
+ <para>
+ <acronym>DNS</acronym> NOTIFY is a mechanism that allows master
+ servers to notify their slave servers of changes to a zone's data. In
+ response to a <command>NOTIFY</command> from a master server, the
+ slave will check to see that its version of the zone is the
+ current version and, if not, initiate a zone transfer.
+ </para>
+
+ <para>
+ For more information about <acronym>DNS</acronym>
+ <command>NOTIFY</command>, see the description of the
+ <command>notify</command> option in <xref linkend="boolean_options"/> and
+ the description of the zone option <command>also-notify</command> in
+ <xref linkend="zone_transfers"/>. The <command>NOTIFY</command>
+ protocol is specified in RFC 1996.
+ </para>
+
+ <note>
+ As a slave zone can also be a master to other slaves, named,
+ by default, sends <command>NOTIFY</command> messages for every zone
+ it loads. Specifying <command>notify master-only;</command> will
+ cause named to only send <command>NOTIFY</command> for master
+ zones that it loads.
+ </note>
+
+ </sect1>
+
+ <sect1 id="dynamic_update">
+ <title>Dynamic Update</title>
+
+ <para>
+ Dynamic Update is a method for adding, replacing or deleting
+ records in a master server by sending it a special form of DNS
+ messages. The format and meaning of these messages is specified
+ in RFC 2136.
+ </para>
+
+ <para>
+ Dynamic update is enabled by
+ including an <command>allow-update</command> or
+ <command>update-policy</command> clause in the
+ <command>zone</command> statement.
+ </para>
+
+ <para>
+ Updating of secure zones (zones using DNSSEC) follows
+ RFC 3007: RRSIG and NSEC records affected by updates are automatically
+ regenerated by the server using an online zone key.
+ Update authorization is based
+ on transaction signatures and an explicit server policy.
+ </para>
+
+ <sect2 id="journal">
+ <title>The journal file</title>
+
+ <para>
+ All changes made to a zone using dynamic update are stored
+ in the zone's journal file. This file is automatically created
+ by the server when the first dynamic update takes place.
+ The name of the journal file is formed by appending the extension
+ <filename>.jnl</filename> to the name of the
+ corresponding zone
+ file unless specifically overridden. The journal file is in a
+ binary format and should not be edited manually.
+ </para>
+
+ <para>
+ The server will also occasionally write ("dump")
+ the complete contents of the updated zone to its zone file.
+ This is not done immediately after
+ each dynamic update, because that would be too slow when a large
+ zone is updated frequently. Instead, the dump is delayed by
+ up to 15 minutes, allowing additional updates to take place.
+ </para>
+
+ <para>
+ When a server is restarted after a shutdown or crash, it will replay
+ the journal file to incorporate into the zone any updates that
+ took
+ place after the last zone dump.
+ </para>
+
+ <para>
+ Changes that result from incoming incremental zone transfers are
+ also
+ journalled in a similar way.
+ </para>
+
+ <para>
+ The zone files of dynamic zones cannot normally be edited by
+ hand because they are not guaranteed to contain the most recent
+ dynamic changes &mdash; those are only in the journal file.
+ The only way to ensure that the zone file of a dynamic zone
+ is up to date is to run <command>rndc stop</command>.
+ </para>
+
+ <para>
+ If you have to make changes to a dynamic zone
+ manually, the following procedure will work: Disable dynamic updates
+ to the zone using
+ <command>rndc freeze <replaceable>zone</replaceable></command>.
+ This will also remove the zone's <filename>.jnl</filename> file
+ and update the master file. Edit the zone file. Run
+ <command>rndc thaw <replaceable>zone</replaceable></command>
+ to reload the changed zone and re-enable dynamic updates.
+ </para>
+
+ </sect2>
+
+ </sect1>
+
+ <sect1 id="incremental_zone_transfers">
+ <title>Incremental Zone Transfers (IXFR)</title>
+
+ <para>
+ The incremental zone transfer (IXFR) protocol is a way for
+ slave servers to transfer only changed data, instead of having to
+ transfer the entire zone. The IXFR protocol is specified in RFC
+ 1995. See <xref linkend="proposed_standards"/>.
+ </para>
+
+ <para>
+ When acting as a master, <acronym>BIND</acronym> 9
+ supports IXFR for those zones
+ where the necessary change history information is available. These
+ include master zones maintained by dynamic update and slave zones
+ whose data was obtained by IXFR. For manually maintained master
+ zones, and for slave zones obtained by performing a full zone
+ transfer (AXFR), IXFR is supported only if the option
+ <command>ixfr-from-differences</command> is set
+ to <userinput>yes</userinput>.
+ </para>
+
+ <para>
+ When acting as a slave, <acronym>BIND</acronym> 9 will
+ attempt to use IXFR unless
+ it is explicitly disabled. For more information about disabling
+ IXFR, see the description of the <command>request-ixfr</command> clause
+ of the <command>server</command> statement.
+ </para>
+ </sect1>
+
+ <sect1>
+ <title>Split DNS</title>
+ <para>
+ Setting up different views, or visibility, of the DNS space to
+ internal and external resolvers is usually referred to as a
+ <emphasis>Split DNS</emphasis> setup. There are several
+ reasons an organization would want to set up its DNS this way.
+ </para>
+ <para>
+ One common reason for setting up a DNS system this way is
+ to hide "internal" DNS information from "external" clients on the
+ Internet. There is some debate as to whether or not this is actually
+ useful.
+ Internal DNS information leaks out in many ways (via email headers,
+ for example) and most savvy "attackers" can find the information
+ they need using other means.
+ However, since listing addresses of internal servers that
+ external clients cannot possibly reach can result in
+ connection delays and other annoyances, an organization may
+ choose to use a Split DNS to present a consistant view of itself
+ to the outside world.
+ </para>
+ <para>
+ Another common reason for setting up a Split DNS system is
+ to allow internal networks that are behind filters or in RFC 1918
+ space (reserved IP space, as documented in RFC 1918) to resolve DNS
+ on the Internet. Split DNS can also be used to allow mail from outside
+ back in to the internal network.
+ </para>
+ <para>
+ Here is an example of a split DNS setup:
+ </para>
+ <para>
+ Let's say a company named <emphasis>Example, Inc.</emphasis>
+ (<literal>example.com</literal>)
+ has several corporate sites that have an internal network with
+ reserved
+ Internet Protocol (IP) space and an external demilitarized zone (DMZ),
+ or "outside" section of a network, that is available to the public.
+ </para>
+ <para>
+ <emphasis>Example, Inc.</emphasis> wants its internal clients
+ to be able to resolve external hostnames and to exchange mail with
+ people on the outside. The company also wants its internal resolvers
+ to have access to certain internal-only zones that are not available
+ at all outside of the internal network.
+ </para>
+ <para>
+ In order to accomplish this, the company will set up two sets
+ of name servers. One set will be on the inside network (in the
+ reserved
+ IP space) and the other set will be on bastion hosts, which are
+ "proxy"
+ hosts that can talk to both sides of its network, in the DMZ.
+ </para>
+ <para>
+ The internal servers will be configured to forward all queries,
+ except queries for <filename>site1.internal</filename>, <filename>site2.internal</filename>, <filename>site1.example.com</filename>,
+ and <filename>site2.example.com</filename>, to the servers
+ in the
+ DMZ. These internal servers will have complete sets of information
+ for <filename>site1.example.com</filename>, <filename>site2.example.com</filename>,<emphasis/> <filename>site1.internal</filename>,
+ and <filename>site2.internal</filename>.
+ </para>
+ <para>
+ To protect the <filename>site1.internal</filename> and <filename>site2.internal</filename> domains,
+ the internal name servers must be configured to disallow all queries
+ to these domains from any external hosts, including the bastion
+ hosts.
+ </para>
+ <para>
+ The external servers, which are on the bastion hosts, will
+ be configured to serve the "public" version of the <filename>site1</filename> and <filename>site2.example.com</filename> zones.
+ This could include things such as the host records for public servers
+ (<filename>www.example.com</filename> and <filename>ftp.example.com</filename>),
+ and mail exchange (MX) records (<filename>a.mx.example.com</filename> and <filename>b.mx.example.com</filename>).
+ </para>
+ <para>
+ In addition, the public <filename>site1</filename> and <filename>site2.example.com</filename> zones
+ should have special MX records that contain wildcard (`*') records
+ pointing to the bastion hosts. This is needed because external mail
+ servers do not have any other way of looking up how to deliver mail
+ to those internal hosts. With the wildcard records, the mail will
+ be delivered to the bastion host, which can then forward it on to
+ internal hosts.
+ </para>
+ <para>
+ Here's an example of a wildcard MX record:
+ </para>
+ <programlisting>* IN MX 10 external1.example.com.</programlisting>
+ <para>
+ Now that they accept mail on behalf of anything in the internal
+ network, the bastion hosts will need to know how to deliver mail
+ to internal hosts. In order for this to work properly, the resolvers
+ on
+ the bastion hosts will need to be configured to point to the internal
+ name servers for DNS resolution.
+ </para>
+ <para>
+ Queries for internal hostnames will be answered by the internal
+ servers, and queries for external hostnames will be forwarded back
+ out to the DNS servers on the bastion hosts.
+ </para>
+ <para>
+ In order for all this to work properly, internal clients will
+ need to be configured to query <emphasis>only</emphasis> the internal
+ name servers for DNS queries. This could also be enforced via
+ selective
+ filtering on the network.
+ </para>
+ <para>
+ If everything has been set properly, <emphasis>Example, Inc.</emphasis>'s
+ internal clients will now be able to:
+ </para>
+ <itemizedlist>
+ <listitem>
+ <simpara>
+ Look up any hostnames in the <literal>site1</literal>
+ and
+ <literal>site2.example.com</literal> zones.
+ </simpara>
+ </listitem>
+ <listitem>
+ <simpara>
+ Look up any hostnames in the <literal>site1.internal</literal> and
+ <literal>site2.internal</literal> domains.
+ </simpara>
+ </listitem>
+ <listitem>
+ <simpara>Look up any hostnames on the Internet.</simpara>
+ </listitem>
+ <listitem>
+ <simpara>Exchange mail with both internal and external people.</simpara>
+ </listitem>
+ </itemizedlist>
+ <para>
+ Hosts on the Internet will be able to:
+ </para>
+ <itemizedlist>
+ <listitem>
+ <simpara>
+ Look up any hostnames in the <literal>site1</literal>
+ and
+ <literal>site2.example.com</literal> zones.
+ </simpara>
+ </listitem>
+ <listitem>
+ <simpara>
+ Exchange mail with anyone in the <literal>site1</literal> and
+ <literal>site2.example.com</literal> zones.
+ </simpara>
+ </listitem>
+ </itemizedlist>
+
+ <para>
+ Here is an example configuration for the setup we just
+ described above. Note that this is only configuration information;
+ for information on how to configure your zone files, see <xref linkend="sample_configuration"/>.
+ </para>
+
+ <para>
+ Internal DNS server config:
+ </para>
+
<programlisting>
acl internals { 172.16.72.0/24; 192.168.1.0/24; };
@@ -1209,7 +1899,7 @@ options {
...
forward only;
forwarders { // forward to external servers
- <varname>bastion-ips-go-here</varname>;
+ <varname>bastion-ips-go-here</varname>;
};
allow-transfer { none; }; // sample allow-transfer (no one)
allow-query { internals; externals; }; // restrict query access
@@ -1253,7 +1943,11 @@ zone "site2.internal" {
allow-transfer { internals; }
};
</programlisting>
- <para>External (bastion host) DNS server config:</para>
+
+ <para>
+ External (bastion host) DNS server config:
+ </para>
+
<programlisting>
acl internals { 172.16.72.0/24; 192.168.1.0/24; };
@@ -1263,7 +1957,8 @@ options {
...
...
allow-transfer { none; }; // sample allow-transfer (no one)
- allow-query { internals; externals; }; // restrict query access
+ allow-query { any; }; // default query access
+ allow-query-cache { internals; externals; }; // restrict cache access
allow-recursion { internals; externals; }; // restrict recursion
...
...
@@ -1272,7 +1967,6 @@ options {
zone "site1.example.com" { // sample slave zone
type master;
file "m/site1.foo.com";
- allow-query { any; };
allow-transfer { internals; externals; };
};
@@ -1280,317 +1974,458 @@ zone "site2.example.com" {
type slave;
file "s/site2.foo.com";
masters { another_bastion_host_maybe; };
- allow-query { any; };
allow-transfer { internals; externals; }
};
</programlisting>
-<para>In the <filename>resolv.conf</filename> (or equivalent) on
-the bastion host(s):</para>
+
+ <para>
+ In the <filename>resolv.conf</filename> (or equivalent) on
+ the bastion host(s):
+ </para>
+
<programlisting>
search ...
nameserver 172.16.72.2
nameserver 172.16.72.3
nameserver 172.16.72.4
</programlisting>
-</sect1>
-<sect1 id="tsig"><title>TSIG</title>
-<para>This is a short guide to setting up Transaction SIGnatures
-(TSIG) based transaction security in <acronym>BIND</acronym>. It describes changes
-to the configuration file as well as what changes are required for
-different features, including the process of creating transaction
-keys and using transaction signatures with <acronym>BIND</acronym>.</para>
-<para><acronym>BIND</acronym> primarily supports TSIG for server to server communication.
-This includes zone transfer, notify, and recursive query messages.
-Resolvers based on newer versions of <acronym>BIND</acronym> 8 have limited support
-for TSIG.</para>
-
- <para>TSIG might be most useful for dynamic update. A primary
- server for a dynamic zone should use access control to control
- updates, but IP-based access control is insufficient.
- The cryptographic access control provided by TSIG
- is far superior. The <command>nsupdate</command>
- program supports TSIG via the <option>-k</option> and
- <option>-y</option> command line options.</para>
-
-<sect2><title>Generate Shared Keys for Each Pair of Hosts</title>
-<para>A shared secret is generated to be shared between <emphasis>host1</emphasis> and <emphasis>host2</emphasis>.
-An arbitrary key name is chosen: "host1-host2.". The key name must
-be the same on both hosts.</para>
-<sect3><title>Automatic Generation</title>
-<para>The following command will generate a 128-bit (16 byte) HMAC-MD5
-key as described above. Longer keys are better, but shorter keys
-are easier to read. Note that the maximum key length is 512 bits;
-keys longer than that will be digested with MD5 to produce a
-128-bit key.</para>
- <para><userinput>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</userinput></para>
-<para>The key is in the file <filename>Khost1-host2.+157+00000.private</filename>.
-Nothing directly uses this file, but the base-64 encoded string
-following "<literal>Key:</literal>"
-can be extracted from the file and used as a shared secret:</para>
-<programlisting>Key: La/E5CjG9O+os1jq0a2jdA==</programlisting>
-<para>The string "<literal>La/E5CjG9O+os1jq0a2jdA==</literal>" can
-be used as the shared secret.</para></sect3>
-<sect3><title>Manual Generation</title>
-<para>The shared secret is simply a random sequence of bits, encoded
-in base-64. Most ASCII strings are valid base-64 strings (assuming
-the length is a multiple of 4 and only valid characters are used),
-so the shared secret can be manually generated.</para>
-<para>Also, a known string can be run through <command>mmencode</command> or
-a similar program to generate base-64 encoded data.</para></sect3></sect2>
-<sect2><title>Copying the Shared Secret to Both Machines</title>
-<para>This is beyond the scope of DNS. A secure transport mechanism
-should be used. This could be secure FTP, ssh, telephone, etc.</para></sect2>
-<sect2><title>Informing the Servers of the Key's Existence</title>
-<para>Imagine <emphasis>host1</emphasis> and <emphasis>host 2</emphasis> are
-both servers. The following is added to each server's <filename>named.conf</filename> file:</para>
+
+ </sect1>
+ <sect1 id="tsig">
+ <title>TSIG</title>
+ <para>
+ This is a short guide to setting up Transaction SIGnatures
+ (TSIG) based transaction security in <acronym>BIND</acronym>. It describes changes
+ to the configuration file as well as what changes are required for
+ different features, including the process of creating transaction
+ keys and using transaction signatures with <acronym>BIND</acronym>.
+ </para>
+ <para>
+ <acronym>BIND</acronym> primarily supports TSIG for server
+ to server communication.
+ This includes zone transfer, notify, and recursive query messages.
+ Resolvers based on newer versions of <acronym>BIND</acronym> 8 have limited support
+ for TSIG.
+ </para>
+
+ <para>
+ TSIG can also be useful for dynamic update. A primary
+ server for a dynamic zone should control access to the dynamic
+ update service, but IP-based access control is insufficient.
+ The cryptographic access control provided by TSIG
+ is far superior. The <command>nsupdate</command>
+ program supports TSIG via the <option>-k</option> and
+ <option>-y</option> command line options or inline by use
+ of the <command>key</command>.
+ </para>
+
+ <sect2>
+ <title>Generate Shared Keys for Each Pair of Hosts</title>
+ <para>
+ A shared secret is generated to be shared between <emphasis>host1</emphasis> and <emphasis>host2</emphasis>.
+ An arbitrary key name is chosen: "host1-host2.". The key name must
+ be the same on both hosts.
+ </para>
+ <sect3>
+ <title>Automatic Generation</title>
+ <para>
+ The following command will generate a 128-bit (16 byte) HMAC-MD5
+ key as described above. Longer keys are better, but shorter keys
+ are easier to read. Note that the maximum key length is 512 bits;
+ keys longer than that will be digested with MD5 to produce a
+ 128-bit key.
+ </para>
+ <para>
+ <userinput>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</userinput>
+ </para>
+ <para>
+ The key is in the file <filename>Khost1-host2.+157+00000.private</filename>.
+ Nothing directly uses this file, but the base-64 encoded string
+ following "<literal>Key:</literal>"
+ can be extracted from the file and used as a shared secret:
+ </para>
+ <programlisting>Key: La/E5CjG9O+os1jq0a2jdA==</programlisting>
+ <para>
+ The string "<literal>La/E5CjG9O+os1jq0a2jdA==</literal>" can
+ be used as the shared secret.
+ </para>
+ </sect3>
+ <sect3>
+ <title>Manual Generation</title>
+ <para>
+ The shared secret is simply a random sequence of bits, encoded
+ in base-64. Most ASCII strings are valid base-64 strings (assuming
+ the length is a multiple of 4 and only valid characters are used),
+ so the shared secret can be manually generated.
+ </para>
+ <para>
+ Also, a known string can be run through <command>mmencode</command> or
+ a similar program to generate base-64 encoded data.
+ </para>
+ </sect3>
+ </sect2>
+ <sect2>
+ <title>Copying the Shared Secret to Both Machines</title>
+ <para>
+ This is beyond the scope of DNS. A secure transport mechanism
+ should be used. This could be secure FTP, ssh, telephone, etc.
+ </para>
+ </sect2>
+ <sect2>
+ <title>Informing the Servers of the Key's Existence</title>
+ <para>
+ Imagine <emphasis>host1</emphasis> and <emphasis>host 2</emphasis>
+ are
+ both servers. The following is added to each server's <filename>named.conf</filename> file:
+ </para>
+
<programlisting>
key host1-host2. {
algorithm hmac-md5;
secret "La/E5CjG9O+os1jq0a2jdA==";
};
</programlisting>
-<para>The algorithm, hmac-md5, is the only one supported by <acronym>BIND</acronym>.
-The secret is the one generated above. Since this is a secret, it
-is recommended that either <filename>named.conf</filename> be non-world
-readable, or the key directive be added to a non-world readable
-file that is included by <filename>named.conf</filename>.</para>
-<para>At this point, the key is recognized. This means that if the
-server receives a message signed by this key, it can verify the
-signature. If the signature is successfully verified, the
-response is signed by the same key.</para></sect2>
-
-<sect2><title>Instructing the Server to Use the Key</title>
-<para>Since keys are shared between two hosts only, the server must
-be told when keys are to be used. The following is added to the <filename>named.conf</filename> file
-for <emphasis>host1</emphasis>, if the IP address of <emphasis>host2</emphasis> is
-10.1.2.3:</para>
+
+ <para>
+ The algorithm, hmac-md5, is the only one supported by <acronym>BIND</acronym>.
+ The secret is the one generated above. Since this is a secret, it
+ is recommended that either <filename>named.conf</filename> be non-world
+ readable, or the key directive be added to a non-world readable
+ file that is included by
+ <filename>named.conf</filename>.
+ </para>
+ <para>
+ At this point, the key is recognized. This means that if the
+ server receives a message signed by this key, it can verify the
+ signature. If the signature is successfully verified, the
+ response is signed by the same key.
+ </para>
+ </sect2>
+
+ <sect2>
+ <title>Instructing the Server to Use the Key</title>
+ <para>
+ Since keys are shared between two hosts only, the server must
+ be told when keys are to be used. The following is added to the <filename>named.conf</filename> file
+ for <emphasis>host1</emphasis>, if the IP address of <emphasis>host2</emphasis> is
+ 10.1.2.3:
+ </para>
+
<programlisting>
server 10.1.2.3 {
keys { host1-host2. ;};
};
</programlisting>
-<para>Multiple keys may be present, but only the first is used.
-This directive does not contain any secrets, so it may be in a world-readable
-file.</para>
-<para>If <emphasis>host1</emphasis> sends a message that is a request
-to that address, the message will be signed with the specified key. <emphasis>host1</emphasis> will
-expect any responses to signed messages to be signed with the same
-key.</para>
-<para>A similar statement must be present in <emphasis>host2</emphasis>'s
-configuration file (with <emphasis>host1</emphasis>'s address) for <emphasis>host2</emphasis> to
-sign request messages to <emphasis>host1</emphasis>.</para></sect2>
-<sect2><title>TSIG Key Based Access Control</title>
-<para><acronym>BIND</acronym> allows IP addresses and ranges to be specified in ACL
-definitions and
-<command>allow-{ query | transfer | update }</command> directives.
-This has been extended to allow TSIG keys also. The above key would
-be denoted <command>key host1-host2.</command></para>
-<para>An example of an allow-update directive would be:</para>
+
+ <para>
+ Multiple keys may be present, but only the first is used.
+ This directive does not contain any secrets, so it may be in a
+ world-readable
+ file.
+ </para>
+ <para>
+ If <emphasis>host1</emphasis> sends a message that is a request
+ to that address, the message will be signed with the specified key. <emphasis>host1</emphasis> will
+ expect any responses to signed messages to be signed with the same
+ key.
+ </para>
+ <para>
+ A similar statement must be present in <emphasis>host2</emphasis>'s
+ configuration file (with <emphasis>host1</emphasis>'s address) for <emphasis>host2</emphasis> to
+ sign request messages to <emphasis>host1</emphasis>.
+ </para>
+ </sect2>
+ <sect2>
+ <title>TSIG Key Based Access Control</title>
+ <para>
+ <acronym>BIND</acronym> allows IP addresses and ranges
+ to be specified in ACL
+ definitions and
+ <command>allow-{ query | transfer | update }</command>
+ directives.
+ This has been extended to allow TSIG keys also. The above key would
+ be denoted <command>key host1-host2.</command>
+ </para>
+ <para>
+ An example of an allow-update directive would be:
+ </para>
+
<programlisting>
allow-update { key host1-host2. ;};
</programlisting>
- <para>This allows dynamic updates to succeed only if the request
- was signed by a key named
- "<command>host1-host2.</command>".</para> <para>You may want to read about the more
- powerful <command>update-policy</command> statement in <xref
- linkend="dynamic_update_policies"/>.</para>
-
- </sect2>
- <sect2>
- <title>Errors</title>
-
- <para>The processing of TSIG signed messages can result in
- several errors. If a signed message is sent to a non-TSIG
- aware server, a FORMERR (format error) will be returned, since
- the server will not understand the record. This is a result
- of misconfiguration, since the server must be explicitly
- configured to send a TSIG signed message to a specific
- server.</para>
-
- <para>If a TSIG aware server receives a message signed by an
- unknown key, the response will be unsigned with the TSIG
- extended error code set to BADKEY. If a TSIG aware server
- receives a message with a signature that does not validate, the
- response will be unsigned with the TSIG extended error code set
- to BADSIG. If a TSIG aware server receives a message with a time
- outside of the allowed range, the response will be signed with
- the TSIG extended error code set to BADTIME, and the time values
- will be adjusted so that the response can be successfully
- verified. In any of these cases, the message's rcode is set to
- NOTAUTH (not authenticated).</para>
-
- </sect2>
- </sect1>
- <sect1>
- <title>TKEY</title>
-
- <para><command>TKEY</command> is a mechanism for automatically
- generating a shared secret between two hosts. There are several
- "modes" of <command>TKEY</command> that specify how the key is
- generated or assigned. <acronym>BIND</acronym> 9
- implements only one of these modes,
- the Diffie-Hellman key exchange. Both hosts are required to have
- a Diffie-Hellman KEY record (although this record is not required
- to be present in a zone). The <command>TKEY</command> process
- must use signed messages, signed either by TSIG or SIG(0). The
- result of <command>TKEY</command> is a shared secret that can be
- used to sign messages with TSIG. <command>TKEY</command> can also
- be used to delete shared secrets that it had previously
- generated.</para>
-
- <para>The <command>TKEY</command> process is initiated by a client
- or server by sending a signed <command>TKEY</command> query
- (including any appropriate KEYs) to a TKEY-aware server. The
- server response, if it indicates success, will contain a
- <command>TKEY</command> record and any appropriate keys. After
- this exchange, both participants have enough information to
- determine the shared secret; the exact process depends on the
- <command>TKEY</command> mode. When using the Diffie-Hellman
- <command>TKEY</command> mode, Diffie-Hellman keys are exchanged,
- and the shared secret is derived by both participants.</para>
-
- </sect1>
- <sect1>
- <title>SIG(0)</title>
-
- <para><acronym>BIND</acronym> 9 partially supports DNSSEC SIG(0)
- transaction signatures as specified in RFC 2535 and RFC2931. SIG(0)
- uses public/private keys to authenticate messages. Access control
- is performed in the same manner as TSIG keys; privileges can be
- granted or denied based on the key name.</para>
-
- <para>When a SIG(0) signed message is received, it will only be
- verified if the key is known and trusted by the server; the server
- will not attempt to locate and / or validate the key.</para>
-
- <para>SIG(0) signing of multiple-message TCP streams is not
- supported.</para>
-
- <para>The only tool shipped with <acronym>BIND</acronym> 9 that
- generates SIG(0) signed messages is <command>nsupdate</command>.</para>
-
- </sect1>
- <sect1 id="DNSSEC">
- <title>DNSSEC</title>
-
- <para>Cryptographic authentication of DNS information is possible
- through the DNS Security (<emphasis>DNSSEC-bis</emphasis>)
- extensions, defined in RFC 4033, RFC4034 and RFC4035. This
- section describes the creation and use of DNSSEC signed
- zones.</para>
-
- <para>In order to set up a DNSSEC secure zone, there are a series
- of steps which must be followed. <acronym>BIND</acronym> 9 ships
- with several tools
- that are used in this process, which are explained in more detail
- below. In all cases, the <option>-h</option> option prints a
- full list of parameters. Note that the DNSSEC tools require the
- keyset files to be in the working directory or the
- directory specified by the <option>-h</option> option, and
- that the tools shipped with BIND 9.2.x and earlier are not compatible
- with the current ones.</para>
-
- <para>There must also be communication with the administrators of
- the parent and/or child zone to transmit keys. A zone's security
- status must be indicated by the parent zone for a DNSSEC capable
- resolver to trust its data. This is done through the presence
- or absence of a <literal>DS</literal> record at the delegation
- point.</para>
-
- <para>For other servers to trust data in this zone, they must
- either be statically configured with this zone's zone key or the
- zone key of another zone above this one in the DNS tree.</para>
-
- <sect2>
- <title>Generating Keys</title>
-
- <para>The <command>dnssec-keygen</command> program is used to
- generate keys.</para>
-
- <para>A secure zone must contain one or more zone keys. The
- zone keys will sign all other records in the zone, as well as
- the zone keys of any secure delegated zones. Zone keys must
- have the same name as the zone, a name type of
- <command>ZONE</command>, and must be usable for authentication.
- It is recommended that zone keys use a cryptographic algorithm
- designated as "mandatory to implement" by the IETF; currently
- the only one is RSASHA1.</para>
-
- <para>The following command will generate a 768-bit RSASHA1 key for
- the <filename>child.example</filename> zone:</para>
-
- <para><userinput>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</userinput></para>
-
- <para>Two output files will be produced:
- <filename>Kchild.example.+005+12345.key</filename> and
- <filename>Kchild.example.+005+12345.private</filename> (where
- 12345 is an example of a key tag). The key file names contain
- the key name (<filename>child.example.</filename>), algorithm (3
- is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in this case).
- The private key (in the <filename>.private</filename> file) is
- used to generate signatures, and the public key (in the
- <filename>.key</filename> file) is used for signature
- verification.</para>
-
- <para>To generate another key with the same properties (but with
- a different key tag), repeat the above command.</para>
-
- <para>The public keys should be inserted into the zone file by
- including the <filename>.key</filename> files using
- <command>$INCLUDE</command> statements.
+ <para>
+ This allows dynamic updates to succeed only if the request
+ was signed by a key named
+ "<command>host1-host2.</command>".
+ </para>
+ <para>
+ You may want to read about the more
+ powerful <command>update-policy</command> statement in <xref linkend="dynamic_update_policies"/>.
+ </para>
+
+ </sect2>
+ <sect2>
+ <title>Errors</title>
+
+ <para>
+ The processing of TSIG signed messages can result in
+ several errors. If a signed message is sent to a non-TSIG aware
+ server, a FORMERR (format error) will be returned, since the server will not
+ understand the record. This is a result of misconfiguration,
+ since the server must be explicitly configured to send a TSIG
+ signed message to a specific server.
+ </para>
+
+ <para>
+ If a TSIG aware server receives a message signed by an
+ unknown key, the response will be unsigned with the TSIG
+ extended error code set to BADKEY. If a TSIG aware server
+ receives a message with a signature that does not validate, the
+ response will be unsigned with the TSIG extended error code set
+ to BADSIG. If a TSIG aware server receives a message with a time
+ outside of the allowed range, the response will be signed with
+ the TSIG extended error code set to BADTIME, and the time values
+ will be adjusted so that the response can be successfully
+ verified. In any of these cases, the message's rcode is set to
+ NOTAUTH (not authenticated).
+ </para>
+
+ </sect2>
+ </sect1>
+ <sect1>
+ <title>TKEY</title>
+
+ <para><command>TKEY</command>
+ is a mechanism for automatically generating a shared secret
+ between two hosts. There are several "modes" of
+ <command>TKEY</command> that specify how the key is generated
+ or assigned. <acronym>BIND</acronym> 9 implements only one of
+ these modes, the Diffie-Hellman key exchange. Both hosts are
+ required to have a Diffie-Hellman KEY record (although this
+ record is not required to be present in a zone). The
+ <command>TKEY</command> process must use signed messages,
+ signed either by TSIG or SIG(0). The result of
+ <command>TKEY</command> is a shared secret that can be used to
+ sign messages with TSIG. <command>TKEY</command> can also be
+ used to delete shared secrets that it had previously
+ generated.
</para>
- </sect2>
- <sect2>
- <title>Signing the Zone</title>
+ <para>
+ The <command>TKEY</command> process is initiated by a
+ client
+ or server by sending a signed <command>TKEY</command>
+ query
+ (including any appropriate KEYs) to a TKEY-aware server. The
+ server response, if it indicates success, will contain a
+ <command>TKEY</command> record and any appropriate keys.
+ After
+ this exchange, both participants have enough information to
+ determine the shared secret; the exact process depends on the
+ <command>TKEY</command> mode. When using the
+ Diffie-Hellman
+ <command>TKEY</command> mode, Diffie-Hellman keys are
+ exchanged,
+ and the shared secret is derived by both participants.
+ </para>
- <para>The <command>dnssec-signzone</command> program is used to
- sign a zone.</para>
+ </sect1>
+ <sect1>
+ <title>SIG(0)</title>
- <para>Any <filename>keyset</filename> files corresponding
- to secure subzones should be present. The zone signer will
- generate <literal>NSEC</literal> and <literal>RRSIG</literal>
- records for the zone, as well as <literal>DS</literal> for
- the child zones if <literal>'-d'</literal> is specified.
- If <literal>'-d'</literal> is not specified, then DS RRsets for
- the secure child zones need to be added manually.</para>
+ <para>
+ <acronym>BIND</acronym> 9 partially supports DNSSEC SIG(0)
+ transaction signatures as specified in RFC 2535 and RFC2931.
+ SIG(0)
+ uses public/private keys to authenticate messages. Access control
+ is performed in the same manner as TSIG keys; privileges can be
+ granted or denied based on the key name.
+ </para>
- <para>The following command signs the zone, assuming it is in a
- file called <filename>zone.child.example</filename>. By
- default, all zone keys which have an available private key are
- used to generate signatures.</para>
+ <para>
+ When a SIG(0) signed message is received, it will only be
+ verified if the key is known and trusted by the server; the server
+ will not attempt to locate and/or validate the key.
+ </para>
-<para><userinput>dnssec-signzone -o child.example zone.child.example</userinput></para>
+ <para>
+ SIG(0) signing of multiple-message TCP streams is not
+ supported.
+ </para>
- <para>One output file is produced:
- <filename>zone.child.example.signed</filename>. This file
- should be referenced by <filename>named.conf</filename> as the
- input file for the zone.</para>
+ <para>
+ The only tool shipped with <acronym>BIND</acronym> 9 that
+ generates SIG(0) signed messages is <command>nsupdate</command>.
+ </para>
- <para><command>dnssec-signzone</command> will also produce a
- keyset and dsset files and optionally a dlvset file. These
- are used to provide the parent zone administators with the
- <literal>DNSKEYs</literal> (or their corresponding <literal>DS</literal>
- records) that are the secure entry point to the zone.</para>
+ </sect1>
+ <sect1 id="DNSSEC">
+ <title>DNSSEC</title>
- </sect2>
+ <para>
+ Cryptographic authentication of DNS information is possible
+ through the DNS Security (<emphasis>DNSSEC-bis</emphasis>) extensions,
+ defined in RFC 4033, RFC 4034 and RFC 4035.
+ This section describes the creation and use of DNSSEC signed zones.
+ </para>
+
+ <para>
+ In order to set up a DNSSEC secure zone, there are a series
+ of steps which must be followed. <acronym>BIND</acronym>
+ 9 ships
+ with several tools
+ that are used in this process, which are explained in more detail
+ below. In all cases, the <option>-h</option> option prints a
+ full list of parameters. Note that the DNSSEC tools require the
+ keyset files to be in the working directory or the
+ directory specified by the <option>-d</option> option, and
+ that the tools shipped with BIND 9.2.x and earlier are not compatible
+ with the current ones.
+ </para>
-<sect2><title>Configuring Servers</title>
+ <para>
+ There must also be communication with the administrators of
+ the parent and/or child zone to transmit keys. A zone's security
+ status must be indicated by the parent zone for a DNSSEC capable
+ resolver to trust its data. This is done through the presence
+ or absence of a <literal>DS</literal> record at the
+ delegation
+ point.
+ </para>
+
+ <para>
+ For other servers to trust data in this zone, they must
+ either be statically configured with this zone's zone key or the
+ zone key of another zone above this one in the DNS tree.
+ </para>
+
+ <sect2>
+ <title>Generating Keys</title>
+
+ <para>
+ The <command>dnssec-keygen</command> program is used to
+ generate keys.
+ </para>
+
+ <para>
+ A secure zone must contain one or more zone keys. The
+ zone keys will sign all other records in the zone, as well as
+ the zone keys of any secure delegated zones. Zone keys must
+ have the same name as the zone, a name type of
+ <command>ZONE</command>, and must be usable for
+ authentication.
+ It is recommended that zone keys use a cryptographic algorithm
+ designated as "mandatory to implement" by the IETF; currently
+ the only one is RSASHA1.
+ </para>
+
+ <para>
+ The following command will generate a 768-bit RSASHA1 key for
+ the <filename>child.example</filename> zone:
+ </para>
+
+ <para>
+ <userinput>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</userinput>
+ </para>
+
+ <para>
+ Two output files will be produced:
+ <filename>Kchild.example.+005+12345.key</filename> and
+ <filename>Kchild.example.+005+12345.private</filename>
+ (where
+ 12345 is an example of a key tag). The key file names contain
+ the key name (<filename>child.example.</filename>),
+ algorithm (3
+ is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
+ this case).
+ The private key (in the <filename>.private</filename>
+ file) is
+ used to generate signatures, and the public key (in the
+ <filename>.key</filename> file) is used for signature
+ verification.
+ </para>
+
+ <para>
+ To generate another key with the same properties (but with
+ a different key tag), repeat the above command.
+ </para>
+
+ <para>
+ The public keys should be inserted into the zone file by
+ including the <filename>.key</filename> files using
+ <command>$INCLUDE</command> statements.
+ </para>
+
+ </sect2>
+ <sect2>
+ <title>Signing the Zone</title>
+
+ <para>
+ The <command>dnssec-signzone</command> program is used
+ to
+ sign a zone.
+ </para>
+
+ <para>
+ Any <filename>keyset</filename> files corresponding
+ to secure subzones should be present. The zone signer will
+ generate <literal>NSEC</literal> and <literal>RRSIG</literal>
+ records for the zone, as well as <literal>DS</literal>
+ for
+ the child zones if <literal>'-d'</literal> is specified.
+ If <literal>'-d'</literal> is not specified, then
+ DS RRsets for
+ the secure child zones need to be added manually.
+ </para>
+
+ <para>
+ The following command signs the zone, assuming it is in a
+ file called <filename>zone.child.example</filename>. By
+ default, all zone keys which have an available private key are
+ used to generate signatures.
+ </para>
+
+ <para>
+ <userinput>dnssec-signzone -o child.example zone.child.example</userinput>
+ </para>
+
+ <para>
+ One output file is produced:
+ <filename>zone.child.example.signed</filename>. This
+ file
+ should be referenced by <filename>named.conf</filename>
+ as the
+ input file for the zone.
+ </para>
+
+ <para><command>dnssec-signzone</command>
+ will also produce a keyset and dsset files and optionally a
+ dlvset file. These are used to provide the parent zone
+ administators with the <literal>DNSKEYs</literal> (or their
+ corresponding <literal>DS</literal> records) that are the
+ secure entry point to the zone.
+ </para>
+
+ </sect2>
+
+ <sect2>
+ <title>Configuring Servers</title>
<para>
To enable <command>named</command> to respond appropriately
to DNS requests from DNSSEC aware clients,
<command>dnssec-enable</command> must be set to yes.
- </para>
-
+ </para>
+
<para>
To enable <command>named</command> to validate answers from
- other servers <command>dnssec-enable</command> and
- some <command>trusted-keys</command> must be configured
+ other servers both <command>dnssec-enable</command> and
+ <command>dnssec-validate</command> must be set and some
+ <command>trusted-keys</command> must be configured
into <filename>named.conf</filename>.
- </para>
-
+ </para>
+
<para>
<command>trusted-keys</command> are copies of DNSKEY RRs
for zones that are used to form the first link in the
@@ -1658,6 +2493,7 @@ example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
options {
...
dnssec-enable yes;
+ dnssec-validation yes;
};
</programlisting>
@@ -1666,710 +2502,1168 @@ options {
the root key is not valid.
</note>
-</sect2>
-
-</sect1>
- <sect1>
- <title>IPv6 Support in <acronym>BIND</acronym> 9</title>
-
- <para><acronym>BIND</acronym> 9 fully supports all currently defined forms of IPv6
- name to address and address to name lookups. It will also use
- IPv6 addresses to make queries when running on an IPv6 capable
- system.</para>
-
- <para>For forward lookups, <acronym>BIND</acronym> 9 supports only AAAA
- records. The use of A6 records is deprecated by RFC 3363, and the
- support for forward lookups in <acronym>BIND</acronym> 9 is
- removed accordingly.
- However, authoritative <acronym>BIND</acronym> 9 name servers still
- load zone files containing A6 records correctly, answer queries
- for A6 records, and accept zone transfer for a zone containing A6
- records.</para>
-
- <para>For IPv6 reverse lookups, <acronym>BIND</acronym> 9 supports
- the traditional "nibble" format used in the
- <emphasis>ip6.arpa</emphasis> domain, as well as the older, deprecated
- <emphasis>ip6.int</emphasis> domain.
- <acronym>BIND</acronym> 9 formerly
- supported the "binary label" (also known as "bitstring") format.
- The support of binary labels, however, is now completely removed
- according to the changes in RFC 3363.
- Any applications in <acronym>BIND</acronym> 9 do not understand
- the format any more, and will return an error if given.
- In particular, an authoritative <acronym>BIND</acronym> 9 name
- server rejects to load a zone file containing binary labels.</para>
-
- <para>For an overview of the format and structure of IPv6 addresses,
- see <xref linkend="ipv6addresses"/>.</para>
-
- <sect2>
- <title>Address Lookups Using AAAA Records</title>
-
- <para>The AAAA record is a parallel to the IPv4 A record. It
- specifies the entire address in a single record. For
- example,</para>
+ </sect2>
+
+ </sect1>
+ <sect1>
+ <title>IPv6 Support in <acronym>BIND</acronym> 9</title>
+
+ <para>
+ <acronym>BIND</acronym> 9 fully supports all currently
+ defined forms of IPv6
+ name to address and address to name lookups. It will also use
+ IPv6 addresses to make queries when running on an IPv6 capable
+ system.
+ </para>
+
+ <para>
+ For forward lookups, <acronym>BIND</acronym> 9 supports
+ only AAAA records. RFC 3363 deprecated the use of A6 records,
+ and client-side support for A6 records was accordingly removed
+ from <acronym>BIND</acronym> 9.
+ However, authoritative <acronym>BIND</acronym> 9 name servers still
+ load zone files containing A6 records correctly, answer queries
+ for A6 records, and accept zone transfer for a zone containing A6
+ records.
+ </para>
+
+ <para>
+ For IPv6 reverse lookups, <acronym>BIND</acronym> 9 supports
+ the traditional "nibble" format used in the
+ <emphasis>ip6.arpa</emphasis> domain, as well as the older, deprecated
+ <emphasis>ip6.int</emphasis> domain.
+ Older versions of <acronym>BIND</acronym> 9
+ supported the "binary label" (also known as "bitstring") format,
+ but support of binary labels has been completely removed per
+ RFC 3363.
+ Many applications in <acronym>BIND</acronym> 9 do not understand
+ the binary label format at all any more, and will return an
+ error if given.
+ In particular, an authoritative <acronym>BIND</acronym> 9
+ name server will not load a zone file containing binary labels.
+ </para>
+
+ <para>
+ For an overview of the format and structure of IPv6 addresses,
+ see <xref linkend="ipv6addresses"/>.
+ </para>
+
+ <sect2>
+ <title>Address Lookups Using AAAA Records</title>
+
+ <para>
+ The IPv6 AAAA record is a parallel to the IPv4 A record,
+ and, unlike the deprecated A6 record, specifies the entire
+ IPv6 address in a single record. For example,
+ </para>
<programlisting>
$ORIGIN example.com.
host 3600 IN AAAA 2001:db8::1
</programlisting>
- <para>It is recommended that IPv4-in-IPv6 mapped addresses not
- be used. If a host has an IPv4 address, use an A record, not
- a AAAA, with <literal>::ffff:192.168.42.1</literal> as the
- address.</para>
- </sect2>
- <sect2>
- <title>Address to Name Lookups Using Nibble Format</title>
-
- <para>When looking up an address in nibble format, the address
- components are simply reversed, just as in IPv4, and
- <literal>ip6.arpa.</literal> is appended to the resulting name.
- For example, the following would provide reverse name lookup for
- a host with address
- <literal>2001:db8::1</literal>.</para>
+ <para>
+ Use of IPv4-in-IPv6 mapped addresses is not recommended.
+ If a host has an IPv4 address, use an A record, not
+ a AAAA, with <literal>::ffff:192.168.42.1</literal> as
+ the address.
+ </para>
+ </sect2>
+ <sect2>
+ <title>Address to Name Lookups Using Nibble Format</title>
+
+ <para>
+ When looking up an address in nibble format, the address
+ components are simply reversed, just as in IPv4, and
+ <literal>ip6.arpa.</literal> is appended to the
+ resulting name.
+ For example, the following would provide reverse name lookup for
+ a host with address
+ <literal>2001:db8::1</literal>.
+ </para>
<programlisting>
$ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR host.example.com.
</programlisting>
- </sect2>
- </sect1>
+
+ </sect2>
+ </sect1>
+ </chapter>
+
+ <chapter id="Bv9ARM.ch05">
+ <title>The <acronym>BIND</acronym> 9 Lightweight Resolver</title>
+ <sect1>
+ <title>The Lightweight Resolver Library</title>
+ <para>
+ Traditionally applications have been linked with a stub resolver
+ library that sends recursive DNS queries to a local caching name
+ server.
+ </para>
+ <para>
+ IPv6 once introduced new complexity into the resolution process,
+ such as following A6 chains and DNAME records, and simultaneous
+ lookup of IPv4 and IPv6 addresses. Though most of the complexity was
+ then removed, these are hard or impossible
+ to implement in a traditional stub resolver.
+ </para>
+ <para>
+ <acronym>BIND</acronym> 9 therefore can also provide resolution
+ services to local clients
+ using a combination of a lightweight resolver library and a resolver
+ daemon process running on the local host. These communicate using
+ a simple UDP-based protocol, the "lightweight resolver protocol"
+ that is distinct from and simpler than the full DNS protocol.
+ </para>
+ </sect1>
+ <sect1 id="lwresd">
+ <title>Running a Resolver Daemon</title>
+
+ <para>
+ To use the lightweight resolver interface, the system must
+ run the resolver daemon <command>lwresd</command> or a
+ local
+ name server configured with a <command>lwres</command>
+ statement.
+ </para>
+
+ <para>
+ By default, applications using the lightweight resolver library will
+ make
+ UDP requests to the IPv4 loopback address (127.0.0.1) on port 921.
+ The
+ address can be overridden by <command>lwserver</command>
+ lines in
+ <filename>/etc/resolv.conf</filename>.
+ </para>
+
+ <para>
+ The daemon currently only looks in the DNS, but in the future
+ it may use other sources such as <filename>/etc/hosts</filename>,
+ NIS, etc.
+ </para>
+
+ <para>
+ The <command>lwresd</command> daemon is essentially a
+ caching-only name server that responds to requests using the
+ lightweight
+ resolver protocol rather than the DNS protocol. Because it needs
+ to run on each host, it is designed to require no or minimal
+ configuration.
+ Unless configured otherwise, it uses the name servers listed on
+ <command>nameserver</command> lines in <filename>/etc/resolv.conf</filename>
+ as forwarders, but is also capable of doing the resolution
+ autonomously if
+ none are specified.
+ </para>
+ <para>
+ The <command>lwresd</command> daemon may also be
+ configured with a
+ <filename>named.conf</filename> style configuration file,
+ in
+ <filename>/etc/lwresd.conf</filename> by default. A name
+ server may also
+ be configured to act as a lightweight resolver daemon using the
+ <command>lwres</command> statement in <filename>named.conf</filename>.
+ </para>
+
+ </sect1>
</chapter>
- <chapter id="Bv9ARM.ch05"><title>The <acronym>BIND</acronym> 9 Lightweight Resolver</title>
-<sect1><title>The Lightweight Resolver Library</title>
-<para>Traditionally applications have been linked with a stub resolver
-library that sends recursive DNS queries to a local caching name
-server.</para>
-<para>IPv6 once introduced new complexity into the resolution process,
-such as following A6 chains and DNAME records, and simultaneous
-lookup of IPv4 and IPv6 addresses. Though most of the complexity was
-then removed, these are hard or impossible
-to implement in a traditional stub resolver.</para>
-<para>Instead, <acronym>BIND</acronym> 9 provides resolution services to local clients
-using a combination of a lightweight resolver library and a resolver
-daemon process running on the local host. These communicate using
-a simple UDP-based protocol, the "lightweight resolver protocol"
-that is distinct from and simpler than the full DNS protocol.</para></sect1>
-<sect1 id="lwresd"><title>Running a Resolver Daemon</title>
-
-<para>To use the lightweight resolver interface, the system must
-run the resolver daemon <command>lwresd</command> or a local
-name server configured with a <command>lwres</command> statement.</para>
-
-<para>By default, applications using the lightweight resolver library will make
-UDP requests to the IPv4 loopback address (127.0.0.1) on port 921. The
-address can be overridden by <command>lwserver</command> lines in
-<filename>/etc/resolv.conf</filename>.</para>
-
-<para>The daemon currently only looks in the DNS, but in the future
-it may use other sources such as <filename>/etc/hosts</filename>,
-NIS, etc.</para>
-
-<para>The <command>lwresd</command> daemon is essentially a
-caching-only name server that responds to requests using the lightweight
-resolver protocol rather than the DNS protocol. Because it needs
-to run on each host, it is designed to require no or minimal configuration.
-Unless configured otherwise, it uses the name servers listed on
-<command>nameserver</command> lines in <filename>/etc/resolv.conf</filename>
-as forwarders, but is also capable of doing the resolution autonomously if
-none are specified.</para>
-<para>The <command>lwresd</command> daemon may also be configured with a
-<filename>named.conf</filename> style configuration file, in
-<filename>/etc/lwresd.conf</filename> by default. A name server may also
-be configured to act as a lightweight resolver daemon using the
-<command>lwres</command> statement in <filename>named.conf</filename>.</para>
-
-</sect1></chapter>
-
-<chapter id="Bv9ARM.ch06"><title><acronym>BIND</acronym> 9 Configuration Reference</title>
-
-<para><acronym>BIND</acronym> 9 configuration is broadly similar
-to <acronym>BIND</acronym> 8; however, there are a few new areas
-of configuration, such as views. <acronym>BIND</acronym>
-8 configuration files should work with few alterations in <acronym>BIND</acronym>
-9, although more complex configurations should be reviewed to check
-if they can be more efficiently implemented using the new features
-found in <acronym>BIND</acronym> 9.</para>
-
-<para><acronym>BIND</acronym> 4 configuration files can be converted to the new format
-using the shell script
-<filename>contrib/named-bootconf/named-bootconf.sh</filename>.</para>
-<sect1 id="configuration_file_elements"><title>Configuration File Elements</title>
-<para>Following is a list of elements used throughout the <acronym>BIND</acronym> configuration
-file documentation:</para>
-<informaltable colsep = "0" rowsep = "0"><tgroup cols = "2"
- colsep = "0" rowsep = "0" tgroupstyle = "2Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.855in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.770in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>acl_name</varname></para></entry>
-<entry colname = "2"><para>The name of an <varname>address_match_list</varname> as
-defined by the <command>acl</command> statement.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>address_match_list</varname></para></entry>
-<entry colname = "2"><para>A list of one or more <varname>ip_addr</varname>,
-<varname>ip_prefix</varname>, <varname>key_id</varname>,
-or <varname>acl_name</varname> elements, see
-<xref linkend="address_match_lists"/>.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>domain_name</varname></para></entry>
-<entry colname = "2"><para>A quoted string which will be used as
-a DNS name, for example "<literal>my.test.domain</literal>".</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>dotted_decimal</varname></para></entry>
-<entry colname = "2"><para>One to four integers valued 0 through
-255 separated by dots (`.'), such as <command>123</command>,
-<command>45.67</command> or <command>89.123.45.67</command>.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>ip4_addr</varname></para></entry>
-<entry colname = "2"><para>An IPv4 address with exactly four elements
-in <varname>dotted_decimal</varname> notation.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>ip6_addr</varname></para></entry>
-<entry colname = "2"><para>An IPv6 address, such as <command>2001:db8::1234</command>.
-IPv6 scoped addresses that have ambiguity on their scope zones must be
-disambiguated by an appropriate zone ID with the percent character
-(`%') as delimiter.
-It is strongly recommended to use string zone names rather than
-numeric identifiers, in order to be robust against system
-configuration changes.
-However, since there is no standard mapping for such names and
-identifier values, currently only interface names as link identifiers
-are supported, assuming one-to-one mapping between interfaces and links.
-For example, a link-local address <command>fe80::1</command> on the
-link attached to the interface <command>ne0</command>
-can be specified as <command>fe80::1%ne0</command>.
-Note that on most systems link-local addresses always have the
-ambiguity, and need to be disambiguated.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>ip_addr</varname></para></entry>
-<entry colname = "2"><para>An <varname>ip4_addr</varname> or <varname>ip6_addr</varname>.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>ip_port</varname></para></entry>
-<entry colname = "2"><para>An IP port <varname>number</varname>.
-<varname>number</varname> is limited to 0 through 65535, with values
-below 1024 typically restricted to use by processes running as root.
-In some cases, an asterisk (`*') character can be used as a placeholder to
-select a random high-numbered port.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>ip_prefix</varname></para></entry>
-<entry colname = "2"><para>An IP network specified as an <varname>ip_addr</varname>,
-followed by a slash (`/') and then the number of bits in the netmask.
-Trailing zeros in a <varname>ip_addr</varname> may omitted.
-For example, <command>127/8</command> is the network <command>127.0.0.0</command> with
-netmask <command>255.0.0.0</command> and <command>1.2.3.0/28</command> is
-network <command>1.2.3.0</command> with netmask <command>255.255.255.240</command>.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>key_id</varname></para></entry>
-<entry colname = "2"><para>A <varname>domain_name</varname> representing
-the name of a shared key, to be used for transaction security.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>key_list</varname></para></entry>
-<entry colname = "2"><para>A list of one or more <varname>key_id</varname>s,
-separated by semicolons and ending with a semicolon.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>number</varname></para></entry>
-<entry colname = "2"><para>A non-negative 32-bit integer
-(i.e., a number between 0 and 4294967295, inclusive).
-Its acceptable value might further
-be limited by the context in which it is used.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>path_name</varname></para></entry>
-<entry colname = "2"><para>A quoted string which will be used as
-a pathname, such as <filename>zones/master/my.test.domain</filename>.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>size_spec</varname></para></entry>
-<entry colname = "2"><para>A number, the word <userinput>unlimited</userinput>,
-or the word <userinput>default</userinput>.</para><para>
-An <varname>unlimited</varname> <varname>size_spec</varname> requests unlimited
-use, or the maximum available amount. A <varname>default size_spec</varname> uses
-the limit that was in force when the server was started.</para><para>A <varname>number</varname> can
-optionally be followed by a scaling factor: <userinput>K</userinput> or <userinput>k</userinput> for
-kilobytes, <userinput>M</userinput> or <userinput>m</userinput> for
-megabytes, and <userinput>G</userinput> or <userinput>g</userinput> for gigabytes,
-which scale by 1024, 1024*1024, and 1024*1024*1024 respectively.</para>
-<para>The value must be representable as a 64-bit unsigned integer
-(0 to 18446744073709551615, inclusive).
-Using <varname>unlimited</varname> is the best way
-to safely set a really large number.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>yes_or_no</varname></para></entry>
-<entry colname = "2"><para>Either <userinput>yes</userinput> or <userinput>no</userinput>.
-The words <userinput>true</userinput> and <userinput>false</userinput> are
-also accepted, as are the numbers <userinput>1</userinput> and <userinput>0</userinput>.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>dialup_option</varname></para></entry>
-<entry colname = "2"><para>One of <userinput>yes</userinput>,
-<userinput>no</userinput>, <userinput>notify</userinput>,
-<userinput>notify-passive</userinput>, <userinput>refresh</userinput> or
-<userinput>passive</userinput>.
-When used in a zone, <userinput>notify-passive</userinput>,
-<userinput>refresh</userinput>, and <userinput>passive</userinput>
-are restricted to slave and stub zones.</para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-<sect2 id="address_match_lists"><title>Address Match Lists</title>
-<sect3><title>Syntax</title>
- <programlisting><varname>address_match_list</varname> = address_match_list_element ;
+ <chapter id="Bv9ARM.ch06">
+ <title><acronym>BIND</acronym> 9 Configuration Reference</title>
+
+ <para>
+ <acronym>BIND</acronym> 9 configuration is broadly similar
+ to <acronym>BIND</acronym> 8; however, there are a few new
+ areas
+ of configuration, such as views. <acronym>BIND</acronym>
+ 8 configuration files should work with few alterations in <acronym>BIND</acronym>
+ 9, although more complex configurations should be reviewed to check
+ if they can be more efficiently implemented using the new features
+ found in <acronym>BIND</acronym> 9.
+ </para>
+
+ <para>
+ <acronym>BIND</acronym> 4 configuration files can be
+ converted to the new format
+ using the shell script
+ <filename>contrib/named-bootconf/named-bootconf.sh</filename>.
+ </para>
+ <sect1 id="configuration_file_elements">
+ <title>Configuration File Elements</title>
+ <para>
+ Following is a list of elements used throughout the <acronym>BIND</acronym> configuration
+ file documentation:
+ </para>
+ <informaltable colsep="0" rowsep="0">
+ <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="2Level-table">
+ <colspec colname="1" colnum="1" colsep="0" colwidth="1.855in"/>
+ <colspec colname="2" colnum="2" colsep="0" colwidth="3.770in"/>
+ <tbody>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>acl_name</varname>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ The name of an <varname>address_match_list</varname> as
+ defined by the <command>acl</command> statement.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>address_match_list</varname>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ A list of one or more
+ <varname>ip_addr</varname>,
+ <varname>ip_prefix</varname>, <varname>key_id</varname>,
+ or <varname>acl_name</varname> elements, see
+ <xref linkend="address_match_lists"/>.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>masters_list</varname>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ A named list of one or more <varname>ip_addr</varname>
+ with optional <varname>key_id</varname> and/or
+ <varname>ip_port</varname>.
+ A <varname>masters_list</varname> may include other
+ <varname>masters_lists</varname>.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>domain_name</varname>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ A quoted string which will be used as
+ a DNS name, for example "<literal>my.test.domain</literal>".
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>dotted_decimal</varname>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ One to four integers valued 0 through
+ 255 separated by dots (`.'), such as <command>123</command>,
+ <command>45.67</command> or <command>89.123.45.67</command>.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>ip4_addr</varname>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ An IPv4 address with exactly four elements
+ in <varname>dotted_decimal</varname> notation.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>ip6_addr</varname>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ An IPv6 address, such as <command>2001:db8::1234</command>.
+ IPv6 scoped addresses that have ambiguity on their scope
+ zones must be
+ disambiguated by an appropriate zone ID with the percent
+ character
+ (`%') as delimiter.
+ It is strongly recommended to use string zone names rather
+ than
+ numeric identifiers, in order to be robust against system
+ configuration changes.
+ However, since there is no standard mapping for such names
+ and
+ identifier values, currently only interface names as link
+ identifiers
+ are supported, assuming one-to-one mapping between
+ interfaces and links.
+ For example, a link-local address <command>fe80::1</command> on the
+ link attached to the interface <command>ne0</command>
+ can be specified as <command>fe80::1%ne0</command>.
+ Note that on most systems link-local addresses always have
+ the
+ ambiguity, and need to be disambiguated.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>ip_addr</varname>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ An <varname>ip4_addr</varname> or <varname>ip6_addr</varname>.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>ip_port</varname>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ An IP port <varname>number</varname>.
+ <varname>number</varname> is limited to 0
+ through 65535, with values
+ below 1024 typically restricted to use by processes running
+ as root.
+ In some cases, an asterisk (`*') character can be used as a
+ placeholder to
+ select a random high-numbered port.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>ip_prefix</varname>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ An IP network specified as an <varname>ip_addr</varname>,
+ followed by a slash (`/') and then the number of bits in the
+ netmask.
+ Trailing zeros in a <varname>ip_addr</varname>
+ may omitted.
+ For example, <command>127/8</command> is the
+ network <command>127.0.0.0</command> with
+ netmask <command>255.0.0.0</command> and <command>1.2.3.0/28</command> is
+ network <command>1.2.3.0</command> with netmask <command>255.255.255.240</command>.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>key_id</varname>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ A <varname>domain_name</varname> representing
+ the name of a shared key, to be used for transaction
+ security.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>key_list</varname>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ A list of one or more
+ <varname>key_id</varname>s,
+ separated by semicolons and ending with a semicolon.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>number</varname>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ A non-negative 32-bit integer
+ (i.e., a number between 0 and 4294967295, inclusive).
+ Its acceptable value might further
+ be limited by the context in which it is used.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>path_name</varname>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ A quoted string which will be used as
+ a pathname, such as <filename>zones/master/my.test.domain</filename>.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>size_spec</varname>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ A number, the word <userinput>unlimited</userinput>,
+ or the word <userinput>default</userinput>.
+ </para>
+ <para>
+ An <varname>unlimited</varname> <varname>size_spec</varname> requests unlimited
+ use, or the maximum available amount. A <varname>default size_spec</varname> uses
+ the limit that was in force when the server was started.
+ </para>
+ <para>
+ A <varname>number</varname> can optionally be
+ followed by a scaling factor:
+ <userinput>K</userinput> or <userinput>k</userinput>
+ for kilobytes,
+ <userinput>M</userinput> or <userinput>m</userinput>
+ for megabytes, and
+ <userinput>G</userinput> or <userinput>g</userinput> for gigabytes,
+ which scale by 1024, 1024*1024, and 1024*1024*1024
+ respectively.
+ </para>
+ <para>
+ The value must be representable as a 64-bit unsigned integer
+ (0 to 18446744073709551615, inclusive).
+ Using <varname>unlimited</varname> is the best
+ way
+ to safely set a really large number.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>yes_or_no</varname>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Either <userinput>yes</userinput> or <userinput>no</userinput>.
+ The words <userinput>true</userinput> and <userinput>false</userinput> are
+ also accepted, as are the numbers <userinput>1</userinput>
+ and <userinput>0</userinput>.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>dialup_option</varname>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ One of <userinput>yes</userinput>,
+ <userinput>no</userinput>, <userinput>notify</userinput>,
+ <userinput>notify-passive</userinput>, <userinput>refresh</userinput> or
+ <userinput>passive</userinput>.
+ When used in a zone, <userinput>notify-passive</userinput>,
+ <userinput>refresh</userinput>, and <userinput>passive</userinput>
+ are restricted to slave and stub zones.
+ </para>
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+ <sect2 id="address_match_lists">
+ <title>Address Match Lists</title>
+ <sect3>
+ <title>Syntax</title>
+
+<programlisting><varname>address_match_list</varname> = address_match_list_element ;
<optional> address_match_list_element; ... </optional>
<varname>address_match_list_element</varname> = <optional> ! </optional> (ip_address <optional>/length</optional> |
key key_id | acl_name | { address_match_list } )
</programlisting>
-</sect3>
-<sect3><title>Definition and Usage</title>
-<para>Address match lists are primarily used to determine access
-control for various server operations. They are also used in
-the <command>listen-on</command> and <command>sortlist</command>
-statements. The elements
-which constitute an address match list can be any of the following:</para>
-<itemizedlist><listitem>
- <simpara>an IP address (IPv4 or IPv6)</simpara></listitem>
-<listitem>
- <simpara>an IP prefix (in `/' notation)</simpara></listitem>
-<listitem>
- <simpara>a key ID, as defined by the <command>key</command> statement</simpara></listitem>
-<listitem>
- <simpara>the name of an address match list defined with
-the <command>acl</command> statement</simpara></listitem>
-<listitem>
- <simpara>a nested address match list enclosed in braces</simpara></listitem></itemizedlist>
-
-<para>Elements can be negated with a leading exclamation mark (`!'),
-and the match list names "any", "none", "localhost", and "localnets"
-are predefined. More information on those names can be found in
-the description of the acl statement.</para>
-
-<para>The addition of the key clause made the name of this syntactic
-element something of a misnomer, since security keys can be used
-to validate access without regard to a host or network address. Nonetheless,
-the term "address match list" is still used throughout the documentation.</para>
-
-<para>When a given IP address or prefix is compared to an address
-match list, the list is traversed in order until an element matches.
-The interpretation of a match depends on whether the list is being used
-for access control, defining listen-on ports, or in a sortlist,
-and whether the element was negated.</para>
-
-<para>When used as an access control list, a non-negated match allows
-access and a negated match denies access. If there is no match,
-access is denied. The clauses <command>allow-notify</command>,
-<command>allow-query</command>, <command>allow-transfer</command>,
-<command>allow-update</command>, <command>allow-update-forwarding</command>,
-and <command>blackhole</command> all
-use address match lists this. Similarly, the listen-on option will cause
-the server to not accept queries on any of the machine's addresses
-which do not match the list.</para>
-
-<para>Because of the first-match aspect of the algorithm, an element
-that defines a subset of another element in the list should come
-before the broader element, regardless of whether either is negated. For
-example, in
-<command>1.2.3/24; ! 1.2.3.13;</command> the 1.2.3.13 element is
-completely useless because the algorithm will match any lookup for
-1.2.3.13 to the 1.2.3/24 element.
-Using <command>! 1.2.3.13; 1.2.3/24</command> fixes
-that problem by having 1.2.3.13 blocked by the negation but all
-other 1.2.3.* hosts fall through.</para>
-</sect3>
-</sect2>
-
-<sect2>
-<title>Comment Syntax</title>
-
-<para>The <acronym>BIND</acronym> 9 comment syntax allows for comments to appear
-anywhere that white space may appear in a <acronym>BIND</acronym> configuration
-file. To appeal to programmers of all kinds, they can be written
-in the C, C++, or shell/perl style.</para>
-
-<sect3>
-<title>Syntax</title>
-
-<para><programlisting>/* This is a <acronym>BIND</acronym> comment as in C */</programlisting>
-<programlisting>// This is a <acronym>BIND</acronym> comment as in C++</programlisting>
-<programlisting># This is a <acronym>BIND</acronym> comment as in common UNIX shells and perl</programlisting>
- </para>
- </sect3>
- <sect3>
- <title>Definition and Usage</title>
-<para>Comments may appear anywhere that white space may appear in
-a <acronym>BIND</acronym> configuration file.</para>
-<para>C-style comments start with the two characters /* (slash,
-star) and end with */ (star, slash). Because they are completely
-delimited with these characters, they can be used to comment only
-a portion of a line or to span multiple lines.</para>
-<para>C-style comments cannot be nested. For example, the following
-is not valid because the entire comment ends with the first */:</para>
- <para><programlisting>/* This is the start of a comment.
+
+ </sect3>
+ <sect3>
+ <title>Definition and Usage</title>
+ <para>
+ Address match lists are primarily used to determine access
+ control for various server operations. They are also used in
+ the <command>listen-on</command> and <command>sortlist</command>
+ statements. The elements
+ which constitute an address match list can be any of the
+ following:
+ </para>
+ <itemizedlist>
+ <listitem>
+ <simpara>an IP address (IPv4 or IPv6)</simpara>
+ </listitem>
+ <listitem>
+ <simpara>an IP prefix (in `/' notation)</simpara>
+ </listitem>
+ <listitem>
+ <simpara>
+ a key ID, as defined by the <command>key</command>
+ statement
+ </simpara>
+ </listitem>
+ <listitem>
+ <simpara>the name of an address match list defined with
+ the <command>acl</command> statement
+ </simpara>
+ </listitem>
+ <listitem>
+ <simpara>a nested address match list enclosed in braces</simpara>
+ </listitem>
+ </itemizedlist>
+
+ <para>
+ Elements can be negated with a leading exclamation mark (`!'),
+ and the match list names "any", "none", "localhost", and
+ "localnets"
+ are predefined. More information on those names can be found in
+ the description of the acl statement.
+ </para>
+
+ <para>
+ The addition of the key clause made the name of this syntactic
+ element something of a misnomer, since security keys can be used
+ to validate access without regard to a host or network address.
+ Nonetheless,
+ the term "address match list" is still used throughout the
+ documentation.
+ </para>
+
+ <para>
+ When a given IP address or prefix is compared to an address
+ match list, the list is traversed in order until an element
+ matches.
+ The interpretation of a match depends on whether the list is being
+ used
+ for access control, defining listen-on ports, or in a sortlist,
+ and whether the element was negated.
+ </para>
+
+ <para>
+ When used as an access control list, a non-negated match
+ allows access and a negated match denies access. If
+ there is no match, access is denied. The clauses
+ <command>allow-notify</command>,
+ <command>allow-query</command>,
+ <command>allow-query-cache</command>,
+ <command>allow-transfer</command>,
+ <command>allow-update</command>,
+ <command>allow-update-forwarding</command>, and
+ <command>blackhole</command> all use address match
+ lists. Similarly, the listen-on option will cause the
+ server to not accept queries on any of the machine's
+ addresses which do not match the list.
+ </para>
+
+ <para>
+ Because of the first-match aspect of the algorithm, an element
+ that defines a subset of another element in the list should come
+ before the broader element, regardless of whether either is
+ negated. For
+ example, in
+ <command>1.2.3/24; ! 1.2.3.13;</command> the 1.2.3.13
+ element is
+ completely useless because the algorithm will match any lookup for
+ 1.2.3.13 to the 1.2.3/24 element.
+ Using <command>! 1.2.3.13; 1.2.3/24</command> fixes
+ that problem by having 1.2.3.13 blocked by the negation but all
+ other 1.2.3.* hosts fall through.
+ </para>
+ </sect3>
+ </sect2>
+
+ <sect2>
+ <title>Comment Syntax</title>
+
+ <para>
+ The <acronym>BIND</acronym> 9 comment syntax allows for
+ comments to appear
+ anywhere that white space may appear in a <acronym>BIND</acronym> configuration
+ file. To appeal to programmers of all kinds, they can be written
+ in the C, C++, or shell/perl style.
+ </para>
+
+ <sect3>
+ <title>Syntax</title>
+
+ <para>
+ <programlisting>/* This is a <acronym>BIND</acronym> comment as in C */</programlisting>
+ <programlisting>// This is a <acronym>BIND</acronym> comment as in C++</programlisting>
+ <programlisting># This is a <acronym>BIND</acronym> comment as in common UNIX shells and perl</programlisting>
+ </para>
+ </sect3>
+ <sect3>
+ <title>Definition and Usage</title>
+ <para>
+ Comments may appear anywhere that white space may appear in
+ a <acronym>BIND</acronym> configuration file.
+ </para>
+ <para>
+ C-style comments start with the two characters /* (slash,
+ star) and end with */ (star, slash). Because they are completely
+ delimited with these characters, they can be used to comment only
+ a portion of a line or to span multiple lines.
+ </para>
+ <para>
+ C-style comments cannot be nested. For example, the following
+ is not valid because the entire comment ends with the first */:
+ </para>
+ <para>
+
+<programlisting>/* This is the start of a comment.
This is still part of the comment.
/* This is an incorrect attempt at nesting a comment. */
This is no longer in any comment. */
-</programlisting></para>
-
-<para>C++-style comments start with the two characters // (slash,
-slash) and continue to the end of the physical line. They cannot
-be continued across multiple physical lines; to have one logical
-comment span multiple lines, each line must use the // pair.</para>
-<para>For example:</para>
- <para><programlisting>// This is the start of a comment. The next line
+</programlisting>
+
+ </para>
+
+ <para>
+ C++-style comments start with the two characters // (slash,
+ slash) and continue to the end of the physical line. They cannot
+ be continued across multiple physical lines; to have one logical
+ comment span multiple lines, each line must use the // pair.
+ </para>
+ <para>
+ For example:
+ </para>
+ <para>
+
+<programlisting>// This is the start of a comment. The next line
// is a new comment, even though it is logically
// part of the previous comment.
-</programlisting></para>
-<para>Shell-style (or perl-style, if you prefer) comments start
-with the character <literal>#</literal> (number sign) and continue to the end of the
-physical line, as in C++ comments.</para>
-<para>For example:</para>
+</programlisting>
-<para><programlisting># This is the start of a comment. The next line
+ </para>
+ <para>
+ Shell-style (or perl-style, if you prefer) comments start
+ with the character <literal>#</literal> (number sign)
+ and continue to the end of the
+ physical line, as in C++ comments.
+ </para>
+ <para>
+ For example:
+ </para>
+
+ <para>
+
+<programlisting># This is the start of a comment. The next line
# is a new comment, even though it is logically
# part of the previous comment.
</programlisting>
-</para>
-
-<warning>
- <para>You cannot use the semicolon (`;') character
- to start a comment such as you would in a zone file. The
- semicolon indicates the end of a configuration
- statement.</para>
-</warning>
-</sect3>
-</sect2>
-</sect1>
-
-<sect1 id="Configuration_File_Grammar">
-<title>Configuration File Grammar</title>
-
- <para>A <acronym>BIND</acronym> 9 configuration consists of statements and comments.
- Statements end with a semicolon. Statements and comments are the
- only elements that can appear without enclosing braces. Many
- statements contain a block of sub-statements, which are also
- terminated with a semicolon.</para>
-
- <para>The following statements are supported:</para>
-
- <informaltable colsep = "0" rowsep = "0">
- <tgroup cols = "2" colsep = "0" rowsep = "0" tgroupstyle =
- "2Level-table">
- <colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.336in"/>
- <colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.778in"/>
- <tbody>
- <row rowsep = "0">
- <entry colname = "1"><para><command>acl</command></para></entry>
- <entry colname = "2"><para>defines a named IP address
-matching list, for access control and other uses.</para></entry>
- </row>
- <row rowsep = "0">
- <entry colname = "1"><para><command>controls</command></para></entry>
- <entry colname = "2"><para>declares control channels to be used
-by the <command>rndc</command> utility.</para></entry>
- </row>
- <row rowsep = "0">
- <entry colname = "1"><para><command>include</command></para></entry>
- <entry colname = "2"><para>includes a file.</para></entry>
- </row>
- <row rowsep = "0">
- <entry colname = "1"><para><command>key</command></para></entry>
- <entry colname = "2"><para>specifies key information for use in
-authentication and authorization using TSIG.</para></entry>
- </row>
- <row rowsep = "0">
- <entry colname = "1"><para><command>logging</command></para></entry>
- <entry colname = "2"><para>specifies what the server logs, and where
-the log messages are sent.</para></entry>
- </row>
- <row rowsep = "0">
- <entry colname = "1"><para><command>lwres</command></para></entry>
- <entry colname = "2"><para>configures <command>named</command> to
-also act as a light-weight resolver daemon (<command>lwresd</command>).</para></entry>
- </row>
- <row rowsep = "0">
- <entry colname = "1"><para><command>masters</command></para></entry>
- <entry colname = "2"><para>defines a named masters list for
-inclusion in stub and slave zone masters clauses.</para></entry>
- </row>
- <row rowsep = "0">
- <entry colname = "1"><para><command>options</command></para></entry>
- <entry colname = "2"><para>controls global server configuration
-options and sets defaults for other statements.</para></entry>
- </row>
- <row rowsep = "0">
- <entry colname = "1"><para><command>server</command></para></entry>
- <entry colname = "2"><para>sets certain configuration options on
-a per-server basis.</para></entry>
- </row>
- <row rowsep = "0">
- <entry colname = "1"><para><command>trusted-keys</command></para></entry>
- <entry colname = "2"><para>defines trusted DNSSEC keys.</para></entry>
- </row>
- <row rowsep = "0">
- <entry colname = "1"><para><command>view</command></para></entry>
- <entry colname = "2"><para>defines a view.</para></entry>
- </row>
- <row rowsep = "0">
- <entry colname = "1"><para><command>zone</command></para></entry>
- <entry colname = "2"><para>defines a zone.</para></entry>
- </row>
- </tbody>
- </tgroup></informaltable>
-
- <para>The <command>logging</command> and
- <command>options</command> statements may only occur once per
- configuration.</para>
-
- <sect2>
- <title><command>acl</command> Statement Grammar</title>
-
- <programlisting><command>acl</command> acl-name {
- address_match_list
+
+ </para>
+
+ <warning>
+ <para>
+ You cannot use the semicolon (`;') character
+ to start a comment such as you would in a zone file. The
+ semicolon indicates the end of a configuration
+ statement.
+ </para>
+ </warning>
+ </sect3>
+ </sect2>
+ </sect1>
+
+ <sect1 id="Configuration_File_Grammar">
+ <title>Configuration File Grammar</title>
+
+ <para>
+ A <acronym>BIND</acronym> 9 configuration consists of
+ statements and comments.
+ Statements end with a semicolon. Statements and comments are the
+ only elements that can appear without enclosing braces. Many
+ statements contain a block of sub-statements, which are also
+ terminated with a semicolon.
+ </para>
+
+ <para>
+ The following statements are supported:
+ </para>
+
+ <informaltable colsep="0" rowsep="0">
+ <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="2Level-table">
+ <colspec colname="1" colnum="1" colsep="0" colwidth="1.336in"/>
+ <colspec colname="2" colnum="2" colsep="0" colwidth="3.778in"/>
+ <tbody>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>acl</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ defines a named IP address
+ matching list, for access control and other uses.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>controls</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ declares control channels to be used
+ by the <command>rndc</command> utility.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>include</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ includes a file.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>key</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ specifies key information for use in
+ authentication and authorization using TSIG.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>logging</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ specifies what the server logs, and where
+ the log messages are sent.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>lwres</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ configures <command>named</command> to
+ also act as a light-weight resolver daemon (<command>lwresd</command>).
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>masters</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ defines a named masters list for
+ inclusion in stub and slave zone masters clauses.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>options</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ controls global server configuration
+ options and sets defaults for other statements.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>server</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ sets certain configuration options on
+ a per-server basis.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>trusted-keys</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ defines trusted DNSSEC keys.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>view</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ defines a view.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>zone</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ defines a zone.
+ </para>
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>
+ The <command>logging</command> and
+ <command>options</command> statements may only occur once
+ per
+ configuration.
+ </para>
+
+ <sect2>
+ <title><command>acl</command> Statement Grammar</title>
+
+<programlisting><command>acl</command> acl-name {
+ address_match_list
};
</programlisting>
- </sect2>
- <sect2 id="acl">
- <title><command>acl</command> Statement Definition and
-Usage</title>
-
- <para>The <command>acl</command> statement assigns a symbolic
- name to an address match list. It gets its name from a primary
- use of address match lists: Access Control Lists (ACLs).</para>
-
- <para>Note that an address match list's name must be defined
- with <command>acl</command> before it can be used elsewhere; no
- forward references are allowed.</para>
-
- <para>The following ACLs are built-in:</para>
-
-<informaltable colsep = "0" rowsep = "0"><tgroup cols = "2"
- colsep = "0" rowsep = "0" tgroupstyle = "3Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.130in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.000in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para><command>any</command></para></entry>
-<entry colname = "2"><para>Matches all hosts.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>none</command></para></entry>
-<entry colname = "2"><para>Matches no hosts.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>localhost</command></para></entry>
-<entry colname = "2"><para>Matches the IPv4 and IPv6 addresses of all network
-interfaces on the system.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>localnets</command></para></entry>
-<entry colname = "2"><para>Matches any host on an IPv4 or IPv6 network
-for which the system has an interface.
-Some systems do not provide a way to determine the prefix lengths of
-local IPv6 addresses.
-In such a case, <command>localnets</command> only matches the local
-IPv6 addresses, just like <command>localhost</command>.
-</para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-
-</sect2>
-<sect2>
- <title><command>controls</command> Statement Grammar</title>
+
+ </sect2>
+ <sect2 id="acl">
+ <title><command>acl</command> Statement Definition and
+ Usage</title>
+
+ <para>
+ The <command>acl</command> statement assigns a symbolic
+ name to an address match list. It gets its name from a primary
+ use of address match lists: Access Control Lists (ACLs).
+ </para>
+
+ <para>
+ Note that an address match list's name must be defined
+ with <command>acl</command> before it can be used
+ elsewhere; no
+ forward references are allowed.
+ </para>
+
+ <para>
+ The following ACLs are built-in:
+ </para>
+
+ <informaltable colsep="0" rowsep="0">
+ <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
+ <colspec colname="1" colnum="1" colsep="0" colwidth="1.130in"/>
+ <colspec colname="2" colnum="2" colsep="0" colwidth="4.000in"/>
+ <tbody>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>any</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Matches all hosts.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>none</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Matches no hosts.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>localhost</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Matches the IPv4 and IPv6 addresses of all network
+ interfaces on the system.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>localnets</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Matches any host on an IPv4 or IPv6 network
+ for which the system has an interface.
+ Some systems do not provide a way to determine the prefix
+ lengths of
+ local IPv6 addresses.
+ In such a case, <command>localnets</command>
+ only matches the local
+ IPv6 addresses, just like <command>localhost</command>.
+ </para>
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ </sect2>
+ <sect2>
+ <title><command>controls</command> Statement Grammar</title>
+
<programlisting><command>controls</command> {
- inet ( ip_addr | * ) <optional> port ip_port </optional> allow { <replaceable> address_match_list </replaceable> }
- keys { <replaceable> key_list </replaceable> };
- <optional> inet ...; </optional>
+ [ inet ( ip_addr | * ) [ port ip_port ] allow { <replaceable> address_match_list </replaceable> }
+ keys { <replaceable>key_list</replaceable> }; ]
+ [ inet ...; ]
+ [ unix <replaceable>path</replaceable> perm <replaceable>number</replaceable> owner <replaceable>number</replaceable> group <replaceable>number</replaceable> keys { <replaceable>key_list</replaceable> }; ]
+ [ unix ...; ]
};
</programlisting>
-</sect2>
-
-<sect2 id="controls_statement_definition_and_usage">
-<title><command>controls</command> Statement Definition and Usage</title>
-
- <para>The <command>controls</command> statement declares control
- channels to be used by system administrators to control the
- operation of the name server. These control channels are
- used by the <command>rndc</command> utility to send commands to
- and retrieve non-DNS results from a name server.</para>
-
- <para>An <command>inet</command> control channel is a TCP
- socket listening at the specified
- <command>ip_port</command> on the specified
- <command>ip_addr</command>, which can be an IPv4 or IPv6
- address. An <command>ip_addr</command>
- of <literal>*</literal> (asterisk) is interpreted as the IPv4 wildcard
- address; connections will be accepted on any of the system's
- IPv4 addresses. To listen on the IPv6 wildcard address,
- use an <command>ip_addr</command> of <literal>::</literal>.
- If you will only use <command>rndc</command> on the local host,
- using the loopback address (<literal>127.0.0.1</literal>
- or <literal>::1</literal>) is recommended for maximum
- security.
- </para>
- <para>
- If no port is specified, port 953
- is used. The asterisk "<literal>*</literal>" cannot be used for
- <command>ip_port</command>.</para>
-
- <para>The ability to issue commands over the control channel is
- restricted by the <command>allow</command> and
- <command>keys</command> clauses. Connections to the control
- channel are permitted based on the
- <command>address_match_list</command>. This is for simple
- IP address based filtering only; any <command>key_id</command>
- elements of the <command>address_match_list</command> are
- ignored.
- </para>
+ </sect2>
+
+ <sect2 id="controls_statement_definition_and_usage">
+ <title><command>controls</command> Statement Definition and
+ Usage</title>
+
+ <para>
+ The <command>controls</command> statement declares control
+ channels to be used by system administrators to control the
+ operation of the name server. These control channels are
+ used by the <command>rndc</command> utility to send
+ commands to and retrieve non-DNS results from a name server.
+ </para>
+
+ <para>
+ An <command>inet</command> control channel is a TCP socket
+ listening at the specified <command>ip_port</command> on the
+ specified <command>ip_addr</command>, which can be an IPv4 or IPv6
+ address. An <command>ip_addr</command> of <literal>*</literal> (asterisk) is
+ interpreted as the IPv4 wildcard address; connections will be
+ accepted on any of the system's IPv4 addresses.
+ To listen on the IPv6 wildcard address,
+ use an <command>ip_addr</command> of <literal>::</literal>.
+ If you will only use <command>rndc</command> on the local host,
+ using the loopback address (<literal>127.0.0.1</literal>
+ or <literal>::1</literal>) is recommended for maximum security.
+ </para>
+
+ <para>
+ If no port is specified, port 953 is used. The asterisk
+ "<literal>*</literal>" cannot be used for <command>ip_port</command>.
+ </para>
+
+ <para>
+ The ability to issue commands over the control channel is
+ restricted by the <command>allow</command> and
+ <command>keys</command> clauses.
+ Connections to the control channel are permitted based on the
+ <command>address_match_list</command>. This is for simple
+ IP address based filtering only; any <command>key_id</command>
+ elements of the <command>address_match_list</command>
+ are ignored.
+ </para>
+
+ <para>
+ A <command>unix</command> control channel is a UNIX domain
+ socket listening at the specified path in the file system.
+ Access to the socket is specified by the <command>perm</command>,
+ <command>owner</command> and <command>group</command> clauses.
+ Note on some platforms (SunOS and Solaris) the permissions
+ (<command>perm</command>) are applied to the parent directory
+ as the permissions on the socket itself are ignored.
+ </para>
- <para>The primary authorization mechanism of the command
- channel is the <command>key_list</command>, which contains
- a list of <command>key_id</command>s.
- Each <command>key_id</command> in
- the <command>key_list</command> is authorized to execute
- commands over the control channel.
- See <xref linkend="rndc"/> in
- <xref linkend="admin_tools"/>) for information about
- configuring keys in <command>rndc</command>.</para>
-
-<para>
-If no <command>controls</command> statement is present,
-<command>named</command> will set up a default
-control channel listening on the loopback address 127.0.0.1
-and its IPv6 counterpart ::1.
-In this case, and also when the <command>controls</command> statement
-is present but does not have a <command>keys</command> clause,
-<command>named</command> will attempt to load the command channel key
-from the file <filename>rndc.key</filename> in
-<filename>/etc</filename> (or whatever <varname>sysconfdir</varname>
-was specified as when <acronym>BIND</acronym> was built).
-To create a <filename>rndc.key</filename> file, run
-<userinput>rndc-confgen -a</userinput>.
-</para>
-
- <para>The <filename>rndc.key</filename> feature was created to
- ease the transition of systems from <acronym>BIND</acronym> 8,
- which did not have digital signatures on its command channel messages
- and thus did not have a <command>keys</command> clause.
-
-It makes it possible to use an existing <acronym>BIND</acronym> 8
-configuration file in <acronym>BIND</acronym> 9 unchanged,
-and still have <command>rndc</command> work the same way
-<command>ndc</command> worked in BIND 8, simply by executing the
-command <userinput>rndc-confgen -a</userinput> after BIND 9 is
-installed.
-</para>
+ <para>
+ The primary authorization mechanism of the command
+ channel is the <command>key_list</command>, which
+ contains a list of <command>key_id</command>s.
+ Each <command>key_id</command> in the <command>key_list</command>
+ is authorized to execute commands over the control channel.
+ See <xref linkend="rndc"/> in <xref linkend="admin_tools"/>)
+ for information about configuring keys in <command>rndc</command>.
+ </para>
+
+ <para>
+ If no <command>controls</command> statement is present,
+ <command>named</command> will set up a default
+ control channel listening on the loopback address 127.0.0.1
+ and its IPv6 counterpart ::1.
+ In this case, and also when the <command>controls</command> statement
+ is present but does not have a <command>keys</command> clause,
+ <command>named</command> will attempt to load the command channel key
+ from the file <filename>rndc.key</filename> in
+ <filename>/etc</filename> (or whatever <varname>sysconfdir</varname>
+ was specified as when <acronym>BIND</acronym> was built).
+ To create a <filename>rndc.key</filename> file, run
+ <userinput>rndc-confgen -a</userinput>.
+ </para>
+
+ <para>
+ The <filename>rndc.key</filename> feature was created to
+ ease the transition of systems from <acronym>BIND</acronym> 8,
+ which did not have digital signatures on its command channel
+ messages and thus did not have a <command>keys</command> clause.
+
+ It makes it possible to use an existing <acronym>BIND</acronym> 8
+ configuration file in <acronym>BIND</acronym> 9 unchanged,
+ and still have <command>rndc</command> work the same way
+ <command>ndc</command> worked in BIND 8, simply by executing the
+ command <userinput>rndc-confgen -a</userinput> after BIND 9 is
+ installed.
+ </para>
+
+ <para>
+ Since the <filename>rndc.key</filename> feature
+ is only intended to allow the backward-compatible usage of
+ <acronym>BIND</acronym> 8 configuration files, this
+ feature does not
+ have a high degree of configurability. You cannot easily change
+ the key name or the size of the secret, so you should make a
+ <filename>rndc.conf</filename> with your own key if you
+ wish to change
+ those things. The <filename>rndc.key</filename> file
+ also has its
+ permissions set such that only the owner of the file (the user that
+ <command>named</command> is running as) can access it.
+ If you
+ desire greater flexibility in allowing other users to access
+ <command>rndc</command> commands, then you need to create
+ a
+ <filename>rndc.conf</filename> file and make it group
+ readable by a group
+ that contains the users who should have access.
+ </para>
+
+ <para>
+ To disable the command channel, use an empty
+ <command>controls</command> statement:
+ <command>controls { };</command>.
+ </para>
+
+ </sect2>
+ <sect2>
+ <title><command>include</command> Statement Grammar</title>
+ <programlisting>include <replaceable>filename</replaceable>;</programlisting>
+ </sect2>
+ <sect2>
+ <title><command>include</command> Statement Definition and
+ Usage</title>
+
+ <para>
+ The <command>include</command> statement inserts the
+ specified file at the point where the <command>include</command>
+ statement is encountered. The <command>include</command>
+ statement facilitates the administration of configuration
+ files
+ by permitting the reading or writing of some things but not
+ others. For example, the statement could include private keys
+ that are readable only by the name server.
+ </para>
+
+ </sect2>
+ <sect2>
+ <title><command>key</command> Statement Grammar</title>
- <para>
- Since the <filename>rndc.key</filename> feature
- is only intended to allow the backward-compatible usage of
- <acronym>BIND</acronym> 8 configuration files, this feature does not
- have a high degree of configurability. You cannot easily change
- the key name or the size of the secret, so you should make a
- <filename>rndc.conf</filename> with your own key if you wish to change
- those things. The <filename>rndc.key</filename> file also has its
- permissions set such that only the owner of the file (the user that
- <command>named</command> is running as) can access it. If you
- desire greater flexibility in allowing other users to access
- <command>rndc</command> commands, then you need to create a
- <filename>rndc.conf</filename> file and make it group readable by a group
- that contains the users who should have access.</para>
-
- <para>The UNIX control channel type of <acronym>BIND</acronym> 8 is not supported
- in <acronym>BIND</acronym> 9.0, <acronym>BIND</acronym> 9.1,
- <acronym>BIND</acronym> 9.2 and <acronym>BIND</acronym> 9.3.
- If it is present in the controls statement from a
- <acronym>BIND</acronym> 8 configuration file, it is ignored
- and a warning is logged.</para>
-
-<para>
-To disable the command channel, use an empty <command>controls</command>
-statement: <command>controls { };</command>.
-</para>
-
- </sect2>
- <sect2>
- <title><command>include</command> Statement Grammar</title>
- <programlisting>include <replaceable>filename</replaceable>;</programlisting>
- </sect2>
- <sect2>
- <title><command>include</command> Statement Definition and Usage</title>
-
- <para>The <command>include</command> statement inserts the
- specified file at the point where the <command>include</command>
- statement is encountered. The <command>include</command>
- statement facilitates the administration of configuration files
- by permitting the reading or writing of some things but not
- others. For example, the statement could include private keys
- that are readable only by the name server.</para>
-
- </sect2>
- <sect2>
- <title><command>key</command> Statement Grammar</title>
<programlisting>key <replaceable>key_id</replaceable> {
algorithm <replaceable>string</replaceable>;
secret <replaceable>string</replaceable>;
};
</programlisting>
- </sect2>
-
-<sect2>
-<title><command>key</command> Statement Definition and Usage</title>
-
-<para>The <command>key</command> statement defines a shared
-secret key for use with TSIG (see <xref linkend="tsig"/>)
-or the command channel
-(see <xref linkend="controls_statement_definition_and_usage"/>).
-</para>
-
-<para>
-The <command>key</command> statement can occur at the top level
-of the configuration file or inside a <command>view</command>
-statement. Keys defined in top-level <command>key</command>
-statements can be used in all views. Keys intended for use in
-a <command>controls</command> statement
-(see <xref linkend="controls_statement_definition_and_usage"/>)
-must be defined at the top level.
-</para>
-
-<para>The <replaceable>key_id</replaceable>, also known as the
-key name, is a domain name uniquely identifying the key. It can
-be used in a <command>server</command>
-statement to cause requests sent to that
-server to be signed with this key, or in address match lists to
-verify that incoming requests have been signed with a key
-matching this name, algorithm, and secret.</para>
-
-<para>The <replaceable>algorithm_id</replaceable> is a string
-that specifies a security/authentication algorithm. The only
-algorithm currently supported with TSIG authentication is
-<literal>hmac-md5</literal>. The
-<replaceable>secret_string</replaceable> is the secret to be
-used by the algorithm, and is treated as a base-64 encoded
-string.</para>
-
-</sect2>
- <sect2>
- <title><command>logging</command> Statement Grammar</title>
- <programlisting><command>logging</command> {
+
+ </sect2>
+
+ <sect2>
+ <title><command>key</command> Statement Definition and Usage</title>
+
+ <para>
+ The <command>key</command> statement defines a shared
+ secret key for use with TSIG (see <xref linkend="tsig"/>)
+ or the command channel
+ (see <xref linkend="controls_statement_definition_and_usage"/>).
+ </para>
+
+ <para>
+ The <command>key</command> statement can occur at the
+ top level
+ of the configuration file or inside a <command>view</command>
+ statement. Keys defined in top-level <command>key</command>
+ statements can be used in all views. Keys intended for use in
+ a <command>controls</command> statement
+ (see <xref linkend="controls_statement_definition_and_usage"/>)
+ must be defined at the top level.
+ </para>
+
+ <para>
+ The <replaceable>key_id</replaceable>, also known as the
+ key name, is a domain name uniquely identifying the key. It can
+ be used in a <command>server</command>
+ statement to cause requests sent to that
+ server to be signed with this key, or in address match lists to
+ verify that incoming requests have been signed with a key
+ matching this name, algorithm, and secret.
+ </para>
+
+ <para>
+ The <replaceable>algorithm_id</replaceable> is a string
+ that specifies a security/authentication algorithm. Named
+ supports <literal>hmac-md5</literal>,
+ <literal>hmac-sha1</literal>, <literal>hmac-sha224</literal>,
+ <literal>hmac-sha256</literal>, <literal>hmac-sha384</literal>
+ and <literal>hmac-sha512</literal> TSIG authentication.
+ Truncated hashes are supported by appending the minimum
+ number of required bits preceeded by a dash, e.g.
+ <literal>hmac-sha1-80</literal>. The
+ <replaceable>secret_string</replaceable> is the secret
+ to be used by the algorithm, and is treated as a base-64
+ encoded string.
+ </para>
+
+ </sect2>
+ <sect2>
+ <title><command>logging</command> Statement Grammar</title>
+
+<programlisting><command>logging</command> {
[ <command>channel</command> <replaceable>channel_name</replaceable> {
( <command>file</command> <replaceable>path name</replaceable>
- [ <command>versions</command> ( <replaceable>number</replaceable> | <literal>unlimited</literal> ) ]
+ [ <command>versions</command> ( <replaceable>number</replaceable> | <command>unlimited</command> ) ]
[ <command>size</command> <replaceable>size spec</replaceable> ]
| <command>syslog</command> <replaceable>syslog_facility</replaceable>
| <command>stderr</command>
@@ -2381,24 +3675,32 @@ string.</para>
[ <command>print-time</command> <option>yes</option> or <option>no</option>; ]
}; ]
[ <command>category</command> <replaceable>category_name</replaceable> {
- <replaceable>channel_name</replaceable> ; [ <replaceable>channel_nam</replaceable>e ; ... ]
+ <replaceable>channel_name</replaceable> ; [ <replaceable>channel_name</replaceable> ; ... ]
}; ]
...
};
</programlisting>
-</sect2>
-
-<sect2>
-<title><command>logging</command> Statement Definition and Usage</title>
-<para>The <command>logging</command> statement configures a wide
-variety of logging options for the name server. Its <command>channel</command> phrase
-associates output methods, format options and severity levels with
-a name that can then be used with the <command>category</command> phrase
-to select how various classes of messages are logged.</para>
-<para>Only one <command>logging</command> statement is used to define
-as many channels and categories as are wanted. If there is no <command>logging</command> statement,
-the logging configuration will be:</para>
+ </sect2>
+
+ <sect2>
+ <title><command>logging</command> Statement Definition and
+ Usage</title>
+
+ <para>
+ The <command>logging</command> statement configures a
+ wide
+ variety of logging options for the name server. Its <command>channel</command> phrase
+ associates output methods, format options and severity levels with
+ a name that can then be used with the <command>category</command> phrase
+ to select how various classes of messages are logged.
+ </para>
+ <para>
+ Only one <command>logging</command> statement is used to
+ define
+ as many channels and categories as are wanted. If there is no <command>logging</command> statement,
+ the logging configuration will be:
+ </para>
<programlisting>logging {
category default { default_syslog; default_debug; };
@@ -2406,65 +3708,98 @@ the logging configuration will be:</para>
};
</programlisting>
-<para>In <acronym>BIND</acronym> 9, the logging configuration is only established when
-the entire configuration file has been parsed. In <acronym>BIND</acronym> 8, it was
-established as soon as the <command>logging</command> statement
-was parsed. When the server is starting up, all logging messages
-regarding syntax errors in the configuration file go to the default
-channels, or to standard error if the "<option>-g</option>" option
-was specified.</para>
-
-<sect3>
-<title>The <command>channel</command> Phrase</title>
-
-<para>All log output goes to one or more <emphasis>channels</emphasis>;
-you can make as many of them as you want.</para>
-
-<para>Every channel definition must include a destination clause that
-says whether messages selected for the channel go to a file, to a
-particular syslog facility, to the standard error stream, or are
-discarded. It can optionally also limit the message severity level
-that will be accepted by the channel (the default is
-<command>info</command>), and whether to include a
-<command>named</command>-generated time stamp, the category name
-and/or severity level (the default is not to include any).</para>
-
-<para>The <command>null</command> destination clause
-causes all messages sent to the channel to be discarded;
-in that case, other options for the channel are meaningless.</para>
-
-<para>The <command>file</command> destination clause directs the channel
-to a disk file. It can include limitations
-both on how large the file is allowed to become, and how many versions
-of the file will be saved each time the file is opened.</para>
-
-<para>If you use the <command>versions</command> log file option, then
-<command>named</command> will retain that many backup versions of the file by
-renaming them when opening. For example, if you choose to keep three old versions
-of the file <filename>lamers.log</filename>, then just before it is opened
-<filename>lamers.log.1</filename> is renamed to
-<filename>lamers.log.2</filename>, <filename>lamers.log.0</filename> is renamed
-to <filename>lamers.log.1</filename>, and <filename>lamers.log</filename> is
-renamed to <filename>lamers.log.0</filename>.
-You can say <command>versions unlimited</command> to not limit
-the number of versions.
-If a <command>size</command> option is associated with the log file,
-then renaming is only done when the file being opened exceeds the
-indicated size. No backup versions are kept by default; any existing
-log file is simply appended.</para>
-
-<para>The <command>size</command> option for files is used to limit log
-growth. If the file ever exceeds the size, then <command>named</command> will
-stop writing to the file unless it has a <command>versions</command> option
-associated with it. If backup versions are kept, the files are rolled as
-described above and a new one begun. If there is no
-<command>versions</command> option, no more data will be written to the log
-until some out-of-band mechanism removes or truncates the log to less than the
-maximum size. The default behavior is not to limit the size of the
-file.</para>
-
-<para>Example usage of the <command>size</command> and
-<command>versions</command> options:</para>
+ <para>
+ In <acronym>BIND</acronym> 9, the logging configuration
+ is only established when
+ the entire configuration file has been parsed. In <acronym>BIND</acronym> 8, it was
+ established as soon as the <command>logging</command>
+ statement
+ was parsed. When the server is starting up, all logging messages
+ regarding syntax errors in the configuration file go to the default
+ channels, or to standard error if the "<option>-g</option>" option
+ was specified.
+ </para>
+
+ <sect3>
+ <title>The <command>channel</command> Phrase</title>
+
+ <para>
+ All log output goes to one or more <emphasis>channels</emphasis>;
+ you can make as many of them as you want.
+ </para>
+
+ <para>
+ Every channel definition must include a destination clause that
+ says whether messages selected for the channel go to a file, to a
+ particular syslog facility, to the standard error stream, or are
+ discarded. It can optionally also limit the message severity level
+ that will be accepted by the channel (the default is
+ <command>info</command>), and whether to include a
+ <command>named</command>-generated time stamp, the
+ category name
+ and/or severity level (the default is not to include any).
+ </para>
+
+ <para>
+ The <command>null</command> destination clause
+ causes all messages sent to the channel to be discarded;
+ in that case, other options for the channel are meaningless.
+ </para>
+
+ <para>
+ The <command>file</command> destination clause directs
+ the channel
+ to a disk file. It can include limitations
+ both on how large the file is allowed to become, and how many
+ versions
+ of the file will be saved each time the file is opened.
+ </para>
+
+ <para>
+ If you use the <command>versions</command> log file
+ option, then
+ <command>named</command> will retain that many backup
+ versions of the file by
+ renaming them when opening. For example, if you choose to keep
+ three old versions
+ of the file <filename>lamers.log</filename>, then just
+ before it is opened
+ <filename>lamers.log.1</filename> is renamed to
+ <filename>lamers.log.2</filename>, <filename>lamers.log.0</filename> is renamed
+ to <filename>lamers.log.1</filename>, and <filename>lamers.log</filename> is
+ renamed to <filename>lamers.log.0</filename>.
+ You can say <command>versions unlimited</command> to
+ not limit
+ the number of versions.
+ If a <command>size</command> option is associated with
+ the log file,
+ then renaming is only done when the file being opened exceeds the
+ indicated size. No backup versions are kept by default; any
+ existing
+ log file is simply appended.
+ </para>
+
+ <para>
+ The <command>size</command> option for files is used
+ to limit log
+ growth. If the file ever exceeds the size, then <command>named</command> will
+ stop writing to the file unless it has a <command>versions</command> option
+ associated with it. If backup versions are kept, the files are
+ rolled as
+ described above and a new one begun. If there is no
+ <command>versions</command> option, no more data will
+ be written to the log
+ until some out-of-band mechanism removes or truncates the log to
+ less than the
+ maximum size. The default behavior is not to limit the size of
+ the
+ file.
+ </para>
+
+ <para>
+ Example usage of the <command>size</command> and
+ <command>versions</command> options:
+ </para>
<programlisting>channel an_example_channel {
file "example.log" versions 3 size 20m;
@@ -2473,80 +3808,117 @@ file.</para>
};
</programlisting>
-<para>The <command>syslog</command> destination clause directs the
-channel to the system log. Its argument is a
-syslog facility as described in the <command>syslog</command> man
-page. Known facilities are <command>kern</command>, <command>user</command>,
-<command>mail</command>, <command>daemon</command>, <command>auth</command>,
-<command>syslog</command>, <command>lpr</command>, <command>news</command>,
-<command>uucp</command>, <command>cron</command>, <command>authpriv</command>,
-<command>ftp</command>, <command>local0</command>, <command>local1</command>,
-<command>local2</command>, <command>local3</command>, <command>local4</command>,
-<command>local5</command>, <command>local6</command> and
-<command>local7</command>, however not all facilities are supported on
-all operating systems.
-How <command>syslog</command> will handle messages sent to
-this facility is described in the <command>syslog.conf</command> man
-page. If you have a system which uses a very old version of <command>syslog</command> that
-only uses two arguments to the <command>openlog()</command> function,
-then this clause is silently ignored.</para>
-<para>The <command>severity</command> clause works like <command>syslog</command>'s
-"priorities", except that they can also be used if you are writing
-straight to a file rather than using <command>syslog</command>.
-Messages which are not at least of the severity level given will
-not be selected for the channel; messages of higher severity levels
-will be accepted.</para>
-<para>If you are using <command>syslog</command>, then the <command>syslog.conf</command> priorities
-will also determine what eventually passes through. For example,
-defining a channel facility and severity as <command>daemon</command> and <command>debug</command> but
-only logging <command>daemon.warning</command> via <command>syslog.conf</command> will
-cause messages of severity <command>info</command> and <command>notice</command> to
-be dropped. If the situation were reversed, with <command>named</command> writing
-messages of only <command>warning</command> or higher, then <command>syslogd</command> would
-print all messages it received from the channel.</para>
-
-<para>The <command>stderr</command> destination clause directs the
-channel to the server's standard error stream. This is intended for
-use when the server is running as a foreground process, for example
-when debugging a configuration.</para>
-
-<para>The server can supply extensive debugging information when
-it is in debugging mode. If the server's global debug level is greater
-than zero, then debugging mode will be active. The global debug
-level is set either by starting the <command>named</command> server
-with the <option>-d</option> flag followed by a positive integer,
-or by running <command>rndc trace</command>.
-The global debug level
-can be set to zero, and debugging mode turned off, by running <command>rndc
+ <para>
+ The <command>syslog</command> destination clause
+ directs the
+ channel to the system log. Its argument is a
+ syslog facility as described in the <command>syslog</command> man
+ page. Known facilities are <command>kern</command>, <command>user</command>,
+ <command>mail</command>, <command>daemon</command>, <command>auth</command>,
+ <command>syslog</command>, <command>lpr</command>, <command>news</command>,
+ <command>uucp</command>, <command>cron</command>, <command>authpriv</command>,
+ <command>ftp</command>, <command>local0</command>, <command>local1</command>,
+ <command>local2</command>, <command>local3</command>, <command>local4</command>,
+ <command>local5</command>, <command>local6</command> and
+ <command>local7</command>, however not all facilities
+ are supported on
+ all operating systems.
+ How <command>syslog</command> will handle messages
+ sent to
+ this facility is described in the <command>syslog.conf</command> man
+ page. If you have a system which uses a very old version of <command>syslog</command> that
+ only uses two arguments to the <command>openlog()</command> function,
+ then this clause is silently ignored.
+ </para>
+ <para>
+ The <command>severity</command> clause works like <command>syslog</command>'s
+ "priorities", except that they can also be used if you are writing
+ straight to a file rather than using <command>syslog</command>.
+ Messages which are not at least of the severity level given will
+ not be selected for the channel; messages of higher severity
+ levels
+ will be accepted.
+ </para>
+ <para>
+ If you are using <command>syslog</command>, then the <command>syslog.conf</command> priorities
+ will also determine what eventually passes through. For example,
+ defining a channel facility and severity as <command>daemon</command> and <command>debug</command> but
+ only logging <command>daemon.warning</command> via <command>syslog.conf</command> will
+ cause messages of severity <command>info</command> and
+ <command>notice</command> to
+ be dropped. If the situation were reversed, with <command>named</command> writing
+ messages of only <command>warning</command> or higher,
+ then <command>syslogd</command> would
+ print all messages it received from the channel.
+ </para>
+
+ <para>
+ The <command>stderr</command> destination clause
+ directs the
+ channel to the server's standard error stream. This is intended
+ for
+ use when the server is running as a foreground process, for
+ example
+ when debugging a configuration.
+ </para>
+
+ <para>
+ The server can supply extensive debugging information when
+ it is in debugging mode. If the server's global debug level is
+ greater
+ than zero, then debugging mode will be active. The global debug
+ level is set either by starting the <command>named</command> server
+ with the <option>-d</option> flag followed by a positive integer,
+ or by running <command>rndc trace</command>.
+ The global debug level
+ can be set to zero, and debugging mode turned off, by running <command>rndc
notrace</command>. All debugging messages in the server have a debug
-level, and higher debug levels give more detailed output. Channels
-that specify a specific debug severity, for example:</para>
+ level, and higher debug levels give more detailed output. Channels
+ that specify a specific debug severity, for example:
+ </para>
+
<programlisting>channel specific_debug_level {
file "foo";
severity debug 3;
};
</programlisting>
- <para>will get debugging output of level 3 or less any time the
-server is in debugging mode, regardless of the global debugging
-level. Channels with <command>dynamic</command> severity use the
-server's global debug level to determine what messages to print.</para>
- <para>If <command>print-time</command> has been turned on, then
-the date and time will be logged. <command>print-time</command> may
-be specified for a <command>syslog</command> channel, but is usually
-pointless since <command>syslog</command> also prints the date and
-time. If <command>print-category</command> is requested, then the
-category of the message will be logged as well. Finally, if <command>print-severity</command> is
-on, then the severity level of the message will be logged. The <command>print-</command> options may
-be used in any combination, and will always be printed in the following
-order: time, category, severity. Here is an example where all three <command>print-</command> options
-are on:</para>
-
-<para><computeroutput>28-Feb-2000 15:05:32.863 general: notice: running</computeroutput></para>
-
-<para>There are four predefined channels that are used for
-<command>named</command>'s default logging as follows. How they are
-used is described in <xref linkend="the_category_phrase"/>.
-</para>
+
+ <para>
+ will get debugging output of level 3 or less any time the
+ server is in debugging mode, regardless of the global debugging
+ level. Channels with <command>dynamic</command>
+ severity use the
+ server's global debug level to determine what messages to print.
+ </para>
+ <para>
+ If <command>print-time</command> has been turned on,
+ then
+ the date and time will be logged. <command>print-time</command> may
+ be specified for a <command>syslog</command> channel,
+ but is usually
+ pointless since <command>syslog</command> also prints
+ the date and
+ time. If <command>print-category</command> is
+ requested, then the
+ category of the message will be logged as well. Finally, if <command>print-severity</command> is
+ on, then the severity level of the message will be logged. The <command>print-</command> options may
+ be used in any combination, and will always be printed in the
+ following
+ order: time, category, severity. Here is an example where all
+ three <command>print-</command> options
+ are on:
+ </para>
+
+ <para>
+ <computeroutput>28-Feb-2000 15:05:32.863 general: notice: running</computeroutput>
+ </para>
+
+ <para>
+ There are four predefined channels that are used for
+ <command>named</command>'s default logging as follows.
+ How they are
+ used is described in <xref linkend="the_category_phrase"/>.
+ </para>
<programlisting>channel default_syslog {
syslog daemon; // send to syslog's daemon
@@ -2578,37 +3950,56 @@ channel null {
};
</programlisting>
-<para>The <command>default_debug</command> channel has the special
-property that it only produces output when the server's debug level is
-nonzero. It normally writes to a file called <filename>named.run</filename>
-in the server's working directory.</para>
-
-<para>For security reasons, when the "<option>-u</option>"
-command line option is used, the <filename>named.run</filename> file
-is created only after <command>named</command> has changed to the
-new UID, and any debug output generated while <command>named</command> is
-starting up and still running as root is discarded. If you need
-to capture this output, you must run the server with the "<option>-g</option>"
-option and redirect standard error to a file.</para>
-
-<para>Once a channel is defined, it cannot be redefined. Thus you
-cannot alter the built-in channels directly, but you can modify
-the default logging by pointing categories at channels you have defined.</para>
-</sect3>
-
-<sect3 id="the_category_phrase"><title>The <command>category</command> Phrase</title>
-
-<para>There are many categories, so you can send the logs you want
-to see wherever you want, without seeing logs you don't want. If
-you don't specify a list of channels for a category, then log messages
-in that category will be sent to the <command>default</command> category
-instead. If you don't specify a default category, the following
-"default default" is used:</para>
+ <para>
+ The <command>default_debug</command> channel has the
+ special
+ property that it only produces output when the server's debug
+ level is
+ nonzero. It normally writes to a file called <filename>named.run</filename>
+ in the server's working directory.
+ </para>
+
+ <para>
+ For security reasons, when the "<option>-u</option>"
+ command line option is used, the <filename>named.run</filename> file
+ is created only after <command>named</command> has
+ changed to the
+ new UID, and any debug output generated while <command>named</command> is
+ starting up and still running as root is discarded. If you need
+ to capture this output, you must run the server with the "<option>-g</option>"
+ option and redirect standard error to a file.
+ </para>
+
+ <para>
+ Once a channel is defined, it cannot be redefined. Thus you
+ cannot alter the built-in channels directly, but you can modify
+ the default logging by pointing categories at channels you have
+ defined.
+ </para>
+ </sect3>
+
+ <sect3 id="the_category_phrase">
+ <title>The <command>category</command> Phrase</title>
+
+ <para>
+ There are many categories, so you can send the logs you want
+ to see wherever you want, without seeing logs you don't want. If
+ you don't specify a list of channels for a category, then log
+ messages
+ in that category will be sent to the <command>default</command> category
+ instead. If you don't specify a default category, the following
+ "default default" is used:
+ </para>
+
<programlisting>category default { default_syslog; default_debug; };
</programlisting>
-<para>As an example, let's say you want to log security events to
-a file, but you also want keep the default logging behavior. You'd
-specify the following:</para>
+
+ <para>
+ As an example, let's say you want to log security events to
+ a file, but you also want keep the default logging behavior. You'd
+ specify the following:
+ </para>
+
<programlisting>channel my_security_channel {
file "my_security_file";
severity info;
@@ -2618,138 +4009,269 @@ category security {
default_syslog;
default_debug;
};</programlisting>
-<para>To discard all messages in a category, specify the <command>null</command> channel:</para>
+
+ <para>
+ To discard all messages in a category, specify the <command>null</command> channel:
+ </para>
+
<programlisting>category xfer-out { null; };
category notify { null; };
</programlisting>
-<para>Following are the available categories and brief descriptions
-of the types of log information they contain. More
-categories may be added in future <acronym>BIND</acronym> releases.</para>
-<informaltable
- colsep = "0" rowsep = "0"><tgroup cols = "2"
- colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.150in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.350in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para><command>default</command></para></entry>
-<entry colname = "2"><para>The default category defines the logging
-options for those categories where no specific configuration has been
-defined.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>general</command></para></entry>
-<entry colname = "2"><para>The catch-all. Many things still aren't
-classified into categories, and they all end up here.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>database</command></para></entry>
-<entry colname = "2"><para>Messages relating to the databases used
-internally by the name server to store zone and cache data.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>security</command></para></entry>
-<entry colname = "2"><para>Approval and denial of requests.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>config</command></para></entry>
-<entry colname = "2"><para>Configuration file parsing and processing.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>resolver</command></para></entry>
-<entry colname = "2"><para>DNS resolution, such as the recursive
-lookups performed on behalf of clients by a caching name server.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>xfer-in</command></para></entry>
-<entry colname = "2"><para>Zone transfers the server is receiving.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>xfer-out</command></para></entry>
-<entry colname = "2"><para>Zone transfers the server is sending.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>notify</command></para></entry>
-<entry colname = "2"><para>The NOTIFY protocol.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>client</command></para></entry>
-<entry colname = "2"><para>Processing of client requests.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>unmatched</command></para></entry>
-<entry colname = "2"><para>Messages that named was unable to determine the
-class of or for which there was no matching <command>view</command>.
-A one line summary is also logged to the <command>client</command> category.
-This category is best sent to a file or stderr, by default it is sent to
-the <command>null</command> channel.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>network</command></para></entry>
-<entry colname = "2"><para>Network operations.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>update</command></para></entry>
-<entry colname = "2"><para>Dynamic updates.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>update-security</command></para></entry>
-<entry colname = "2"><para>Approval and denial of update requests.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>queries</command></para></entry>
-<entry colname = "2"><para>Specify where queries should be logged to.</para>
-<para>
-At startup, specifying the category <command>queries</command> will also
-enable query logging unless <command>querylog</command> option has been
-specified.
-</para>
-<para>
-The query log entry reports the client's IP address and port number, and the
-query name, class and type. It also reports whether the Recursion Desired
-flag was set (+ if set, - if not set), EDNS was in use (E) or if the
-query was signed (S).</para>
-<para><computeroutput>client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</computeroutput>
-</para>
-<para><computeroutput>client ::1#62537: query: www.example.net IN AAAA -SE</computeroutput>
-</para>
-</entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>dispatch</command></para></entry>
-<entry colname = "2"><para>Dispatching of incoming packets to the
-server modules where they are to be processed.
-</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>dnssec</command></para></entry>
-<entry colname = "2"><para>DNSSEC and TSIG protocol processing.
-</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>lame-servers</command></para></entry>
-<entry colname = "2"><para>Lame servers. These are misconfigurations
-in remote servers, discovered by BIND 9 when trying to query
-those servers during resolution.
-</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>delegation-only</command></para></entry>
-<entry colname = "2"><para>Delegation only. Logs queries that have have
-been forced to NXDOMAIN as the result of a delegation-only zone or
-a <command>delegation-only</command> in a hint or stub zone declaration.
-</para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-</sect3>
-</sect2>
-
-<sect2>
-<title><command>lwres</command> Statement Grammar</title>
-
-<para> This is the grammar of the <command>lwres</command>
-statement in the <filename>named.conf</filename> file:</para>
+
+ <para>
+ Following are the available categories and brief descriptions
+ of the types of log information they contain. More
+ categories may be added in future <acronym>BIND</acronym> releases.
+ </para>
+ <informaltable colsep="0" rowsep="0">
+ <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
+ <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
+ <colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/>
+ <tbody>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>default</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ The default category defines the logging
+ options for those categories where no specific
+ configuration has been
+ defined.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>general</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ The catch-all. Many things still aren't
+ classified into categories, and they all end up here.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>database</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Messages relating to the databases used
+ internally by the name server to store zone and cache
+ data.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>security</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Approval and denial of requests.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>config</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Configuration file parsing and processing.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>resolver</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ DNS resolution, such as the recursive
+ lookups performed on behalf of clients by a caching name
+ server.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>xfer-in</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Zone transfers the server is receiving.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>xfer-out</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Zone transfers the server is sending.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>notify</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ The NOTIFY protocol.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>client</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Processing of client requests.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>unmatched</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Messages that named was unable to determine the
+ class of or for which there was no matching <command>view</command>.
+ A one line summary is also logged to the <command>client</command> category.
+ This category is best sent to a file or stderr, by
+ default it is sent to
+ the <command>null</command> channel.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>network</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Network operations.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>update</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Dynamic updates.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>update-security</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Approval and denial of update requests.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>queries</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Specify where queries should be logged to.
+ </para>
+ <para>
+ At startup, specifying the category <command>queries</command> will also
+ enable query logging unless <command>querylog</command> option has been
+ specified.
+ </para>
+ <para>
+ The query log entry reports the client's IP address and
+ port number, and the
+ query name, class and type. It also reports whether the
+ Recursion Desired
+ flag was set (+ if set, - if not set), EDNS was in use
+ (E) or if the
+ query was signed (S).
+ </para>
+ <para>
+ <computeroutput>client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</computeroutput>
+ </para>
+ <para>
+ <computeroutput>client ::1#62537: query: www.example.net IN AAAA -SE</computeroutput>
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>dispatch</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Dispatching of incoming packets to the
+ server modules where they are to be processed.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>dnssec</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ DNSSEC and TSIG protocol processing.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>lame-servers</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Lame servers. These are misconfigurations
+ in remote servers, discovered by BIND 9 when trying to
+ query
+ those servers during resolution.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>delegation-only</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Delegation only. Logs queries that have have
+ been forced to NXDOMAIN as the result of a
+ delegation-only zone or
+ a <command>delegation-only</command> in a
+ hint or stub zone declaration.
+ </para>
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+ </sect3>
+ </sect2>
+
+ <sect2>
+ <title><command>lwres</command> Statement Grammar</title>
+
+ <para>
+ This is the grammar of the <command>lwres</command>
+ statement in the <filename>named.conf</filename> file:
+ </para>
<programlisting><command>lwres</command> {
<optional> listen-on { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
@@ -2759,55 +4281,87 @@ statement in the <filename>named.conf</filename> file:</para>
};
</programlisting>
-</sect2>
-<sect2>
-<title><command>lwres</command> Statement Definition and Usage</title>
-
-<para>The <command>lwres</command> statement configures the name
-server to also act as a lightweight resolver server. (See
-<xref linkend="lwresd"/>.) There may be be multiple
-<command>lwres</command> statements configuring
-lightweight resolver servers with different properties.</para>
-
-<para>The <command>listen-on</command> statement specifies a list of
-addresses (and ports) that this instance of a lightweight resolver daemon
-should accept requests on. If no port is specified, port 921 is used.
-If this statement is omitted, requests will be accepted on 127.0.0.1,
-port 921.</para>
-
-<para>The <command>view</command> statement binds this instance of a
-lightweight resolver daemon to a view in the DNS namespace, so that the
-response will be constructed in the same manner as a normal DNS query
-matching this view. If this statement is omitted, the default view is
-used, and if there is no default view, an error is triggered.</para>
-
-<para>The <command>search</command> statement is equivalent to the
-<command>search</command> statement in
-<filename>/etc/resolv.conf</filename>. It provides a list of domains
-which are appended to relative names in queries.</para>
-
-<para>The <command>ndots</command> statement is equivalent to the
-<command>ndots</command> statement in
-<filename>/etc/resolv.conf</filename>. It indicates the minimum
-number of dots in a relative domain name that should result in an
-exact match lookup before search path elements are appended.</para>
-</sect2>
-<sect2>
- <title><command>masters</command> Statement Grammar</title>
+ </sect2>
+ <sect2>
+ <title><command>lwres</command> Statement Definition and Usage</title>
+
+ <para>
+ The <command>lwres</command> statement configures the
+ name
+ server to also act as a lightweight resolver server. (See
+ <xref linkend="lwresd"/>.) There may be be multiple
+ <command>lwres</command> statements configuring
+ lightweight resolver servers with different properties.
+ </para>
+
+ <para>
+ The <command>listen-on</command> statement specifies a
+ list of
+ addresses (and ports) that this instance of a lightweight resolver
+ daemon
+ should accept requests on. If no port is specified, port 921 is
+ used.
+ If this statement is omitted, requests will be accepted on
+ 127.0.0.1,
+ port 921.
+ </para>
+
+ <para>
+ The <command>view</command> statement binds this
+ instance of a
+ lightweight resolver daemon to a view in the DNS namespace, so that
+ the
+ response will be constructed in the same manner as a normal DNS
+ query
+ matching this view. If this statement is omitted, the default view
+ is
+ used, and if there is no default view, an error is triggered.
+ </para>
+
+ <para>
+ The <command>search</command> statement is equivalent to
+ the
+ <command>search</command> statement in
+ <filename>/etc/resolv.conf</filename>. It provides a
+ list of domains
+ which are appended to relative names in queries.
+ </para>
+
+ <para>
+ The <command>ndots</command> statement is equivalent to
+ the
+ <command>ndots</command> statement in
+ <filename>/etc/resolv.conf</filename>. It indicates the
+ minimum
+ number of dots in a relative domain name that should result in an
+ exact match lookup before search path elements are appended.
+ </para>
+ </sect2>
+ <sect2>
+ <title><command>masters</command> Statement Grammar</title>
+
<programlisting>
-<command>masters</command> <replaceable>name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> } ;
+<command>masters</command> <replaceable>name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> };
</programlisting>
-</sect2>
-<sect2>
- <title><command>masters</command> Statement Definition and Usage </title>
-<para><command>masters</command> lists allow for a common set of masters
-to be easily used by multiple stub and slave zones.</para>
-</sect2>
-<sect2>
-<title><command>options</command> Statement Grammar</title>
-
-<para>This is the grammar of the <command>options</command>
-statement in the <filename>named.conf</filename> file:</para>
+
+ </sect2>
+
+ <sect2>
+ <title><command>masters</command> Statement Definition and
+ Usage</title>
+ <para><command>masters</command>
+ lists allow for a common set of masters to be easily used by
+ multiple stub and slave zones.
+ </para>
+ </sect2>
+
+ <sect2>
+ <title><command>options</command> Statement Grammar</title>
+
+ <para>
+ This is the grammar of the <command>options</command>
+ statement in the <filename>named.conf</filename> file:
+ </para>
<programlisting>options {
<optional> version <replaceable>version_string</replaceable>; </optional>
@@ -2835,31 +4389,52 @@ statement in the <filename>named.conf</filename> file:</para>
<optional> host-statistics-max <replaceable>number</replaceable>; </optional>
<optional> minimal-responses <replaceable>yes_or_no</replaceable>; </optional>
<optional> multiple-cnames <replaceable>yes_or_no</replaceable>; </optional>
- <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable>; </optional>
+ <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable>; </optional>
<optional> recursion <replaceable>yes_or_no</replaceable>; </optional>
<optional> rfc2308-type1 <replaceable>yes_or_no</replaceable>; </optional>
<optional> use-id-pool <replaceable>yes_or_no</replaceable>; </optional>
<optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable>; </optional>
<optional> dnssec-enable <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> dnssec-validation <replaceable>yes_or_no</replaceable>; </optional>
<optional> dnssec-lookaside <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable>; </optional>
<optional> dnssec-must-be-secure <replaceable>domain yes_or_no</replaceable>; </optional>
+ <optional> dnssec-accept-expired <replaceable>yes_or_no</replaceable>; </optional>
<optional> forward ( <replaceable>only</replaceable> | <replaceable>first</replaceable> ); </optional>
<optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
- <optional> dual-stack-servers <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>domain_name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ) ; ... }; </optional>
- <optional> check-names ( <replaceable>master</replaceable> | <replaceable>slave</replaceable> | <replaceable>response</replaceable> )( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
+ <optional> dual-stack-servers <optional>port <replaceable>ip_port</replaceable></optional> {
+ ( <replaceable>domain_name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> |
+ <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ) ;
+ ... }; </optional>
+ <optional> check-names ( <replaceable>master</replaceable> | <replaceable>slave</replaceable> | <replaceable>response</replaceable> )
+ ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
+ <optional> check-mx ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
+ <optional> check-wildcard <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> check-integrity <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> check-mx-cname ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
+ <optional> check-srv-cname ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
+ <optional> check-sibling <replaceable>yes_or_no</replaceable>; </optional>
<optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> allow-query-cache { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-recursion { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
<optional> allow-v6-synthesis { <replaceable>address_match_list</replaceable> }; </optional>
<optional> blackhole { <replaceable>address_match_list</replaceable> }; </optional>
<optional> avoid-v4-udp-ports { <replaceable>port_list</replaceable> }; </optional>
<optional> avoid-v6-udp-ports { <replaceable>port_list</replaceable> }; </optional>
<optional> listen-on <optional> port <replaceable>ip_port</replaceable> </optional> { <replaceable>address_match_list</replaceable> }; </optional>
<optional> listen-on-v6 <optional> port <replaceable>ip_port</replaceable> </optional> { <replaceable>address_match_list</replaceable> }; </optional>
- <optional> query-source <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
- <optional> query-source-v6 <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
+ <optional> query-source ( ( <replaceable>ip4_addr</replaceable> | <replaceable>*</replaceable> )
+ <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> |
+ <optional> address ( <replaceable>ip4_addr</replaceable> | <replaceable>*</replaceable> ) </optional>
+ <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> ) ; </optional>
+ <optional> query-source-v6 ( ( <replaceable>ip6_addr</replaceable> | <replaceable>*</replaceable> )
+ <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> |
+ <optional> address ( <replaceable>ip6_addr</replaceable> | <replaceable>*</replaceable> ) </optional>
+ <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> ) ; </optional>
<optional> max-transfer-time-in <replaceable>number</replaceable>; </optional>
<optional> max-transfer-time-out <replaceable>number</replaceable>; </optional>
<optional> max-transfer-idle-in <replaceable>number</replaceable>; </optional>
@@ -2915,69 +4490,128 @@ statement in the <filename>named.conf</filename> file:</para>
<optional> match-mapped-addresses <replaceable>yes_or_no</replaceable>; </optional>
<optional> preferred-glue ( <replaceable>A</replaceable> | <replaceable>AAAA</replaceable> | <replaceable>NONE</replaceable> ); </optional>
<optional> edns-udp-size <replaceable>number</replaceable>; </optional>
+ <optional> max-udp-size <replaceable>number</replaceable>; </optional>
<optional> root-delegation-only <optional> exclude { <replaceable>namelist</replaceable> } </optional> ; </optional>
<optional> querylog <replaceable>yes_or_no</replaceable> ; </optional>
<optional> disable-algorithms <replaceable>domain</replaceable> { <replaceable>algorithm</replaceable>; <optional> <replaceable>algorithm</replaceable>; </optional> }; </optional>
+ <optional> acache-enable <replaceable>yes_or_no</replaceable> ; </optional>
+ <optional> acache-cleaning-interval <replaceable>number</replaceable>; </optional>
+ <optional> max-acache-size <replaceable>size_spec</replaceable> ; </optional>
+ <optional> clients-per-query <replaceable>number</replaceable> ; </optional>
+ <optional> max-clients-per-query <replaceable>number</replaceable> ; </optional>
+ <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
+ <optional> empty-server <replaceable>name</replaceable> ; </optional>
+ <optional> empty-contact <replaceable>name</replaceable> ; </optional>
+ <optional> empty-zones-enable <replaceable>yes_or_no</replaceable> ; </optional>
+ <optional> disable-empty-zone <replaceable>zone_name</replaceable> ; </optional>
+ <optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
+ <optional> zero-no-soa-ttl-cache <replaceable>yes_or_no</replaceable> ; </optional>
};
</programlisting>
-</sect2>
-
-<sect2 id="options"><title><command>options</command> Statement Definition and Usage</title>
-
-<para>The <command>options</command> statement sets up global options
-to be used by <acronym>BIND</acronym>. This statement may appear only
-once in a configuration file. If there is no <command>options</command>
-statement, an options block with each option set to its default will
-be used.</para>
-
-<variablelist>
-
-<varlistentry><term><command>directory</command></term>
-<listitem><para>The working directory of the server.
-Any non-absolute pathnames in the configuration file will be taken
-as relative to this directory. The default location for most server
-output files (e.g. <filename>named.run</filename>) is this directory.
-If a directory is not specified, the working directory defaults
-to `<filename>.</filename>', the directory from which the server
-was started. The directory specified should be an absolute path.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>key-directory</command></term>
-<listitem><para>When performing dynamic update of secure zones, the
-directory where the public and private key files should be found,
-if different than the current working directory. The directory specified
-must be an absolute path.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>named-xfer</command></term>
-<listitem><para><emphasis>This option is obsolete.</emphasis>
-It was used in <acronym>BIND</acronym> 8 to
-specify the pathname to the <command>named-xfer</command> program.
-In <acronym>BIND</acronym> 9, no separate <command>named-xfer</command> program is
-needed; its functionality is built into the name server.</para>
-
-</listitem></varlistentry>
-
-<varlistentry><term><command>tkey-domain</command></term>
-<listitem><para>The domain appended to the names of all
-shared keys generated with <command>TKEY</command>. When a client
-requests a <command>TKEY</command> exchange, it may or may not specify
-the desired name for the key. If present, the name of the shared
-key will be "<varname>client specified part</varname>" +
-"<varname>tkey-domain</varname>".
-Otherwise, the name of the shared key will be "<varname>random hex
+
+ </sect2>
+
+ <sect2 id="options">
+ <title><command>options</command> Statement Definition and
+ Usage</title>
+
+ <para>
+ The <command>options</command> statement sets up global
+ options
+ to be used by <acronym>BIND</acronym>. This statement
+ may appear only
+ once in a configuration file. If there is no <command>options</command>
+ statement, an options block with each option set to its default will
+ be used.
+ </para>
+
+ <variablelist>
+
+ <varlistentry>
+ <term><command>directory</command></term>
+ <listitem>
+ <para>
+ The working directory of the server.
+ Any non-absolute pathnames in the configuration file will be
+ taken
+ as relative to this directory. The default location for most
+ server
+ output files (e.g. <filename>named.run</filename>)
+ is this directory.
+ If a directory is not specified, the working directory
+ defaults to `<filename>.</filename>', the directory from
+ which the server
+ was started. The directory specified should be an absolute
+ path.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>key-directory</command></term>
+ <listitem>
+ <para>
+ When performing dynamic update of secure zones, the
+ directory where the public and private key files should be
+ found,
+ if different than the current working directory. The
+ directory specified
+ must be an absolute path.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>named-xfer</command></term>
+ <listitem>
+ <para>
+ <emphasis>This option is obsolete.</emphasis>
+ It was used in <acronym>BIND</acronym> 8 to
+ specify the pathname to the <command>named-xfer</command> program.
+ In <acronym>BIND</acronym> 9, no separate <command>named-xfer</command> program is
+ needed; its functionality is built into the name server.
+ </para>
+
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>tkey-domain</command></term>
+ <listitem>
+ <para>
+ The domain appended to the names of all
+ shared keys generated with
+ <command>TKEY</command>. When a client
+ requests a <command>TKEY</command> exchange, it
+ may or may not specify
+ the desired name for the key. If present, the name of the
+ shared
+ key will be "<varname>client specified part</varname>" +
+ "<varname>tkey-domain</varname>".
+ Otherwise, the name of the shared key will be "<varname>random hex
digits</varname>" + "<varname>tkey-domain</varname>". In most cases,
-the <command>domainname</command> should be the server's domain
-name.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>tkey-dhkey</command></term>
-<listitem><para>The Diffie-Hellman key used by the server
-to generate shared keys with clients using the Diffie-Hellman mode
-of <command>TKEY</command>. The server must be able to load the
-public and private keys from files in the working directory. In
-most cases, the keyname should be the server's host name.</para>
-</listitem></varlistentry>
+ the <command>domainname</command> should be the
+ server's domain
+ name.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>tkey-dhkey</command></term>
+ <listitem>
+ <para>
+ The Diffie-Hellman key used by the server
+ to generate shared keys with clients using the Diffie-Hellman
+ mode
+ of <command>TKEY</command>. The server must be
+ able to load the
+ public and private keys from files in the working directory.
+ In
+ most cases, the keyname should be the server's host name.
+ </para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term><command>cache-file</command></term>
@@ -2988,877 +4622,1711 @@ most cases, the keyname should be the server's host name.</para>
</listitem>
</varlistentry>
-<varlistentry><term><command>dump-file</command></term>
-<listitem><para>The pathname of the file the server dumps
-the database to when instructed to do so with
-<command>rndc dumpdb</command>.
-If not specified, the default is <filename>named_dump.db</filename>.</para>
-</listitem></varlistentry>
-<varlistentry><term><command>memstatistics-file</command></term>
-<listitem><para>The pathname of the file the server writes memory
-usage statistics to on exit. If not specified,
-the default is <filename>named.memstats</filename>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>pid-file</command></term>
-<listitem><para>The pathname of the file the server writes its process ID
-in. If not specified, the default is <filename>/var/run/named.pid</filename>.
-The pid-file is used by programs that want to send signals to the running
-name server. Specifying <command>pid-file none</command> disables the
-use of a PID file &mdash; no file will be written and any
-existing one will be removed. Note that <command>none</command>
-is a keyword, not a file name, and therefore is not enclosed in
-double quotes.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>statistics-file</command></term>
-<listitem><para>The pathname of the file the server appends statistics
-to when instructed to do so using <command>rndc stats</command>.
-If not specified, the default is <filename>named.stats</filename> in the
-server's current directory. The format of the file is described
-in <xref linkend="statsfile"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>port</command></term>
-<listitem><para>
-The UDP/TCP port number the server uses for
-receiving and sending DNS protocol traffic.
-The default is 53. This option is mainly intended for server testing;
-a server using a port other than 53 will not be able to communicate with
-the global DNS.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>random-device</command></term>
-<listitem><para>
-The source of entropy to be used by the server. Entropy is primarily needed
-for DNSSEC operations, such as TKEY transactions and dynamic update of signed
-zones. This options specifies the device (or file) from which to read
-entropy. If this is a file, operations requiring entropy will fail when the
-file has been exhausted. If not specified, the default value is
-<filename>/dev/random</filename>
-(or equivalent) when present, and none otherwise. The
-<command>random-device</command> option takes effect during
-the initial configuration load at server startup time and
-is ignored on subsequent reloads.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>preferred-glue</command></term>
-<listitem><para>
-If specified, the listed type (A or AAAA) will be emitted before other glue
-in the additional section of a query response.
-The default is not to prefer any type (NONE).
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>root-delegation-only</command></term>
-<listitem><para>
-Turn on enforcement of delegation-only in TLDs (top level domains)
-and root zones with an optional exclude list.
-</para>
-<para>
-Note some TLDs are not delegation only (e.g. "DE", "LV", "US" and "MUSEUM").
-</para>
+ <varlistentry>
+ <term><command>dump-file</command></term>
+ <listitem>
+ <para>
+ The pathname of the file the server dumps
+ the database to when instructed to do so with
+ <command>rndc dumpdb</command>.
+ If not specified, the default is <filename>named_dump.db</filename>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>memstatistics-file</command></term>
+ <listitem>
+ <para>
+ The pathname of the file the server writes memory
+ usage statistics to on exit. If not specified,
+ the default is
+ <filename>named.memstats</filename>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>pid-file</command></term>
+ <listitem>
+ <para>
+ The pathname of the file the server writes its process ID
+ in. If not specified, the default is <filename>/var/run/named.pid</filename>.
+ The pid-file is used by programs that want to send signals to
+ the running
+ name server. Specifying <command>pid-file none</command> disables the
+ use of a PID file &mdash; no file will be written and any
+ existing one will be removed. Note that <command>none</command>
+ is a keyword, not a file name, and therefore is not enclosed
+ in
+ double quotes.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>statistics-file</command></term>
+ <listitem>
+ <para>
+ The pathname of the file the server appends statistics
+ to when instructed to do so using <command>rndc stats</command>.
+ If not specified, the default is <filename>named.stats</filename> in the
+ server's current directory. The format of the file is
+ described
+ in <xref linkend="statsfile"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>port</command></term>
+ <listitem>
+ <para>
+ The UDP/TCP port number the server uses for
+ receiving and sending DNS protocol traffic.
+ The default is 53. This option is mainly intended for server
+ testing;
+ a server using a port other than 53 will not be able to
+ communicate with
+ the global DNS.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>random-device</command></term>
+ <listitem>
+ <para>
+ The source of entropy to be used by the server. Entropy is
+ primarily needed
+ for DNSSEC operations, such as TKEY transactions and dynamic
+ update of signed
+ zones. This options specifies the device (or file) from which
+ to read
+ entropy. If this is a file, operations requiring entropy will
+ fail when the
+ file has been exhausted. If not specified, the default value
+ is
+ <filename>/dev/random</filename>
+ (or equivalent) when present, and none otherwise. The
+ <command>random-device</command> option takes
+ effect during
+ the initial configuration load at server startup time and
+ is ignored on subsequent reloads.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>preferred-glue</command></term>
+ <listitem>
+ <para>
+ If specified, the listed type (A or AAAA) will be emitted
+ before other glue
+ in the additional section of a query response.
+ The default is not to prefer any type (NONE).
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>root-delegation-only</command></term>
+ <listitem>
+ <para>
+ Turn on enforcement of delegation-only in TLDs (top level domains) and root zones
+ with an optional
+ exclude list.
+ </para>
+ <para>
+ Note some TLDs are not delegation only (e.g. "DE", "LV", "US"
+ and "MUSEUM").
+ </para>
+
<programlisting>
options {
root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
};
</programlisting>
-</listitem></varlistentry>
-
-<varlistentry><term><command>disable-algorithms</command></term>
-<listitem><para>
-Disable the specified DNSSEC algorithms at and below the specified name.
-Multiple <command>disable-algorithms</command> statements are allowed.
-Only the most specific will be applied.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>dnssec-lookaside</command></term>
-<listitem><para>
-When set, <command>dnssec-lookaside</command> provides the
-validator with an alternate method to validate DNSKEY records at the
-top of a zone. When a DNSKEY is at or below a domain specified by the
-deepest <command>dnssec-lookaside</command>, and the normal dnssec validation
-has left the key untrusted, the trust-anchor will be append to the key
-name and a DLV record will be looked up to see if it can validate the
-key. If the DLV record validates a DNSKEY (similarly to the way a DS
-record does) the DNSKEY RRset is deemed to be trusted.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>dnssec-must-be-secure</command></term>
-<listitem><para>
-Specify heirarchies which must be or may not be secure (signed and validated).
-If <userinput>yes</userinput>, then named will only accept answers if they
-are secure.
-If <userinput>no</userinput>, then normal dnssec validation applies
-allowing for insecure answers to be accepted.
-The specified domain must be under a <command>trusted-key</command> or
-<command>dnssec-lookaside</command> must be active.
-</para></listitem></varlistentry>
-
-</variablelist>
-
-<sect3 id="boolean_options"><title>Boolean Options</title>
-
-<variablelist>
-
-<varlistentry><term><command>auth-nxdomain</command></term>
-<listitem><para>If <userinput>yes</userinput>, then the <command>AA</command> bit
-is always set on NXDOMAIN responses, even if the server is not actually
-authoritative. The default is <userinput>no</userinput>; this is
-a change from <acronym>BIND</acronym> 8. If you are using very old DNS software, you
-may need to set it to <userinput>yes</userinput>.</para></listitem></varlistentry>
-
-<varlistentry><term><command>deallocate-on-exit</command></term>
-<listitem><para>This option was used in <acronym>BIND</acronym> 8 to enable checking
-for memory leaks on exit. <acronym>BIND</acronym> 9 ignores the option and always performs
-the checks.</para></listitem></varlistentry>
-
-<varlistentry><term><command>dialup</command></term>
-<listitem><para>If <userinput>yes</userinput>, then the
-server treats all zones as if they are doing zone transfers across
-a dial-on-demand dialup link, which can be brought up by traffic
-originating from this server. This has different effects according
-to zone type and concentrates the zone maintenance so that it all
-happens in a short interval, once every <command>heartbeat-interval</command> and
-hopefully during the one call. It also suppresses some of the normal
-zone maintenance traffic. The default is <userinput>no</userinput>.</para>
-<para>The <command>dialup</command> option
-may also be specified in the <command>view</command> and
-<command>zone</command> statements,
-in which case it overrides the global <command>dialup</command>
-option.</para>
-<para>If the zone is a master zone, then the server will send out a NOTIFY
-request to all the slaves (default). This should trigger the zone serial
-number check in the slave (providing it supports NOTIFY) allowing the slave
-to verify the zone while the connection is active.
-The set of servers to which NOTIFY is sent can be controlled by
-<command>notify</command> and <command>also-notify</command>.</para>
-<para>If the
-zone is a slave or stub zone, then the server will suppress the regular
-"zone up to date" (refresh) queries and only perform them when the
-<command>heartbeat-interval</command> expires in addition to sending
-NOTIFY requests.</para><para>Finer control can be achieved by using
-<userinput>notify</userinput> which only sends NOTIFY messages,
-<userinput>notify-passive</userinput> which sends NOTIFY messages and
-suppresses the normal refresh queries, <userinput>refresh</userinput>
-which suppresses normal refresh processing and sends refresh queries
-when the <command>heartbeat-interval</command> expires, and
-<userinput>passive</userinput> which just disables normal refresh
-processing.</para>
-
-<informaltable colsep = "0" rowsep = "0">
-<tgroup cols = "4" colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.150in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "1.150in"/>
-<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "1.150in"/>
-<colspec colname = "4" colnum = "4" colsep = "0" colwidth = "1.150in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para>dialup mode</para></entry>
-<entry colname = "2"><para>normal refresh</para></entry>
-<entry colname = "3"><para>heart-beat refresh</para></entry>
-<entry colname = "4"><para>heart-beat notify</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>no</command> (default)</para></entry>
-<entry colname = "2"><para>yes</para></entry>
-<entry colname = "3"><para>no</para></entry>
-<entry colname = "4"><para>no</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>yes</command></para></entry>
-<entry colname = "2"><para>no</para></entry>
-<entry colname = "3"><para>yes</para></entry>
-<entry colname = "4"><para>yes</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>notify</command></para></entry>
-<entry colname = "2"><para>yes</para></entry>
-<entry colname = "3"><para>no</para></entry>
-<entry colname = "4"><para>yes</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>refresh</command></para></entry>
-<entry colname = "2"><para>no</para></entry>
-<entry colname = "3"><para>yes</para></entry>
-<entry colname = "4"><para>no</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>passive</command></para></entry>
-<entry colname = "2"><para>no</para></entry>
-<entry colname = "3"><para>no</para></entry>
-<entry colname = "4"><para>no</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>notify-passive</command></para></entry>
-<entry colname = "2"><para>no</para></entry>
-<entry colname = "3"><para>no</para></entry>
-<entry colname = "4"><para>yes</para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-
-<para>Note that normal NOTIFY processing is not affected by
-<command>dialup</command>.</para>
-
-</listitem></varlistentry>
-
-<varlistentry><term><command>fake-iquery</command></term>
-<listitem><para>In <acronym>BIND</acronym> 8, this option
-enabled simulating the obsolete DNS query type
-IQUERY. <acronym>BIND</acronym> 9 never does IQUERY simulation.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>fetch-glue</command></term>
-<listitem><para>This option is obsolete.
-In BIND 8, <userinput>fetch-glue yes</userinput>
-caused the server to attempt to fetch glue resource records it
-didn't have when constructing the additional
-data section of a response. This is now considered a bad idea
-and BIND 9 never does it.</para></listitem></varlistentry>
-
-<varlistentry><term><command>flush-zones-on-shutdown</command></term>
-<listitem><para>When the nameserver exits due receiving SIGTERM,
-flush or do not flush any pending zone writes. The default is
-<command>flush-zones-on-shutdown</command> <userinput>no</userinput>.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>has-old-clients</command></term>
-<listitem><para>This option was incorrectly implemented
-in <acronym>BIND</acronym> 8, and is ignored by <acronym>BIND</acronym> 9.
-To achieve the intended effect
-of
-<command>has-old-clients</command> <userinput>yes</userinput>, specify
-the two separate options <command>auth-nxdomain</command> <userinput>yes</userinput>
-and <command>rfc2308-type1</command> <userinput>no</userinput> instead.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>host-statistics</command></term>
-<listitem><para>In BIND 8, this enables keeping of
-statistics for every host that the name server interacts with.
-Not implemented in BIND 9.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>maintain-ixfr-base</command></term>
-<listitem><para><emphasis>This option is obsolete</emphasis>.
- It was used in <acronym>BIND</acronym> 8 to determine whether a transaction log was
-kept for Incremental Zone Transfer. <acronym>BIND</acronym> 9 maintains a transaction
-log whenever possible. If you need to disable outgoing incremental zone
-transfers, use <command>provide-ixfr</command> <userinput>no</userinput>.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>minimal-responses</command></term>
-<listitem><para>If <userinput>yes</userinput>, then when generating
-responses the server will only add records to the authority and
-additional data sections when they are required (e.g. delegations,
-negative responses). This may improve the performance of the server.
-The default is <userinput>no</userinput>.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>multiple-cnames</command></term>
-<listitem><para>This option was used in <acronym>BIND</acronym> 8 to allow
-a domain name to have multiple CNAME records in violation of the
-DNS standards. <acronym>BIND</acronym> 9.2 always strictly
-enforces the CNAME rules both in master files and dynamic updates.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>notify</command></term>
-<listitem><para>If <userinput>yes</userinput> (the default),
-DNS NOTIFY messages are sent when a zone the server is authoritative for
-changes, see <xref linkend="notify"/>. The messages are sent to the
-servers listed in the zone's NS records (except the master server identified
-in the SOA MNAME field), and to any servers listed in the
-<command>also-notify</command> option.
-</para><para>
-If <userinput>explicit</userinput>, notifies are sent only to
-servers explicitly listed using <command>also-notify</command>.
-If <userinput>no</userinput>, no notifies are sent.
-</para><para>
-The <command>notify</command> option may also be
-specified in the <command>zone</command> statement,
-in which case it overrides the <command>options notify</command> statement.
-It would only be necessary to turn off this option if it caused slaves
-to crash.</para></listitem></varlistentry>
-
-<varlistentry><term><command>recursion</command></term>
-<listitem><para>If <userinput>yes</userinput>, and a
-DNS query requests recursion, then the server will attempt to do
-all the work required to answer the query. If recursion is off
-and the server does not already know the answer, it will return a
-referral response. The default is <userinput>yes</userinput>.
-Note that setting <command>recursion no</command> does not prevent
-clients from getting data from the server's cache; it only
-prevents new data from being cached as an effect of client queries.
-Caching may still occur as an effect the server's internal
-operation, such as NOTIFY address lookups.
-See also <command>fetch-glue</command> above.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>rfc2308-type1</command></term>
-<listitem><para>Setting this to <userinput>yes</userinput> will
-cause the server to send NS records along with the SOA record for negative
-answers. The default is <userinput>no</userinput>.</para>
-<note><simpara>Not yet implemented in <acronym>BIND</acronym> 9.</simpara></note>
-</listitem></varlistentry>
-
-<varlistentry><term><command>use-id-pool</command></term>
-<listitem><para><emphasis>This option is obsolete</emphasis>.
-<acronym>BIND</acronym> 9 always allocates query IDs from a pool.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>zone-statistics</command></term>
-<listitem><para>If <userinput>yes</userinput>, the server will collect
-statistical data on all zones (unless specifically turned off
-on a per-zone basis by specifying <command>zone-statistics no</command>
-in the <command>zone</command> statement). These statistics may be accessed
-using <command>rndc stats</command>, which will dump them to the file listed
-in the <command>statistics-file</command>. See also <xref linkend="statsfile"/>.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>use-ixfr</command></term>
-<listitem><para><emphasis>This option is obsolete</emphasis>.
-If you need to disable IXFR to a particular server or servers see
-the information on the <command>provide-ixfr</command> option
-in <xref linkend="server_statement_definition_and_usage"/>. See also
-<xref linkend="incremental_zone_transfers"/>.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>provide-ixfr</command></term>
-<listitem>
-<para>
-See the description of
-<command>provide-ixfr</command> in
-<xref linkend="server_statement_definition_and_usage"/>.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>request-ixfr</command></term>
-<listitem>
-<para>
-See the description of
-<command>request-ixfr</command> in
-<xref linkend="server_statement_definition_and_usage"/>.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>treat-cr-as-space</command></term>
-<listitem><para>This option was used in <acronym>BIND</acronym> 8 to make
-the server treat carriage return ("<command>\r</command>") characters the same way
-as a space or tab character,
-to facilitate loading of zone files on a UNIX system that were generated
-on an NT or DOS machine. In <acronym>BIND</acronym> 9, both UNIX "<command>\n</command>"
-and NT/DOS "<command>\r\n</command>" newlines are always accepted,
-and the option is ignored.</para></listitem></varlistentry>
-
-<varlistentry>
-<term><command>additional-from-auth</command></term>
-<term><command>additional-from-cache</command></term>
-<listitem>
-
-<para>
-These options control the behavior of an authoritative server when
-answering queries which have additional data, or when following CNAME
-and DNAME chains.
-</para>
-
-<para>
-When both of these options are set to <userinput>yes</userinput>
-(the default) and a
-query is being answered from authoritative data (a zone
-configured into the server), the additional data section of the
-reply will be filled in using data from other authoritative zones
-and from the cache. In some situations this is undesirable, such
-as when there is concern over the correctness of the cache, or
-in servers where slave zones may be added and modified by
-untrusted third parties. Also, avoiding
-the search for this additional data will speed up server operations
-at the possible expense of additional queries to resolve what would
-otherwise be provided in the additional section.
-</para>
-
-<para>
-For example, if a query asks for an MX record for host <literal>foo.example.com</literal>,
-and the record found is "<literal>MX 10 mail.example.net</literal>", normally the address
-records (A and AAAA) for <literal>mail.example.net</literal> will be provided as well,
-if known, even though they are not in the example.com zone.
-Setting these options to <command>no</command> disables this behavior and makes
-the server only search for additional data in the zone it answers from.
-</para>
-
-<para>
-These options are intended for use in authoritative-only
-servers, or in authoritative-only views. Attempts to set
-them to <command>no</command> without also specifying
-<command>recursion no</command> will cause the server to
-ignore the options and log a warning message.
-</para>
-
-<para>
-Specifying <command>additional-from-cache no</command> actually
-disables the use of the cache not only for additional data lookups
-but also when looking up the answer. This is usually the desired
-behavior in an authoritative-only server where the correctness of
-the cached data is an issue.
-</para>
-
-<para>
-When a name server is non-recursively queried for a name that is not
-below the apex of any served zone, it normally answers with an
-"upwards referral" to the root servers or the servers of some other
-known parent of the query name. Since the data in an upwards referral
-comes from the cache, the server will not be able to provide upwards
-referrals when <command>additional-from-cache no</command>
-has been specified. Instead, it will respond to such queries
-with REFUSED. This should not cause any problems since
-upwards referrals are not required for the resolution process.
-</para>
-
-</listitem></varlistentry>
-
-<varlistentry><term><command>match-mapped-addresses</command></term>
-<listitem><para>If <userinput>yes</userinput>, then an
-IPv4-mapped IPv6 address will match any address match
-list entries that match the corresponding IPv4 address.
-Enabling this option is sometimes useful on IPv6-enabled Linux
-systems, to work around a kernel quirk that causes IPv4
-TCP connections such as zone transfers to be accepted
-on an IPv6 socket using mapped addresses, causing
-address match lists designed for IPv4 to fail to match.
-The use of this option for any other purpose is discouraged.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>ixfr-from-differences</command></term>
-<listitem>
-<para>
-When <userinput>yes</userinput> and the server loads a new version of a master
-zone from its zone file or receives a new version of a slave
-file by a non-incremental zone transfer, it will compare
-the new version to the previous one and calculate a set
-of differences. The differences are then logged in the
-zone's journal file such that the changes can be transmitted
-to downstream slaves as an incremental zone transfer.
-</para><para>
-By allowing incremental zone transfers to be used for
-non-dynamic zones, this option saves bandwidth at the
-expense of increased CPU and memory consumption at the master.
-In particular, if the new version of a zone is completely
-different from the previous one, the set of differences
-will be of a size comparable to the combined size of the
-old and new zone version, and the server will need to
-temporarily allocate memory to hold this complete
-difference set.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>multi-master</command></term>
-<listitem>
-<para>
-This should be set when you have multiple masters for a zone and the
-addresses refer to different machines. If <userinput>yes</userinput>, named will not log
-when the serial number on the master is less than what named currently
-has. The default is <userinput>no</userinput>.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>dnssec-enable</command></term>
-<listitem>
-<para>
-Enable DNSSEC support in named. Unless set to <userinput>yes</userinput>,
-named behaves as if it does not support DNSSEC.
-The default is <userinput>no</userinput>.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>querylog</command></term>
-<listitem>
-<para>
-Specify whether query logging should be started when named starts.
-If <command>querylog</command> is not specified, then the query logging
-is determined by the presence of the logging category <command>queries</command>.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>check-names</command></term>
-<listitem>
-<para>
-This option is used to restrict the character set and syntax of
-certain domain names in master files and/or DNS responses received
-from the network. The default varies according to usage area. For
-<command>master</command> zones the default is <command>fail</command>.
-For <command>slave</command> zones the default is <command>warn</command>.
-For answers received from the network (<command>response</command>)
-the default is <command>ignore</command>.
-</para>
-<para>The rules for legal hostnames and mail domains are derived from RFC 952
-and RFC 821 as modified by RFC 1123.
-</para>
-<para><command>check-names</command> applies to the owner names of A, AAA and
-MX records. It also applies to the domain names in the RDATA of NS, SOA and MX
-records. It also applies to the RDATA of PTR records where the owner name
-indicated that it is a reverse lookup of a hostname (the owner name ends in
-IN-ADDR.ARPA, IP6.ARPA, IP6.INT).
-</para>
-</listitem></varlistentry>
-
-</variablelist>
-
-</sect3>
-
-<sect3><title>Forwarding</title>
-<para>The forwarding facility can be used to create a large site-wide
-cache on a few servers, reducing traffic over links to external
-name servers. It can also be used to allow queries by servers that
-do not have direct access to the Internet, but wish to look up exterior
-names anyway. Forwarding occurs only on those queries for which
-the server is not authoritative and does not have the answer in
-its cache.</para>
-
-<variablelist>
-<varlistentry><term><command>forward</command></term>
-<listitem><para>This option is only meaningful if the
-forwarders list is not empty. A value of <varname>first</varname>,
-the default, causes the server to query the forwarders first &mdash; and
-if that doesn't answer the question, the server will then look for
-the answer itself. If <varname>only</varname> is specified, the
-server will only query the forwarders.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>forwarders</command></term>
-<listitem><para>Specifies the IP addresses to be used
-for forwarding. The default is the empty list (no forwarding).
-</para></listitem></varlistentry>
-
-</variablelist>
-
-<para>Forwarding can also be configured on a per-domain basis, allowing
-for the global forwarding options to be overridden in a variety
-of ways. You can set particular domains to use different forwarders,
-or have a different <command>forward only/first</command> behavior,
-or not forward at all, see <xref linkend="zone_statement_grammar"/>.</para>
-</sect3>
-
-<sect3><title>Dual-stack Servers</title>
-<para>Dual-stack servers are used as servers of last resort to work around
-problems in reachability due the lack of support for either IPv4 or IPv6
-on the host machine.</para>
-
-<variablelist>
-<varlistentry><term><command>dual-stack-servers</command></term>
-<listitem><para>Specifies host names or addresses of machines with access to
-both IPv4 and IPv6 transports. If a hostname is used, the server must be able
-to resolve the name using only the transport it has. If the machine is dual
-stacked, then the <command>dual-stack-servers</command> have no effect unless
-access to a transport has been disabled on the command line
-(e.g. <command>named -4</command>).</para></listitem>
-</varlistentry>
-</variablelist>
-</sect3>
-
-<sect3 id="access_control"><title>Access Control</title>
-
-<para>Access to the server can be restricted based on the IP address
-of the requesting system. See <xref linkend="address_match_lists"/> for
-details on how to specify IP address lists.</para>
-
-<variablelist>
-
-<varlistentry><term><command>allow-notify</command></term>
-<listitem><para>Specifies which hosts are allowed to
-notify this server, a slave, of zone changes in addition
-to the zone masters.
-<command>allow-notify</command> may also be specified in the
-<command>zone</command> statement, in which case it overrides the
-<command>options allow-notify</command> statement. It is only meaningful
-for a slave zone. If not specified, the default is to process notify messages
-only from a zone's master.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>allow-query</command></term>
-<listitem><para>Specifies which hosts are allowed to
-ask ordinary DNS questions. <command>allow-query</command> may also
-be specified in the <command>zone</command> statement, in which
-case it overrides the <command>options allow-query</command> statement. If
-not specified, the default is to allow queries from all hosts.</para>
-</listitem></varlistentry>
-
-
-<varlistentry><term><command>allow-recursion</command></term>
-<listitem><para>Specifies which hosts are allowed to
-make recursive queries through this server. If not specified, the
-default is to allow recursive queries from all hosts.
-Note that disallowing recursive queries for a host does not prevent the
-host from retrieving data that is already in the server's cache.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>allow-update-forwarding</command></term>
-<listitem><para>Specifies which hosts are allowed to
-submit Dynamic DNS updates to slave zones to be forwarded to the
-master. The default is <userinput>{ none; }</userinput>, which
-means that no update forwarding will be performed. To enable
-update forwarding, specify
-<userinput>allow-update-forwarding { any; };</userinput>.
-Specifying values other than <userinput>{ none; }</userinput> or
-<userinput>{ any; }</userinput> is usually counterproductive, since
-the responsibility for update access control should rest with the
-master server, not the slaves.</para>
-<para>Note that enabling the update forwarding feature on a slave server
-may expose master servers relying on insecure IP address based
-access control to attacks; see <xref linkend="dynamic_update_security"/>
-for more details.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>allow-v6-synthesis</command></term>
-<listitem><para>This option was introduced for the smooth transition from AAAA
-to A6 and from "nibble labels" to binary labels.
-However, since both A6 and binary labels were then deprecated,
-this option was also deprecated.
-It is now ignored with some warning messages.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>allow-transfer</command></term>
-<listitem><para>Specifies which hosts are allowed to
-receive zone transfers from the server. <command>allow-transfer</command> may
-also be specified in the <command>zone</command> statement, in which
-case it overrides the <command>options allow-transfer</command> statement.
-If not specified, the default is to allow transfers to all hosts.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>blackhole</command></term>
-<listitem><para>Specifies a list of addresses that the
-server will not accept queries from or use to resolve a query. Queries
-from these addresses will not be responded to. The default is <userinput>none</userinput>.</para>
-</listitem></varlistentry>
-
-</variablelist>
-
-</sect3>
-
-<sect3><title>Interfaces</title>
-<para>The interfaces and ports that the server will answer queries
-from may be specified using the <command>listen-on</command> option. <command>listen-on</command> takes
-an optional port, and an <varname>address_match_list</varname>.
-The server will listen on all interfaces allowed by the address
-match list. If a port is not specified, port 53 will be used.</para>
-<para>Multiple <command>listen-on</command> statements are allowed.
-For example,</para>
+
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>disable-algorithms</command></term>
+ <listitem>
+ <para>
+ Disable the specified DNSSEC algorithms at and below the
+ specified name.
+ Multiple <command>disable-algorithms</command>
+ statements are allowed.
+ Only the most specific will be applied.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>dnssec-lookaside</command></term>
+ <listitem>
+ <para>
+ When set, <command>dnssec-lookaside</command>
+ provides the
+ validator with an alternate method to validate DNSKEY records
+ at the
+ top of a zone. When a DNSKEY is at or below a domain
+ specified by the
+ deepest <command>dnssec-lookaside</command>, and
+ the normal dnssec validation
+ has left the key untrusted, the trust-anchor will be append to
+ the key
+ name and a DLV record will be looked up to see if it can
+ validate the
+ key. If the DLV record validates a DNSKEY (similarly to the
+ way a DS
+ record does) the DNSKEY RRset is deemed to be trusted.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>dnssec-must-be-secure</command></term>
+ <listitem>
+ <para>
+ Specify hierarchies which must be or may not be secure (signed and
+ validated).
+ If <userinput>yes</userinput>, then named will only accept
+ answers if they
+ are secure.
+ If <userinput>no</userinput>, then normal dnssec validation
+ applies
+ allowing for insecure answers to be accepted.
+ The specified domain must be under a <command>trusted-key</command> or
+ <command>dnssec-lookaside</command> must be
+ active.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+
+ <sect3 id="boolean_options">
+ <title>Boolean Options</title>
+
+ <variablelist>
+
+ <varlistentry>
+ <term><command>auth-nxdomain</command></term>
+ <listitem>
+ <para>
+ If <userinput>yes</userinput>, then the <command>AA</command> bit
+ is always set on NXDOMAIN responses, even if the server is
+ not actually
+ authoritative. The default is <userinput>no</userinput>;
+ this is
+ a change from <acronym>BIND</acronym> 8. If you
+ are using very old DNS software, you
+ may need to set it to <userinput>yes</userinput>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>deallocate-on-exit</command></term>
+ <listitem>
+ <para>
+ This option was used in <acronym>BIND</acronym>
+ 8 to enable checking
+ for memory leaks on exit. <acronym>BIND</acronym> 9 ignores the option and always performs
+ the checks.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>dialup</command></term>
+ <listitem>
+ <para>
+ If <userinput>yes</userinput>, then the
+ server treats all zones as if they are doing zone transfers
+ across
+ a dial-on-demand dialup link, which can be brought up by
+ traffic
+ originating from this server. This has different effects
+ according
+ to zone type and concentrates the zone maintenance so that
+ it all
+ happens in a short interval, once every <command>heartbeat-interval</command> and
+ hopefully during the one call. It also suppresses some of
+ the normal
+ zone maintenance traffic. The default is <userinput>no</userinput>.
+ </para>
+ <para>
+ The <command>dialup</command> option
+ may also be specified in the <command>view</command> and
+ <command>zone</command> statements,
+ in which case it overrides the global <command>dialup</command>
+ option.
+ </para>
+ <para>
+ If the zone is a master zone, then the server will send out a
+ NOTIFY
+ request to all the slaves (default). This should trigger the
+ zone serial
+ number check in the slave (providing it supports NOTIFY)
+ allowing the slave
+ to verify the zone while the connection is active.
+ The set of servers to which NOTIFY is sent can be controlled
+ by
+ <command>notify</command> and <command>also-notify</command>.
+ </para>
+ <para>
+ If the
+ zone is a slave or stub zone, then the server will suppress
+ the regular
+ "zone up to date" (refresh) queries and only perform them
+ when the
+ <command>heartbeat-interval</command> expires in
+ addition to sending
+ NOTIFY requests.
+ </para>
+ <para>
+ Finer control can be achieved by using
+ <userinput>notify</userinput> which only sends NOTIFY
+ messages,
+ <userinput>notify-passive</userinput> which sends NOTIFY
+ messages and
+ suppresses the normal refresh queries, <userinput>refresh</userinput>
+ which suppresses normal refresh processing and sends refresh
+ queries
+ when the <command>heartbeat-interval</command>
+ expires, and
+ <userinput>passive</userinput> which just disables normal
+ refresh
+ processing.
+ </para>
+
+ <informaltable colsep="0" rowsep="0">
+ <tgroup cols="4" colsep="0" rowsep="0" tgroupstyle="4Level-table">
+ <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
+ <colspec colname="2" colnum="2" colsep="0" colwidth="1.150in"/>
+ <colspec colname="3" colnum="3" colsep="0" colwidth="1.150in"/>
+ <colspec colname="4" colnum="4" colsep="0" colwidth="1.150in"/>
+ <tbody>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ dialup mode
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ normal refresh
+ </para>
+ </entry>
+ <entry colname="3">
+ <para>
+ heart-beat refresh
+ </para>
+ </entry>
+ <entry colname="4">
+ <para>
+ heart-beat notify
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>no</command> (default)</para>
+ </entry>
+ <entry colname="2">
+ <para>
+ yes
+ </para>
+ </entry>
+ <entry colname="3">
+ <para>
+ no
+ </para>
+ </entry>
+ <entry colname="4">
+ <para>
+ no
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>yes</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ no
+ </para>
+ </entry>
+ <entry colname="3">
+ <para>
+ yes
+ </para>
+ </entry>
+ <entry colname="4">
+ <para>
+ yes
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>notify</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ yes
+ </para>
+ </entry>
+ <entry colname="3">
+ <para>
+ no
+ </para>
+ </entry>
+ <entry colname="4">
+ <para>
+ yes
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>refresh</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ no
+ </para>
+ </entry>
+ <entry colname="3">
+ <para>
+ yes
+ </para>
+ </entry>
+ <entry colname="4">
+ <para>
+ no
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>passive</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ no
+ </para>
+ </entry>
+ <entry colname="3">
+ <para>
+ no
+ </para>
+ </entry>
+ <entry colname="4">
+ <para>
+ no
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>notify-passive</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ no
+ </para>
+ </entry>
+ <entry colname="3">
+ <para>
+ no
+ </para>
+ </entry>
+ <entry colname="4">
+ <para>
+ yes
+ </para>
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>
+ Note that normal NOTIFY processing is not affected by
+ <command>dialup</command>.
+ </para>
+
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>fake-iquery</command></term>
+ <listitem>
+ <para>
+ In <acronym>BIND</acronym> 8, this option
+ enabled simulating the obsolete DNS query type
+ IQUERY. <acronym>BIND</acronym> 9 never does
+ IQUERY simulation.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>fetch-glue</command></term>
+ <listitem>
+ <para>
+ This option is obsolete.
+ In BIND 8, <userinput>fetch-glue yes</userinput>
+ caused the server to attempt to fetch glue resource records
+ it
+ didn't have when constructing the additional
+ data section of a response. This is now considered a bad
+ idea
+ and BIND 9 never does it.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>flush-zones-on-shutdown</command></term>
+ <listitem>
+ <para>
+ When the nameserver exits due receiving SIGTERM,
+ flush or do not flush any pending zone writes. The default
+ is
+ <command>flush-zones-on-shutdown</command> <userinput>no</userinput>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>has-old-clients</command></term>
+ <listitem>
+ <para>
+ This option was incorrectly implemented
+ in <acronym>BIND</acronym> 8, and is ignored by <acronym>BIND</acronym> 9.
+ To achieve the intended effect
+ of
+ <command>has-old-clients</command> <userinput>yes</userinput>, specify
+ the two separate options <command>auth-nxdomain</command> <userinput>yes</userinput>
+ and <command>rfc2308-type1</command> <userinput>no</userinput> instead.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>host-statistics</command></term>
+ <listitem>
+ <para>
+ In BIND 8, this enables keeping of
+ statistics for every host that the name server interacts
+ with.
+ Not implemented in BIND 9.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>maintain-ixfr-base</command></term>
+ <listitem>
+ <para>
+ <emphasis>This option is obsolete</emphasis>.
+ It was used in <acronym>BIND</acronym> 8 to
+ determine whether a transaction log was
+ kept for Incremental Zone Transfer. <acronym>BIND</acronym> 9 maintains a transaction
+ log whenever possible. If you need to disable outgoing
+ incremental zone
+ transfers, use <command>provide-ixfr</command> <userinput>no</userinput>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>minimal-responses</command></term>
+ <listitem>
+ <para>
+ If <userinput>yes</userinput>, then when generating
+ responses the server will only add records to the authority
+ and additional data sections when they are required (e.g.
+ delegations, negative responses). This may improve the
+ performance of the server.
+ The default is <userinput>no</userinput>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>multiple-cnames</command></term>
+ <listitem>
+ <para>
+ This option was used in <acronym>BIND</acronym> 8 to allow
+ a domain name to have multiple CNAME records in violation of
+ the DNS standards. <acronym>BIND</acronym> 9.2 onwards
+ always strictly enforces the CNAME rules both in master
+ files and dynamic updates.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>notify</command></term>
+ <listitem>
+ <para>
+ If <userinput>yes</userinput> (the default),
+ DNS NOTIFY messages are sent when a zone the server is
+ authoritative for
+ changes, see <xref linkend="notify"/>. The messages are
+ sent to the
+ servers listed in the zone's NS records (except the master
+ server identified
+ in the SOA MNAME field), and to any servers listed in the
+ <command>also-notify</command> option.
+ </para>
+ <para>
+ If <userinput>master-only</userinput>, notifies are only
+ sent
+ for master zones.
+ If <userinput>explicit</userinput>, notifies are sent only
+ to
+ servers explicitly listed using <command>also-notify</command>.
+ If <userinput>no</userinput>, no notifies are sent.
+ </para>
+ <para>
+ The <command>notify</command> option may also be
+ specified in the <command>zone</command>
+ statement,
+ in which case it overrides the <command>options notify</command> statement.
+ It would only be necessary to turn off this option if it
+ caused slaves
+ to crash.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>recursion</command></term>
+ <listitem>
+ <para>
+ If <userinput>yes</userinput>, and a
+ DNS query requests recursion, then the server will attempt
+ to do
+ all the work required to answer the query. If recursion is
+ off
+ and the server does not already know the answer, it will
+ return a
+ referral response. The default is
+ <userinput>yes</userinput>.
+ Note that setting <command>recursion no</command> does not prevent
+ clients from getting data from the server's cache; it only
+ prevents new data from being cached as an effect of client
+ queries.
+ Caching may still occur as an effect the server's internal
+ operation, such as NOTIFY address lookups.
+ See also <command>fetch-glue</command> above.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>rfc2308-type1</command></term>
+ <listitem>
+ <para>
+ Setting this to <userinput>yes</userinput> will
+ cause the server to send NS records along with the SOA
+ record for negative
+ answers. The default is <userinput>no</userinput>.
+ </para>
+ <note>
+ <simpara>
+ Not yet implemented in <acronym>BIND</acronym>
+ 9.
+ </simpara>
+ </note>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>use-id-pool</command></term>
+ <listitem>
+ <para>
+ <emphasis>This option is obsolete</emphasis>.
+ <acronym>BIND</acronym> 9 always allocates query
+ IDs from a pool.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>zone-statistics</command></term>
+ <listitem>
+ <para>
+ If <userinput>yes</userinput>, the server will collect
+ statistical data on all zones (unless specifically turned
+ off
+ on a per-zone basis by specifying <command>zone-statistics no</command>
+ in the <command>zone</command> statement).
+ These statistics may be accessed
+ using <command>rndc stats</command>, which will
+ dump them to the file listed
+ in the <command>statistics-file</command>. See
+ also <xref linkend="statsfile"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>use-ixfr</command></term>
+ <listitem>
+ <para>
+ <emphasis>This option is obsolete</emphasis>.
+ If you need to disable IXFR to a particular server or
+ servers see
+ the information on the <command>provide-ixfr</command> option
+ in <xref linkend="server_statement_definition_and_usage"/>.
+ See also
+ <xref linkend="incremental_zone_transfers"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>provide-ixfr</command></term>
+ <listitem>
+ <para>
+ See the description of
+ <command>provide-ixfr</command> in
+ <xref linkend="server_statement_definition_and_usage"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>request-ixfr</command></term>
+ <listitem>
+ <para>
+ See the description of
+ <command>request-ixfr</command> in
+ <xref linkend="server_statement_definition_and_usage"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>treat-cr-as-space</command></term>
+ <listitem>
+ <para>
+ This option was used in <acronym>BIND</acronym>
+ 8 to make
+ the server treat carriage return ("<command>\r</command>") characters the same way
+ as a space or tab character,
+ to facilitate loading of zone files on a UNIX system that
+ were generated
+ on an NT or DOS machine. In <acronym>BIND</acronym> 9, both UNIX "<command>\n</command>"
+ and NT/DOS "<command>\r\n</command>" newlines
+ are always accepted,
+ and the option is ignored.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>additional-from-auth</command></term>
+ <term><command>additional-from-cache</command></term>
+ <listitem>
+
+ <para>
+ These options control the behavior of an authoritative
+ server when
+ answering queries which have additional data, or when
+ following CNAME
+ and DNAME chains.
+ </para>
+
+ <para>
+ When both of these options are set to <userinput>yes</userinput>
+ (the default) and a
+ query is being answered from authoritative data (a zone
+ configured into the server), the additional data section of
+ the
+ reply will be filled in using data from other authoritative
+ zones
+ and from the cache. In some situations this is undesirable,
+ such
+ as when there is concern over the correctness of the cache,
+ or
+ in servers where slave zones may be added and modified by
+ untrusted third parties. Also, avoiding
+ the search for this additional data will speed up server
+ operations
+ at the possible expense of additional queries to resolve
+ what would
+ otherwise be provided in the additional section.
+ </para>
+
+ <para>
+ For example, if a query asks for an MX record for host <literal>foo.example.com</literal>,
+ and the record found is "<literal>MX 10 mail.example.net</literal>", normally the address
+ records (A and AAAA) for <literal>mail.example.net</literal> will be provided as well,
+ if known, even though they are not in the example.com zone.
+ Setting these options to <command>no</command>
+ disables this behavior and makes
+ the server only search for additional data in the zone it
+ answers from.
+ </para>
+
+ <para>
+ These options are intended for use in authoritative-only
+ servers, or in authoritative-only views. Attempts to set
+ them to <command>no</command> without also
+ specifying
+ <command>recursion no</command> will cause the
+ server to
+ ignore the options and log a warning message.
+ </para>
+
+ <para>
+ Specifying <command>additional-from-cache no</command> actually
+ disables the use of the cache not only for additional data
+ lookups
+ but also when looking up the answer. This is usually the
+ desired
+ behavior in an authoritative-only server where the
+ correctness of
+ the cached data is an issue.
+ </para>
+
+ <para>
+ When a name server is non-recursively queried for a name
+ that is not
+ below the apex of any served zone, it normally answers with
+ an
+ "upwards referral" to the root servers or the servers of
+ some other
+ known parent of the query name. Since the data in an
+ upwards referral
+ comes from the cache, the server will not be able to provide
+ upwards
+ referrals when <command>additional-from-cache no</command>
+ has been specified. Instead, it will respond to such
+ queries
+ with REFUSED. This should not cause any problems since
+ upwards referrals are not required for the resolution
+ process.
+ </para>
+
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>match-mapped-addresses</command></term>
+ <listitem>
+ <para>
+ If <userinput>yes</userinput>, then an
+ IPv4-mapped IPv6 address will match any address match
+ list entries that match the corresponding IPv4 address.
+ Enabling this option is sometimes useful on IPv6-enabled
+ Linux
+ systems, to work around a kernel quirk that causes IPv4
+ TCP connections such as zone transfers to be accepted
+ on an IPv6 socket using mapped addresses, causing
+ address match lists designed for IPv4 to fail to match.
+ The use of this option for any other purpose is discouraged.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>ixfr-from-differences</command></term>
+ <listitem>
+ <para>
+ When <userinput>yes</userinput> and the server loads a new version of a master
+ zone from its zone file or receives a new version of a slave
+ file by a non-incremental zone transfer, it will compare
+ the new version to the previous one and calculate a set
+ of differences. The differences are then logged in the
+ zone's journal file such that the changes can be transmitted
+ to downstream slaves as an incremental zone transfer.
+ </para>
+ <para>
+ By allowing incremental zone transfers to be used for
+ non-dynamic zones, this option saves bandwidth at the
+ expense of increased CPU and memory consumption at the
+ master.
+ In particular, if the new version of a zone is completely
+ different from the previous one, the set of differences
+ will be of a size comparable to the combined size of the
+ old and new zone version, and the server will need to
+ temporarily allocate memory to hold this complete
+ difference set.
+ </para>
+ <para><command>ixfr-from-differences</command>
+ also accepts <command>master</command> and
+ <command>slave</command> at the view and options
+ levels which causes
+ <command>ixfr-from-differences</command> to apply to
+ all <command>master</command> or
+ <command>slave</command> zones respectively.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>multi-master</command></term>
+ <listitem>
+ <para>
+ This should be set when you have multiple masters for a zone
+ and the
+ addresses refer to different machines. If <userinput>yes</userinput>, named will
+ not log
+ when the serial number on the master is less than what named
+ currently
+ has. The default is <userinput>no</userinput>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>dnssec-enable</command></term>
+ <listitem>
+ <para>
+ Enable DNSSEC support in named. Unless set to <userinput>yes</userinput>,
+ named behaves as if it does not support DNSSEC.
+ The default is <userinput>yes</userinput>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>dnssec-validation</command></term>
+ <listitem>
+ <para>
+ Enable DNSSEC validation in named.
+ Note <command>dnssec-enable</command> also needs to be
+ set to <userinput>yes</userinput> to be effective.
+ The default is <userinput>no</userinput>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>dnssec-accept-expired</command></term>
+ <listitem>
+ <para>
+ Accept expired signatures when verifying DNSSEC signatures.
+ The default is <userinput>no</userinput>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>querylog</command></term>
+ <listitem>
+ <para>
+ Specify whether query logging should be started when named
+ starts.
+ If <command>querylog</command> is not specified,
+ then the query logging
+ is determined by the presence of the logging category <command>queries</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>check-names</command></term>
+ <listitem>
+ <para>
+ This option is used to restrict the character set and syntax
+ of
+ certain domain names in master files and/or DNS responses
+ received
+ from the network. The default varies according to usage
+ area. For
+ <command>master</command> zones the default is <command>fail</command>.
+ For <command>slave</command> zones the default
+ is <command>warn</command>.
+ For answers received from the network (<command>response</command>)
+ the default is <command>ignore</command>.
+ </para>
+ <para>
+ The rules for legal hostnames and mail domains are derived
+ from RFC 952 and RFC 821 as modified by RFC 1123.
+ </para>
+ <para><command>check-names</command>
+ applies to the owner names of A, AAA and MX records.
+ It also applies to the domain names in the RDATA of NS, SOA
+ and MX records.
+ It also applies to the RDATA of PTR records where the owner
+ name indicated that it is a reverse lookup of a hostname
+ (the owner name ends in IN-ADDR.ARPA, IP6.ARPA or IP6.INT).
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>check-mx</command></term>
+ <listitem>
+ <para>
+ Check whether the MX record appears to refer to a IP address.
+ The default is to <command>warn</command>. Other possible
+ values are <command>fail</command> and
+ <command>ignore</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>check-wildcard</command></term>
+ <listitem>
+ <para>
+ This option is used to check for non-terminal wildcards.
+ The use of non-terminal wildcards is almost always as a
+ result of a failure
+ to understand the wildcard matching algorithm (RFC 1034).
+ This option
+ affects master zones. The default (<command>yes</command>) is to check
+ for non-terminal wildcards and issue a warning.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>check-integrity</command></term>
+ <listitem>
+ <para>
+ Perform post load zone integrity checks on master
+ zones. This checks that MX and SRV records refer
+ to address (A or AAAA) records and that glue
+ address records exist for delegated zones. For
+ MX and SRV records only in-zone hostnames are
+ checked (for out-of-zone hostnames use named-checkzone).
+ For NS records only names below top of zone are
+ checked (for out-of-zone names and glue consistancy
+ checks use named-checkzone). The default is
+ <command>yes</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>check-mx-cname</command></term>
+ <listitem>
+ <para>
+ If <command>check-integrity</command> is set then
+ fail, warn or ignore MX records that refer
+ to CNAMES. The default is to <command>warn</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>check-srv-cname</command></term>
+ <listitem>
+ <para>
+ If <command>check-integrity</command> is set then
+ fail, warn or ignore SRV records that refer
+ to CNAMES. The default is to <command>warn</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>check-sibling</command></term>
+ <listitem>
+ <para>
+ When performing integrity checks, also check that
+ sibling glue exists. The default is <command>yes</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>zero-no-soa-ttl</command></term>
+ <listitem>
+ <para>
+ When returning authoritative negative responses to
+ SOA queries set the TTL of the SOA recored returned in
+ the authority section to zero.
+ The default is <command>yes</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>zero-no-soa-ttl-cache</command></term>
+ <listitem>
+ <para>
+ When caching a negative response to a SOA query
+ set the TTL to zero.
+ The default is <command>no</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>update-check-ksk</command></term>
+ <listitem>
+ <para>
+ When regenerating the RRSIGs following a UPDATE
+ request to a secure zone, check the KSK flag on
+ the DNSKEY RR to determine if this key should be
+ used to generate the RRSIG. This flag is ignored
+ if there are not DNSKEY RRs both with and without
+ a KSK.
+ The default is <command>yes</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+
+ </sect3>
+
+ <sect3>
+ <title>Forwarding</title>
+ <para>
+ The forwarding facility can be used to create a large site-wide
+ cache on a few servers, reducing traffic over links to external
+ name servers. It can also be used to allow queries by servers that
+ do not have direct access to the Internet, but wish to look up
+ exterior
+ names anyway. Forwarding occurs only on those queries for which
+ the server is not authoritative and does not have the answer in
+ its cache.
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term><command>forward</command></term>
+ <listitem>
+ <para>
+ This option is only meaningful if the
+ forwarders list is not empty. A value of <varname>first</varname>,
+ the default, causes the server to query the forwarders
+ first &mdash; and
+ if that doesn't answer the question, the server will then
+ look for
+ the answer itself. If <varname>only</varname> is
+ specified, the
+ server will only query the forwarders.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>forwarders</command></term>
+ <listitem>
+ <para>
+ Specifies the IP addresses to be used
+ for forwarding. The default is the empty list (no
+ forwarding).
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+
+ <para>
+ Forwarding can also be configured on a per-domain basis, allowing
+ for the global forwarding options to be overridden in a variety
+ of ways. You can set particular domains to use different
+ forwarders,
+ or have a different <command>forward only/first</command> behavior,
+ or not forward at all, see <xref linkend="zone_statement_grammar"/>.
+ </para>
+ </sect3>
+
+ <sect3>
+ <title>Dual-stack Servers</title>
+ <para>
+ Dual-stack servers are used as servers of last resort to work
+ around
+ problems in reachability due the lack of support for either IPv4
+ or IPv6
+ on the host machine.
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term><command>dual-stack-servers</command></term>
+ <listitem>
+ <para>
+ Specifies host names or addresses of machines with access to
+ both IPv4 and IPv6 transports. If a hostname is used, the
+ server must be able
+ to resolve the name using only the transport it has. If the
+ machine is dual
+ stacked, then the <command>dual-stack-servers</command> have no effect unless
+ access to a transport has been disabled on the command line
+ (e.g. <command>named -4</command>).
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </sect3>
+
+ <sect3 id="access_control">
+ <title>Access Control</title>
+
+ <para>
+ Access to the server can be restricted based on the IP address
+ of the requesting system. See <xref linkend="address_match_lists"/> for
+ details on how to specify IP address lists.
+ </para>
+
+ <variablelist>
+
+ <varlistentry>
+ <term><command>allow-notify</command></term>
+ <listitem>
+ <para>
+ Specifies which hosts are allowed to
+ notify this server, a slave, of zone changes in addition
+ to the zone masters.
+ <command>allow-notify</command> may also be
+ specified in the
+ <command>zone</command> statement, in which case
+ it overrides the
+ <command>options allow-notify</command>
+ statement. It is only meaningful
+ for a slave zone. If not specified, the default is to
+ process notify messages
+ only from a zone's master.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>allow-query</command></term>
+ <listitem>
+ <para>
+ Specifies which hosts are allowed to ask ordinary
+ DNS questions. <command>allow-query</command> may
+ also be specified in the <command>zone</command>
+ statement, in which case it overrides the
+ <command>options allow-query</command> statement.
+ If not specified, the default is to allow queries
+ from all hosts.
+ </para>
+ <note>
+ <para>
+ <command>allow-query-cache</command> is now
+ used to specify access to the cache.
+ </para>
+ </note>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>allow-query-cache</command></term>
+ <listitem>
+ <para>
+ Specifies which hosts are allowed to get answers
+ from the cache. The default is the builtin acls
+ <command>localnets</command> and
+ <command>localhost</command>.
+ </para>
+ <para>
+ The way to set query access to the cache is now
+ via <command>allow-query-cache</command>.
+ This differs from earlier versions which used
+ <command>allow-query</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>allow-recursion</command></term>
+ <listitem>
+ <para>
+ Specifies which hosts are allowed to make recursive
+ queries through this server. If not specified,
+ the default is to allow recursive queries from
+ the builtin acls <command>localnets</command> and
+ <command>localhost</command>.
+ Note that disallowing recursive queries for a
+ host does not prevent the host from retrieving
+ data that is already in the server's cache.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>allow-update</command></term>
+ <listitem>
+ <para>
+ Specifies which hosts are allowed to
+ submit Dynamic DNS updates for master zones. The default is
+ to deny
+ updates from all hosts. Note that allowing updates based
+ on the requestor's IP address is insecure; see
+ <xref linkend="dynamic_update_security"/> for details.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>allow-update-forwarding</command></term>
+ <listitem>
+ <para>
+ Specifies which hosts are allowed to
+ submit Dynamic DNS updates to slave zones to be forwarded to
+ the
+ master. The default is <userinput>{ none; }</userinput>,
+ which
+ means that no update forwarding will be performed. To
+ enable
+ update forwarding, specify
+ <userinput>allow-update-forwarding { any; };</userinput>.
+ Specifying values other than <userinput>{ none; }</userinput> or
+ <userinput>{ any; }</userinput> is usually
+ counterproductive, since
+ the responsibility for update access control should rest
+ with the
+ master server, not the slaves.
+ </para>
+ <para>
+ Note that enabling the update forwarding feature on a slave
+ server
+ may expose master servers relying on insecure IP address
+ based
+ access control to attacks; see <xref linkend="dynamic_update_security"/>
+ for more details.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>allow-v6-synthesis</command></term>
+ <listitem>
+ <para>
+ This option was introduced for the smooth transition from
+ AAAA
+ to A6 and from "nibble labels" to binary labels.
+ However, since both A6 and binary labels were then
+ deprecated,
+ this option was also deprecated.
+ It is now ignored with some warning messages.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>allow-transfer</command></term>
+ <listitem>
+ <para>
+ Specifies which hosts are allowed to
+ receive zone transfers from the server. <command>allow-transfer</command> may
+ also be specified in the <command>zone</command>
+ statement, in which
+ case it overrides the <command>options allow-transfer</command> statement.
+ If not specified, the default is to allow transfers to all
+ hosts.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>blackhole</command></term>
+ <listitem>
+ <para>
+ Specifies a list of addresses that the
+ server will not accept queries from or use to resolve a
+ query. Queries
+ from these addresses will not be responded to. The default
+ is <userinput>none</userinput>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+
+ </sect3>
+
+ <sect3>
+ <title>Interfaces</title>
+ <para>
+ The interfaces and ports that the server will answer queries
+ from may be specified using the <command>listen-on</command> option. <command>listen-on</command> takes
+ an optional port, and an <varname>address_match_list</varname>.
+ The server will listen on all interfaces allowed by the address
+ match list. If a port is not specified, port 53 will be used.
+ </para>
+ <para>
+ Multiple <command>listen-on</command> statements are
+ allowed.
+ For example,
+ </para>
<programlisting>listen-on { 5.6.7.8; };
listen-on port 1234 { !1.2.3.4; 1.2/16; };
</programlisting>
-<para>will enable the name server on port 53 for the IP address
-5.6.7.8, and on port 1234 of an address on the machine in net
-1.2 that is not 1.2.3.4.</para>
+ <para>
+ will enable the name server on port 53 for the IP address
+ 5.6.7.8, and on port 1234 of an address on the machine in net
+ 1.2 that is not 1.2.3.4.
+ </para>
-<para>If no <command>listen-on</command> is specified, the
-server will listen on port 53 on all interfaces.</para>
+ <para>
+ If no <command>listen-on</command> is specified, the
+ server will listen on port 53 on all interfaces.
+ </para>
-<para>The <command>listen-on-v6</command> option is used to
-specify the interfaces and the ports on which the server will listen
-for incoming queries sent using IPv6.</para>
+ <para>
+ The <command>listen-on-v6</command> option is used to
+ specify the interfaces and the ports on which the server will
+ listen
+ for incoming queries sent using IPv6.
+ </para>
-<para>When <programlisting>{ any; }</programlisting> is specified
-as the <varname>address_match_list</varname> for the
-<command>listen-on-v6</command> option,
-the server does not bind a separate socket to each IPv6 interface
-address as it does for IPv4 if the operating system has enough API
-support for IPv6 (specifically if it conforms to RFC 3493 and RFC 3542).
-Instead, it listens on the IPv6 wildcard address.
-If the system only has incomplete API support for IPv6, however,
-the behavior is the same as that for IPv4.</para>
+ <para>
+ When <programlisting>{ any; }</programlisting> is
+ specified
+ as the <varname>address_match_list</varname> for the
+ <command>listen-on-v6</command> option,
+ the server does not bind a separate socket to each IPv6 interface
+ address as it does for IPv4 if the operating system has enough API
+ support for IPv6 (specifically if it conforms to RFC 3493 and RFC
+ 3542).
+ Instead, it listens on the IPv6 wildcard address.
+ If the system only has incomplete API support for IPv6, however,
+ the behavior is the same as that for IPv4.
+ </para>
-<para>A list of particular IPv6 addresses can also be specified, in which case
-the server listens on a separate socket for each specified address,
-regardless of whether the desired API is supported by the system.</para>
+ <para>
+ A list of particular IPv6 addresses can also be specified, in
+ which case
+ the server listens on a separate socket for each specified
+ address,
+ regardless of whether the desired API is supported by the system.
+ </para>
-<para>Multiple <command>listen-on-v6</command> options can be used.
-For example,</para>
+ <para>
+ Multiple <command>listen-on-v6</command> options can
+ be used.
+ For example,
+ </para>
<programlisting>listen-on-v6 { any; };
listen-on-v6 port 1234 { !2001:db8::/32; any; };
</programlisting>
-<para>will enable the name server on port 53 for any IPv6 addresses
-(with a single wildcard socket),
-and on port 1234 of IPv6 addresses that is not in the prefix
-2001:db8::/32 (with separate sockets for each matched address.)</para>
+ <para>
+ will enable the name server on port 53 for any IPv6 addresses
+ (with a single wildcard socket),
+ and on port 1234 of IPv6 addresses that is not in the prefix
+ 2001:db8::/32 (with separate sockets for each matched address.)
+ </para>
+
+ <para>
+ To make the server not listen on any IPv6 address, use
+ </para>
-<para>To make the server not listen on any IPv6 address, use</para>
<programlisting>listen-on-v6 { none; };
</programlisting>
-<para>If no <command>listen-on-v6</command> option is specified,
-the server will not listen on any IPv6 address.</para></sect3>
-
-<sect3><title>Query Address</title>
-<para>If the server doesn't know the answer to a question, it will
-query other name servers. <command>query-source</command> specifies
-the address and port used for such queries. For queries sent over
-IPv6, there is a separate <command>query-source-v6</command> option.
-If <command>address</command> is <command>*</command> (asterisk) or is omitted,
-a wildcard IP address (<command>INADDR_ANY</command>) will be used.
-If <command>port</command> is <command>*</command> or is omitted,
-a random unprivileged port will be used. The <command>avoid-v4-udp-ports</command>
-and <command>avoid-v6-udp-ports</command> options can be used to prevent named
-from selecting certain ports. The defaults are:</para>
+
+ <para>
+ If no <command>listen-on-v6</command> option is
+ specified,
+ the server will not listen on any IPv6 address.
+ </para>
+ </sect3>
+
+ <sect3>
+ <title>Query Address</title>
+ <para>
+ If the server doesn't know the answer to a question, it will
+ query other name servers. <command>query-source</command> specifies
+ the address and port used for such queries. For queries sent over
+ IPv6, there is a separate <command>query-source-v6</command> option.
+ If <command>address</command> is <command>*</command> (asterisk) or is omitted,
+ a wildcard IP address (<command>INADDR_ANY</command>)
+ will be used.
+ If <command>port</command> is <command>*</command> or is omitted,
+ a random unprivileged port will be used. The <command>avoid-v4-udp-ports</command>
+ and <command>avoid-v6-udp-ports</command> options can be used
+ to prevent named
+ from selecting certain ports. The defaults are:
+ </para>
+
<programlisting>query-source address * port *;
query-source-v6 address * port *;
</programlisting>
-<note>
-<para>The address specified in the <command>query-source</command> option
-is used for both UDP and TCP queries, but the port applies only to
-UDP queries. TCP queries always use a random
-unprivileged port.</para></note>
-<note>
-<para>See also <command>transfer-source</command> and
-<command>notify-source</command>.</para></note>
- <note>
- <para>
- Solaris 2.5.1 and earlier does not support setting the source
- address for TCP sockets.
- </para>
- </note>
-</sect3>
-
-<sect3 id="zone_transfers"><title>Zone Transfers</title>
-<para><acronym>BIND</acronym> has mechanisms in place to facilitate zone transfers
-and set limits on the amount of load that transfers place on the
-system. The following options apply to zone transfers.</para>
-
-<variablelist>
-
-<varlistentry><term><command>also-notify</command></term>
-<listitem><para>Defines a global list of IP addresses of name servers
-that are also sent NOTIFY messages whenever a fresh copy of the
-zone is loaded, in addition to the servers listed in the zone's NS records.
-This helps to ensure that copies of the zones will
-quickly converge on stealth servers. If an <command>also-notify</command> list
-is given in a <command>zone</command> statement, it will override
-the <command>options also-notify</command> statement. When a <command>zone notify</command> statement
-is set to <command>no</command>, the IP addresses in the global <command>also-notify</command> list will
-not be sent NOTIFY messages for that zone. The default is the empty
-list (no global notification list).</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>max-transfer-time-in</command></term>
-<listitem><para>Inbound zone transfers running longer than
-this many minutes will be terminated. The default is 120 minutes
-(2 hours). The maximum value is 28 days (40320 minutes).</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>max-transfer-idle-in</command></term>
-<listitem><para>Inbound zone transfers making no progress
-in this many minutes will be terminated. The default is 60 minutes
-(1 hour). The maximum value is 28 days (40320 minutes).</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>max-transfer-time-out</command></term>
-<listitem><para>Outbound zone transfers running longer than
-this many minutes will be terminated. The default is 120 minutes
-(2 hours). The maximum value is 28 days (40320 minutes).</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>max-transfer-idle-out</command></term>
-<listitem><para>Outbound zone transfers making no progress
-in this many minutes will be terminated. The default is 60 minutes (1
-hour). The maximum value is 28 days (40320 minutes).</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>serial-query-rate</command></term>
-<listitem><para>Slave servers will periodically query master servers
-to find out if zone serial numbers have changed. Each such query uses
-a minute amount of the slave server's network bandwidth. To limit the
-amount of bandwidth used, BIND 9 limits the rate at which queries are
-sent. The value of the <command>serial-query-rate</command> option,
-an integer, is the maximum number of queries sent per second.
-The default is 20.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>serial-queries</command></term>
-<listitem><para>In BIND 8, the <command>serial-queries</command> option
-set the maximum number of concurrent serial number queries
-allowed to be outstanding at any given time.
-BIND 9 does not limit the number of outstanding
-serial queries and ignores the <command>serial-queries</command> option.
-Instead, it limits the rate at which the queries are sent
-as defined using the <command>serial-query-rate</command> option.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>transfer-format</command></term>
-<listitem>
-
-<para>
-Zone transfers can be sent using two different formats,
-<command>one-answer</command> and <command>many-answers</command>.
-The <command>transfer-format</command> option is used
-on the master server to determine which format it sends.
-<command>one-answer</command> uses one DNS message per
-resource record transferred.
-<command>many-answers</command> packs as many resource records as
-possible into a message. <command>many-answers</command> is more
-efficient, but is only supported by relatively new slave servers,
-such as <acronym>BIND</acronym> 9, <acronym>BIND</acronym> 8.x and patched
-versions of <acronym>BIND</acronym> 4.9.5. The <command>many-answers</command>
-format is also supported by recent Microsoft Windows nameservers. The default is
-<command>many-answers</command>. <command>transfer-format</command>
-may be overridden on a per-server basis by using the
-<command>server</command> statement.
-</para>
-
-</listitem></varlistentry>
-
-<varlistentry><term><command>transfers-in</command></term>
-<listitem><para>The maximum number of inbound zone transfers
-that can be running concurrently. The default value is <literal>10</literal>.
-Increasing <command>transfers-in</command> may speed up the convergence
-of slave zones, but it also may increase the load on the local system.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>transfers-out</command></term>
-<listitem><para>The maximum number of outbound zone transfers
-that can be running concurrently. Zone transfer requests in excess
-of the limit will be refused. The default value is <literal>10</literal>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>transfers-per-ns</command></term>
-<listitem><para>The maximum number of inbound zone transfers
-that can be concurrently transferring from a given remote name server.
-The default value is <literal>2</literal>. Increasing <command>transfers-per-ns</command> may
-speed up the convergence of slave zones, but it also may increase
-the load on the remote name server. <command>transfers-per-ns</command> may
-be overridden on a per-server basis by using the <command>transfers</command> phrase
-of the <command>server</command> statement.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>transfer-source</command></term>
-<listitem><para><command>transfer-source</command> determines
-which local address will be bound to IPv4 TCP connections used to
-fetch zones transferred inbound by the server. It also determines
-the source IPv4 address, and optionally the UDP port, used for the
-refresh queries and forwarded dynamic updates. If not set, it defaults
-to a system controlled value which will usually be the address of
-the interface "closest to" the remote end. This address must appear
-in the remote end's <command>allow-transfer</command> option for
-the zone being transferred, if one is specified. This statement
-sets the <command>transfer-source</command> for all zones, but can
-be overridden on a per-view or per-zone basis by including a
-<command>transfer-source</command> statement within the
-<command>view</command> or <command>zone</command> block
-in the configuration file.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>transfer-source-v6</command></term>
-<listitem><para>The same as <command>transfer-source</command>,
-except zone transfers are performed using IPv6.</para>
- </listitem></varlistentry>
- <varlistentry>
- <term><command>alt-transfer-source</command></term>
- <listitem>
- <para>
- An alternate transfer source if the one listed in
- <command>transfer-source</command> fails and
- <command>use-alt-transfer-source</command> is
- set.
- </para>
+ <note>
+ <para>
+ The address specified in the <command>query-source</command> option
+ is used for both UDP and TCP queries, but the port applies only
+ to
+ UDP queries. TCP queries always use a random
+ unprivileged port.
+ </para>
+ </note>
+ <note>
+ <para>
+ Solaris 2.5.1 and earlier does not support setting the source
+ address for TCP sockets.
+ </para>
+ </note>
+ <note>
+ <para>
+ See also <command>transfer-source</command> and
+ <command>notify-source</command>.
+ </para>
+ </note>
+ </sect3>
+
+ <sect3 id="zone_transfers">
+ <title>Zone Transfers</title>
+ <para>
+ <acronym>BIND</acronym> has mechanisms in place to
+ facilitate zone transfers
+ and set limits on the amount of load that transfers place on the
+ system. The following options apply to zone transfers.
+ </para>
+
+ <variablelist>
+
+ <varlistentry>
+ <term><command>also-notify</command></term>
+ <listitem>
+ <para>
+ Defines a global list of IP addresses of name servers
+ that are also sent NOTIFY messages whenever a fresh copy of
+ the
+ zone is loaded, in addition to the servers listed in the
+ zone's NS records.
+ This helps to ensure that copies of the zones will
+ quickly converge on stealth servers. If an <command>also-notify</command> list
+ is given in a <command>zone</command> statement,
+ it will override
+ the <command>options also-notify</command>
+ statement. When a <command>zone notify</command>
+ statement
+ is set to <command>no</command>, the IP
+ addresses in the global <command>also-notify</command> list will
+ not be sent NOTIFY messages for that zone. The default is
+ the empty
+ list (no global notification list).
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>max-transfer-time-in</command></term>
+ <listitem>
+ <para>
+ Inbound zone transfers running longer than
+ this many minutes will be terminated. The default is 120
+ minutes
+ (2 hours). The maximum value is 28 days (40320 minutes).
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>max-transfer-idle-in</command></term>
+ <listitem>
+ <para>
+ Inbound zone transfers making no progress
+ in this many minutes will be terminated. The default is 60
+ minutes
+ (1 hour). The maximum value is 28 days (40320 minutes).
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>max-transfer-time-out</command></term>
+ <listitem>
+ <para>
+ Outbound zone transfers running longer than
+ this many minutes will be terminated. The default is 120
+ minutes
+ (2 hours). The maximum value is 28 days (40320 minutes).
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>max-transfer-idle-out</command></term>
+ <listitem>
+ <para>
+ Outbound zone transfers making no progress
+ in this many minutes will be terminated. The default is 60
+ minutes (1
+ hour). The maximum value is 28 days (40320 minutes).
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>serial-query-rate</command></term>
+ <listitem>
+ <para>
+ Slave servers will periodically query master servers
+ to find out if zone serial numbers have changed. Each such
+ query uses
+ a minute amount of the slave server's network bandwidth. To
+ limit the
+ amount of bandwidth used, BIND 9 limits the rate at which
+ queries are
+ sent. The value of the <command>serial-query-rate</command> option,
+ an integer, is the maximum number of queries sent per
+ second.
+ The default is 20.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>serial-queries</command></term>
+ <listitem>
+ <para>
+ In BIND 8, the <command>serial-queries</command>
+ option
+ set the maximum number of concurrent serial number queries
+ allowed to be outstanding at any given time.
+ BIND 9 does not limit the number of outstanding
+ serial queries and ignores the <command>serial-queries</command> option.
+ Instead, it limits the rate at which the queries are sent
+ as defined using the <command>serial-query-rate</command> option.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>transfer-format</command></term>
+ <listitem>
+
+ <para>
+ Zone transfers can be sent using two different formats,
+ <command>one-answer</command> and
+ <command>many-answers</command>.
+ The <command>transfer-format</command> option is used
+ on the master server to determine which format it sends.
+ <command>one-answer</command> uses one DNS message per
+ resource record transferred.
+ <command>many-answers</command> packs as many resource
+ records as possible into a message.
+ <command>many-answers</command> is more efficient, but is
+ only supported by relatively new slave servers,
+ such as <acronym>BIND</acronym> 9, <acronym>BIND</acronym>
+ 8.x and <acronym>BIND</acronym> 4.9.5 onwards.
+ The <command>many-answers</command> format is also supported by
+ recent Microsoft Windows nameservers.
+ The default is <command>many-answers</command>.
+ <command>transfer-format</command> may be overridden on a
+ per-server basis by using the <command>server</command>
+ statement.
+ </para>
+
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>transfers-in</command></term>
+ <listitem>
+ <para>
+ The maximum number of inbound zone transfers
+ that can be running concurrently. The default value is <literal>10</literal>.
+ Increasing <command>transfers-in</command> may
+ speed up the convergence
+ of slave zones, but it also may increase the load on the
+ local system.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>transfers-out</command></term>
+ <listitem>
+ <para>
+ The maximum number of outbound zone transfers
+ that can be running concurrently. Zone transfer requests in
+ excess
+ of the limit will be refused. The default value is <literal>10</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>transfers-per-ns</command></term>
+ <listitem>
+ <para>
+ The maximum number of inbound zone transfers
+ that can be concurrently transferring from a given remote
+ name server.
+ The default value is <literal>2</literal>.
+ Increasing <command>transfers-per-ns</command>
+ may
+ speed up the convergence of slave zones, but it also may
+ increase
+ the load on the remote name server. <command>transfers-per-ns</command> may
+ be overridden on a per-server basis by using the <command>transfers</command> phrase
+ of the <command>server</command> statement.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>transfer-source</command></term>
+ <listitem>
+ <para><command>transfer-source</command>
+ determines which local address will be bound to IPv4
+ TCP connections used to fetch zones transferred
+ inbound by the server. It also determines the
+ source IPv4 address, and optionally the UDP port,
+ used for the refresh queries and forwarded dynamic
+ updates. If not set, it defaults to a system
+ controlled value which will usually be the address
+ of the interface "closest to" the remote end. This
+ address must appear in the remote end's
+ <command>allow-transfer</command> option for the
+ zone being transferred, if one is specified. This
+ statement sets the
+ <command>transfer-source</command> for all zones,
+ but can be overridden on a per-view or per-zone
+ basis by including a
+ <command>transfer-source</command> statement within
+ the <command>view</command> or
+ <command>zone</command> block in the configuration
+ file.
+ </para>
+ <note>
+ <para>
+ Solaris 2.5.1 and earlier does not support setting the
+ source address for TCP sockets.
+ </para>
+ </note>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>transfer-source-v6</command></term>
+ <listitem>
+ <para>
+ The same as <command>transfer-source</command>,
+ except zone transfers are performed using IPv6.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>alt-transfer-source</command></term>
+ <listitem>
+ <para>
+ An alternate transfer source if the one listed in
+ <command>transfer-source</command> fails and
+ <command>use-alt-transfer-source</command> is
+ set.
+ </para>
<note>
If you do not wish the alternate transfer source
to be used, you should set
@@ -3868,310 +6336,482 @@ except zone transfers are performed using IPv6.</para>
query.
</note>
</listitem>
- </varlistentry>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>alt-transfer-source-v6</command></term>
+ <listitem>
+ <para>
+ An alternate transfer source if the one listed in
+ <command>transfer-source-v6</command> fails and
+ <command>use-alt-transfer-source</command> is
+ set.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>use-alt-transfer-source</command></term>
+ <listitem>
+ <para>
+ Use the alternate transfer sources or not. If views are
+ specified this defaults to <command>no</command>
+ otherwise it defaults to
+ <command>yes</command> (for BIND 8
+ compatibility).
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>notify-source</command></term>
+ <listitem>
+ <para><command>notify-source</command>
+ determines which local source address, and
+ optionally UDP port, will be used to send NOTIFY
+ messages. This address must appear in the slave
+ server's <command>masters</command> zone clause or
+ in an <command>allow-notify</command> clause. This
+ statement sets the <command>notify-source</command>
+ for all zones, but can be overridden on a per-zone or
+ per-view basis by including a
+ <command>notify-source</command> statement within
+ the <command>zone</command> or
+ <command>view</command> block in the configuration
+ file.
+ </para>
+ <note>
+ <para>
+ Solaris 2.5.1 and earlier does not support setting the
+ source address for TCP sockets.
+ </para>
+ </note>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>notify-source-v6</command></term>
+ <listitem>
+ <para>
+ Like <command>notify-source</command>,
+ but applies to notify messages sent to IPv6 addresses.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+
+ </sect3>
+
+ <sect3>
+ <title>Bad UDP Port Lists</title>
+ <para><command>avoid-v4-udp-ports</command>
+ and <command>avoid-v6-udp-ports</command> specify a list
+ of IPv4 and IPv6 UDP ports that will not be used as system
+ assigned source ports for UDP sockets. These lists
+ prevent named from choosing as its random source port a
+ port that is blocked by your firewall. If a query went
+ out with such a source port, the answer would not get by
+ the firewall and the name server would have to query
+ again.
+ </para>
+ </sect3>
+
+ <sect3>
+ <title>Operating System Resource Limits</title>
+
+ <para>
+ The server's usage of many system resources can be limited.
+ Scaled values are allowed when specifying resource limits. For
+ example, <command>1G</command> can be used instead of
+ <command>1073741824</command> to specify a limit of
+ one
+ gigabyte. <command>unlimited</command> requests
+ unlimited use, or the
+ maximum available amount. <command>default</command>
+ uses the limit
+ that was in force when the server was started. See the description
+ of <command>size_spec</command> in <xref linkend="configuration_file_elements"/>.
+ </para>
+
+ <para>
+ The following options set operating system resource limits for
+ the name server process. Some operating systems don't support
+ some or
+ any of the limits. On such systems, a warning will be issued if
+ the
+ unsupported limit is used.
+ </para>
+
+ <variablelist>
+
+ <varlistentry>
+ <term><command>coresize</command></term>
+ <listitem>
+ <para>
+ The maximum size of a core dump. The default
+ is <literal>default</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>datasize</command></term>
+ <listitem>
+ <para>
+ The maximum amount of data memory the server
+ may use. The default is <literal>default</literal>.
+ This is a hard limit on server memory usage.
+ If the server attempts to allocate memory in excess of this
+ limit, the allocation will fail, which may in turn leave
+ the server unable to perform DNS service. Therefore,
+ this option is rarely useful as a way of limiting the
+ amount of memory used by the server, but it can be used
+ to raise an operating system data size limit that is
+ too small by default. If you wish to limit the amount
+ of memory used by the server, use the
+ <command>max-cache-size</command> and
+ <command>recursive-clients</command>
+ options instead.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>files</command></term>
+ <listitem>
+ <para>
+ The maximum number of files the server
+ may have open concurrently. The default is <literal>unlimited</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>stacksize</command></term>
+ <listitem>
+ <para>
+ The maximum amount of stack memory the server
+ may use. The default is <literal>default</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+
+ </sect3>
+
+ <sect3>
+ <title>Server Resource Limits</title>
+
+ <para>
+ The following options set limits on the server's
+ resource consumption that are enforced internally by the
+ server rather than the operating system.
+ </para>
+
+ <variablelist>
+
+ <varlistentry>
+ <term><command>max-ixfr-log-size</command></term>
+ <listitem>
+ <para>
+ This option is obsolete; it is accepted
+ and ignored for BIND 8 compatibility. The option
+ <command>max-journal-size</command> performs a
+ similar function in BIND 9.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>max-journal-size</command></term>
+ <listitem>
+ <para>
+ Sets a maximum size for each journal file
+ (see <xref linkend="journal"/>). When the journal file
+ approaches
+ the specified size, some of the oldest transactions in the
+ journal
+ will be automatically removed. The default is
+ <literal>unlimited</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>host-statistics-max</command></term>
+ <listitem>
+ <para>
+ In BIND 8, specifies the maximum number of host statistics
+ entries to be kept.
+ Not implemented in BIND 9.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>recursive-clients</command></term>
+ <listitem>
+ <para>
+ The maximum number of simultaneous recursive lookups
+ the server will perform on behalf of clients. The default
+ is
+ <literal>1000</literal>. Because each recursing
+ client uses a fair
+ bit of memory, on the order of 20 kilobytes, the value of
+ the
+ <command>recursive-clients</command> option may
+ have to be decreased
+ on hosts with limited memory.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>tcp-clients</command></term>
+ <listitem>
+ <para>
+ The maximum number of simultaneous client TCP
+ connections that the server will accept.
+ The default is <literal>100</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>max-cache-size</command></term>
+ <listitem>
+ <para>
+ The maximum amount of memory to use for the
+ server's cache, in bytes. When the amount of data in the
+ cache
+ reaches this limit, the server will cause records to expire
+ prematurely so that the limit is not exceeded. In a server
+ with
+ multiple views, the limit applies separately to the cache of
+ each
+ view. The default is <literal>unlimited</literal>, meaning that
+ records are purged from the cache only when their TTLs
+ expire.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>tcp-listen-queue</command></term>
+ <listitem>
+ <para>
+ The listen queue depth. The default and minimum is 3.
+ If the kernel supports the accept filter "dataready" this
+ also controls how
+ many TCP connections that will be queued in kernel space
+ waiting for
+ some data before being passed to accept. Values less than 3
+ will be
+ silently raised.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+
+ </sect3>
+
+ <sect3>
+ <title>Periodic Task Intervals</title>
+
+ <variablelist>
+
+ <varlistentry>
+ <term><command>cleaning-interval</command></term>
+ <listitem>
+ <para>
+ The server will remove expired resource records
+ from the cache every <command>cleaning-interval</command> minutes.
+ The default is 60 minutes. The maximum value is 28 days
+ (40320 minutes).
+ If set to 0, no periodic cleaning will occur.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>heartbeat-interval</command></term>
+ <listitem>
+ <para>
+ The server will perform zone maintenance tasks
+ for all zones marked as <command>dialup</command> whenever this
+ interval expires. The default is 60 minutes. Reasonable
+ values are up
+ to 1 day (1440 minutes). The maximum value is 28 days
+ (40320 minutes).
+ If set to 0, no zone maintenance for these zones will occur.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>interface-interval</command></term>
+ <listitem>
+ <para>
+ The server will scan the network interface list
+ every <command>interface-interval</command>
+ minutes. The default
+ is 60 minutes. The maximum value is 28 days (40320 minutes).
+ If set to 0, interface scanning will only occur when
+ the configuration file is loaded. After the scan, the
+ server will
+ begin listening for queries on any newly discovered
+ interfaces (provided they are allowed by the
+ <command>listen-on</command> configuration), and
+ will
+ stop listening on interfaces that have gone away.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>statistics-interval</command></term>
+ <listitem>
+ <para>
+ Name server statistics will be logged
+ every <command>statistics-interval</command>
+ minutes. The default is
+ 60. The maximum value is 28 days (40320 minutes).
+ If set to 0, no statistics will be logged.
+ </para><note>
+ <simpara>
+ Not yet implemented in
+ <acronym>BIND</acronym>9.
+ </simpara>
+ </note>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+
+ </sect3>
+
+ <sect3 id="topology">
+ <title>Topology</title>
+
+ <para>
+ All other things being equal, when the server chooses a name
+ server
+ to query from a list of name servers, it prefers the one that is
+ topologically closest to itself. The <command>topology</command> statement
+ takes an <command>address_match_list</command> and
+ interprets it
+ in a special way. Each top-level list element is assigned a
+ distance.
+ Non-negated elements get a distance based on their position in the
+ list, where the closer the match is to the start of the list, the
+ shorter the distance is between it and the server. A negated match
+ will be assigned the maximum distance from the server. If there
+ is no match, the address will get a distance which is further than
+ any non-negated list element, and closer than any negated element.
+ For example,
+ </para>
-<varlistentry><term><command>alt-transfer-source-v6</command></term>
-<listitem><para>An alternate transfer source if the one listed in
-<command>transfer-source-v6</command> fails and
-<command>use-alt-transfer-source</command> is set.</para>
- </listitem></varlistentry>
-
-<varlistentry><term><command>use-alt-transfer-source</command></term>
-<listitem><para>Use the alternate transfer sources or not. If views are
-specified this defaults to <command>no</command> otherwise it defaults to
-<command>yes</command> (for BIND 8 compatibility).</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>notify-source</command></term>
-<listitem><para><command>notify-source</command> determines
-which local source address, and optionally UDP port, will be used to
-send NOTIFY messages.
-This address must appear in the slave server's <command>masters</command>
-zone clause or in an <command>allow-notify</command> clause.
-This statement sets the <command>notify-source</command> for all zones,
-but can be overridden on a per-zone or per-view basis by including a
-<command>notify-source</command> statement within the <command>zone</command>
-or <command>view</command> block in the configuration file.</para>
- <note>
- <para>
- Solaris 2.5.1 and earlier does not support setting the
- source address for TCP sockets.
- </para>
- </note>
-</listitem></varlistentry>
-
-<varlistentry><term><command>notify-source-v6</command></term>
-<listitem><para>Like <command>notify-source</command>,
-but applies to notify messages sent to IPv6 addresses.</para>
-</listitem></varlistentry>
-
-</variablelist>
-
-</sect3>
-
-<sect3>
-<title>Bad UDP Port Lists</title>
-<para>
-<command>avoid-v4-udp-ports</command> and <command>avoid-v6-udp-ports</command>
-specify a list of IPv4 and IPv6 UDP ports that will not be used as system
-assigned source ports for UDP sockets. These lists prevent named
-from choosing as its random source port a port that is blocked by
-your firewall. If a query went out with such a source port, the
-answer would not get by the firewall and the name server would have
-to query again.
-</para>
-</sect3>
-
-<sect3>
-<title>Operating System Resource Limits</title>
-
-<para>The server's usage of many system resources can be limited.
-Scaled values are allowed when specifying resource limits. For
-example, <command>1G</command> can be used instead of
-<command>1073741824</command> to specify a limit of one
-gigabyte. <command>unlimited</command> requests unlimited use, or the
-maximum available amount. <command>default</command> uses the limit
-that was in force when the server was started. See the description
-of <command>size_spec</command> in <xref
-linkend="configuration_file_elements"/>.</para>
-
-<para>The following options set operating system resource limits for
-the name server process. Some operating systems don't support some or
-any of the limits. On such systems, a warning will be issued if the
-unsupported limit is used.</para>
-
-<variablelist>
-
-<varlistentry><term><command>coresize</command></term>
-<listitem><para>The maximum size of a core dump. The default
-is <literal>default</literal>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>datasize</command></term>
-<listitem><para>The maximum amount of data memory the server
-may use. The default is <literal>default</literal>.
-This is a hard limit on server memory usage.
-If the server attempts to allocate memory in excess of this
-limit, the allocation will fail, which may in turn leave
-the server unable to perform DNS service. Therefore,
-this option is rarely useful as a way of limiting the
-amount of memory used by the server, but it can be used
-to raise an operating system data size limit that is
-too small by default. If you wish to limit the amount
-of memory used by the server, use the
-<command>max-cache-size</command> and
-<command>recursive-clients</command>
-options instead.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>files</command></term>
-<listitem><para>The maximum number of files the server
-may have open concurrently. The default is <literal>unlimited</literal>.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>stacksize</command></term>
-<listitem><para>The maximum amount of stack memory the server
-may use. The default is <literal>default</literal>.</para>
-</listitem></varlistentry>
-
-</variablelist>
-
-</sect3>
-
-<sect3>
-<title>Server Resource Limits</title>
-
-<para>The following options set limits on the server's
-resource consumption that are enforced internally by the
-server rather than the operating system.</para>
-
-<variablelist>
-
-<varlistentry><term><command>max-ixfr-log-size</command></term>
-<listitem><para>This option is obsolete; it is accepted
-and ignored for BIND 8 compatibility. The option
-<command>max-journal-size</command> performs a similar
-function in BIND 8.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>max-journal-size</command></term>
-<listitem><para>Sets a maximum size for each journal file
-(see <xref linkend="journal"/>). When the journal file approaches
-the specified size, some of the oldest transactions in the journal
-will be automatically removed. The default is
-<literal>unlimited</literal>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>host-statistics-max</command></term>
-<listitem><para>In BIND 8, specifies the maximum number of host statistics
-entries to be kept.
-Not implemented in BIND 9.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>recursive-clients</command></term>
-<listitem><para>The maximum number of simultaneous recursive lookups
-the server will perform on behalf of clients. The default is
-<literal>1000</literal>. Because each recursing client uses a fair
-bit of memory, on the order of 20 kilobytes, the value of the
-<command>recursive-clients</command> option may have to be decreased
-on hosts with limited memory.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>tcp-clients</command></term>
-<listitem><para>The maximum number of simultaneous client TCP
-connections that the server will accept.
-The default is <literal>100</literal>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>max-cache-size</command></term>
-<listitem><para>The maximum amount of memory to use for the
-server's cache, in bytes. When the amount of data in the cache
-reaches this limit, the server will cause records to expire
-prematurely so that the limit is not exceeded. In a server with
-multiple views, the limit applies separately to the cache of each
-view. The default is <literal>unlimited</literal>, meaning that
-records are purged from the cache only when their TTLs expire.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>tcp-listen-queue</command></term>
-<listitem><para>The listen queue depth. The default and minimum is 3.
-If the kernel supports the accept filter "dataready" this also controls how
-many TCP connections that will be queued in kernel space waiting for
-some data before being passed to accept. Values less than 3 will be
-silently raised.
-</para>
-</listitem></varlistentry>
-
-</variablelist>
-
-</sect3>
-
-<sect3><title>Periodic Task Intervals</title>
-
-<variablelist>
-
-<varlistentry><term><command>cleaning-interval</command></term>
-<listitem><para>The server will remove expired resource records
-from the cache every <command>cleaning-interval</command> minutes.
-The default is 60 minutes. The maximum value is 28 days (40320 minutes).
-If set to 0, no periodic cleaning will occur.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>heartbeat-interval</command></term>
-<listitem><para>The server will perform zone maintenance tasks
-for all zones marked as <command>dialup</command> whenever this
-interval expires. The default is 60 minutes. Reasonable values are up
-to 1 day (1440 minutes). The maximum value is 28 days (40320 minutes).
-If set to 0, no zone maintenance for these zones will occur.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>interface-interval</command></term>
-<listitem><para>The server will scan the network interface list
-every <command>interface-interval</command> minutes. The default
-is 60 minutes. The maximum value is 28 days (40320 minutes).
-If set to 0, interface scanning will only occur when
-the configuration file is loaded. After the scan, the server will
-begin listening for queries on any newly discovered
-interfaces (provided they are allowed by the
-<command>listen-on</command> configuration), and will
-stop listening on interfaces that have gone away.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>statistics-interval</command></term>
-<listitem><para>Name server statistics will be logged
-every <command>statistics-interval</command> minutes. The default is
-60. The maximum value is 28 days (40320 minutes).
-If set to 0, no statistics will be logged.</para><note>
-<simpara>Not yet implemented in <acronym>BIND</acronym>9.</simpara></note>
-</listitem></varlistentry>
-
-</variablelist>
-
-</sect3>
-
-<sect3 id="topology"><title>Topology</title>
-
-<para>All other things being equal, when the server chooses a name server
-to query from a list of name servers, it prefers the one that is
-topologically closest to itself. The <command>topology</command> statement
-takes an <command>address_match_list</command> and interprets it
-in a special way. Each top-level list element is assigned a distance.
-Non-negated elements get a distance based on their position in the
-list, where the closer the match is to the start of the list, the
-shorter the distance is between it and the server. A negated match
-will be assigned the maximum distance from the server. If there
-is no match, the address will get a distance which is further than
-any non-negated list element, and closer than any negated element.
-For example,</para>
<programlisting>topology {
10/8;
!1.2.3/24;
{ 1.2/16; 3/8; };
};</programlisting>
-<para>will prefer servers on network 10 the most, followed by hosts
-on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the
-exception of hosts on network 1.2.3 (netmask 255.255.255.0), which
-is preferred least of all.</para>
-<para>The default topology is</para>
+
+ <para>
+ will prefer servers on network 10 the most, followed by hosts
+ on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the
+ exception of hosts on network 1.2.3 (netmask 255.255.255.0), which
+ is preferred least of all.
+ </para>
+ <para>
+ The default topology is
+ </para>
+
<programlisting> topology { localhost; localnets; };
</programlisting>
-<note><simpara>The <command>topology</command> option
-is not implemented in <acronym>BIND</acronym> 9.
-</simpara></note>
-</sect3>
-
-<sect3 id="the_sortlist_statement">
-
-<title>The <command>sortlist</command> Statement</title>
-
-<para>The response to a DNS query may consist of multiple resource
-records (RRs) forming a resource records set (RRset).
-The name server will normally return the
-RRs within the RRset in an indeterminate order
-(but see the <command>rrset-order</command>
-statement in <xref linkend="rrset_ordering"/>).
-The client resolver code should rearrange the RRs as appropriate,
-that is, using any addresses on the local net in preference to other addresses.
-However, not all resolvers can do this or are correctly configured.
-When a client is using a local server, the sorting can be performed
-in the server, based on the client's address. This only requires
-configuring the name servers, not all the clients.</para>
-
-<para>The <command>sortlist</command> statement (see below) takes
-an <command>address_match_list</command> and interprets it even
-more specifically than the <command>topology</command> statement
-does (<xref linkend="topology"/>).
-Each top level statement in the <command>sortlist</command> must
-itself be an explicit <command>address_match_list</command> with
-one or two elements. The first element (which may be an IP address,
-an IP prefix, an ACL name or a nested <command>address_match_list</command>)
-of each top level list is checked against the source address of
-the query until a match is found.</para>
-<para>Once the source address of the query has been matched, if
-the top level statement contains only one element, the actual primitive
-element that matched the source address is used to select the address
-in the response to move to the beginning of the response. If the
-statement is a list of two elements, then the second element is
-treated the same as the <command>address_match_list</command> in
-a <command>topology</command> statement. Each top level element
-is assigned a distance and the address in the response with the minimum
-distance is moved to the beginning of the response.</para>
-<para>In the following example, any queries received from any of
-the addresses of the host itself will get responses preferring addresses
-on any of the locally connected networks. Next most preferred are addresses
-on the 192.168.1/24 network, and after that either the 192.168.2/24
-or
-192.168.3/24 network with no preference shown between these two
-networks. Queries received from a host on the 192.168.1/24 network
-will prefer other addresses on that network to the 192.168.2/24
-and
-192.168.3/24 networks. Queries received from a host on the 192.168.4/24
-or the 192.168.5/24 network will only prefer other addresses on
-their directly connected networks.</para>
+
+ <note>
+ <simpara>
+ The <command>topology</command> option
+ is not implemented in <acronym>BIND</acronym> 9.
+ </simpara>
+ </note>
+ </sect3>
+
+ <sect3 id="the_sortlist_statement">
+
+ <title>The <command>sortlist</command> Statement</title>
+
+ <para>
+ The response to a DNS query may consist of multiple resource
+ records (RRs) forming a resource records set (RRset).
+ The name server will normally return the
+ RRs within the RRset in an indeterminate order
+ (but see the <command>rrset-order</command>
+ statement in <xref linkend="rrset_ordering"/>).
+ The client resolver code should rearrange the RRs as appropriate,
+ that is, using any addresses on the local net in preference to
+ other addresses.
+ However, not all resolvers can do this or are correctly
+ configured.
+ When a client is using a local server, the sorting can be performed
+ in the server, based on the client's address. This only requires
+ configuring the name servers, not all the clients.
+ </para>
+
+ <para>
+ The <command>sortlist</command> statement (see below)
+ takes
+ an <command>address_match_list</command> and
+ interprets it even
+ more specifically than the <command>topology</command>
+ statement
+ does (<xref linkend="topology"/>).
+ Each top level statement in the <command>sortlist</command> must
+ itself be an explicit <command>address_match_list</command> with
+ one or two elements. The first element (which may be an IP
+ address,
+ an IP prefix, an ACL name or a nested <command>address_match_list</command>)
+ of each top level list is checked against the source address of
+ the query until a match is found.
+ </para>
+ <para>
+ Once the source address of the query has been matched, if
+ the top level statement contains only one element, the actual
+ primitive
+ element that matched the source address is used to select the
+ address
+ in the response to move to the beginning of the response. If the
+ statement is a list of two elements, then the second element is
+ treated the same as the <command>address_match_list</command> in
+ a <command>topology</command> statement. Each top
+ level element
+ is assigned a distance and the address in the response with the
+ minimum
+ distance is moved to the beginning of the response.
+ </para>
+ <para>
+ In the following example, any queries received from any of
+ the addresses of the host itself will get responses preferring
+ addresses
+ on any of the locally connected networks. Next most preferred are
+ addresses
+ on the 192.168.1/24 network, and after that either the
+ 192.168.2/24
+ or
+ 192.168.3/24 network with no preference shown between these two
+ networks. Queries received from a host on the 192.168.1/24 network
+ will prefer other addresses on that network to the 192.168.2/24
+ and
+ 192.168.3/24 networks. Queries received from a host on the
+ 192.168.4/24
+ or the 192.168.5/24 network will only prefer other addresses on
+ their directly connected networks.
+ </para>
+
<programlisting>sortlist {
{ localhost; // IF the local host
{ localnets; // THEN first fit on the
@@ -4189,410 +6829,1009 @@ their directly connected networks.</para>
{ { 192.168.4/24; 192.168.5/24; }; // if .4 or .5, prefer that net
};
};</programlisting>
-<para>The following example will give reasonable behavior for the
-local host and hosts on directly connected networks. It is similar
-to the behavior of the address sort in <acronym>BIND</acronym> 4.9.x. Responses sent
-to queries from the local host will favor any of the directly connected
-networks. Responses sent to queries from any other hosts on a directly
-connected network will prefer addresses on that same network. Responses
-to other queries will not be sorted.</para>
+
+ <para>
+ The following example will give reasonable behavior for the
+ local host and hosts on directly connected networks. It is similar
+ to the behavior of the address sort in <acronym>BIND</acronym> 4.9.x. Responses sent
+ to queries from the local host will favor any of the directly
+ connected
+ networks. Responses sent to queries from any other hosts on a
+ directly
+ connected network will prefer addresses on that same network.
+ Responses
+ to other queries will not be sorted.
+ </para>
+
<programlisting>sortlist {
{ localhost; localnets; };
{ localnets; };
};
</programlisting>
-</sect3>
-<sect3 id="rrset_ordering"><title id="rrset_ordering_title">RRset Ordering</title>
-<para>When multiple records are returned in an answer it may be
-useful to configure the order of the records placed into the response.
-The <command>rrset-order</command> statement permits configuration
-of the ordering of the records in a multiple record response.
-See also the <command>sortlist</command> statement,
-<xref linkend="the_sortlist_statement"/>.
-</para>
-
-<para>An <command>order_spec</command> is defined as follows:</para>
-<programlisting><optional> class <replaceable>class_name</replaceable> </optional><optional> type <replaceable>type_name</replaceable> </optional><optional> name <replaceable>"domain_name"</replaceable></optional>
- order <replaceable>ordering</replaceable>
-</programlisting>
-<para>If no class is specified, the default is <command>ANY</command>.
-If no type is specified, the default is <command>ANY</command>.
-If no name is specified, the default is "<command>*</command>" (asterisk).</para>
-<para>The legal values for <command>ordering</command> are:</para>
-<informaltable colsep = "0" rowsep = "0"><tgroup cols = "2"
- colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.750in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.750in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para><command>fixed</command></para></entry>
-<entry colname = "2"><para>Records are returned in the order they
-are defined in the zone file.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>random</command></para></entry>
-<entry colname = "2"><para>Records are returned in some random order.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>cyclic</command></para></entry>
-<entry colname = "2"><para>Records are returned in a round-robin
-order.</para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-<para>For example:</para>
+
+ </sect3>
+ <sect3 id="rrset_ordering">
+ <title id="rrset_ordering_title">RRset Ordering</title>
+ <para>
+ When multiple records are returned in an answer it may be
+ useful to configure the order of the records placed into the
+ response.
+ The <command>rrset-order</command> statement permits
+ configuration
+ of the ordering of the records in a multiple record response.
+ See also the <command>sortlist</command> statement,
+ <xref linkend="the_sortlist_statement"/>.
+ </para>
+
+ <para>
+ An <command>order_spec</command> is defined as
+ follows:
+ </para>
+ <para>
+ <optional>class <replaceable>class_name</replaceable></optional>
+ <optional>type <replaceable>type_name</replaceable></optional>
+ <optional>name <replaceable>"domain_name"</replaceable></optional>
+ order <replaceable>ordering</replaceable>
+ </para>
+ <para>
+ If no class is specified, the default is <command>ANY</command>.
+ If no type is specified, the default is <command>ANY</command>.
+ If no name is specified, the default is "<command>*</command>" (asterisk).
+ </para>
+ <para>
+ The legal values for <command>ordering</command> are:
+ </para>
+ <informaltable colsep="0" rowsep="0">
+ <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
+ <colspec colname="1" colnum="1" colsep="0" colwidth="0.750in"/>
+ <colspec colname="2" colnum="2" colsep="0" colwidth="3.750in"/>
+ <tbody>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>fixed</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Records are returned in the order they
+ are defined in the zone file.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>random</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Records are returned in some random order.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>cyclic</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Records are returned in a round-robin
+ order.
+ </para>
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+ <para>
+ For example:
+ </para>
+
<programlisting>rrset-order {
class IN type A name "host.example.com" order random;
order cyclic;
};
</programlisting>
-<para>will cause any responses for type A records in class IN that
-have "<literal>host.example.com</literal>" as a suffix, to always be returned
-in random order. All other records are returned in cyclic order.</para>
-<para>If multiple <command>rrset-order</command> statements appear,
-they are not combined &mdash; the last one applies.</para>
-
-<note>
-<simpara>The <command>rrset-order</command> statement
-is not yet fully implemented in <acronym>BIND</acronym> 9.
-BIND 9 currently does not support "fixed" ordering.
-</simpara></note>
-</sect3>
-
-<sect3 id="tuning"><title>Tuning</title>
-
-<variablelist>
-
-<varlistentry><term><command>lame-ttl</command></term>
-<listitem><para>Sets the number of seconds to cache a
-lame server indication. 0 disables caching. (This is
-<emphasis role="bold">NOT</emphasis> recommended.)
-The default is <literal>600</literal> (10 minutes) and the maximum value is
-<literal>1800</literal> (30 minutes).</para>
-
-</listitem></varlistentry>
-
-<varlistentry><term><command>max-ncache-ttl</command></term>
-<listitem><para>To reduce network traffic and increase performance,
-the server stores negative answers. <command>max-ncache-ttl</command> is
-used to set a maximum retention time for these answers in the server
-in seconds. The default
-<command>max-ncache-ttl</command> is <literal>10800</literal> seconds (3 hours).
-<command>max-ncache-ttl</command> cannot exceed 7 days and will
-be silently truncated to 7 days if set to a greater value.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>max-cache-ttl</command></term>
-<listitem><para>Sets
-the maximum time for which the server will cache ordinary (positive)
-answers. The default is one week (7 days).</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>min-roots</command></term>
-<listitem><para>The minimum number of root servers that
-is required for a request for the root servers to be accepted. The default
-is <userinput>2</userinput>.</para>
-<note>
-<simpara>Not implemented in <acronym>BIND</acronym> 9.</simpara></note>
-</listitem></varlistentry>
-
-<varlistentry><term><command>sig-validity-interval</command></term>
-<listitem><para>Specifies the number of days into the
-future when DNSSEC signatures automatically generated as a result
-of dynamic updates (<xref linkend="dynamic_update"/>)
-will expire. The default is <literal>30</literal> days.
-The maximum value is 10 years (3660 days). The signature
-inception time is unconditionally set to one hour before the current time
-to allow for a limited amount of clock skew.</para>
-</listitem></varlistentry>
-
-<varlistentry>
-<term><command>min-refresh-time</command></term>
-<term><command>max-refresh-time</command></term>
-<term><command>min-retry-time</command></term>
-<term><command>max-retry-time</command></term>
-<listitem><para>
-These options control the server's behavior on refreshing a zone
-(querying for SOA changes) or retrying failed transfers.
-Usually the SOA values for the zone are used, but these values
-are set by the master, giving slave server administrators little
-control over their contents.
-</para><para>
-These options allow the administrator to set a minimum and maximum
-refresh and retry time either per-zone, per-view, or globally.
-These options are valid for slave and stub zones,
-and clamp the SOA refresh and retry times to the specified values.
-</para></listitem></varlistentry>
-
-<varlistentry>
-<term><command>edns-udp-size</command></term>
-<listitem><para>
-<command>edns-udp-size</command> sets the advertised EDNS UDP buffer
-size in bytes. Valid values are 512 to 4096 bytes (values outside this range will be
-silently adjusted). The default value is 4096. The usual reason for
-setting edns-udp-size to a non-default value it to get UDP answers to
-pass through broken firewalls that block fragmented packets and/or
-block UDP packets that are greater than 512 bytes.
-</para></listitem></varlistentry>
-</variablelist>
-
-</sect3>
-
-<sect3 id="builtin">
-<title>Built-in server information zones</title>
-
-<para>The server provides some helpful diagnostic information
-through a number of built-in zones under the
-pseudo-top-level-domain <literal>bind</literal> in the
-<command>CHAOS</command> class. These zones are part of a
-built-in view (see <xref linkend="view_statement_grammar"/>) of class
-<command>CHAOS</command> which is separate from the default view of
-class <command>IN</command>; therefore, any global server options
-such as <command>allow-query</command> do not apply the these zones.
-If you feel the need to disable these zones, use the options
-below, or hide the built-in <command>CHAOS</command> view by
-defining an explicit view of class <command>CHAOS</command>
-that matches all clients.</para>
-
-<variablelist>
-
-<varlistentry><term><command>version</command></term>
-<listitem><para>The version the server should report
-via a query of the name <literal>version.bind</literal>
-with type <command>TXT</command>, class <command>CHAOS</command>.
-The default is the real version number of this server.
-Specifying <command>version none</command>
-disables processing of the queries.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>hostname</command></term>
-<listitem><para>The hostname the server should report via a query of
-the name <filename>hostname.bind</filename>
-with type <command>TXT</command>, class <command>CHAOS</command>.
-This defaults to the hostname of the machine hosting the name server as
-found by the gethostname() function. The primary purpose of such queries is to
-identify which of a group of anycast servers is actually
-answering your queries. Specifying <command>hostname none;</command>
-disables processing of the queries.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>server-id</command></term>
-<listitem><para>The ID of the server should report via a query of
-the name <filename>ID.SERVER</filename>
-with type <command>TXT</command>, class <command>CHAOS</command>.
-The primary purpose of such queries is to
-identify which of a group of anycast servers is actually
-answering your queries. Specifying <command>server-id none;</command>
-disables processing of the queries.
-Specifying <command>server-id hostname;</command> will cause named to
-use the hostname as found by the gethostname() function.
-The default <command>server-id</command> is <command>none</command>.
-</para>
-</listitem></varlistentry>
-
-</variablelist>
-
-</sect3>
-
-<sect3 id="statsfile">
-<title>The Statistics File</title>
-
-<para>The statistics file generated by <acronym>BIND</acronym> 9
-is similar, but not identical, to that
-generated by <acronym>BIND</acronym> 8.
-</para>
-<para>The statistics dump begins with a line, like:</para>
- <para>
- <command>+++ Statistics Dump +++ (973798949)</command>
- </para>
- <para>The numberr in parentheses is a standard
-Unix-style timestamp, measured as seconds since January 1, 1970. Following
-that line are a series of lines containing a counter type, the value of the
-counter, optionally a zone name, and optionally a view name.
-The lines without view and zone listed are global statistics for the entire server.
-Lines with a zone and view name for the given view and zone (the view name is
-omitted for the default view).
-</para>
-<para>
-The statistics dump ends with the line where the
-number is identical to the number in the beginning line; for example:
-</para>
-<para>
-<command>--- Statistics Dump --- (973798949)</command>
-</para>
-<para>The following statistics counters are maintained:</para>
-<informaltable
- colsep = "0" rowsep = "0"><tgroup cols = "2"
- colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.150in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.350in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para><command>success</command></para></entry>
-<entry colname = "2"><para>The number of
-successful queries made to the server or zone. A successful query
-is defined as query which returns a NOERROR response with at least
-one answer RR.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>referral</command></para></entry>
-<entry colname = "2"><para>The number of queries which resulted
-in referral responses.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>nxrrset</command></para></entry>
-<entry colname = "2"><para>The number of queries which resulted in
-NOERROR responses with no data.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>nxdomain</command></para></entry>
-<entry colname = "2"><para>The number
-of queries which resulted in NXDOMAIN responses.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>failure</command></para></entry>
-<entry colname = "2"><para>The number of queries which resulted in a
-failure response other than those above.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>recursion</command></para></entry>
-<entry colname = "2"><para>The number of queries which caused the server
-to perform recursion in order to find the final answer.</para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-
-<para>
-Each query received by the server will cause exactly one of
-<command>success</command>,
-<command>referral</command>,
-<command>nxrrset</command>,
-<command>nxdomain</command>, or
-<command>failure</command>
-to be incremented, and may additionally cause the
-<command>recursion</command> counter to be incremented.
-</para>
-
-</sect3>
-
-</sect2>
-
-<sect2 id="server_statement_grammar">
-<title><command>server</command> Statement Grammar</title>
-
-<programlisting>server <replaceable>ip_addr</replaceable> {
+
+ <para>
+ will cause any responses for type A records in class IN that
+ have "<literal>host.example.com</literal>" as a
+ suffix, to always be returned
+ in random order. All other records are returned in cyclic order.
+ </para>
+ <para>
+ If multiple <command>rrset-order</command> statements
+ appear,
+ they are not combined &mdash; the last one applies.
+ </para>
+
+ <note>
+ <simpara>
+ The <command>rrset-order</command> statement
+ is not yet fully implemented in <acronym>BIND</acronym> 9.
+ BIND 9 currently does not fully support "fixed" ordering.
+ </simpara>
+ </note>
+ </sect3>
+
+ <sect3 id="tuning">
+ <title>Tuning</title>
+
+ <variablelist>
+
+ <varlistentry>
+ <term><command>lame-ttl</command></term>
+ <listitem>
+ <para>
+ Sets the number of seconds to cache a
+ lame server indication. 0 disables caching. (This is
+ <emphasis role="bold">NOT</emphasis> recommended.)
+ The default is <literal>600</literal> (10 minutes) and the
+ maximum value is
+ <literal>1800</literal> (30 minutes).
+ </para>
+
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>max-ncache-ttl</command></term>
+ <listitem>
+ <para>
+ To reduce network traffic and increase performance,
+ the server stores negative answers. <command>max-ncache-ttl</command> is
+ used to set a maximum retention time for these answers in
+ the server
+ in seconds. The default
+ <command>max-ncache-ttl</command> is <literal>10800</literal> seconds (3 hours).
+ <command>max-ncache-ttl</command> cannot exceed
+ 7 days and will
+ be silently truncated to 7 days if set to a greater value.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>max-cache-ttl</command></term>
+ <listitem>
+ <para>
+ Sets the maximum time for which the server will
+ cache ordinary (positive) answers. The default is
+ one week (7 days).
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>min-roots</command></term>
+ <listitem>
+ <para>
+ The minimum number of root servers that
+ is required for a request for the root servers to be
+ accepted. The default
+ is <userinput>2</userinput>.
+ </para>
+ <note>
+ <simpara>
+ Not implemented in <acronym>BIND</acronym> 9.
+ </simpara>
+ </note>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>sig-validity-interval</command></term>
+ <listitem>
+ <para>
+ Specifies the number of days into the
+ future when DNSSEC signatures automatically generated as a
+ result
+ of dynamic updates (<xref linkend="dynamic_update"/>)
+ will expire. The default is <literal>30</literal> days.
+ The maximum value is 10 years (3660 days). The signature
+ inception time is unconditionally set to one hour before the
+ current time
+ to allow for a limited amount of clock skew.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>min-refresh-time</command></term>
+ <term><command>max-refresh-time</command></term>
+ <term><command>min-retry-time</command></term>
+ <term><command>max-retry-time</command></term>
+ <listitem>
+ <para>
+ These options control the server's behavior on refreshing a
+ zone
+ (querying for SOA changes) or retrying failed transfers.
+ Usually the SOA values for the zone are used, but these
+ values
+ are set by the master, giving slave server administrators
+ little
+ control over their contents.
+ </para>
+ <para>
+ These options allow the administrator to set a minimum and
+ maximum
+ refresh and retry time either per-zone, per-view, or
+ globally.
+ These options are valid for slave and stub zones,
+ and clamp the SOA refresh and retry times to the specified
+ values.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>edns-udp-size</command></term>
+ <listitem>
+ <para>
+ Sets the advertised EDNS UDP buffer size in bytes. Valid
+ values are 512 to 4096 (values outside this range
+ will be silently adjusted). The default value is
+ 4096. The usual reason for setting edns-udp-size to
+ a non-default value it to get UDP answers to pass
+ through broken firewalls that block fragmented
+ packets and/or block UDP packets that are greater
+ than 512 bytes.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>max-udp-size</command></term>
+ <listitem>
+ <para>
+ Sets the maximum EDNS UDP message size named will
+ send in bytes. Valid values are 512 to 4096 (values outside
+ this range will be silently adjusted). The default
+ value is 4096. The usual reason for setting
+ max-udp-size to a non-default value is to get UDP
+ answers to pass through broken firewalls that
+ block fragmented packets and/or block UDP packets
+ that are greater than 512 bytes.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>masterfile-format</command></term>
+ <listitem>
+ <para>Specifies
+ the file format of zone files (see
+ <xref linkend="zonefile_format"/>).
+ The default value is <constant>text</constant>, which is the
+ standard textual representation. Files in other formats
+ than <constant>text</constant> are typically expected
+ to be generated by the <command>named-compilezone</command> tool.
+ Note that when a zone file in a different format than
+ <constant>text</constant> is loaded, <command>named</command>
+ may omit some of the checks which would be performed for a
+ file in the <constant>text</constant> format. In particular,
+ <command>check-names</command> checks do not apply
+ for the <constant>raw</constant> format. This means
+ a zone file in the <constant>raw</constant> format
+ must be generated with the same check level as that
+ specified in the <command>named</command> configuration
+ file. This statement sets the
+ <command>masterfile-format</command> for all zones,
+ but can be overridden on a per-zone or per-view basis
+ by including a <command>masterfile-format</command>
+ statement within the <command>zone</command> or
+ <command>view</command> block in the configuration
+ file.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>clients-per-query</command></term>
+ <term><command>max-clients-per-query</command></term>
+ <listitem>
+ <para>These set the
+ initial value (minimum) and maximum number of recursive
+ simultanious clients for any given query
+ (&lt;qname,qtype,qclass&gt;) that the server will accept
+ before dropping additional clients. named will attempt to
+ self tune this value and changes will be logged. The
+ default values are 10 and 100.
+ </para>
+ <para>
+ This value should reflect how many queries come in for
+ a given name in the time it takes to resolve that name.
+ If the number of queries exceed this value, named will
+ assume that it is dealing with a non-responsive zone
+ and will drop additional queries. If it gets a response
+ after dropping queries, it will raise the estimate. The
+ estimate will then be lowered in 20 minutes if it has
+ remained unchanged.
+ </para>
+ <para>
+ If <command>clients-per-query</command> is set to zero,
+ then there is no limit on the number of clients per query
+ and no queries will be dropped.
+ </para>
+ <para>
+ If <command>max-clients-per-query</command> is set to zero,
+ then there is no upper bound other than imposed by
+ <command>recursive-clients</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+
+ </sect3>
+
+ <sect3 id="builtin">
+ <title>Built-in server information zones</title>
+
+ <para>
+ The server provides some helpful diagnostic information
+ through a number of built-in zones under the
+ pseudo-top-level-domain <literal>bind</literal> in the
+ <command>CHAOS</command> class. These zones are part
+ of a
+ built-in view (see <xref linkend="view_statement_grammar"/>) of
+ class
+ <command>CHAOS</command> which is separate from the
+ default view of
+ class <command>IN</command>; therefore, any global
+ server options
+ such as <command>allow-query</command> do not apply
+ the these zones.
+ If you feel the need to disable these zones, use the options
+ below, or hide the built-in <command>CHAOS</command>
+ view by
+ defining an explicit view of class <command>CHAOS</command>
+ that matches all clients.
+ </para>
+
+ <variablelist>
+
+ <varlistentry>
+ <term><command>version</command></term>
+ <listitem>
+ <para>
+ The version the server should report
+ via a query of the name <literal>version.bind</literal>
+ with type <command>TXT</command>, class <command>CHAOS</command>.
+ The default is the real version number of this server.
+ Specifying <command>version none</command>
+ disables processing of the queries.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>hostname</command></term>
+ <listitem>
+ <para>
+ The hostname the server should report via a query of
+ the name <filename>hostname.bind</filename>
+ with type <command>TXT</command>, class <command>CHAOS</command>.
+ This defaults to the hostname of the machine hosting the
+ name server as
+ found by the gethostname() function. The primary purpose of such queries
+ is to
+ identify which of a group of anycast servers is actually
+ answering your queries. Specifying <command>hostname none;</command>
+ disables processing of the queries.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>server-id</command></term>
+ <listitem>
+ <para>
+ The ID of the server should report via a query of
+ the name <filename>ID.SERVER</filename>
+ with type <command>TXT</command>, class <command>CHAOS</command>.
+ The primary purpose of such queries is to
+ identify which of a group of anycast servers is actually
+ answering your queries. Specifying <command>server-id none;</command>
+ disables processing of the queries.
+ Specifying <command>server-id hostname;</command> will cause named to
+ use the hostname as found by the gethostname() function.
+ The default <command>server-id</command> is <command>none</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+
+ </sect3>
+
+ <sect3 id="empty">
+ <title>Built-in Empty Zones</title>
+ <para>
+ Named has some built-in empty zones (SOA and NS records only).
+ These are for zones that should normally be answered locally
+ and which queries should not be sent to the Internet's root
+ servers. The offical servers which cover these namespaces
+ return NXDOMAIN responses to these queries. In particular,
+ these cover the reverse namespace for addresses from RFC 1918 and
+ RFC 3330. They also include the reverse namespace for IPv6 local
+ address (locally assigned), IPv6 link local addresses, the IPv6
+ loopback address and the IPv6 unknown addresss.
+ </para>
+ <para>
+ Named will attempt to determine if a built in zone already exists
+ or is active (covered by a forward-only forwarding declaration)
+ and will not not create a empty zone in that case.
+ </para>
+ <para>
+ The current list of empty zones is:
+ <itemizedlist>
+ <listitem>10.IN-ADDR.ARPA</listitem>
+ <listitem>127.IN-ADDR.ARPA</listitem>
+ <listitem>254.169.IN-ADDR.ARPA</listitem>
+ <listitem>16.172.IN-ADDR.ARPA</listitem>
+ <listitem>17.172.IN-ADDR.ARPA</listitem>
+ <listitem>18.172.IN-ADDR.ARPA</listitem>
+ <listitem>19.172.IN-ADDR.ARPA</listitem>
+ <listitem>20.172.IN-ADDR.ARPA</listitem>
+ <listitem>21.172.IN-ADDR.ARPA</listitem>
+ <listitem>22.172.IN-ADDR.ARPA</listitem>
+ <listitem>23.172.IN-ADDR.ARPA</listitem>
+ <listitem>24.172.IN-ADDR.ARPA</listitem>
+ <listitem>25.172.IN-ADDR.ARPA</listitem>
+ <listitem>26.172.IN-ADDR.ARPA</listitem>
+ <listitem>27.172.IN-ADDR.ARPA</listitem>
+ <listitem>28.172.IN-ADDR.ARPA</listitem>
+ <listitem>29.172.IN-ADDR.ARPA</listitem>
+ <listitem>30.172.IN-ADDR.ARPA</listitem>
+ <listitem>31.172.IN-ADDR.ARPA</listitem>
+ <listitem>168.192.IN-ADDR.ARPA</listitem>
+ <listitem>2.0.192.IN-ADDR.ARPA</listitem>
+ <listitem>0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</listitem>
+ <listitem>1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</listitem>
+ <listitem>D.F.IP6.ARPA</listitem>
+ <listitem>8.E.F.IP6.ARPA</listitem>
+ <listitem>9.E.F.IP6.ARPA</listitem>
+ <listitem>A.E.F.IP6.ARPA</listitem>
+ <listitem>B.E.F.IP6.ARPA</listitem>
+ </itemizedlist>
+ </para>
+ <para>
+ Empty zones are settable at the view level and only apply to
+ views of class IN. Disabled empty zones are only inherited
+ from options if there are no disabled empty zones specified
+ at the view level. To override the options list of disabled
+ zones, you can disable the root zone at the view level, for example:
+<programlisting>
+ disable-empty-zone ".";
+</programlisting>
+ </para>
+ <para>
+ If you are using the address ranges covered here, you should
+ already have reverse zones covering the addresses you use.
+ In practice this appears to not be the case with many queries
+ being made to the infrustructure servers for names in these
+ spaces. So many in fact that sacrificial servers were needed
+ to be deployed to channel the query load away from the
+ infrustructure servers.
+ </para>
+ <note>
+ The real parent servers for these zones should disable all
+ empty zone under the parent zone they serve. For the real
+ root servers, this is all built in empty zones. This will
+ enable them to return referrals to deeper in the tree.
+ </note>
+ <variablelist>
+ <varlistentry>
+ <term><command>empty-server</command></term>
+ <listitem>
+ <para>
+ Specify what server name will appear in the returned
+ SOA record for empty zones. If none is specified, then
+ the zone's name will be used.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>empty-contact</command></term>
+ <listitem>
+ <para>
+ Specify what contact name will appear in the returned
+ SOA record for empty zones. If none is specified, then
+ "." will be used.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>empty-zones-enable</command></term>
+ <listitem>
+ <para>
+ Enable or disable all empty zones. By default they
+ are enabled.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>disable-empty-zone</command></term>
+ <listitem>
+ <para>
+ Disable individual empty zones. By default none are
+ disabled. This option can be specified multiple times.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </sect3>
+
+ <sect3 id="statsfile">
+ <title>The Statistics File</title>
+
+ <para>
+ The statistics file generated by <acronym>BIND</acronym> 9
+ is similar, but not identical, to that
+ generated by <acronym>BIND</acronym> 8.
+ </para>
+ <para>
+ The statistics dump begins with a line, like:
+ </para>
+ <para>
+ <command>+++ Statistics Dump +++ (973798949)</command>
+ </para>
+ <para>
+ The number in parentheses is a standard
+ Unix-style timestamp, measured as seconds since January 1, 1970.
+ Following
+ that line are a series of lines containing a counter type, the
+ value of the
+ counter, optionally a zone name, and optionally a view name.
+ The lines without view and zone listed are global statistics for
+ the entire server.
+ Lines with a zone and view name for the given view and zone (the
+ view name is
+ omitted for the default view).
+ </para>
+ <para>
+ The statistics dump ends with the line where the
+ number is identical to the number in the beginning line; for example:
+ </para>
+ <para>
+ <command>--- Statistics Dump --- (973798949)</command>
+ </para>
+ <para>
+ The following statistics counters are maintained:
+ </para>
+ <informaltable colsep="0" rowsep="0">
+ <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
+ <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
+ <colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/>
+ <tbody>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>success</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ The number of
+ successful queries made to the server or zone. A
+ successful query
+ is defined as query which returns a NOERROR response
+ with at least
+ one answer RR.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>referral</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ The number of queries which resulted
+ in referral responses.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>nxrrset</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ The number of queries which resulted in
+ NOERROR responses with no data.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>nxdomain</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ The number
+ of queries which resulted in NXDOMAIN responses.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>failure</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ The number of queries which resulted in a
+ failure response other than those above.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>recursion</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ The number of queries which caused the server
+ to perform recursion in order to find the final answer.
+ </para>
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>
+ Each query received by the server will cause exactly one of
+ <command>success</command>,
+ <command>referral</command>,
+ <command>nxrrset</command>,
+ <command>nxdomain</command>, or
+ <command>failure</command>
+ to be incremented, and may additionally cause the
+ <command>recursion</command> counter to be
+ incremented.
+ </para>
+
+ </sect3>
+
+ <sect3 id="acache">
+ <title>Additional Section Caching</title>
+
+ <para>
+ The additional section cache, also called <command>acache</command>,
+ is an internal cache to improve the response performance of BIND 9.
+ When additional section caching is enabled, BIND 9 will
+ cache an internal short-cut to the additional section content for
+ each answer RR.
+ Note that <command>acache</command> is an internal caching
+ mechanism of BIND 9, and is not related to the DNS caching
+ server function.
+ </para>
+
+ <para>
+ Additional section caching does not change the
+ response content (except the RRsets ordering of the additional
+ section, see below), but can improve the response performance
+ significantly.
+ It is particularly effective when BIND 9 acts as an authoritative
+ server for a zone that has many delegations with many glue RRs.
+ </para>
+
+ <para>
+ In order to obtain the maximum performance improvement
+ from additional section caching, setting
+ <command>additional-from-cache</command>
+ to <command>no</command> is recommended, since the current
+ implementation of <command>acache</command>
+ does not short-cut of additional section information from the
+ DNS cache data.
+ </para>
+
+ <para>
+ One obvious disadvantage of <command>acache</command> is
+ that it requires much more
+ memory for the internal cached data.
+ Thus, if the response performance does not matter and memory
+ consumption is much more critical, the
+ <command>acache</command> mechanism can be
+ disabled by setting <command>acache-enable</command> to
+ <command>no</command>.
+ It is also possible to specify the upper limit of memory
+ consumption
+ for acache by using <command>max-acache-size</command>.
+ </para>
+
+ <para>
+ Additional section caching also has a minor effect on the
+ RRset ordering in the additional section.
+ Without <command>acache</command>,
+ <command>cyclic</command> order is effective for the additional
+ section as well as the answer and authority sections.
+ However, additional section caching fixes the ordering when it
+ first caches an RRset for the additional section, and the same
+ ordering will be kept in succeeding responses, regardless of the
+ setting of <command>rrset-order</command>.
+ The effect of this should be minor, however, since an
+ RRset in the additional section
+ typically only contains a small number of RRs (and in many cases
+ it only contains a single RR), in which case the
+ ordering does not matter much.
+ </para>
+
+ <para>
+ The following is a summary of options related to
+ <command>acache</command>.
+ </para>
+
+ <variablelist>
+
+ <varlistentry>
+ <term><command>acache-enable</command></term>
+ <listitem>
+ <para>
+ If <command>yes</command>, additional section caching is
+ enabled. The default value is <command>no</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>acache-cleaning-interval</command></term>
+ <listitem>
+ <para>
+ The server will remove stale cache entries, based on an LRU
+ based
+ algorithm, every <command>acache-cleaning-interval</command> minutes.
+ The default is 60 minutes.
+ If set to 0, no periodic cleaning will occur.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>max-acache-size</command></term>
+ <listitem>
+ <para>
+ The maximum amount of memory in bytes to use for the server's acache.
+ When the amount of data in the acache reaches this limit,
+ the server
+ will clean more aggressively so that the limit is not
+ exceeded.
+ In a server with multiple views, the limit applies
+ separately to the
+ acache of each view.
+ The default is <literal>unlimited</literal>,
+ meaning that
+ entries are purged from the acache only at the
+ periodic cleaning time.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+
+ </sect3>
+
+ </sect2>
+
+ <sect2 id="server_statement_grammar">
+ <title><command>server</command> Statement Grammar</title>
+
+<programlisting>server <replaceable>ip_addr[/prefixlen]</replaceable> {
<optional> bogus <replaceable>yes_or_no</replaceable> ; </optional>
<optional> provide-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
<optional> request-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
<optional> edns <replaceable>yes_or_no</replaceable> ; </optional>
+ <optional> edns-udp-size <replaceable>number</replaceable> ; </optional>
+ <optional> max-udp-size <replaceable>number</replaceable> ; </optional>
<optional> transfers <replaceable>number</replaceable> ; </optional>
<optional> transfer-format <replaceable>( one-answer | many-answers )</replaceable> ; ]</optional>
<optional> keys <replaceable>{ string ; <optional> string ; <optional>...</optional></optional> }</replaceable> ; </optional>
<optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
+ <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
+ <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
+ <optional> query-source <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
+ <optional> query-source-v6 <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
};
</programlisting>
-</sect2>
-
-<sect2 id="server_statement_definition_and_usage">
-<title><command>server</command> Statement Definition and Usage</title>
-
-<para>The <command>server</command> statement defines characteristics
-to be associated with a remote name server.</para>
-
-<para>
-The <command>server</command> statement can occur at the top level of the
-configuration file or inside a <command>view</command> statement.
-If a <command>view</command> statement contains
-one or more <command>server</command> statements, only those
-apply to the view and any top-level ones are ignored.
-If a view contains no <command>server</command> statements,
-any top-level <command>server</command> statements are used as
-defaults.
-</para>
-
-<para>If you discover that a remote server is giving out bad data,
-marking it as bogus will prevent further queries to it. The default
-value of <command>bogus</command> is <command>no</command>.</para>
-<para>The <command>provide-ixfr</command> clause determines whether
-the local server, acting as master, will respond with an incremental
-zone transfer when the given remote server, a slave, requests it.
-If set to <command>yes</command>, incremental transfer will be provided
-whenever possible. If set to <command>no</command>, all transfers
-to the remote server will be non-incremental. If not set, the value
-of the <command>provide-ixfr</command> option in the view or
-global options block is used as a default.</para>
-
-<para>The <command>request-ixfr</command> clause determines whether
-the local server, acting as a slave, will request incremental zone
-transfers from the given remote server, a master. If not set, the
-value of the <command>request-ixfr</command> option in the view or
-global options block is used as a default.</para>
-
-<para>IXFR requests to servers that do not support IXFR will automatically
-fall back to AXFR. Therefore, there is no need to manually list
-which servers support IXFR and which ones do not; the global default
-of <command>yes</command> should always work.
-The purpose of the <command>provide-ixfr</command> and
-<command>request-ixfr</command> clauses is
-to make it possible to disable the use of IXFR even when both master
-and slave claim to support it, for example if one of the servers
-is buggy and crashes or corrupts data when IXFR is used.</para>
-
-<para>The <command>edns</command> clause determines whether the local server
-will attempt to use EDNS when communicating with the remote server. The
-default is <command>yes</command>.</para>
-
-<para>The server supports two zone transfer methods. The first, <command>one-answer</command>,
-uses one DNS message per resource record transferred. <command>many-answers</command> packs
-as many resource records as possible into a message. <command>many-answers</command> is
-more efficient, but is only known to be understood by <acronym>BIND</acronym> 9, <acronym>BIND</acronym>
-8.x, and patched versions of <acronym>BIND</acronym> 4.9.5. You can specify which method
-to use for a server with the <command>transfer-format</command> option.
-If <command>transfer-format</command> is not specified, the <command>transfer-format</command> specified
-by the <command>options</command> statement will be used.</para>
-
-<para><command>transfers</command> is used to limit the number of
-concurrent inbound zone transfers from the specified server. If
-no <command>transfers</command> clause is specified, the limit is
-set according to the <command>transfers-per-ns</command> option.</para>
-
-<para>The <command>keys</command> clause identifies a
-<command>key_id</command> defined by the <command>key</command> statement,
-to be used for transaction security (TSIG, <xref linkend="tsig"/>)
-when talking to the remote server.
-When a request is sent to the remote server, a request signature
-will be generated using the key specified here and appended to the
-message. A request originating from the remote server is not required
-to be signed by this key.</para>
-
-<para>Although the grammar of the <command>keys</command> clause
-allows for multiple keys, only a single key per server is currently
-supported.</para>
-
-<para>The <command>transfer-source</command> and
-<command>transfer-source-v6</command> clauses specify the IPv4 and IPv6 source
-address to be used for zone transfer with the remote server, respectively.
-For an IPv4 remote server, only <command>transfer-source</command> can
-be specified.
-Similarly, for an IPv6 remote server, only
-<command>transfer-source-v6</command> can be specified.
-For more details, see the description of
-<command>transfer-source</command> and
-<command>transfer-source-v6</command> in
-<xref linkend="zone_transfers"/>.</para>
-
-</sect2>
-
-<sect2><title><command>trusted-keys</command> Statement Grammar</title>
+ </sect2>
+
+ <sect2 id="server_statement_definition_and_usage">
+ <title><command>server</command> Statement Definition and
+ Usage</title>
+
+ <para>
+ The <command>server</command> statement defines
+ characteristics
+ to be associated with a remote name server. If a prefix length is
+ specified, then a range of servers is covered. Only the most
+ specific
+ server clause applies regardless of the order in
+ <filename>named.conf</filename>.
+ </para>
+
+ <para>
+ The <command>server</command> statement can occur at
+ the top level of the
+ configuration file or inside a <command>view</command>
+ statement.
+ If a <command>view</command> statement contains
+ one or more <command>server</command> statements, only
+ those
+ apply to the view and any top-level ones are ignored.
+ If a view contains no <command>server</command>
+ statements,
+ any top-level <command>server</command> statements are
+ used as
+ defaults.
+ </para>
+
+ <para>
+ If you discover that a remote server is giving out bad data,
+ marking it as bogus will prevent further queries to it. The
+ default
+ value of <command>bogus</command> is <command>no</command>.
+ </para>
+ <para>
+ The <command>provide-ixfr</command> clause determines
+ whether
+ the local server, acting as master, will respond with an
+ incremental
+ zone transfer when the given remote server, a slave, requests it.
+ If set to <command>yes</command>, incremental transfer
+ will be provided
+ whenever possible. If set to <command>no</command>,
+ all transfers
+ to the remote server will be non-incremental. If not set, the
+ value
+ of the <command>provide-ixfr</command> option in the
+ view or
+ global options block is used as a default.
+ </para>
+
+ <para>
+ The <command>request-ixfr</command> clause determines
+ whether
+ the local server, acting as a slave, will request incremental zone
+ transfers from the given remote server, a master. If not set, the
+ value of the <command>request-ixfr</command> option in
+ the view or
+ global options block is used as a default.
+ </para>
+
+ <para>
+ IXFR requests to servers that do not support IXFR will
+ automatically
+ fall back to AXFR. Therefore, there is no need to manually list
+ which servers support IXFR and which ones do not; the global
+ default
+ of <command>yes</command> should always work.
+ The purpose of the <command>provide-ixfr</command> and
+ <command>request-ixfr</command> clauses is
+ to make it possible to disable the use of IXFR even when both
+ master
+ and slave claim to support it, for example if one of the servers
+ is buggy and crashes or corrupts data when IXFR is used.
+ </para>
+
+ <para>
+ The <command>edns</command> clause determines whether
+ the local server will attempt to use EDNS when communicating
+ with the remote server. The default is <command>yes</command>.
+ </para>
+
+ <para>
+ The <command>edns-udp-size</command> option sets the EDNS UDP size
+ that is advertised by named when querying the remote server.
+ Valid values are 512 to 4096 bytes (values outside this range will be
+ silently adjusted). This option is useful when you wish to
+ advertises a different value to this server than the value you
+ advertise globally, for example, when there is a firewall at the
+ remote site that is blocking large replies.
+ </para>
+
+ <para>
+ The <command>max-udp-size</command> option sets the
+ maximum EDNS UDP message size named will send. Valid
+ values are 512 to 4096 bytes (values outside this range will
+ be silently adjusted). This option is useful when you
+ know that there is a firewall that is blocking large
+ replies from named.
+ </para>
+
+ <para>
+ The server supports two zone transfer methods. The first, <command>one-answer</command>,
+ uses one DNS message per resource record transferred. <command>many-answers</command> packs
+ as many resource records as possible into a message. <command>many-answers</command> is
+ more efficient, but is only known to be understood by <acronym>BIND</acronym> 9, <acronym>BIND</acronym>
+ 8.x, and patched versions of <acronym>BIND</acronym>
+ 4.9.5. You can specify which method
+ to use for a server with the <command>transfer-format</command> option.
+ If <command>transfer-format</command> is not
+ specified, the <command>transfer-format</command>
+ specified
+ by the <command>options</command> statement will be
+ used.
+ </para>
+
+ <para><command>transfers</command>
+ is used to limit the number of concurrent inbound zone
+ transfers from the specified server. If no
+ <command>transfers</command> clause is specified, the
+ limit is set according to the
+ <command>transfers-per-ns</command> option.
+ </para>
+
+ <para>
+ The <command>keys</command> clause identifies a
+ <command>key_id</command> defined by the <command>key</command> statement,
+ to be used for transaction security (TSIG, <xref linkend="tsig"/>)
+ when talking to the remote server.
+ When a request is sent to the remote server, a request signature
+ will be generated using the key specified here and appended to the
+ message. A request originating from the remote server is not
+ required
+ to be signed by this key.
+ </para>
+
+ <para>
+ Although the grammar of the <command>keys</command>
+ clause
+ allows for multiple keys, only a single key per server is
+ currently
+ supported.
+ </para>
+
+ <para>
+ The <command>transfer-source</command> and
+ <command>transfer-source-v6</command> clauses specify
+ the IPv4 and IPv6 source
+ address to be used for zone transfer with the remote server,
+ respectively.
+ For an IPv4 remote server, only <command>transfer-source</command> can
+ be specified.
+ Similarly, for an IPv6 remote server, only
+ <command>transfer-source-v6</command> can be
+ specified.
+ For more details, see the description of
+ <command>transfer-source</command> and
+ <command>transfer-source-v6</command> in
+ <xref linkend="zone_transfers"/>.
+ </para>
+
+ <para>
+ The <command>notify-source</command> and
+ <command>notify-source-v6</command> clauses specify the
+ IPv4 and IPv6 source address to be used for notify
+ messages sent to remote servers, respectively. For an
+ IPv4 remote server, only <command>notify-source</command>
+ can be specified. Similarly, for an IPv6 remote server,
+ only <command>notify-source-v6</command> can be specified.
+ </para>
+
+ <para>
+ The <command>query-source</command> and
+ <command>query-source-v6</command> clauses specify the
+ IPv4 and IPv6 source address to be used for queries
+ sent to remote servers, respectively. For an IPv4
+ remote server, only <command>query-source</command> can
+ be specified. Similarly, for an IPv6 remote server,
+ only <command>query-source-v6</command> can be specified.
+ </para>
+
+ </sect2>
+
+ <sect2>
+ <title><command>trusted-keys</command> Statement Grammar</title>
+
<programlisting>trusted-keys {
<replaceable>string</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ;
<optional> <replaceable>string</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; <optional>...</optional></optional>
};
</programlisting>
-</sect2>
+ </sect2>
<sect2>
<title><command>trusted-keys</command> Statement Definition
and Usage</title>
@@ -4607,15 +7846,15 @@ For more details, see the description of
key, it is treated as if it had been validated and
proven secure. The resolver attempts DNSSEC validation
on all DNS data in subdomains of a security root.
- </para>
- <para>
+ </para>
+ <para>
All keys (and corresponding zones) listed in
<command>trusted-keys</command> are deemed to exist regardless
of what parent zones say. Similarly for all keys listed in
<command>trusted-keys</command> only those keys are
used to validate the DNSKEY RRset. The parent's DS RRset
will not be used.
- </para>
+ </para>
<para>
The <command>trusted-keys</command> statement can contain
multiple key entries, each consisting of the key's
@@ -4624,71 +7863,114 @@ For more details, see the description of
</para>
</sect2>
-<sect2 id="view_statement_grammar">
-<title><command>view</command> Statement Grammar</title>
-<programlisting>view <replaceable>view_name</replaceable>
+ <sect2 id="view_statement_grammar">
+ <title><command>view</command> Statement Grammar</title>
+
+<programlisting>view <replaceable>view_name</replaceable>
<optional><replaceable>class</replaceable></optional> {
- match-clients { <replaceable>address_match_list</replaceable> } ;
- match-destinations { <replaceable>address_match_list</replaceable> } ;
+ match-clients { <replaceable>address_match_list</replaceable> };
+ match-destinations { <replaceable>address_match_list</replaceable> };
match-recursive-only <replaceable>yes_or_no</replaceable> ;
<optional> <replaceable>view_option</replaceable>; ...</optional>
<optional> <replaceable>zone_statement</replaceable>; ...</optional>
};
-</programlisting></sect2>
-<sect2><title><command>view</command> Statement Definition and Usage</title>
-
-<para>The <command>view</command> statement is a powerful new feature
-of <acronym>BIND</acronym> 9 that lets a name server answer a DNS query differently
-depending on who is asking. It is particularly useful for implementing
-split DNS setups without having to run multiple servers.</para>
-
-<para>Each <command>view</command> statement defines a view of the
-DNS namespace that will be seen by a subset of clients. A client matches
-a view if its source IP address matches the
-<varname>address_match_list</varname> of the view's
-<command>match-clients</command> clause and its destination IP address matches
-the <varname>address_match_list</varname> of the view's
-<command>match-destinations</command> clause. If not specified, both
-<command>match-clients</command> and <command>match-destinations</command>
-default to matching all addresses. In addition to checking IP addresses
-<command>match-clients</command> and <command>match-destinations</command>
-can also take <command>keys</command> which provide an mechanism for the
-client to select the view. A view can also be specified
-as <command>match-recursive-only</command>, which means that only recursive
-requests from matching clients will match that view.
-The order of the <command>view</command> statements is significant &mdash;
-a client request will be resolved in the context of the first
-<command>view</command> that it matches.</para>
-
-<para>Zones defined within a <command>view</command> statement will
-be only be accessible to clients that match the <command>view</command>.
- By defining a zone of the same name in multiple views, different
-zone data can be given to different clients, for example, "internal"
-and "external" clients in a split DNS setup.</para>
-
-<para>Many of the options given in the <command>options</command> statement
-can also be used within a <command>view</command> statement, and then
-apply only when resolving queries with that view. When no view-specific
-value is given, the value in the <command>options</command> statement
-is used as a default. Also, zone options can have default values specified
-in the <command>view</command> statement; these view-specific defaults
-take precedence over those in the <command>options</command> statement.</para>
-
-<para>Views are class specific. If no class is given, class IN
-is assumed. Note that all non-IN views must contain a hint zone,
-since only the IN class has compiled-in default hints.</para>
-
-<para>If there are no <command>view</command> statements in the config
-file, a default view that matches any client is automatically created
-in class IN. Any <command>zone</command> statements specified on
-the top level of the configuration file are considered to be part of
-this default view, and the <command>options</command> statement will
-apply to the default view. If any explicit <command>view</command>
-statements are present, all <command>zone</command> statements must
-occur inside <command>view</command> statements.</para>
-
-<para>Here is an example of a typical split DNS setup implemented
-using <command>view</command> statements:</para>
+</programlisting>
+
+ </sect2>
+ <sect2>
+ <title><command>view</command> Statement Definition and Usage</title>
+
+ <para>
+ The <command>view</command> statement is a powerful
+ feature
+ of <acronym>BIND</acronym> 9 that lets a name server
+ answer a DNS query differently
+ depending on who is asking. It is particularly useful for
+ implementing
+ split DNS setups without having to run multiple servers.
+ </para>
+
+ <para>
+ Each <command>view</command> statement defines a view
+ of the
+ DNS namespace that will be seen by a subset of clients. A client
+ matches
+ a view if its source IP address matches the
+ <varname>address_match_list</varname> of the view's
+ <command>match-clients</command> clause and its
+ destination IP address matches
+ the <varname>address_match_list</varname> of the
+ view's
+ <command>match-destinations</command> clause. If not
+ specified, both
+ <command>match-clients</command> and <command>match-destinations</command>
+ default to matching all addresses. In addition to checking IP
+ addresses
+ <command>match-clients</command> and <command>match-destinations</command>
+ can also take <command>keys</command> which provide an
+ mechanism for the
+ client to select the view. A view can also be specified
+ as <command>match-recursive-only</command>, which
+ means that only recursive
+ requests from matching clients will match that view.
+ The order of the <command>view</command> statements is
+ significant &mdash;
+ a client request will be resolved in the context of the first
+ <command>view</command> that it matches.
+ </para>
+
+ <para>
+ Zones defined within a <command>view</command>
+ statement will
+ be only be accessible to clients that match the <command>view</command>.
+ By defining a zone of the same name in multiple views, different
+ zone data can be given to different clients, for example,
+ "internal"
+ and "external" clients in a split DNS setup.
+ </para>
+
+ <para>
+ Many of the options given in the <command>options</command> statement
+ can also be used within a <command>view</command>
+ statement, and then
+ apply only when resolving queries with that view. When no
+ view-specific
+ value is given, the value in the <command>options</command> statement
+ is used as a default. Also, zone options can have default values
+ specified
+ in the <command>view</command> statement; these
+ view-specific defaults
+ take precedence over those in the <command>options</command> statement.
+ </para>
+
+ <para>
+ Views are class specific. If no class is given, class IN
+ is assumed. Note that all non-IN views must contain a hint zone,
+ since only the IN class has compiled-in default hints.
+ </para>
+
+ <para>
+ If there are no <command>view</command> statements in
+ the config
+ file, a default view that matches any client is automatically
+ created
+ in class IN. Any <command>zone</command> statements
+ specified on
+ the top level of the configuration file are considered to be part
+ of
+ this default view, and the <command>options</command>
+ statement will
+ apply to the default view. If any explicit <command>view</command>
+ statements are present, all <command>zone</command>
+ statements must
+ occur inside <command>view</command> statements.
+ </para>
+
+ <para>
+ Here is an example of a typical split DNS setup implemented
+ using <command>view</command> statements:
+ </para>
+
<programlisting>view "internal" {
// This should match our internal networks.
match-clients { 10.0.0.0/8; };
@@ -4719,19 +8001,27 @@ view "external" {
};
};
</programlisting>
-</sect2>
-<sect2 id="zone_statement_grammar"><title><command>zone</command>
-Statement Grammar</title>
-<programlisting>zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
+
+ </sect2>
+ <sect2 id="zone_statement_grammar">
+ <title><command>zone</command>
+ Statement Grammar</title>
+
+<programlisting>zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
type master;
- <optional> allow-query { <replaceable>address_match_list</replaceable> } ; </optional>
- <optional> allow-transfer { <replaceable>address_match_list</replaceable> } ; </optional>
- <optional> allow-update { <replaceable>address_match_list</replaceable> } ; </optional>
- <optional> update-policy { <replaceable>update_policy_rule</replaceable> <optional>...</optional> } ; </optional>
+ <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> update-policy { <replaceable>update_policy_rule</replaceable> <optional>...</optional> }; </optional>
<optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
<optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
+ <optional> check-mx (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
+ <optional> check-wildcard <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> check-integrity <replaceable>yes_or_no</replaceable> ; </optional>
<optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
<optional> file <replaceable>string</replaceable> ; </optional>
+ <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
+ <optional> journal <replaceable>string</replaceable> ; </optional>
<optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
<optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
<optional> ixfr-base <replaceable>string</replaceable> ; </optional>
@@ -4740,7 +8030,7 @@ Statement Grammar</title>
<optional> max-ixfr-log-size <replaceable>number</replaceable> ; </optional>
<optional> max-transfer-idle-out <replaceable>number</replaceable> ; </optional>
<optional> max-transfer-time-out <replaceable>number</replaceable> ; </optional>
- <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> ; </optional>
+ <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable> ; </optional>
<optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
<optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
@@ -4752,30 +8042,34 @@ Statement Grammar</title>
<optional> min-retry-time <replaceable>number</replaceable> ; </optional>
<optional> max-retry-time <replaceable>number</replaceable> ; </optional>
<optional> key-directory <replaceable>path_name</replaceable>; </optional>
+ <optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
};
-zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
+zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
type slave;
- <optional> allow-notify { <replaceable>address_match_list</replaceable> } ; </optional>
- <optional> allow-query { <replaceable>address_match_list</replaceable> } ; </optional>
- <optional> allow-transfer { <replaceable>address_match_list</replaceable> } ; </optional>
- <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> } ; </optional>
+ <optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
<optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
<optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
<optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
<optional> file <replaceable>string</replaceable> ; </optional>
+ <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
+ <optional> journal <replaceable>string</replaceable> ; </optional>
<optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
<optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
<optional> ixfr-base <replaceable>string</replaceable> ; </optional>
<optional> ixfr-tmp-file <replaceable>string</replaceable> ; </optional>
<optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable> ; </optional>
- <optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> } ; </optional>
+ <optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> }; </optional>
<optional> max-ixfr-log-size <replaceable>number</replaceable> ; </optional>
<optional> max-transfer-idle-in <replaceable>number</replaceable> ; </optional>
<optional> max-transfer-idle-out <replaceable>number</replaceable> ; </optional>
<optional> max-transfer-time-in <replaceable>number</replaceable> ; </optional>
<optional> max-transfer-time-out <replaceable>number</replaceable> ; </optional>
- <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> ; </optional>
+ <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable> ; </optional>
<optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
<optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
@@ -4791,25 +8085,27 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
<optional> min-retry-time <replaceable>number</replaceable> ; </optional>
<optional> max-retry-time <replaceable>number</replaceable> ; </optional>
<optional> multi-master <replaceable>yes_or_no</replaceable> ; </optional>
+ <optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
};
-zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
+zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
type hint;
- <optional> file <replaceable>string</replaceable> ; </optional>
+ file <replaceable>string</replaceable> ;
<optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
<optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; // Not Implemented. </optional>
};
-zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
+zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
type stub;
- <optional> allow-query { <replaceable>address_match_list</replaceable> } ; </optional>
+ <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
<optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
<optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
<optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
<optional> file <replaceable>string</replaceable> ; </optional>
+ <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
<optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
<optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
- <optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> } ; </optional>
+ <optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> }; </optional>
<optional> max-transfer-idle-in <replaceable>number</replaceable> ; </optional>
<optional> max-transfer-time-in <replaceable>number</replaceable> ; </optional>
<optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
@@ -4819,7 +8115,6 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
<optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
<optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
- <optional> sig-validity-interval <replaceable>number</replaceable> ; </optional>
<optional> database <replaceable>string</replaceable> ; </optional>
<optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
<optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
@@ -4828,1013 +8123,2258 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
<optional> multi-master <replaceable>yes_or_no</replaceable> ; </optional>
};
-zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
+zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
type forward;
<optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
<optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
<optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
};
-zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
+zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
type delegation-only;
};
+
</programlisting>
-</sect2>
-<sect2><title><command>zone</command> Statement Definition and Usage</title>
-<sect3><title>Zone Types</title>
-<informaltable colsep = "0" rowsep = "0">
-<tgroup cols = "2" colsep = "0" rowsep = "0"
- tgroupstyle = "3Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.908in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.217in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>master</varname></para></entry>
-<entry colname = "2"><para>The server has a master copy of the data
-for the zone and will be able to provide authoritative answers for
-it.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>slave</varname></para></entry>
-<entry colname = "2"><para>A slave zone is a replica of a master
-zone. The <command>masters</command> list specifies one or more IP addresses
-of master servers that the slave contacts to update its copy of the zone.
-Masters list elements can also be names of other masters lists.
-By default, transfers are made from port 53 on the servers; this can
-be changed for all servers by specifying a port number before the
-list of IP addresses, or on a per-server basis after the IP address.
-Authentication to the master can also be done with per-server TSIG keys.
-If a file is specified, then the
-replica will be written to this file whenever the zone is changed,
-and reloaded from this file on a server restart. Use of a file is
-recommended, since it often speeds server startup and eliminates
-a needless waste of bandwidth. Note that for large numbers (in the
-tens or hundreds of thousands) of zones per server, it is best to
-use a two-level naming scheme for zone file names. For example,
-a slave server for the zone <literal>example.com</literal> might place
-the zone contents into a file called
-<filename>ex/example.com</filename> where <filename>ex/</filename> is
-just the first two letters of the zone name. (Most operating systems
-behave very slowly if you put 100 000 files into
-a single directory.)</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>stub</varname></para></entry>
-<entry colname = "2"><para>A stub zone is similar to a slave zone,
-except that it replicates only the NS records of a master zone instead
-of the entire zone. Stub zones are not a standard part of the DNS;
-they are a feature specific to the <acronym>BIND</acronym> implementation.
-</para>
-
-<para>Stub zones can be used to eliminate the need for glue NS record
-in a parent zone at the expense of maintaining a stub zone entry and
-a set of name server addresses in <filename>named.conf</filename>.
-This usage is not recommended for new configurations, and BIND 9
-supports it only in a limited way.
-In <acronym>BIND</acronym> 4/8, zone transfers of a parent zone
-included the NS records from stub children of that zone. This meant
-that, in some cases, users could get away with configuring child stubs
-only in the master server for the parent zone. <acronym>BIND</acronym>
-9 never mixes together zone data from different zones in this
-way. Therefore, if a <acronym>BIND</acronym> 9 master serving a parent
-zone has child stub zones configured, all the slave servers for the
-parent zone also need to have the same child stub zones
-configured.</para>
-
-<para>Stub zones can also be used as a way of forcing the resolution
-of a given domain to use a particular set of authoritative servers.
-For example, the caching name servers on a private network using
-RFC1918 addressing may be configured with stub zones for
-<literal>10.in-addr.arpa</literal>
-to use a set of internal name servers as the authoritative
-servers for that domain.</para>
-</entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>forward</varname></para></entry>
-<entry colname = "2"><para>A "forward zone" is a way to configure
-forwarding on a per-domain basis. A <command>zone</command> statement
-of type <command>forward</command> can contain a <command>forward</command> and/or <command>forwarders</command> statement,
-which will apply to queries within the domain given by the zone
-name. If no <command>forwarders</command> statement is present or
-an empty list for <command>forwarders</command> is given, then no
-forwarding will be done for the domain, canceling the effects of
-any forwarders in the <command>options</command> statement. Thus
-if you want to use this type of zone to change the behavior of the
-global <command>forward</command> option (that is, "forward first"
-to, then "forward only", or vice versa, but want to use the same
-servers as set globally) you need to re-specify the global forwarders.</para>
-</entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>hint</varname></para></entry>
-<entry colname = "2"><para>The initial set of root name servers is
-specified using a "hint zone". When the server starts up, it uses
-the root hints to find a root name server and get the most recent
-list of root name servers. If no hint zone is specified for class
-IN, the server uses a compiled-in default set of root servers hints.
-Classes other than IN have no built-in defaults hints.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>delegation-only</varname></para></entry>
-<entry colname = "2"><para>This is used to enforce the delegation-only
-status of infrastructure zones (e.g. COM, NET, ORG). Any answer that
-is received without an explicit or implicit delegation in the authority
-section will be treated as NXDOMAIN. This does not apply to the zone
-apex. This should not be applied to leaf zones.</para>
-<para><varname>delegation-only</varname> has no effect on answers received
-from forwarders.</para></entry>
-</row>
-</tbody>
-</tgroup></informaltable></sect3>
-
-<sect3><title>Class</title>
-<para>The zone's name may optionally be followed by a class. If
-a class is not specified, class <literal>IN</literal> (for <varname>Internet</varname>),
-is assumed. This is correct for the vast majority of cases.</para>
-<para>The <literal>hesiod</literal> class is
-named for an information service from MIT's Project Athena. It is
-used to share information about various systems databases, such
-as users, groups, printers and so on. The keyword
-<literal>HS</literal> is
-a synonym for hesiod.</para>
-<para>Another MIT development is CHAOSnet, a LAN protocol created
-in the mid-1970s. Zone data for it can be specified with the <literal>CHAOS</literal> class.</para></sect3>
-<sect3>
-
-<title>Zone Options</title>
-
-<variablelist>
-
-<varlistentry><term><command>allow-notify</command></term>
-<listitem><para>See the description of
-<command>allow-notify</command> in <xref linkend="access_control"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>allow-query</command></term>
-<listitem><para>See the description of
-<command>allow-query</command> in <xref linkend="access_control"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>allow-transfer</command></term>
-<listitem><para>See the description of <command>allow-transfer</command>
-in <xref linkend="access_control"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>allow-update</command></term>
-<listitem><para>Specifies which hosts are allowed to
-submit Dynamic DNS updates for master zones. The default is to deny
-updates from all hosts. Note that allowing updates based
-on the requestor's IP address is insecure; see
-<xref linkend="dynamic_update_security"/> for details.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>update-policy</command></term>
-<listitem><para>Specifies a "Simple Secure Update" policy. See
-<xref linkend="dynamic_update_policies"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>allow-update-forwarding</command></term>
-<listitem><para>See the description of <command>allow-update-forwarding</command>
-in <xref linkend="access_control"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>also-notify</command></term>
-<listitem><para>Only meaningful if <command>notify</command> is
-active for this zone. The set of machines that will receive a
-<literal>DNS NOTIFY</literal> message
-for this zone is made up of all the listed name servers (other than
-the primary master) for the zone plus any IP addresses specified
-with <command>also-notify</command>. A port may be specified
-with each <command>also-notify</command> address to send the notify
-messages to a port other than the default of 53.
-<command>also-notify</command> is not meaningful for stub zones.
-The default is the empty list.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>check-names</command></term>
-<listitem><para>
-This option is used to restrict the character set and syntax of
-certain domain names in master files and/or DNS responses received from the
-network. The default varies according to zone type. For <command>master</command> zones the default is <command>fail</command>. For <command>slave</command>
-zones the default is <command>warn</command>.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>database</command></term>
-<listitem><para>Specify the type of database to be used for storing the
-zone data. The string following the <command>database</command> keyword
-is interpreted as a list of whitespace-delimited words. The first word
-identifies the database type, and any subsequent words are passed
-as arguments to the database to be interpreted in a way specific
-to the database type.</para>
-<para>The default is <userinput>"rbt"</userinput>, BIND 9's native in-memory
-red-black-tree database. This database does not take arguments.</para>
-<para>Other values are possible if additional database drivers
-have been linked into the server. Some sample drivers are included
-with the distribution but none are linked in by default.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>dialup</command></term>
-<listitem><para>See the description of
-<command>dialup</command> in <xref linkend="boolean_options"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>delegation-only</command></term>
-<listitem><para>The flag only applies to hint and stub zones. If set
-to <userinput>yes</userinput>, then the zone will also be treated as if it
-is also a delegation-only type zone.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>forward</command></term>
-<listitem><para>Only meaningful if the zone has a forwarders
-list. The <command>only</command> value causes the lookup to fail
-after trying the forwarders and getting no answer, while <command>first</command> would
-allow a normal lookup to be tried.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>forwarders</command></term>
-<listitem><para>Used to override the list of global forwarders.
-If it is not specified in a zone of type <command>forward</command>,
-no forwarding is done for the zone and the global options are not used.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>ixfr-base</command></term>
-<listitem><para>Was used in <acronym>BIND</acronym> 8 to specify the name
-of the transaction log (journal) file for dynamic update and IXFR.
-<acronym>BIND</acronym> 9 ignores the option and constructs the name of the journal
-file by appending "<filename>.jnl</filename>" to the name of the
-zone file.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>ixfr-tmp-file</command></term>
-<listitem><para>Was an undocumented option in <acronym>BIND</acronym> 8.
-Ignored in <acronym>BIND</acronym> 9.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>max-transfer-time-in</command></term>
-<listitem><para>See the description of
-<command>max-transfer-time-in</command> in <xref linkend="zone_transfers"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>max-transfer-idle-in</command></term>
-<listitem><para>See the description of
-<command>max-transfer-idle-in</command> in <xref linkend="zone_transfers"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>max-transfer-time-out</command></term>
-<listitem><para>See the description of
-<command>max-transfer-time-out</command> in <xref linkend="zone_transfers"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>max-transfer-idle-out</command></term>
-<listitem><para>See the description of
-<command>max-transfer-idle-out</command> in <xref linkend="zone_transfers"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>notify</command></term>
-<listitem><para>See the description of
-<command>notify</command> in <xref linkend="boolean_options"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>pubkey</command></term>
-<listitem><para>In <acronym>BIND</acronym> 8, this option was intended for specifying
-a public zone key for verification of signatures in DNSSEC signed
-zones when they are loaded from disk. <acronym>BIND</acronym> 9 does not verify signatures
-on load and ignores the option.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>zone-statistics</command></term>
-<listitem><para>If <userinput>yes</userinput>, the server will keep statistical
-information for this zone, which can be dumped to the
-<command>statistics-file</command> defined in the server options.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>sig-validity-interval</command></term>
-<listitem><para>See the description of
-<command>sig-validity-interval</command> in <xref linkend="tuning"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>transfer-source</command></term>
-<listitem><para>See the description of
-<command>transfer-source</command> in <xref linkend="zone_transfers"/>.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>transfer-source-v6</command></term>
-<listitem><para>See the description of
-<command>transfer-source-v6</command> in <xref linkend="zone_transfers"/>.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>alt-transfer-source</command></term>
-<listitem><para>See the description of
-<command>alt-transfer-source</command> in <xref linkend="zone_transfers"/>.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>alt-transfer-source-v6</command></term>
-<listitem><para>See the description of
-<command>alt-transfer-source-v6</command> in <xref linkend="zone_transfers"/>.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>use-alt-transfer-source</command></term>
-<listitem><para>See the description of
-<command>use-alt-transfer-source</command> in <xref linkend="zone_transfers"/>.
-</para>
-</listitem></varlistentry>
-
-
-<varlistentry><term><command>notify-source</command></term>
-<listitem><para>See the description of
-<command>notify-source</command> in <xref linkend="zone_transfers"/>
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>notify-source-v6</command></term>
-<listitem><para>See the description of
-<command>notify-source-v6</command> in <xref linkend="zone_transfers"/>.
-</para>
-</listitem></varlistentry>
-
-<varlistentry>
-<term><command>min-refresh-time</command></term>
-<term><command>max-refresh-time</command></term>
-<term><command>min-retry-time</command></term>
-<term><command>max-retry-time</command></term>
-<listitem><para>
-See the description in <xref linkend="tuning"/>.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>ixfr-from-differences</command></term>
-<listitem><para>See the description of
-<command>ixfr-from-differences</command> in <xref linkend="boolean_options"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>key-directory</command></term>
-<listitem><para>See the description of
-<command>key-directory</command> in <xref linkend="options"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>multi-master</command></term>
-<listitem><para>See the description of
-<command>multi-master</command> in <xref linkend="boolean_options"/>.</para>
-</listitem></varlistentry>
-
-</variablelist>
-
-</sect3>
-<sect3 id="dynamic_update_policies"><title>Dynamic Update Policies</title>
-<para><acronym>BIND</acronym> 9 supports two alternative methods of granting clients
-the right to perform dynamic updates to a zone,
-configured by the <command>allow-update</command> and
-<command>update-policy</command> option, respectively.</para>
-<para>The <command>allow-update</command> clause works the same
-way as in previous versions of <acronym>BIND</acronym>. It grants given clients the
-permission to update any record of any name in the zone.</para>
-<para>The <command>update-policy</command> clause is new in <acronym>BIND</acronym>
-9 and allows more fine-grained control over what updates are allowed.
-A set of rules is specified, where each rule either grants or denies
-permissions for one or more names to be updated by one or more identities.
- If the dynamic update request message is signed (that is, it includes
-either a TSIG or SIG(0) record), the identity of the signer can
-be determined.</para>
-<para>Rules are specified in the <command>update-policy</command> zone
-option, and are only meaningful for master zones. When the <command>update-policy</command> statement
-is present, it is a configuration error for the <command>allow-update</command> statement
-to be present. The <command>update-policy</command> statement only
-examines the signer of a message; the source address is not relevant.</para>
-<para>This is how a rule definition looks:</para>
+
+ </sect2>
+ <sect2>
+ <title><command>zone</command> Statement Definition and Usage</title>
+ <sect3>
+ <title>Zone Types</title>
+ <informaltable colsep="0" rowsep="0">
+ <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
+ <!--colspec colname="1" colnum="1" colsep="0" colwidth="1.108in"/-->
+ <!--colspec colname="2" colnum="2" colsep="0" colwidth="4.017in"/-->
+ <colspec colname="1" colnum="1" colsep="0"/>
+ <colspec colname="2" colnum="2" colsep="0" colwidth="4.017in"/>
+ <tbody>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>master</varname>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ The server has a master copy of the data
+ for the zone and will be able to provide authoritative
+ answers for
+ it.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>slave</varname>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ A slave zone is a replica of a master
+ zone. The <command>masters</command> list
+ specifies one or more IP addresses
+ of master servers that the slave contacts to update
+ its copy of the zone.
+ Masters list elements can also be names of other
+ masters lists.
+ By default, transfers are made from port 53 on the
+ servers; this can
+ be changed for all servers by specifying a port number
+ before the
+ list of IP addresses, or on a per-server basis after
+ the IP address.
+ Authentication to the master can also be done with
+ per-server TSIG keys.
+ If a file is specified, then the
+ replica will be written to this file whenever the zone
+ is changed,
+ and reloaded from this file on a server restart. Use
+ of a file is
+ recommended, since it often speeds server startup and
+ eliminates
+ a needless waste of bandwidth. Note that for large
+ numbers (in the
+ tens or hundreds of thousands) of zones per server, it
+ is best to
+ use a two-level naming scheme for zone file names. For
+ example,
+ a slave server for the zone <literal>example.com</literal> might place
+ the zone contents into a file called
+ <filename>ex/example.com</filename> where <filename>ex/</filename> is
+ just the first two letters of the zone name. (Most
+ operating systems
+ behave very slowly if you put 100 000 files into
+ a single directory.)
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>stub</varname>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ A stub zone is similar to a slave zone,
+ except that it replicates only the NS records of a
+ master zone instead
+ of the entire zone. Stub zones are not a standard part
+ of the DNS;
+ they are a feature specific to the <acronym>BIND</acronym> implementation.
+ </para>
+
+ <para>
+ Stub zones can be used to eliminate the need for glue
+ NS record
+ in a parent zone at the expense of maintaining a stub
+ zone entry and
+ a set of name server addresses in <filename>named.conf</filename>.
+ This usage is not recommended for new configurations,
+ and BIND 9
+ supports it only in a limited way.
+ In <acronym>BIND</acronym> 4/8, zone
+ transfers of a parent zone
+ included the NS records from stub children of that
+ zone. This meant
+ that, in some cases, users could get away with
+ configuring child stubs
+ only in the master server for the parent zone. <acronym>BIND</acronym>
+ 9 never mixes together zone data from different zones
+ in this
+ way. Therefore, if a <acronym>BIND</acronym> 9 master serving a parent
+ zone has child stub zones configured, all the slave
+ servers for the
+ parent zone also need to have the same child stub
+ zones
+ configured.
+ </para>
+
+ <para>
+ Stub zones can also be used as a way of forcing the
+ resolution
+ of a given domain to use a particular set of
+ authoritative servers.
+ For example, the caching name servers on a private
+ network using
+ RFC1918 addressing may be configured with stub zones
+ for
+ <literal>10.in-addr.arpa</literal>
+ to use a set of internal name servers as the
+ authoritative
+ servers for that domain.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>forward</varname>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ A "forward zone" is a way to configure
+ forwarding on a per-domain basis. A <command>zone</command> statement
+ of type <command>forward</command> can
+ contain a <command>forward</command>
+ and/or <command>forwarders</command>
+ statement,
+ which will apply to queries within the domain given by
+ the zone
+ name. If no <command>forwarders</command>
+ statement is present or
+ an empty list for <command>forwarders</command> is given, then no
+ forwarding will be done for the domain, canceling the
+ effects of
+ any forwarders in the <command>options</command> statement. Thus
+ if you want to use this type of zone to change the
+ behavior of the
+ global <command>forward</command> option
+ (that is, "forward first"
+ to, then "forward only", or vice versa, but want to
+ use the same
+ servers as set globally) you need to re-specify the
+ global forwarders.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>hint</varname>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ The initial set of root name servers is
+ specified using a "hint zone". When the server starts
+ up, it uses
+ the root hints to find a root name server and get the
+ most recent
+ list of root name servers. If no hint zone is
+ specified for class
+ IN, the server uses a compiled-in default set of root
+ servers hints.
+ Classes other than IN have no built-in defaults hints.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>delegation-only</varname>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ This is used to enforce the delegation-only
+ status of infrastructure zones (e.g. COM, NET, ORG).
+ Any answer that
+ is received without an explicit or implicit delegation
+ in the authority
+ section will be treated as NXDOMAIN. This does not
+ apply to the zone
+ apex. This should not be applied to leaf zones.
+ </para>
+ <para>
+ <varname>delegation-only</varname> has no
+ effect on answers received
+ from forwarders.
+ </para>
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+ </sect3>
+
+ <sect3>
+ <title>Class</title>
+ <para>
+ The zone's name may optionally be followed by a class. If
+ a class is not specified, class <literal>IN</literal> (for <varname>Internet</varname>),
+ is assumed. This is correct for the vast majority of cases.
+ </para>
+ <para>
+ The <literal>hesiod</literal> class is
+ named for an information service from MIT's Project Athena. It
+ is
+ used to share information about various systems databases, such
+ as users, groups, printers and so on. The keyword
+ <literal>HS</literal> is
+ a synonym for hesiod.
+ </para>
+ <para>
+ Another MIT development is CHAOSnet, a LAN protocol created
+ in the mid-1970s. Zone data for it can be specified with the <literal>CHAOS</literal> class.
+ </para>
+ </sect3>
+ <sect3>
+
+ <title>Zone Options</title>
+
+ <variablelist>
+
+ <varlistentry>
+ <term><command>allow-notify</command></term>
+ <listitem>
+ <para>
+ See the description of
+ <command>allow-notify</command> in <xref linkend="access_control"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>allow-query</command></term>
+ <listitem>
+ <para>
+ See the description of
+ <command>allow-query</command> in <xref linkend="access_control"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>allow-transfer</command></term>
+ <listitem>
+ <para>
+ See the description of <command>allow-transfer</command>
+ in <xref linkend="access_control"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>allow-update</command></term>
+ <listitem>
+ <para>
+ See the description of <command>allow-update</command>
+ in <xref linkend="access_control"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>update-policy</command></term>
+ <listitem>
+ <para>
+ Specifies a "Simple Secure Update" policy. See
+ <xref linkend="dynamic_update_policies"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>allow-update-forwarding</command></term>
+ <listitem>
+ <para>
+ See the description of <command>allow-update-forwarding</command>
+ in <xref linkend="access_control"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>also-notify</command></term>
+ <listitem>
+ <para>
+ Only meaningful if <command>notify</command>
+ is
+ active for this zone. The set of machines that will
+ receive a
+ <literal>DNS NOTIFY</literal> message
+ for this zone is made up of all the listed name servers
+ (other than
+ the primary master) for the zone plus any IP addresses
+ specified
+ with <command>also-notify</command>. A port
+ may be specified
+ with each <command>also-notify</command>
+ address to send the notify
+ messages to a port other than the default of 53.
+ <command>also-notify</command> is not
+ meaningful for stub zones.
+ The default is the empty list.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>check-names</command></term>
+ <listitem>
+ <para>
+ This option is used to restrict the character set and
+ syntax of
+ certain domain names in master files and/or DNS responses
+ received from the
+ network. The default varies according to zone type. For <command>master</command> zones the default is <command>fail</command>. For <command>slave</command>
+ zones the default is <command>warn</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>check-mx</command></term>
+ <listitem>
+ <para>
+ See the description of
+ <command>check-mx</command> in <xref linkend="boolean_options"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>check-wildcard</command></term>
+ <listitem>
+ <para>
+ See the description of
+ <command>check-wildcard</command> in <xref linkend="boolean_options"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>check-integrity</command></term>
+ <listitem>
+ <para>
+ See the description of
+ <command>check-integrity</command> in <xref linkend="boolean_options"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>check-sibling</command></term>
+ <listitem>
+ <para>
+ See the description of
+ <command>check-sibling</command> in <xref linkend="boolean_options"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>zero-no-soa-ttl</command></term>
+ <listitem>
+ <para>
+ See the description of
+ <command>zero-no-soa-ttl</command> in <xref linkend="boolean_options"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>update-check-ksk</command></term>
+ <listitem>
+ <para>
+ See the description of
+ <command>update-check-ksk</command> in <xref linkend="boolean_options"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>database</command></term>
+ <listitem>
+ <para>
+ Specify the type of database to be used for storing the
+ zone data. The string following the <command>database</command> keyword
+ is interpreted as a list of whitespace-delimited words.
+ The first word
+ identifies the database type, and any subsequent words are
+ passed
+ as arguments to the database to be interpreted in a way
+ specific
+ to the database type.
+ </para>
+ <para>
+ The default is <userinput>"rbt"</userinput>, BIND 9's
+ native in-memory
+ red-black-tree database. This database does not take
+ arguments.
+ </para>
+ <para>
+ Other values are possible if additional database drivers
+ have been linked into the server. Some sample drivers are
+ included
+ with the distribution but none are linked in by default.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>dialup</command></term>
+ <listitem>
+ <para>
+ See the description of
+ <command>dialup</command> in <xref linkend="boolean_options"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>delegation-only</command></term>
+ <listitem>
+ <para>
+ The flag only applies to hint and stub zones. If set
+ to <userinput>yes</userinput>, then the zone will also be
+ treated as if it
+ is also a delegation-only type zone.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>forward</command></term>
+ <listitem>
+ <para>
+ Only meaningful if the zone has a forwarders
+ list. The <command>only</command> value causes
+ the lookup to fail
+ after trying the forwarders and getting no answer, while <command>first</command> would
+ allow a normal lookup to be tried.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>forwarders</command></term>
+ <listitem>
+ <para>
+ Used to override the list of global forwarders.
+ If it is not specified in a zone of type <command>forward</command>,
+ no forwarding is done for the zone and the global options are
+ not used.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>ixfr-base</command></term>
+ <listitem>
+ <para>
+ Was used in <acronym>BIND</acronym> 8 to
+ specify the name
+ of the transaction log (journal) file for dynamic update
+ and IXFR.
+ <acronym>BIND</acronym> 9 ignores the option
+ and constructs the name of the journal
+ file by appending "<filename>.jnl</filename>"
+ to the name of the
+ zone file.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>ixfr-tmp-file</command></term>
+ <listitem>
+ <para>
+ Was an undocumented option in <acronym>BIND</acronym> 8.
+ Ignored in <acronym>BIND</acronym> 9.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>journal</command></term>
+ <listitem>
+ <para>
+ Allow the default journal's file name to be overridden.
+ The default is the zone's file with "<filename>.jnl</filename>" appended.
+ This is applicable to <command>master</command> and <command>slave</command> zones.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>max-transfer-time-in</command></term>
+ <listitem>
+ <para>
+ See the description of
+ <command>max-transfer-time-in</command> in <xref linkend="zone_transfers"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>max-transfer-idle-in</command></term>
+ <listitem>
+ <para>
+ See the description of
+ <command>max-transfer-idle-in</command> in <xref linkend="zone_transfers"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>max-transfer-time-out</command></term>
+ <listitem>
+ <para>
+ See the description of
+ <command>max-transfer-time-out</command> in <xref linkend="zone_transfers"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>max-transfer-idle-out</command></term>
+ <listitem>
+ <para>
+ See the description of
+ <command>max-transfer-idle-out</command> in <xref linkend="zone_transfers"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>notify</command></term>
+ <listitem>
+ <para>
+ See the description of
+ <command>notify</command> in <xref linkend="boolean_options"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>pubkey</command></term>
+ <listitem>
+ <para>
+ In <acronym>BIND</acronym> 8, this option was
+ intended for specifying
+ a public zone key for verification of signatures in DNSSEC
+ signed
+ zones when they are loaded from disk. <acronym>BIND</acronym> 9 does not verify signatures
+ on load and ignores the option.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>zone-statistics</command></term>
+ <listitem>
+ <para>
+ If <userinput>yes</userinput>, the server will keep
+ statistical
+ information for this zone, which can be dumped to the
+ <command>statistics-file</command> defined in
+ the server options.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>sig-validity-interval</command></term>
+ <listitem>
+ <para>
+ See the description of
+ <command>sig-validity-interval</command> in <xref linkend="tuning"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>transfer-source</command></term>
+ <listitem>
+ <para>
+ See the description of
+ <command>transfer-source</command> in <xref linkend="zone_transfers"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>transfer-source-v6</command></term>
+ <listitem>
+ <para>
+ See the description of
+ <command>transfer-source-v6</command> in <xref linkend="zone_transfers"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>alt-transfer-source</command></term>
+ <listitem>
+ <para>
+ See the description of
+ <command>alt-transfer-source</command> in <xref linkend="zone_transfers"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>alt-transfer-source-v6</command></term>
+ <listitem>
+ <para>
+ See the description of
+ <command>alt-transfer-source-v6</command> in <xref linkend="zone_transfers"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>use-alt-transfer-source</command></term>
+ <listitem>
+ <para>
+ See the description of
+ <command>use-alt-transfer-source</command> in <xref linkend="zone_transfers"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><command>notify-source</command></term>
+ <listitem>
+ <para>
+ See the description of
+ <command>notify-source</command> in <xref linkend="zone_transfers"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>notify-source-v6</command></term>
+ <listitem>
+ <para>
+ See the description of
+ <command>notify-source-v6</command> in <xref linkend="zone_transfers"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>min-refresh-time</command></term>
+ <term><command>max-refresh-time</command></term>
+ <term><command>min-retry-time</command></term>
+ <term><command>max-retry-time</command></term>
+ <listitem>
+ <para>
+ See the description in <xref linkend="tuning"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>ixfr-from-differences</command></term>
+ <listitem>
+ <para>
+ See the description of
+ <command>ixfr-from-differences</command> in <xref linkend="boolean_options"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>key-directory</command></term>
+ <listitem>
+ <para>
+ See the description of
+ <command>key-directory</command> in <xref linkend="options"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>multi-master</command></term>
+ <listitem>
+ <para>
+ See the description of <command>multi-master</command> in
+ <xref linkend="boolean_options"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>masterfile-format</command></term>
+ <listitem>
+ <para>
+ See the description of <command>masterfile-format</command>
+ in <xref linkend="tuning"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+
+ </sect3>
+ <sect3 id="dynamic_update_policies">
+ <title>Dynamic Update Policies</title>
+ <para>
+ <acronym>BIND</acronym> 9 supports two alternative
+ methods of granting clients
+ the right to perform dynamic updates to a zone,
+ configured by the <command>allow-update</command>
+ and
+ <command>update-policy</command> option,
+ respectively.
+ </para>
+ <para>
+ The <command>allow-update</command> clause works the
+ same
+ way as in previous versions of <acronym>BIND</acronym>. It grants given clients the
+ permission to update any record of any name in the zone.
+ </para>
+ <para>
+ The <command>update-policy</command> clause is new
+ in <acronym>BIND</acronym>
+ 9 and allows more fine-grained control over what updates are
+ allowed.
+ A set of rules is specified, where each rule either grants or
+ denies
+ permissions for one or more names to be updated by one or more
+ identities.
+ If the dynamic update request message is signed (that is, it
+ includes
+ either a TSIG or SIG(0) record), the identity of the signer can
+ be determined.
+ </para>
+ <para>
+ Rules are specified in the <command>update-policy</command> zone
+ option, and are only meaningful for master zones. When the <command>update-policy</command> statement
+ is present, it is a configuration error for the <command>allow-update</command> statement
+ to be present. The <command>update-policy</command>
+ statement only
+ examines the signer of a message; the source address is not
+ relevant.
+ </para>
+ <para>
+ This is how a rule definition looks:
+ </para>
+
<programlisting>
( <command>grant</command> | <command>deny</command> ) <replaceable>identity</replaceable> <replaceable>nametype</replaceable> <replaceable>name</replaceable> <optional> <replaceable>types</replaceable> </optional>
</programlisting>
-<para>Each rule grants or denies privileges. Once a message has
-successfully matched a rule, the operation is immediately granted
-or denied and no further rules are examined. A rule is matched
-when the signer matches the identity field, the name matches the
-name field in accordance with the nametype field, and the type matches
-the types specified in the type field.</para>
-
-<para>The identity field specifies a name or a wildcard name. Normally, this
-is the name of the TSIG or SIG(0) key used to sign the update request. When a
-TKEY exchange has been used to create a shared secret, the identity of the
-shared secret is the same as the identity of the key used to authenticate the
-TKEY exchange. When the <replaceable>identity</replaceable> field specifies a
-wildcard name, it is subject to DNS wildcard expansion, so the rule will apply
-to multiple identities. The <replaceable>identity</replaceable> field must
-contain a fully qualified domain name.</para>
-
-<para>The <replaceable>nametype</replaceable> field has 4 values:
-<varname>name</varname>, <varname>subdomain</varname>,
-<varname>wildcard</varname>, and <varname>self</varname>.
-</para>
-<informaltable>
- <tgroup cols = "2" colsep = "0"
- rowsep = "0" tgroupstyle = "4Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.819in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.681in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>name</varname></para></entry>
-<entry colname = "2"><para>Exact-match semantics. This rule matches when the
-name being updated is identical to the contents of the
-<replaceable>name</replaceable> field.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>subdomain</varname></para></entry>
-<entry colname = "2"><para>This rule matches when the name being updated
-is a subdomain of, or identical to, the contents of the
-<replaceable>name</replaceable> field.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>wildcard</varname></para></entry>
-<entry colname = "2"><para>The <replaceable>name</replaceable> field is
-subject to DNS wildcard expansion, and this rule matches when the name
-being updated name is a valid expansion of the wildcard.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>self</varname></para></entry>
-<entry colname = "2"><para>This rule matches when the name being updated
-matches the contents of the <replaceable>identity</replaceable> field.
-The <replaceable>name</replaceable> field is ignored, but should be
-the same as the <replaceable>identity</replaceable> field. The
-<varname>self</varname> nametype is most useful when allowing using
-one key per name to update, where the key has the same name as the name
-to be updated. The <replaceable>identity</replaceable> would be
-specified as <constant>*</constant> in this case.</para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-
-<para>In all cases, the <replaceable>name</replaceable> field must
-specify a fully qualified domain name.</para>
-
-<para>If no types are explicitly specified, this rule matches all types except
-SIG, NS, SOA, and NXT. Types may be specified by name, including
-"ANY" (ANY matches all types except NXT, which can never be updated).
-Note that when an attempt is made to delete all records associated with a
-name, the rules are checked for each existing record type.
-</para>
- </sect3>
- </sect2>
- </sect1>
- <sect1>
- <title>Zone File</title>
- <sect2 id="types_of_resource_records_and_when_to_use_them">
- <title>Types of Resource Records and When to Use Them</title>
-<para>This section, largely borrowed from RFC 1034, describes the
-concept of a Resource Record (RR) and explains when each is used.
-Since the publication of RFC 1034, several new RRs have been identified
-and implemented in the DNS. These are also included.</para>
- <sect3>
- <title>Resource Records</title>
-
- <para>A domain name identifies a node. Each node has a set of
- resource information, which may be empty. The set of resource
- information associated with a particular name is composed of
- separate RRs. The order of RRs in a set is not significant and
- need not be preserved by name servers, resolvers, or other
- parts of the DNS. However, sorting of multiple RRs is
- permitted for optimization purposes, for example, to specify
- that a particular nearby server be tried first. See <xref
- linkend="the_sortlist_statement"/> and <xref
- linkend="rrset_ordering"/>.</para>
-
-<para>The components of a Resource Record are:</para>
-<informaltable colsep = "0"
- rowsep = "0"><tgroup cols = "2" colsep = "0"
- rowsep = "0" tgroupstyle = "4Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.000in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.500in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para>owner name</para></entry>
-<entry colname = "2"><para>the domain name where the RR is found.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>type</para></entry>
-<entry colname = "2"><para>an encoded 16-bit value that specifies
-the type of the resource record.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>TTL</para></entry>
-<entry colname = "2"><para>the time-to-live of the RR. This field
-is a 32-bit integer in units of seconds, and is primarily used by
-resolvers when they cache RRs. The TTL describes how long a RR can
-be cached before it should be discarded.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>class</para></entry>
-<entry colname = "2"><para>an encoded 16-bit value that identifies
-a protocol family or instance of a protocol.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>RDATA</para></entry>
-<entry colname = "2"><para>the resource data. The format of the
-data is type (and sometimes class) specific.</para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-<para>The following are <emphasis>types</emphasis> of valid RRs:</para>
-<informaltable colsep = "0"
- rowsep = "0"><tgroup cols = "2" colsep = "0"
- rowsep = "0" tgroupstyle = "4Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.875in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.625in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para>A</para></entry>
-<entry colname = "2"><para>a host address. In the IN class, this is a
-32-bit IP address. Described in RFC 1035.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>AAAA</para></entry>
-<entry colname = "2"><para>IPv6 address. Described in RFC 1886.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>A6</para></entry>
-<entry colname = "2"><para>IPv6 address. This can be a partial
-address (a suffix) and an indirection to the name where the rest of the
-address (the prefix) can be found. Experimental. Described in RFC 2874.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>AFSDB</para></entry>
-<entry colname = "2"><para>location of AFS database servers.
-Experimental. Described in RFC 1183.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>APL</para></entry>
-<entry colname = "2"><para>address prefix list. Experimental.
-Described in RFC 3123.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>CERT</para></entry>
-<entry colname = "2"><para>holds a digital certificate.
-Described in RFC 2538.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>CNAME</para></entry>
-<entry colname = "2"><para>identifies the canonical name of an alias.
-Described in RFC 1035.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>DNAME</para></entry>
-<entry colname = "2"><para>Replaces the domain name specified with
-another name to be looked up, effectively aliasing an entire
-subtree of the domain name space rather than a single record
-as in the case of the CNAME RR.
-Described in RFC 2672.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>GPOS</para></entry>
-<entry colname = "2"><para>Specifies the global position. Superseded by LOC.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>HINFO</para></entry>
-<entry colname = "2"><para>identifies the CPU and OS used by a host.
-Described in RFC 1035.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>ISDN</para></entry>
-<entry colname = "2"><para>representation of ISDN addresses.
-Experimental. Described in RFC 1183.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>KEY</para></entry>
-<entry colname = "2"><para>stores a public key associated with a
-DNS name. Described in RFC 2535.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>KX</para></entry>
-<entry colname = "2"><para>identifies a key exchanger for this
-DNS name. Described in RFC 2230.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>LOC</para></entry>
-<entry colname = "2"><para>for storing GPS info. Described in RFC 1876.
-Experimental.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>MX</para></entry>
-<entry colname = "2"><para>identifies a mail exchange for the domain.
-A 16-bit preference value (lower is better)
-followed by the host name of the mail exchange.
-Described in RFC 974, RFC 1035.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>NAPTR</para></entry>
-<entry colname = "2"><para>name authority pointer. Described in RFC 2915.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>NSAP</para></entry>
-<entry colname = "2"><para>a network service access point.
-Described in RFC 1706.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>NS</para></entry>
-<entry colname = "2"><para>the authoritative name server for the
-domain. Described in RFC 1035.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>NXT</para></entry>
-<entry colname = "2"><para>used in DNSSEC to securely indicate that
-RRs with an owner name in a certain name interval do not exist in
-a zone and indicate what RR types are present for an existing name.
-Described in RFC 2535.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>PTR</para></entry>
-<entry colname = "2"><para>a pointer to another part of the domain
-name space. Described in RFC 1035.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>PX</para></entry>
-<entry colname = "2"><para>provides mappings between RFC 822 and X.400
-addresses. Described in RFC 2163.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>RP</para></entry>
-<entry colname = "2"><para>information on persons responsible
-for the domain. Experimental. Described in RFC 1183.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>RT</para></entry>
-<entry colname = "2"><para>route-through binding for hosts that
-do not have their own direct wide area network addresses.
-Experimental. Described in RFC 1183.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>SIG</para></entry>
-<entry colname = "2"><para>("signature") contains data authenticated
-in the secure DNS. Described in RFC 2535.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>SOA</para></entry>
-<entry colname = "2"><para>identifies the start of a zone of authority.
-Described in RFC 1035.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>SRV</para></entry>
-<entry colname = "2"><para>information about well known network
-services (replaces WKS). Described in RFC 2782.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>TXT</para></entry>
-<entry colname = "2"><para>text records. Described in RFC 1035.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>WKS</para></entry>
-<entry colname = "2"><para>information about which well known
-network services, such as SMTP, that a domain supports. Historical.
-</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>X25</para></entry>
-<entry colname = "2"><para>representation of X.25 network addresses.
-Experimental. Described in RFC 1183.</para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-<para>The following <emphasis>classes</emphasis> of resource records
-are currently valid in the DNS:</para><informaltable colsep = "0"
- rowsep = "0"><tgroup cols = "2" colsep = "0" rowsep = "0"
- tgroupstyle = "4Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.875in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.625in"/>
-<tbody>
-
-<row rowsep = "0">
-<entry colname = "1"><para>IN</para></entry>
-<entry colname = "2"><para>The Internet.</para></entry>
-</row>
-
-<row rowsep = "0">
-<entry colname = "1"><para>CH</para></entry>
-<entry colname = "2"><para>
-CHAOSnet, a LAN protocol created at MIT in the mid-1970s.
-Rarely used for its historical purpose, but reused for BIND's
-built-in server information zones, e.g.,
-<literal>version.bind</literal>.
-</para></entry>
-</row>
-
-<row rowsep = "0">
-<entry colname = "1"><para>HS</para></entry>
-<entry colname = "2"><para>
-Hesiod, an information service
-developed by MIT's Project Athena. It is used to share information
-about various systems databases, such as users, groups, printers
-and so on.
-</para></entry>
-</row>
-
-</tbody>
-</tgroup></informaltable>
-
-<para>The owner name is often implicit, rather than forming an integral
-part of the RR. For example, many name servers internally form tree
-or hash structures for the name space, and chain RRs off nodes.
- The remaining RR parts are the fixed header (type, class, TTL)
-which is consistent for all RRs, and a variable part (RDATA) that
-fits the needs of the resource being described.</para>
-<para>The meaning of the TTL field is a time limit on how long an
-RR can be kept in a cache. This limit does not apply to authoritative
-data in zones; it is also timed out, but by the refreshing policies
-for the zone. The TTL is assigned by the administrator for the
-zone where the data originates. While short TTLs can be used to
-minimize caching, and a zero TTL prohibits caching, the realities
-of Internet performance suggest that these times should be on the
-order of days for the typical host. If a change can be anticipated,
-the TTL can be reduced prior to the change to minimize inconsistency
-during the change, and then increased back to its former value following
-the change.</para>
-<para>The data in the RDATA section of RRs is carried as a combination
-of binary strings and domain names. The domain names are frequently
-used as "pointers" to other data in the DNS.</para></sect3>
-<sect3><title>Textual expression of RRs</title>
-<para>RRs are represented in binary form in the packets of the DNS
-protocol, and are usually represented in highly encoded form when
-stored in a name server or resolver. In the examples provided in
-RFC 1034, a style similar to that used in master files was employed
-in order to show the contents of RRs. In this format, most RRs
-are shown on a single line, although continuation lines are possible
-using parentheses.</para>
-<para>The start of the line gives the owner of the RR. If a line
-begins with a blank, then the owner is assumed to be the same as
-that of the previous RR. Blank lines are often included for readability.</para>
-<para>Following the owner, we list the TTL, type, and class of the
-RR. Class and type use the mnemonics defined above, and TTL is
-an integer before the type field. In order to avoid ambiguity in
-parsing, type and class mnemonics are disjoint, TTLs are integers,
-and the type mnemonic is always last. The IN class and TTL values
-are often omitted from examples in the interests of clarity.</para>
-<para>The resource data or RDATA section of the RR are given using
-knowledge of the typical representation for the data.</para>
-<para>For example, we might show the RRs carried in a message as:</para> <informaltable
- colsep = "0" rowsep = "0"><tgroup cols = "3"
- colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.381in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "1.020in"/>
-<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "2.099in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para><literal>ISI.EDU.</literal></para></entry>
-<entry colname = "2"><para><literal>MX</literal></para></entry>
-<entry colname = "3"><para><literal>10 VENERA.ISI.EDU.</literal></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para></para></entry>
-<entry colname = "2"><para><literal>MX</literal></para></entry>
-<entry colname = "3"><para><literal>10 VAXA.ISI.EDU</literal></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><literal>VENERA.ISI.EDU</literal></para></entry>
-<entry colname = "2"><para><literal>A</literal></para></entry>
-<entry colname = "3"><para><literal>128.9.0.32</literal></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para></para></entry>
-<entry colname = "2"><para><literal>A</literal></para></entry>
-<entry colname = "3"><para><literal>10.1.0.52</literal></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><literal>VAXA.ISI.EDU</literal></para></entry>
-<entry colname = "2"><para><literal>A</literal></para></entry>
-<entry colname = "3"><para><literal>10.2.0.27</literal></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para></para></entry>
-<entry colname = "2"><para><literal>A</literal></para></entry>
-<entry colname = "3"><para><literal>128.9.0.33</literal></para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-<para>The MX RRs have an RDATA section which consists of a 16-bit
-number followed by a domain name. The address RRs use a standard
-IP address format to contain a 32-bit internet address.</para>
-<para>The above example shows six RRs, with two RRs at each of three
-domain names.</para>
-<para>Similarly we might see:</para><informaltable colsep = "0"
- rowsep = "0"><tgroup cols = "3" colsep = "0" rowsep = "0"
- tgroupstyle = "4Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.491in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "1.067in"/>
-<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "2.067in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para><literal>XX.LCS.MIT.EDU. IN</literal></para></entry>
-<entry colname = "2"><para><literal>A</literal></para></entry>
-<entry colname = "3"><para><literal>10.0.0.44</literal></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><literal>CH</literal></para></entry>
-<entry colname = "2"><para><literal>A</literal></para></entry>
-<entry colname = "3"><para><literal>MIT.EDU. 2420</literal></para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-<para>This example shows two addresses for <literal>XX.LCS.MIT.EDU</literal>,
-each of a different class.</para></sect3></sect2>
-
-<sect2><title>Discussion of MX Records</title>
-
-<para>As described above, domain servers store information as a
-series of resource records, each of which contains a particular
-piece of information about a given domain name (which is usually,
-but not always, a host). The simplest way to think of a RR is as
-a typed pair of data, a domain name matched with a relevant datum,
-and stored with some additional type information to help systems
-determine when the RR is relevant.</para>
-
-<para>MX records are used to control delivery of email. The data
-specified in the record is a priority and a domain name. The priority
-controls the order in which email delivery is attempted, with the
-lowest number first. If two priorities are the same, a server is
-chosen randomly. If no servers at a given priority are responding,
-the mail transport agent will fall back to the next largest priority.
-Priority numbers do not have any absolute meaning &mdash; they are relevant
-only respective to other MX records for that domain name. The domain
-name given is the machine to which the mail will be delivered. It <emphasis>must</emphasis> have
-an associated A record &mdash; CNAME is not sufficient.</para>
-<para>For a given domain, if there is both a CNAME record and an
-MX record, the MX record is in error, and will be ignored. Instead,
-the mail will be delivered to the server specified in the MX record
-pointed to by the CNAME.</para>
-<informaltable colsep = "0" rowsep = "0"><tgroup cols = "5"
- colsep = "0" rowsep = "0" tgroupstyle = "3Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.708in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "0.444in"/>
-<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "0.444in"/>
-<colspec colname = "4" colnum = "4" colsep = "0" colwidth = "0.976in"/>
-<colspec colname = "5" colnum = "5" colsep = "0" colwidth = "1.553in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para><literal>example.com.</literal></para></entry>
-<entry colname = "2"><para><literal>IN</literal></para></entry>
-<entry colname = "3"><para><literal>MX</literal></para></entry>
-<entry colname = "4"><para><literal>10</literal></para></entry>
-<entry colname = "5"><para><literal>mail.example.com.</literal></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para></para></entry>
-<entry colname = "2"><para><literal>IN</literal></para></entry>
-<entry colname = "3"><para><literal>MX</literal></para></entry>
-<entry colname = "4"><para><literal>10</literal></para></entry>
-<entry colname = "5"><para><literal>mail2.example.com.</literal></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para></para></entry>
-<entry colname = "2"><para><literal>IN</literal></para></entry>
-<entry colname = "3"><para><literal>MX</literal></para></entry>
-<entry colname = "4"><para><literal>20</literal></para></entry>
-<entry colname = "5"><para><literal>mail.backup.org.</literal></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><literal>mail.example.com.</literal></para></entry>
-<entry colname = "2"><para><literal>IN</literal></para></entry>
-<entry colname = "3"><para><literal>A</literal></para></entry>
-<entry colname = "4"><para><literal>10.0.0.1</literal></para></entry>
-<entry colname = "5"><para></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><literal>mail2.example.com.</literal></para></entry>
-<entry colname = "2"><para><literal>IN</literal></para></entry>
-<entry colname = "3"><para><literal>A</literal></para></entry>
-<entry colname = "4"><para><literal>10.0.0.2</literal></para></entry>
-<entry colname = "5"><para></para></entry>
-</row>
-</tbody>
-</tgroup></informaltable><para>For example:</para>
-<para>Mail delivery will be attempted to <literal>mail.example.com</literal> and
-<literal>mail2.example.com</literal> (in
-any order), and if neither of those succeed, delivery to <literal>mail.backup.org</literal> will
-be attempted.</para></sect2>
-<sect2 id="Setting_TTLs"><title>Setting TTLs</title>
-<para>The time-to-live of the RR field is a 32-bit integer represented
-in units of seconds, and is primarily used by resolvers when they
-cache RRs. The TTL describes how long a RR can be cached before it
-should be discarded. The following three types of TTL are currently
-used in a zone file.</para>
-<informaltable colsep = "0" rowsep = "0"><tgroup cols = "2"
- colsep = "0" rowsep = "0" tgroupstyle = "3Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.750in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.375in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para>SOA</para></entry>
-<entry colname = "2"><para>The last field in the SOA is the negative
-caching TTL. This controls how long other servers will cache no-such-domain
-(NXDOMAIN) responses from you.</para><para>The maximum time for
-negative caching is 3 hours (3h).</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>$TTL</para></entry>
-<entry colname = "2"><para>The $TTL directive at the top of the
-zone file (before the SOA) gives a default TTL for every RR without
-a specific TTL set.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>RR TTLs</para></entry>
-<entry colname = "2"><para>Each RR can have a TTL as the second
-field in the RR, which will control how long other servers can cache
-the it.</para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-<para>All of these TTLs default to units of seconds, though units
-can be explicitly specified, for example, <literal>1h30m</literal>. </para></sect2>
-<sect2><title>Inverse Mapping in IPv4</title>
-<para>Reverse name resolution (that is, translation from IP address
-to name) is achieved by means of the <emphasis>in-addr.arpa</emphasis> domain
-and PTR records. Entries in the in-addr.arpa domain are made in
-least-to-most significant order, read left to right. This is the
-opposite order to the way IP addresses are usually written. Thus,
-a machine with an IP address of 10.1.2.3 would have a corresponding
-in-addr.arpa name of
-3.2.1.10.in-addr.arpa. This name should have a PTR resource record
-whose data field is the name of the machine or, optionally, multiple
-PTR records if the machine has more than one name. For example,
-in the <optional>example.com</optional> domain:</para>
-<informaltable colsep = "0" rowsep = "0">
-<tgroup cols = "2" colsep = "0" rowsep = "0"
- tgroupstyle = "3Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.125in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.000in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para><literal>$ORIGIN</literal></para></entry>
-<entry colname = "2"><para><literal>2.1.10.in-addr.arpa</literal></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><literal>3</literal></para></entry>
-<entry colname = "2"><para><literal>IN PTR foo.example.com.</literal></para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
- <note>
-<para>The <command>$ORIGIN</command> lines in the examples
-are for providing context to the examples only-they do not necessarily
-appear in the actual usage. They are only used here to indicate
-that the example is relative to the listed origin.</para></note></sect2>
-<sect2><title>Other Zone File Directives</title>
-<para>The Master File Format was initially defined in RFC 1035 and
-has subsequently been extended. While the Master File Format itself
-is class independent all records in a Master File must be of the same
-class.</para>
-<para>Master File Directives include <command>$ORIGIN</command>, <command>$INCLUDE</command>,
-and <command>$TTL.</command></para>
-<sect3><title>The <command>$ORIGIN</command> Directive</title>
-<para>Syntax: <command>$ORIGIN
-</command><replaceable>domain-name</replaceable> <optional> <replaceable>comment</replaceable></optional></para>
-<para><command>$ORIGIN</command> sets the domain name that will
-be appended to any unqualified records. When a zone is first read
-in there is an implicit <command>$ORIGIN</command> &#60;<varname>zone-name</varname>><command>.</command> The
-current <command>$ORIGIN</command> is appended to the domain specified
-in the <command>$ORIGIN</command> argument if it is not absolute.</para>
-<programlisting>$ORIGIN example.com.
-WWW CNAME MAIN-SERVER</programlisting>
-<para>is equivalent to</para>
-<programlisting>WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.</programlisting></sect3>
-<sect3><title>The <command>$INCLUDE</command> Directive</title>
-<para>Syntax: <command>$INCLUDE</command>
-<replaceable>filename</replaceable> <optional>
-<replaceable>origin</replaceable> </optional> <optional> <replaceable>comment</replaceable> </optional></para>
-<para>Read and process the file <filename>filename</filename> as
-if it were included into the file at this point. If <command>origin</command> is
-specified the file is processed with <command>$ORIGIN</command> set
-to that value, otherwise the current <command>$ORIGIN</command> is
-used.</para>
-<para>The origin and the current domain name
-revert to the values they had prior to the <command>$INCLUDE</command> once
-the file has been read.</para>
-<note><para>
-RFC 1035 specifies that the current origin should be restored after
-an <command>$INCLUDE</command>, but it is silent on whether the current
-domain name should also be restored. BIND 9 restores both of them.
-This could be construed as a deviation from RFC 1035, a feature, or both.
-</para></note>
-</sect3>
-<sect3><title>The <command>$TTL</command> Directive</title>
-<para>Syntax: <command>$TTL</command>
-<replaceable>default-ttl</replaceable> <optional>
-<replaceable>comment</replaceable> </optional></para>
-<para>Set the default Time To Live (TTL) for subsequent records
-with undefined TTLs. Valid TTLs are of the range 0-2147483647 seconds.</para>
-<para><command>$TTL</command> is defined in RFC 2308.</para></sect3></sect2>
-<sect2><title><acronym>BIND</acronym> Master File Extension: the <command>$GENERATE</command> Directive</title>
- <para>Syntax: <command>$GENERATE</command> <replaceable>range</replaceable> <replaceable>lhs</replaceable> <optional><replaceable>ttl</replaceable></optional> <optional><replaceable>class</replaceable></optional> <replaceable>type</replaceable> <replaceable>rhs</replaceable> <optional> <replaceable>comment</replaceable> </optional></para>
-<para><command>$GENERATE</command> is used to create a series of
-resource records that only differ from each other by an iterator. <command>$GENERATE</command> can
-be used to easily generate the sets of records required to support
-sub /24 reverse delegations described in RFC 2317: Classless IN-ADDR.ARPA
-delegation.</para>
+
+ <para>
+ Each rule grants or denies privileges. Once a message has
+ successfully matched a rule, the operation is immediately
+ granted
+ or denied and no further rules are examined. A rule is matched
+ when the signer matches the identity field, the name matches the
+ name field in accordance with the nametype field, and the type
+ matches
+ the types specified in the type field.
+ </para>
+
+ <para>
+ The identity field specifies a name or a wildcard name.
+ Normally, this
+ is the name of the TSIG or SIG(0) key used to sign the update
+ request. When a
+ TKEY exchange has been used to create a shared secret, the
+ identity of the
+ shared secret is the same as the identity of the key used to
+ authenticate the
+ TKEY exchange. When the <replaceable>identity</replaceable> field specifies a
+ wildcard name, it is subject to DNS wildcard expansion, so the
+ rule will apply
+ to multiple identities. The <replaceable>identity</replaceable> field must
+ contain a fully qualified domain name.
+ </para>
+
+ <para>
+ The <replaceable>nametype</replaceable> field has 6
+ values:
+ <varname>name</varname>, <varname>subdomain</varname>,
+ <varname>wildcard</varname>, <varname>self</varname>,
+ <varname>selfsub</varname>, and <varname>selfwild</varname>.
+ </para>
+ <informaltable>
+ <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
+ <colspec colname="1" colnum="1" colsep="0" colwidth="0.819in"/>
+ <colspec colname="2" colnum="2" colsep="0" colwidth="3.681in"/>
+ <tbody>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>name</varname>
+ </para>
+ </entry> <entry colname="2">
+ <para>
+ Exact-match semantics. This rule matches
+ when the name being updated is identical
+ to the contents of the
+ <replaceable>name</replaceable> field.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>subdomain</varname>
+ </para>
+ </entry> <entry colname="2">
+ <para>
+ This rule matches when the name being updated
+ is a subdomain of, or identical to, the
+ contents of the <replaceable>name</replaceable>
+ field.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>wildcard</varname>
+ </para>
+ </entry> <entry colname="2">
+ <para>
+ The <replaceable>name</replaceable> field
+ is subject to DNS wildcard expansion, and
+ this rule matches when the name being updated
+ name is a valid expansion of the wildcard.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>self</varname>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ This rule matches when the name being updated
+ matches the contents of the
+ <replaceable>identity</replaceable> field.
+ The <replaceable>name</replaceable> field
+ is ignored, but should be the same as the
+ <replaceable>identity</replaceable> field.
+ The <varname>self</varname> nametype is
+ most useful when allowing using one key per
+ name to update, where the key has the same
+ name as the name to be updated. The
+ <replaceable>identity</replaceable> would
+ be specified as <constant>*</constant> (an asterisk) in
+ this case.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>selfsub</varname>
+ </para>
+ </entry> <entry colname="2">
+ <para>
+ This rule is similar to <varname>self</varname>
+ except that subdomains of <varname>self</varname>
+ can also be updated.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>selfwild</varname>
+ </para>
+ </entry> <entry colname="2">
+ <para>
+ This rule is similar to <varname>self</varname>
+ except that only subdomains of
+ <varname>self</varname> can be updated.
+ </para>
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>
+ In all cases, the <replaceable>name</replaceable>
+ field must
+ specify a fully qualified domain name.
+ </para>
+
+ <para>
+ If no types are explicitly specified, this rule matches all
+ types except
+ RRSIG, NS, SOA, and NSEC. Types may be specified by name, including
+ "ANY" (ANY matches all types except NSEC, which can never be
+ updated).
+ Note that when an attempt is made to delete all records
+ associated with a
+ name, the rules are checked for each existing record type.
+ </para>
+ </sect3>
+ </sect2>
+ </sect1>
+ <sect1>
+ <title>Zone File</title>
+ <sect2 id="types_of_resource_records_and_when_to_use_them">
+ <title>Types of Resource Records and When to Use Them</title>
+ <para>
+ This section, largely borrowed from RFC 1034, describes the
+ concept of a Resource Record (RR) and explains when each is used.
+ Since the publication of RFC 1034, several new RRs have been
+ identified
+ and implemented in the DNS. These are also included.
+ </para>
+ <sect3>
+ <title>Resource Records</title>
+
+ <para>
+ A domain name identifies a node. Each node has a set of
+ resource information, which may be empty. The set of resource
+ information associated with a particular name is composed of
+ separate RRs. The order of RRs in a set is not significant and
+ need not be preserved by name servers, resolvers, or other
+ parts of the DNS. However, sorting of multiple RRs is
+ permitted for optimization purposes, for example, to specify
+ that a particular nearby server be tried first. See <xref linkend="the_sortlist_statement"/> and <xref linkend="rrset_ordering"/>.
+ </para>
+
+ <para>
+ The components of a Resource Record are:
+ </para>
+ <informaltable colsep="0" rowsep="0">
+ <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
+ <colspec colname="1" colnum="1" colsep="0" colwidth="1.000in"/>
+ <colspec colname="2" colnum="2" colsep="0" colwidth="3.500in"/>
+ <tbody>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ owner name
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ The domain name where the RR is found.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ type
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ An encoded 16-bit value that specifies
+ the type of the resource record.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ TTL
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ The time-to-live of the RR. This field
+ is a 32-bit integer in units of seconds, and is
+ primarily used by
+ resolvers when they cache RRs. The TTL describes how
+ long a RR can
+ be cached before it should be discarded.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ class
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ An encoded 16-bit value that identifies
+ a protocol family or instance of a protocol.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ RDATA
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ The resource data. The format of the
+ data is type (and sometimes class) specific.
+ </para>
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+ <para>
+ The following are <emphasis>types</emphasis> of valid RRs:
+ </para>
+ <informaltable colsep="0" rowsep="0">
+ <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
+ <colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
+ <colspec colname="2" colnum="2" colsep="0" colwidth="3.625in"/>
+ <tbody>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ A
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ A host address. In the IN class, this is a
+ 32-bit IP address. Described in RFC 1035.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ AAAA
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ IPv6 address. Described in RFC 1886.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ A6
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ IPv6 address. This can be a partial
+ address (a suffix) and an indirection to the name
+ where the rest of the
+ address (the prefix) can be found. Experimental.
+ Described in RFC 2874.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ AFSDB
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Location of AFS database servers.
+ Experimental. Described in RFC 1183.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ APL
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Address prefix list. Experimental.
+ Described in RFC 3123.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ CERT
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Holds a digital certificate.
+ Described in RFC 2538.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ CNAME
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Identifies the canonical name of an alias.
+ Described in RFC 1035.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ DNAME
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Replaces the domain name specified with
+ another name to be looked up, effectively aliasing an
+ entire
+ subtree of the domain name space rather than a single
+ record
+ as in the case of the CNAME RR.
+ Described in RFC 2672.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ DNSKEY
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Stores a public key associated with a signed
+ DNS zone. Described in RFC 4034.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ DS
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Stores the hash of a public key associated with a
+ signed DNS zone. Described in RFC 4034.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ GPOS
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Specifies the global position. Superseded by LOC.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ HINFO
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Identifies the CPU and OS used by a host.
+ Described in RFC 1035.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ ISDN
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Representation of ISDN addresses.
+ Experimental. Described in RFC 1183.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ KEY
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Stores a public key associated with a
+ DNS name. Used in original DNSSEC; replaced
+ by DNSKEY in DNSSECbis, but still used with
+ SIG(0). Described in RFCs 2535 and 2931.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ KX
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Identifies a key exchanger for this
+ DNS name. Described in RFC 2230.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ LOC
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ For storing GPS info. Described in RFC 1876.
+ Experimental.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ MX
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Identifies a mail exchange for the domain with
+ a 16-bit preference value (lower is better)
+ followed by the host name of the mail exchange.
+ Described in RFC 974, RFC 1035.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ NAPTR
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Name authority pointer. Described in RFC 2915.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ NSAP
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ A network service access point.
+ Described in RFC 1706.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ NS
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ The authoritative name server for the
+ domain. Described in RFC 1035.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ NSEC
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Used in DNSSECbis to securely indicate that
+ RRs with an owner name in a certain name interval do
+ not exist in
+ a zone and indicate what RR types are present for an
+ existing name.
+ Described in RFC 4034.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ NXT
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Used in DNSSEC to securely indicate that
+ RRs with an owner name in a certain name interval do
+ not exist in
+ a zone and indicate what RR types are present for an
+ existing name.
+ Used in original DNSSEC; replaced by NSEC in
+ DNSSECbis.
+ Described in RFC 2535.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ PTR
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ A pointer to another part of the domain
+ name space. Described in RFC 1035.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ PX
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Provides mappings between RFC 822 and X.400
+ addresses. Described in RFC 2163.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ RP
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Information on persons responsible
+ for the domain. Experimental. Described in RFC 1183.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ RRSIG
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Contains DNSSECbis signature data. Described
+ in RFC 4034.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ RT
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Route-through binding for hosts that
+ do not have their own direct wide area network
+ addresses.
+ Experimental. Described in RFC 1183.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ SIG
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Contains DNSSEC signature data. Used in
+ original DNSSEC; replaced by RRSIG in
+ DNSSECbis, but still used for SIG(0).
+ Described in RFCs 2535 and 2931.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ SOA
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Identifies the start of a zone of authority.
+ Described in RFC 1035.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ SRV
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Information about well known network
+ services (replaces WKS). Described in RFC 2782.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ TXT
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Text records. Described in RFC 1035.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ WKS
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Information about which well known
+ network services, such as SMTP, that a domain
+ supports. Historical.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ X25
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Representation of X.25 network addresses.
+ Experimental. Described in RFC 1183.
+ </para>
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+ <para>
+ The following <emphasis>classes</emphasis> of resource records
+ are currently valid in the DNS:
+ </para>
+ <informaltable colsep="0" rowsep="0"><tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
+ <colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
+ <colspec colname="2" colnum="2" colsep="0" colwidth="3.625in"/>
+ <tbody>
+
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ IN
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ The Internet.
+ </para>
+ </entry>
+ </row>
+
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ CH
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ CHAOSnet, a LAN protocol created at MIT in the
+ mid-1970s.
+ Rarely used for its historical purpose, but reused for
+ BIND's
+ built-in server information zones, e.g.,
+ <literal>version.bind</literal>.
+ </para>
+ </entry>
+ </row>
+
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ HS
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Hesiod, an information service
+ developed by MIT's Project Athena. It is used to share
+ information
+ about various systems databases, such as users,
+ groups, printers
+ and so on.
+ </para>
+ </entry>
+ </row>
+
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>
+ The owner name is often implicit, rather than forming an
+ integral
+ part of the RR. For example, many name servers internally form
+ tree
+ or hash structures for the name space, and chain RRs off nodes.
+ The remaining RR parts are the fixed header (type, class, TTL)
+ which is consistent for all RRs, and a variable part (RDATA)
+ that
+ fits the needs of the resource being described.
+ </para>
+ <para>
+ The meaning of the TTL field is a time limit on how long an
+ RR can be kept in a cache. This limit does not apply to
+ authoritative
+ data in zones; it is also timed out, but by the refreshing
+ policies
+ for the zone. The TTL is assigned by the administrator for the
+ zone where the data originates. While short TTLs can be used to
+ minimize caching, and a zero TTL prohibits caching, the
+ realities
+ of Internet performance suggest that these times should be on
+ the
+ order of days for the typical host. If a change can be
+ anticipated,
+ the TTL can be reduced prior to the change to minimize
+ inconsistency
+ during the change, and then increased back to its former value
+ following
+ the change.
+ </para>
+ <para>
+ The data in the RDATA section of RRs is carried as a combination
+ of binary strings and domain names. The domain names are
+ frequently
+ used as "pointers" to other data in the DNS.
+ </para>
+ </sect3>
+ <sect3>
+ <title>Textual expression of RRs</title>
+ <para>
+ RRs are represented in binary form in the packets of the DNS
+ protocol, and are usually represented in highly encoded form
+ when
+ stored in a name server or resolver. In the examples provided
+ in
+ RFC 1034, a style similar to that used in master files was
+ employed
+ in order to show the contents of RRs. In this format, most RRs
+ are shown on a single line, although continuation lines are
+ possible
+ using parentheses.
+ </para>
+ <para>
+ The start of the line gives the owner of the RR. If a line
+ begins with a blank, then the owner is assumed to be the same as
+ that of the previous RR. Blank lines are often included for
+ readability.
+ </para>
+ <para>
+ Following the owner, we list the TTL, type, and class of the
+ RR. Class and type use the mnemonics defined above, and TTL is
+ an integer before the type field. In order to avoid ambiguity
+ in
+ parsing, type and class mnemonics are disjoint, TTLs are
+ integers,
+ and the type mnemonic is always last. The IN class and TTL
+ values
+ are often omitted from examples in the interests of clarity.
+ </para>
+ <para>
+ The resource data or RDATA section of the RR are given using
+ knowledge of the typical representation for the data.
+ </para>
+ <para>
+ For example, we might show the RRs carried in a message as:
+ </para>
+ <informaltable colsep="0" rowsep="0"><tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
+ <colspec colname="1" colnum="1" colsep="0" colwidth="1.381in"/>
+ <colspec colname="2" colnum="2" colsep="0" colwidth="1.020in"/>
+ <colspec colname="3" colnum="3" colsep="0" colwidth="2.099in"/>
+ <tbody>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <literal>ISI.EDU.</literal>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ <literal>MX</literal>
+ </para>
+ </entry>
+ <entry colname="3">
+ <para>
+ <literal>10 VENERA.ISI.EDU.</literal>
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para/>
+ </entry>
+ <entry colname="2">
+ <para>
+ <literal>MX</literal>
+ </para>
+ </entry>
+ <entry colname="3">
+ <para>
+ <literal>10 VAXA.ISI.EDU</literal>
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <literal>VENERA.ISI.EDU</literal>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ <literal>A</literal>
+ </para>
+ </entry>
+ <entry colname="3">
+ <para>
+ <literal>128.9.0.32</literal>
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para/>
+ </entry>
+ <entry colname="2">
+ <para>
+ <literal>A</literal>
+ </para>
+ </entry>
+ <entry colname="3">
+ <para>
+ <literal>10.1.0.52</literal>
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <literal>VAXA.ISI.EDU</literal>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ <literal>A</literal>
+ </para>
+ </entry>
+ <entry colname="3">
+ <para>
+ <literal>10.2.0.27</literal>
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para/>
+ </entry>
+ <entry colname="2">
+ <para>
+ <literal>A</literal>
+ </para>
+ </entry>
+ <entry colname="3">
+ <para>
+ <literal>128.9.0.33</literal>
+ </para>
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+ <para>
+ The MX RRs have an RDATA section which consists of a 16-bit
+ number followed by a domain name. The address RRs use a
+ standard
+ IP address format to contain a 32-bit internet address.
+ </para>
+ <para>
+ The above example shows six RRs, with two RRs at each of three
+ domain names.
+ </para>
+ <para>
+ Similarly we might see:
+ </para>
+ <informaltable colsep="0" rowsep="0"><tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
+ <colspec colname="1" colnum="1" colsep="0" colwidth="1.491in"/>
+ <colspec colname="2" colnum="2" colsep="0" colwidth="1.067in"/>
+ <colspec colname="3" colnum="3" colsep="0" colwidth="2.067in"/>
+ <tbody>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <literal>XX.LCS.MIT.EDU.</literal>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ <literal>IN A</literal>
+ </para>
+ </entry>
+ <entry colname="3">
+ <para>
+ <literal>10.0.0.44</literal>
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1"/>
+ <entry colname="2">
+ <para>
+ <literal>CH A</literal>
+ </para>
+ </entry>
+ <entry colname="3">
+ <para>
+ <literal>MIT.EDU. 2420</literal>
+ </para>
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+ <para>
+ This example shows two addresses for
+ <literal>XX.LCS.MIT.EDU</literal>, each of a different class.
+ </para>
+ </sect3>
+ </sect2>
+
+ <sect2>
+ <title>Discussion of MX Records</title>
+
+ <para>
+ As described above, domain servers store information as a
+ series of resource records, each of which contains a particular
+ piece of information about a given domain name (which is usually,
+ but not always, a host). The simplest way to think of a RR is as
+ a typed pair of data, a domain name matched with a relevant datum,
+ and stored with some additional type information to help systems
+ determine when the RR is relevant.
+ </para>
+
+ <para>
+ MX records are used to control delivery of email. The data
+ specified in the record is a priority and a domain name. The
+ priority
+ controls the order in which email delivery is attempted, with the
+ lowest number first. If two priorities are the same, a server is
+ chosen randomly. If no servers at a given priority are responding,
+ the mail transport agent will fall back to the next largest
+ priority.
+ Priority numbers do not have any absolute meaning &mdash; they are
+ relevant
+ only respective to other MX records for that domain name. The
+ domain
+ name given is the machine to which the mail will be delivered.
+ It <emphasis>must</emphasis> have an associated address record
+ (A or AAAA) &mdash; CNAME is not sufficient.
+ </para>
+ <para>
+ For a given domain, if there is both a CNAME record and an
+ MX record, the MX record is in error, and will be ignored.
+ Instead,
+ the mail will be delivered to the server specified in the MX
+ record
+ pointed to by the CNAME.
+ </para>
+ <para>
+ For example:
+ </para>
+ <informaltable colsep="0" rowsep="0">
+ <tgroup cols="5" colsep="0" rowsep="0" tgroupstyle="3Level-table">
+ <colspec colname="1" colnum="1" colsep="0" colwidth="1.708in"/>
+ <colspec colname="2" colnum="2" colsep="0" colwidth="0.444in"/>
+ <colspec colname="3" colnum="3" colsep="0" colwidth="0.444in"/>
+ <colspec colname="4" colnum="4" colsep="0" colwidth="0.976in"/>
+ <colspec colname="5" colnum="5" colsep="0" colwidth="1.553in"/>
+ <tbody>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <literal>example.com.</literal>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ <literal>IN</literal>
+ </para>
+ </entry>
+ <entry colname="3">
+ <para>
+ <literal>MX</literal>
+ </para>
+ </entry>
+ <entry colname="4">
+ <para>
+ <literal>10</literal>
+ </para>
+ </entry>
+ <entry colname="5">
+ <para>
+ <literal>mail.example.com.</literal>
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para/>
+ </entry>
+ <entry colname="2">
+ <para>
+ <literal>IN</literal>
+ </para>
+ </entry>
+ <entry colname="3">
+ <para>
+ <literal>MX</literal>
+ </para>
+ </entry>
+ <entry colname="4">
+ <para>
+ <literal>10</literal>
+ </para>
+ </entry>
+ <entry colname="5">
+ <para>
+ <literal>mail2.example.com.</literal>
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para/>
+ </entry>
+ <entry colname="2">
+ <para>
+ <literal>IN</literal>
+ </para>
+ </entry>
+ <entry colname="3">
+ <para>
+ <literal>MX</literal>
+ </para>
+ </entry>
+ <entry colname="4">
+ <para>
+ <literal>20</literal>
+ </para>
+ </entry>
+ <entry colname="5">
+ <para>
+ <literal>mail.backup.org.</literal>
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <literal>mail.example.com.</literal>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ <literal>IN</literal>
+ </para>
+ </entry>
+ <entry colname="3">
+ <para>
+ <literal>A</literal>
+ </para>
+ </entry>
+ <entry colname="4">
+ <para>
+ <literal>10.0.0.1</literal>
+ </para>
+ </entry>
+ <entry colname="5">
+ <para/>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <literal>mail2.example.com.</literal>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ <literal>IN</literal>
+ </para>
+ </entry>
+ <entry colname="3">
+ <para>
+ <literal>A</literal>
+ </para>
+ </entry>
+ <entry colname="4">
+ <para>
+ <literal>10.0.0.2</literal>
+ </para>
+ </entry>
+ <entry colname="5">
+ <para/>
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable><para>
+ Mail delivery will be attempted to <literal>mail.example.com</literal> and
+ <literal>mail2.example.com</literal> (in
+ any order), and if neither of those succeed, delivery to <literal>mail.backup.org</literal> will
+ be attempted.
+ </para>
+ </sect2>
+ <sect2 id="Setting_TTLs">
+ <title>Setting TTLs</title>
+ <para>
+ The time-to-live of the RR field is a 32-bit integer represented
+ in units of seconds, and is primarily used by resolvers when they
+ cache RRs. The TTL describes how long a RR can be cached before it
+ should be discarded. The following three types of TTL are
+ currently
+ used in a zone file.
+ </para>
+ <informaltable colsep="0" rowsep="0">
+ <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
+ <colspec colname="1" colnum="1" colsep="0" colwidth="0.750in"/>
+ <colspec colname="2" colnum="2" colsep="0" colwidth="4.375in"/>
+ <tbody>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ SOA
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ The last field in the SOA is the negative
+ caching TTL. This controls how long other servers will
+ cache no-such-domain
+ (NXDOMAIN) responses from you.
+ </para>
+ <para>
+ The maximum time for
+ negative caching is 3 hours (3h).
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ $TTL
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ The $TTL directive at the top of the
+ zone file (before the SOA) gives a default TTL for every
+ RR without
+ a specific TTL set.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ RR TTLs
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Each RR can have a TTL as the second
+ field in the RR, which will control how long other
+ servers can cache
+ the it.
+ </para>
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+ <para>
+ All of these TTLs default to units of seconds, though units
+ can be explicitly specified, for example, <literal>1h30m</literal>.
+ </para>
+ </sect2>
+ <sect2>
+ <title>Inverse Mapping in IPv4</title>
+ <para>
+ Reverse name resolution (that is, translation from IP address
+ to name) is achieved by means of the <emphasis>in-addr.arpa</emphasis> domain
+ and PTR records. Entries in the in-addr.arpa domain are made in
+ least-to-most significant order, read left to right. This is the
+ opposite order to the way IP addresses are usually written. Thus,
+ a machine with an IP address of 10.1.2.3 would have a
+ corresponding
+ in-addr.arpa name of
+ 3.2.1.10.in-addr.arpa. This name should have a PTR resource record
+ whose data field is the name of the machine or, optionally,
+ multiple
+ PTR records if the machine has more than one name. For example,
+ in the <optional>example.com</optional> domain:
+ </para>
+ <informaltable colsep="0" rowsep="0">
+ <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
+ <colspec colname="1" colnum="1" colsep="0" colwidth="1.125in"/>
+ <colspec colname="2" colnum="2" colsep="0" colwidth="4.000in"/>
+ <tbody>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <literal>$ORIGIN</literal>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ <literal>2.1.10.in-addr.arpa</literal>
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <literal>3</literal>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ <literal>IN PTR foo.example.com.</literal>
+ </para>
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+ <note>
+ <para>
+ The <command>$ORIGIN</command> lines in the examples
+ are for providing context to the examples only-they do not
+ necessarily
+ appear in the actual usage. They are only used here to indicate
+ that the example is relative to the listed origin.
+ </para>
+ </note>
+ </sect2>
+ <sect2>
+ <title>Other Zone File Directives</title>
+ <para>
+ The Master File Format was initially defined in RFC 1035 and
+ has subsequently been extended. While the Master File Format
+ itself
+ is class independent all records in a Master File must be of the
+ same
+ class.
+ </para>
+ <para>
+ Master File Directives include <command>$ORIGIN</command>, <command>$INCLUDE</command>,
+ and <command>$TTL.</command>
+ </para>
+ <sect3>
+ <title>The <command>$ORIGIN</command> Directive</title>
+ <para>
+ Syntax: <command>$ORIGIN</command>
+ <replaceable>domain-name</replaceable>
+ <optional><replaceable>comment</replaceable></optional>
+ </para>
+ <para><command>$ORIGIN</command>
+ sets the domain name that will be appended to any
+ unqualified records. When a zone is first read in there
+ is an implicit <command>$ORIGIN</command>
+ &lt;<varname>zone-name</varname>&gt;<command>.</command>
+ The current <command>$ORIGIN</command> is appended to
+ the domain specified in the <command>$ORIGIN</command>
+ argument if it is not absolute.
+ </para>
+
+<programlisting>
+$ORIGIN example.com.
+WWW CNAME MAIN-SERVER
+</programlisting>
+
+ <para>
+ is equivalent to
+ </para>
+
+<programlisting>
+WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
+</programlisting>
+
+ </sect3>
+ <sect3>
+ <title>The <command>$INCLUDE</command> Directive</title>
+ <para>
+ Syntax: <command>$INCLUDE</command>
+ <replaceable>filename</replaceable>
+ <optional>
+<replaceable>origin</replaceable> </optional>
+ <optional> <replaceable>comment</replaceable> </optional>
+ </para>
+ <para>
+ Read and process the file <filename>filename</filename> as
+ if it were included into the file at this point. If <command>origin</command> is
+ specified the file is processed with <command>$ORIGIN</command> set
+ to that value, otherwise the current <command>$ORIGIN</command> is
+ used.
+ </para>
+ <para>
+ The origin and the current domain name
+ revert to the values they had prior to the <command>$INCLUDE</command> once
+ the file has been read.
+ </para>
+ <note>
+ <para>
+ RFC 1035 specifies that the current origin should be restored
+ after
+ an <command>$INCLUDE</command>, but it is silent
+ on whether the current
+ domain name should also be restored. BIND 9 restores both of
+ them.
+ This could be construed as a deviation from RFC 1035, a
+ feature, or both.
+ </para>
+ </note>
+ </sect3>
+ <sect3>
+ <title>The <command>$TTL</command> Directive</title>
+ <para>
+ Syntax: <command>$TTL</command>
+ <replaceable>default-ttl</replaceable>
+ <optional>
+<replaceable>comment</replaceable> </optional>
+ </para>
+ <para>
+ Set the default Time To Live (TTL) for subsequent records
+ with undefined TTLs. Valid TTLs are of the range 0-2147483647
+ seconds.
+ </para>
+ <para><command>$TTL</command>
+ is defined in RFC 2308.
+ </para>
+ </sect3>
+ </sect2>
+ <sect2>
+ <title><acronym>BIND</acronym> Master File Extension: the <command>$GENERATE</command> Directive</title>
+ <para>
+ Syntax: <command>$GENERATE</command>
+ <replaceable>range</replaceable>
+ <replaceable>lhs</replaceable>
+ <optional><replaceable>ttl</replaceable></optional>
+ <optional><replaceable>class</replaceable></optional>
+ <replaceable>type</replaceable>
+ <replaceable>rhs</replaceable>
+ <optional><replaceable>comment</replaceable></optional>
+ </para>
+ <para><command>$GENERATE</command>
+ is used to create a series of resource records that only
+ differ from each other by an
+ iterator. <command>$GENERATE</command> can be used to
+ easily generate the sets of records required to support
+ sub /24 reverse delegations described in RFC 2317:
+ Classless IN-ADDR.ARPA delegation.
+ </para>
+
<programlisting>$ORIGIN 0.0.192.IN-ADDR.ARPA.
$GENERATE 1-2 0 NS SERVER$.EXAMPLE.
$GENERATE 1-127 $ CNAME $.0</programlisting>
-<para>is equivalent to</para>
+
+ <para>
+ is equivalent to
+ </para>
+
<programlisting>0.0.0.192.IN-ADDR.ARPA NS SERVER1.EXAMPLE.
0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
@@ -5842,97 +10382,215 @@ $GENERATE 1-127 $ CNAME $.0</programlisting>
...
127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
</programlisting>
- <informaltable colsep = "0" rowsep = "0">
- <tgroup cols = "2" colsep = "0" rowsep = "0" tgroupstyle = "3Level-table">
- <colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.875in"/>
- <colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.250in"/>
- <tbody>
- <row rowsep = "0">
- <entry colname = "1"><para><command>range</command></para></entry>
- <entry colname = "2"><para>This can be one of two forms: start-stop
-or start-stop/step. If the first form is used, then step is set to
- 1. All of start, stop and step must be positive.</para></entry>
- </row>
- <row rowsep = "0">
- <entry colname = "1"><para><command>lhs</command></para></entry>
- <entry colname = "2"><para><command>lhs</command> describes the
-owner name of the resource records to be created. Any single
-<command>$</command> (dollar sign) symbols
-within the <command>lhs</command> side are replaced by the iterator
-value.
-To get a $ in the output you need to escape the <command>$</command>
-using a backslash <command>\</command>,
-e.g. <command>\$</command>. The <command>$</command> may optionally be followed
-by modifiers which change the offset from the iterator, field width and base.
-Modifiers are introduced by a <command>{</command> immediately following the
-<command>$</command> as <command>${offset[,width[,base]]}</command>.
-For example, <command>${-20,3,d}</command> which subtracts 20 from the current value,
-prints the result as a decimal in a zero-padded field of width 3. Available
-output forms are decimal (<command>d</command>), octal (<command>o</command>)
-and hexadecimal (<command>x</command> or <command>X</command> for uppercase).
-The default modifier is <command>${0,0,d}</command>.
-If the <command>lhs</command> is not
-absolute, the current <command>$ORIGIN</command> is appended to
-the name.</para>
-<para>For compatibility with earlier versions, <command>$$</command> is still
-recognized as indicating a literal $ in the output.</para></entry>
- </row>
- <row rowsep = "0">
- <entry colname = "1"><para><command>ttl</command></para></entry>
- <entry colname = "2"><para>Specifies the
- ttl of the generated records. If not specified this will be
- inherited using the normal ttl inheritance rules.</para>
- <para><command>class</command> and <command>ttl</command> can be
- entered in either order.</para></entry>
- </row>
- <row rowsep = "0">
- <entry colname = "1"><para><command>class</command></para></entry>
- <entry colname = "2"><para>Specifies the
- class of the generated records. This must match the zone class if
- it is specified.</para>
- <para><command>class</command> and <command>ttl</command> can be
- entered in either order.</para></entry>
- </row>
- <row rowsep = "0">
- <entry colname = "1"><para><command>type</command></para></entry>
- <entry colname = "2"><para>At present the only supported types are
-PTR, CNAME, DNAME, A, AAAA and NS.</para></entry>
- </row>
- <row rowsep = "0">
- <entry colname = "1"><para><command>rhs</command></para></entry>
- <entry colname = "2"><para>A domain name. It is processed
-similarly to lhs.</para></entry>
- </row>
- </tbody>
- </tgroup></informaltable>
- <para>The <command>$GENERATE</command> directive is a <acronym>BIND</acronym> extension
-and not part of the standard zone file format.</para>
- <para>BIND 8 does not support the optional TTL and CLASS fields.</para>
- </sect2>
- </sect1>
-</chapter>
-<chapter id="Bv9ARM.ch07"><title><acronym>BIND</acronym> 9 Security Considerations</title>
-<sect1 id="Access_Control_Lists"><title>Access Control Lists</title>
-<para>Access Control Lists (ACLs), are address match lists that
-you can set up and nickname for future use in <command>allow-notify</command>,
-<command>allow-query</command>, <command>allow-recursion</command>,
-<command>blackhole</command>, <command>allow-transfer</command>,
-etc.</para>
-<para>Using ACLs allows you to have finer control over who can access
-your name server, without cluttering up your config files with huge
-lists of IP addresses.</para>
-<para>It is a <emphasis>good idea</emphasis> to use ACLs, and to
-control access to your server. Limiting access to your server by
-outside parties can help prevent spoofing and denial of service (DoS)
-attacks against your server.</para>
-<para>Here is an example of how to properly apply ACLs:</para>
+
+ <informaltable colsep="0" rowsep="0">
+ <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
+ <colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
+ <colspec colname="2" colnum="2" colsep="0" colwidth="4.250in"/>
+ <tbody>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>range</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ This can be one of two forms: start-stop
+ or start-stop/step. If the first form is used, then step
+ is set to
+ 1. All of start, stop and step must be positive.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>lhs</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command>lhs</command>
+ describes the owner name of the resource records
+ to be created. Any single <command>$</command>
+ (dollar sign)
+ symbols within the <command>lhs</command> side
+ are replaced by the iterator value.
+
+ To get a $ in the output you need to escape the
+ <command>$</command> using a backslash
+ <command>\</command>,
+ e.g. <command>\$</command>. The
+ <command>$</command> may optionally be followed
+ by modifiers which change the offset from the
+ iterator, field width and base.
+
+ Modifiers are introduced by a
+ <command>{</command> immediately following the
+ <command>$</command> as
+ <command>${offset[,width[,base]]}</command>.
+ For example, <command>${-20,3,d}</command>
+ subtracts 20 from the current value, prints the
+ result as a decimal in a zero-padded field of
+ width 3.
+
+ Available output forms are decimal
+ (<command>d</command>), octal
+ (<command>o</command>) and hexadecimal
+ (<command>x</command> or <command>X</command>
+ for uppercase). The default modifier is
+ <command>${0,0,d}</command>. If the
+ <command>lhs</command> is not absolute, the
+ current <command>$ORIGIN</command> is appended
+ to the name.
+ </para>
+ <para>
+ For compatibility with earlier versions, <command>$$</command> is still
+ recognized as indicating a literal $ in the output.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>ttl</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Specifies the time-to-live of the generated records. If
+ not specified this will be inherited using the
+ normal ttl inheritance rules.
+ </para>
+ <para><command>class</command>
+ and <command>ttl</command> can be
+ entered in either order.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>class</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Specifies the class of the generated records.
+ This must match the zone class if it is
+ specified.
+ </para>
+ <para><command>class</command>
+ and <command>ttl</command> can be
+ entered in either order.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>type</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ At present the only supported types are
+ PTR, CNAME, DNAME, A, AAAA and NS.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>rhs</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ A domain name. It is processed
+ similarly to lhs.
+ </para>
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+ <para>
+ The <command>$GENERATE</command> directive is a <acronym>BIND</acronym> extension
+ and not part of the standard zone file format.
+ </para>
+ <para>
+ BIND 8 does not support the optional TTL and CLASS fields.
+ </para>
+ </sect2>
+
+ <sect2 id="zonefile_format">
+ <title>Additional File Formats</title>
+ <para>
+ In addition to the standard textual format, BIND 9
+ supports the ability to read or dump to zone files in
+ other formats. The <constant>raw</constant> format is
+ currently available as an additional format. It is a
+ binary format representing BIND 9's internal data
+ structure directly, thereby remarkably improving the
+ loading time.
+ </para>
+ <para>
+ For a primary server, a zone file in the
+ <constant>raw</constant> format is expected to be
+ generated from a textual zone file by the
+ <command>named-compilezone</command> command. For a
+ secondary server or for a dynamic zone, it is automatically
+ generated (if this format is specified by the
+ <command>masterfile-format</command> option) when
+ <command>named</command> dumps the zone contents after
+ zone transfer or when applying prior updates.
+ </para>
+ <para>
+ If a zone file in a binary format needs manual modification,
+ it first must be converted to a textual form by the
+ <command>named-compilezone</command> command. All
+ necessary modification should go to the text file, which
+ should then be converted to the binary form by the
+ <command>named-compilezone</command> command again.
+ </para>
+ <para>
+ Although the <constant>raw</constant> format uses the
+ network byte order and avoids architecture-dependent
+ data alignment so that it is as much portable as
+ possible, it is primarily expected to be used inside
+ the same single system. In order to export a zone
+ file in the <constant>raw</constant> format or make a
+ portable backup of the file, it is recommended to
+ convert the file to the standard textual representation.
+ </para>
+ </sect2>
+ </sect1>
+ </chapter>
+ <chapter id="Bv9ARM.ch07">
+ <title><acronym>BIND</acronym> 9 Security Considerations</title>
+ <sect1 id="Access_Control_Lists">
+ <title>Access Control Lists</title>
+ <para>
+ Access Control Lists (ACLs), are address match lists that
+ you can set up and nickname for future use in <command>allow-notify</command>,
+ <command>allow-query</command>, <command>allow-recursion</command>,
+ <command>blackhole</command>, <command>allow-transfer</command>,
+ etc.
+ </para>
+ <para>
+ Using ACLs allows you to have finer control over who can access
+ your name server, without cluttering up your config files with huge
+ lists of IP addresses.
+ </para>
+ <para>
+ It is a <emphasis>good idea</emphasis> to use ACLs, and to
+ control access to your server. Limiting access to your server by
+ outside parties can help prevent spoofing and denial of service (DoS) attacks against
+ your server.
+ </para>
+ <para>
+ Here is an example of how to properly apply ACLs:
+ </para>
+
<programlisting>
-// Set up an ACL named "bogusnets" that will block RFC1918 space,
-// which is commonly used in spoofing attacks.
-acl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
+// Set up an ACL named "bogusnets" that will block RFC1918 space
+// and some reserved space, which is commonly used in spoofing attacks.
+acl bogusnets {
+ 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
+ 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
+};
// Set up an ACL called our-nets. Replace this with the real IP numbers.
-acl our-nets { x.x.x.x/24; x.x.x.x/21; };
+acl our-nets { x.x.x.x/24; x.x.x.x/21; };
options {
...
...
@@ -5949,919 +10607,1646 @@ zone "example.com" {
allow-query { any; };
};
</programlisting>
-<para>This allows recursive queries of the server from the outside
-unless recursion has been previously disabled.</para>
-<para>For more information on how to use ACLs to protect your server,
-see the <emphasis>AUSCERT</emphasis> advisory at
-<ulink url="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</ulink></para></sect1>
-<sect1><title><command>chroot</command> and <command>setuid</command> (for
-UNIX servers)</title>
-<para>On UNIX servers, it is possible to run <acronym>BIND</acronym> in a <emphasis>chrooted</emphasis> environment
-(using the <command>chroot()</command> function) by specifying the "<option>-t</option>"
-option. This can help improve system security by placing <acronym>BIND</acronym> in
-a "sandbox", which will limit the damage done if a server is compromised.</para>
-<para>Another useful feature in the UNIX version of <acronym>BIND</acronym> is the
-ability to run the daemon as an unprivileged user ( <option>-u</option> <replaceable>user</replaceable> ).
-We suggest running as an unprivileged user when using the <command>chroot</command> feature.</para>
-<para>Here is an example command line to load <acronym>BIND</acronym> in a <command>chroot</command> sandbox,
-<command>/var/named</command>, and to run <command>named</command> <command>setuid</command> to
-user 202:</para>
-<para><userinput>/usr/local/bin/named -u 202 -t /var/named</userinput></para>
-
-<sect2><title>The <command>chroot</command> Environment</title>
-
-<para>In order for a <command>chroot</command> environment to
-work properly in a particular directory
-(for example, <filename>/var/named</filename>),
-you will need to set up an environment that includes everything
-<acronym>BIND</acronym> needs to run.
-From <acronym>BIND</acronym>'s point of view, <filename>/var/named</filename> is
-the root of the filesystem. You will need to adjust the values of options like
-like <command>directory</command> and <command>pid-file</command> to account
-for this.
-</para>
-<para>
-Unlike with earlier versions of BIND, you will typically
-<emphasis>not</emphasis> need to compile <command>named</command>
-statically nor install shared libraries under the new root.
-However, depending on your operating system, you may need
-to set up things like
-<filename>/dev/zero</filename>,
-<filename>/dev/random</filename>,
-<filename>/dev/log</filename>, and
-<filename>/etc/localtime</filename>.
-</para>
-</sect2>
-
-<sect2><title>Using the <command>setuid</command> Function</title>
-
-<para>Prior to running the <command>named</command> daemon, use
-the <command>touch</command> utility (to change file access and
-modification times) or the <command>chown</command> utility (to
-set the user id and/or group id) on files
-to which you want <acronym>BIND</acronym>
-to write. Note that if the <command>named</command> daemon is running as an
-unprivileged user, it will not be able to bind to new restricted ports if the
-server is reloaded.</para>
-</sect2>
-</sect1>
-
-<sect1 id="dynamic_update_security"><title>Dynamic Update Security</title>
-
-<para>Access to the dynamic
-update facility should be strictly limited. In earlier versions of
-<acronym>BIND</acronym>, the only way to do this was based on the IP
-address of the host requesting the update, by listing an IP address or
-network prefix in the <command>allow-update</command> zone option.
-This method is insecure since the source address of the update UDP packet
-is easily forged. Also note that if the IP addresses allowed by the
-<command>allow-update</command> option include the address of a slave
-server which performs forwarding of dynamic updates, the master can be
-trivially attacked by sending the update to the slave, which will
-forward it to the master with its own source IP address causing the
-master to approve it without question.</para>
-
-<para>For these reasons, we strongly recommend that updates be
-cryptographically authenticated by means of transaction signatures
-(TSIG). That is, the <command>allow-update</command> option should
-list only TSIG key names, not IP addresses or network
-prefixes. Alternatively, the new <command>update-policy</command>
-option can be used.</para>
-
-<para>Some sites choose to keep all dynamically-updated DNS data
-in a subdomain and delegate that subdomain to a separate zone. This
-way, the top-level zone containing critical data such as the IP addresses
-of public web and mail servers need not allow dynamic update at
-all.</para>
-
-</sect1></chapter>
-
-<chapter id="Bv9ARM.ch08">
- <title>Troubleshooting</title>
- <sect1>
- <title>Common Problems</title>
- <sect2>
- <title>It's not working; how can I figure out what's wrong?</title>
-
- <para>The best solution to solving installation and
- configuration issues is to take preventative measures by setting
- up logging files beforehand. The log files provide a
- source of hints and information that can be used to figure out
- what went wrong and how to fix the problem.</para>
-
- </sect2>
- </sect1>
- <sect1>
- <title>Incrementing and Changing the Serial Number</title>
-
- <para>Zone serial numbers are just numbers-they aren't date
- related. A lot of people set them to a number that represents a
- date, usually of the form YYYYMMDDRR. A number of people have been
- testing these numbers for Y2K compliance and have set the number
- to the year 2000 to see if it will work. They then try to restore
- the old serial number. This will cause problems because serial
- numbers are used to indicate that a zone has been updated. If the
- serial number on the slave server is lower than the serial number
- on the master, the slave server will attempt to update its copy of
- the zone.</para>
-
- <para>Setting the serial number to a lower number on the master
- server than the slave server means that the slave will not perform
- updates to its copy of the zone.</para>
-
- <para>The solution to this is to add 2147483647 (2^31-1) to the
- number, reload the zone and make sure all slaves have updated to
- the new zone serial number, then reset the number to what you want
- it to be, and reload the zone again.</para>
-
- </sect1>
- <sect1>
- <title>Where Can I Get Help?</title>
-
- <para>The Internet Software Consortium (<acronym>ISC</acronym>) offers a wide range
- of support and service agreements for <acronym>BIND</acronym> and <acronym>DHCP</acronym> servers. Four
- levels of premium support are available and each level includes
- support for all <acronym>ISC</acronym> programs, significant discounts on products
- and training, and a recognized priority on bug fixes and
- non-funded feature requests. In addition, <acronym>ISC</acronym> offers a standard
- support agreement package which includes services ranging from bug
- fix announcements to remote support. It also includes training in
- <acronym>BIND</acronym> and <acronym>DHCP</acronym>.</para>
-
- <para>To discuss arrangements for support, contact
- <ulink url="mailto:info@isc.org">info@isc.org</ulink> or visit the
- <acronym>ISC</acronym> web page at <ulink
- url="http://www.isc.org/services/support/">http://www.isc.org/services/support/</ulink>
- to read more.</para>
- </sect1>
-</chapter>
-<appendix id="Bv9ARM.ch09">
- <title>Appendices</title>
- <sect1>
- <title>Acknowledgments</title>
- <sect2>
- <title>A Brief History of the <acronym>DNS</acronym> and <acronym>BIND</acronym></title>
-
- <para>Although the "official" beginning of the Domain Name
- System occurred in 1984 with the publication of RFC 920, the
- core of the new system was described in 1983 in RFCs 882 and
- 883. From 1984 to 1987, the ARPAnet (the precursor to today's
- Internet) became a testbed of experimentation for developing the
- new naming/addressing scheme in a rapidly expanding,
- operational network environment. New RFCs were written and
- published in 1987 that modified the original documents to
- incorporate improvements based on the working model. RFC 1034,
- "Domain Names-Concepts and Facilities", and RFC 1035, "Domain
- Names-Implementation and Specification" were published and
- became the standards upon which all <acronym>DNS</acronym> implementations are
- built.
-</para>
-
- <para>The first working domain name server, called "Jeeves", was
-written in 1983-84 by Paul Mockapetris for operation on DEC Tops-20
-machines located at the University of Southern California's Information
-Sciences Institute (USC-ISI) and SRI International's Network Information
-Center (SRI-NIC). A <acronym>DNS</acronym> server for Unix machines, the Berkeley Internet
-Name Domain (<acronym>BIND</acronym>) package, was written soon after by a group of
-graduate students at the University of California at Berkeley under
-a grant from the US Defense Advanced Research Projects Administration
-(DARPA).
-</para>
-<para>
-Versions of <acronym>BIND</acronym> through 4.8.3 were maintained by the Computer
-Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
-Painter, David Riggle and Songnian Zhou made up the initial <acronym>BIND</acronym>
-project team. After that, additional work on the software package
-was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment Corporation
-employee on loan to the CSRG, worked on <acronym>BIND</acronym> for 2 years, from 1985
-to 1987. Many other people also contributed to <acronym>BIND</acronym> development
-during that time: Doug Kingston, Craig Partridge, Smoot Carl-Mitchell,
-Mike Muuss, Jim Bloom and Mike Schwartz. <acronym>BIND</acronym> maintenance was subsequently
-handled by Mike Karels and O. Kure.</para>
- <para><acronym>BIND</acronym> versions 4.9 and 4.9.1 were released by Digital Equipment
-Corporation (now Compaq Computer Corporation). Paul Vixie, then
-a DEC employee, became <acronym>BIND</acronym>'s primary caretaker. He was assisted
-by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan Beecher, Andrew
-Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
-Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
-Wolfhugel, and others.</para>
- <para><acronym>BIND</acronym> version 4.9.2 was sponsored by Vixie Enterprises. Paul
-Vixie became <acronym>BIND</acronym>'s principal architect/programmer.</para>
- <para><acronym>BIND</acronym> versions from 4.9.3 onward have been developed and maintained
-by the Internet Software Consortium with support being provided
-by ISC's sponsors. As co-architects/programmers, Bob Halley and
-Paul Vixie released the first production-ready version of <acronym>BIND</acronym> version
-8 in May 1997.</para>
- <para><acronym>BIND</acronym> development work is made possible today by the sponsorship
-of several corporations, and by the tireless work efforts of numerous
-individuals.</para>
- </sect2>
- </sect1>
-<sect1 id="historical_dns_information">
-
-<title>General <acronym>DNS</acronym> Reference Information</title>
- <sect2 id="ipv6addresses">
- <title>IPv6 addresses (AAAA)</title>
- <para>IPv6 addresses are 128-bit identifiers for interfaces and
-sets of interfaces which were introduced in the <acronym>DNS</acronym> to facilitate
-scalable Internet routing. There are three types of addresses: <emphasis>Unicast</emphasis>,
-an identifier for a single interface; <emphasis>Anycast</emphasis>,
-an identifier for a set of interfaces; and <emphasis>Multicast</emphasis>,
-an identifier for a set of interfaces. Here we describe the global
-Unicast address scheme. For more information, see RFC 2374.</para>
-<para>The aggregatable global Unicast address format is as follows:</para>
-<informaltable colsep = "0" rowsep = "0"><tgroup cols = "6"
- colsep = "0" rowsep = "0" tgroupstyle = "1Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.477in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "0.501in"/>
-<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "0.523in"/>
-<colspec colname = "4" colnum = "4" colsep = "0" colwidth = "0.731in"/>
-<colspec colname = "5" colnum = "5" colsep = "0" colwidth = "1.339in"/>
-<colspec colname = "6" colnum = "6" colsep = "0" colwidth = "2.529in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1" colsep = "1" rowsep = "1"><para>3</para></entry>
-<entry colname = "2" colsep = "1" rowsep = "1"><para>13</para></entry>
-<entry colname = "3" colsep = "1" rowsep = "1"><para>8</para></entry>
-<entry colname = "4" colsep = "1" rowsep = "1"><para>24</para></entry>
-<entry colname = "5" colsep = "1" rowsep = "1"><para>16</para></entry>
-<entry colname = "6" rowsep = "1"><para>64 bits</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1" colsep = "1"><para>FP</para></entry>
-<entry colname = "2" colsep = "1"><para>TLA ID</para></entry>
-<entry colname = "3" colsep = "1"><para>RES</para></entry>
-<entry colname = "4" colsep = "1"><para>NLA ID</para></entry>
-<entry colname = "5" colsep = "1"><para>SLA ID</para></entry>
-<entry colname = "6"><para>Interface ID</para></entry>
-</row>
-<row rowsep = "0">
-<entry nameend = "4" namest = "1"><para>&#60;------ Public Topology
-------></para></entry>
-<entry colname = "5"><para></para></entry>
-<entry colname = "6"><para></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para></para></entry>
-<entry colname = "2"><para></para></entry>
-<entry colname = "3"><para></para></entry>
-<entry colname = "4"><para></para></entry>
-<entry colname = "5"><para>&#60;-Site Topology-></para></entry>
-<entry colname = "6"><para></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para></para></entry>
-<entry colname = "2"><para></para></entry>
-<entry colname = "3"><para></para></entry>
-<entry colname = "4"><para></para></entry>
-<entry colname = "5"><para></para></entry>
-<entry colname = "6"><para>&#60;------ Interface Identifier ------></para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
- <para>Where
-<informaltable colsep = "0" rowsep = "0"><tgroup
- cols = "3" colsep = "0" rowsep = "0" tgroupstyle = "2Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.375in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "0.250in"/>
-<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "3.500in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para>FP</para></entry>
-<entry colname = "2"><para>=</para></entry>
-<entry colname = "3"><para>Format Prefix (001)</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>TLA ID</para></entry>
-<entry colname = "2"><para>=</para></entry>
-<entry colname = "3"><para>Top-Level Aggregation Identifier</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>RES</para></entry>
-<entry colname = "2"><para>=</para></entry>
-<entry colname = "3"><para>Reserved for future use</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>NLA ID</para></entry>
-<entry colname = "2"><para>=</para></entry>
-<entry colname = "3"><para>Next-Level Aggregation Identifier</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>SLA ID</para></entry>
-<entry colname = "2"><para>=</para></entry>
-<entry colname = "3"><para>Site-Level Aggregation Identifier</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>INTERFACE ID</para></entry>
-<entry colname = "2"><para>=</para></entry>
-<entry colname = "3"><para>Interface Identifier</para></entry>
-</row>
-</tbody>
-</tgroup></informaltable></para>
- <para>The <emphasis>Public Topology</emphasis> is provided by the
-upstream provider or ISP, and (roughly) corresponds to the IPv4 <emphasis>network</emphasis> section
-of the address range. The <emphasis>Site Topology</emphasis> is
-where you can subnet this space, much the same as subnetting an
-IPv4 /16 network into /24 subnets. The <emphasis>Interface Identifier</emphasis> is
-the address of an individual interface on a given network. (With
-IPv6, addresses belong to interfaces rather than machines.)</para>
- <para>The subnetting capability of IPv6 is much more flexible than
-that of IPv4: subnetting can now be carried out on bit boundaries,
-in much the same way as Classless InterDomain Routing (CIDR).</para>
-<para>The Interface Identifier must be unique on that network. On
-ethernet networks, one way to ensure this is to set the address
-to the first three bytes of the hardware address, "FFFE", then the
-last three bytes of the hardware address. The lowest significant
-bit of the first byte should then be complemented. Addresses are
-written as 32-bit blocks separated with a colon, and leading zeros
-of a block may be omitted, for example:</para>
-<para><command>2001:db8:201:9:a00:20ff:fe81:2b32</command></para>
-<para>IPv6 address specifications are likely to contain long strings
-of zeros, so the architects have included a shorthand for specifying
-them. The double colon (`::') indicates the longest possible string
-of zeros that can fit, and can be used only once in an address.</para>
- </sect2>
- </sect1>
- <sect1 id="bibliography">
- <title>Bibliography (and Suggested Reading)</title>
- <sect2 id="rfcs">
- <title>Request for Comments (RFCs)</title>
- <para>Specification documents for the Internet protocol suite, including
-the <acronym>DNS</acronym>, are published as part of the Request for Comments (RFCs)
-series of technical notes. The standards themselves are defined
-by the Internet Engineering Task Force (IETF) and the Internet Engineering
-Steering Group (IESG). RFCs can be obtained online via FTP at
-<ulink url="ftp://www.isi.edu/in-notes/">ftp://www.isi.edu/in-notes/RFC<replaceable>xxx</replaceable>.txt</ulink> (where <replaceable>xxx</replaceable> is
-the number of the RFC). RFCs are also available via the Web at
-<ulink url="http://www.ietf.org/rfc/">http://www.ietf.org/rfc/</ulink>.
-</para>
- <bibliography>
- <bibliodiv>
- <!-- one of (BIBLIOENTRY BIBLIOMIXED) -->
- <title>Standards</title>
- <biblioentry>
- <abbrev>RFC974</abbrev>
- <author>
- <surname>Partridge</surname>
- <firstname>C.</firstname>
- </author>
- <title>Mail Routing and the Domain System</title>
- <pubdate>January 1986</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC1034</abbrev>
- <author>
- <surname>Mockapetris</surname>
- <firstname>P.V.</firstname>
- </author>
- <title>Domain Names &mdash; Concepts and Facilities</title>
- <pubdate>November 1987</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC1035</abbrev>
- <author>
- <surname>Mockapetris</surname>
- <firstname>P. V.</firstname>
- </author> <title>Domain Names &mdash; Implementation and
-Specification</title>
- <pubdate>November 1987</pubdate>
- </biblioentry>
- </bibliodiv>
- <bibliodiv id="proposed_standards" xreflabel="Proposed Standards">
-
- <title>Proposed Standards</title>
- <!-- one of (BIBLIOENTRY BIBLIOMIXED) -->
- <biblioentry>
- <abbrev>RFC2181</abbrev>
- <author>
- <surname>Elz</surname>
- <firstname>R., R. Bush</firstname>
- </author>
- <title>Clarifications to the <acronym>DNS</acronym> Specification</title>
- <pubdate>July 1997</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC2308</abbrev>
- <author>
- <surname>Andrews</surname>
- <firstname>M.</firstname>
- </author>
- <title>Negative Caching of <acronym>DNS</acronym> Queries</title>
- <pubdate>March 1998</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC1995</abbrev>
- <author>
- <surname>Ohta</surname>
- <firstname>M.</firstname>
- </author>
- <title>Incremental Zone Transfer in <acronym>DNS</acronym></title>
- <pubdate>August 1996</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC1996</abbrev>
- <author>
- <surname>Vixie</surname>
- <firstname>P.</firstname>
- </author>
- <title>A Mechanism for Prompt Notification of Zone Changes</title>
- <pubdate>August 1996</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC2136</abbrev>
- <authorgroup>
- <author>
- <surname>Vixie</surname>
- <firstname>P.</firstname>
- </author>
- <author>
- <firstname>S.</firstname>
- <surname>Thomson</surname>
- </author>
- <author>
- <firstname>Y.</firstname>
- <surname>Rekhter</surname>
- </author>
- <author>
- <firstname>J.</firstname>
- <surname>Bound</surname>
- </author>
- </authorgroup>
- <title>Dynamic Updates in the Domain Name System</title>
- <pubdate>April 1997</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC2845</abbrev>
- <authorgroup>
- <author>
- <surname>Vixie</surname>
- <firstname>P.</firstname>
- </author>
- <author>
- <firstname>O.</firstname>
- <surname>Gudmundsson</surname>
- </author>
- <author>
- <firstname>D.</firstname>
- <surname>Eastlake</surname>
- <lineage>3rd</lineage></author>
- <author>
- <firstname>B.</firstname>
- <surname>Wellington</surname>
- </author></authorgroup>
- <title>Secret Key Transaction Authentication for <acronym>DNS</acronym> (TSIG)</title>
- <pubdate>May 2000</pubdate>
- </biblioentry>
- </bibliodiv>
- <bibliodiv>
- <title>Proposed Standards Still Under Development</title>
- <note>
- <para><emphasis>Note:</emphasis> the following list of
-RFCs are undergoing major revision by the IETF.</para>
- </note>
- <biblioentry>
- <abbrev>RFC1886</abbrev>
- <authorgroup>
- <author>
- <surname>Thomson</surname>
- <firstname>S.</firstname>
- </author>
- <author>
- <firstname>C.</firstname>
- <surname>Huitema</surname>
- </author>
- </authorgroup>
- <title><acronym>DNS</acronym> Extensions to support IP version 6</title>
- <pubdate>December 1995</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC2065</abbrev>
- <authorgroup>
- <author>
- <surname>Eastlake</surname>
- <lineage>3rd</lineage>
- <firstname>D.</firstname>
- </author>
- <author>
- <firstname>C.</firstname>
- <surname>Kaufman</surname>
- </author>
- </authorgroup>
- <title>Domain Name System Security Extensions</title>
- <pubdate>January 1997</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC2137</abbrev>
- <author>
- <surname>Eastlake</surname>
- <lineage>3rd</lineage>
- <firstname>D.</firstname>
- </author>
- <title>Secure Domain Name System Dynamic Update</title>
- <pubdate>April 1997</pubdate>
- </biblioentry>
- </bibliodiv>
- <bibliodiv>
- <title>Other Important RFCs About <acronym>DNS</acronym> Implementation</title>
- <biblioentry>
- <abbrev>RFC1535</abbrev>
- <author>
- <surname>Gavron</surname>
- <firstname>E.</firstname>
- </author>
- <title>A Security Problem and Proposed Correction With Widely Deployed <acronym>DNS</acronym> Software.</title>
- <pubdate>October 1993</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC1536</abbrev>
- <authorgroup>
- <author>
- <surname>Kumar</surname>
- <firstname>A.</firstname>
- </author>
- <author>
- <firstname>J.</firstname>
- <surname>Postel</surname>
- </author>
- <author>
- <firstname>C.</firstname>
- <surname>Neuman</surname></author>
- <author>
- <firstname>P.</firstname>
- <surname>Danzig</surname>
- </author>
- <author>
- <firstname>S.</firstname>
- <surname>Miller</surname>
- </author>
- </authorgroup>
- <title>Common <acronym>DNS</acronym> Implementation Errors and Suggested Fixes</title>
- <pubdate>October 1993</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC1982</abbrev>
- <authorgroup>
- <author>
- <surname>Elz</surname>
- <firstname>R.</firstname>
- </author>
- <author>
- <firstname>R.</firstname>
- <surname>Bush</surname>
- </author>
- </authorgroup>
- <title>Serial Number Arithmetic</title>
- <pubdate>August 1996</pubdate>
- </biblioentry>
- </bibliodiv>
- <bibliodiv>
- <title>Resource Record Types</title>
- <biblioentry>
- <abbrev>RFC1183</abbrev>
- <authorgroup>
- <author>
- <surname>Everhart</surname>
- <firstname>C.F.</firstname>
- </author>
- <author>
- <firstname>L. A.</firstname>
- <surname>Mamakos</surname>
- </author>
- <author>
- <firstname>R.</firstname>
- <surname>Ullmann</surname>
- </author>
- <author>
- <firstname>P.</firstname>
- <surname>Mockapetris</surname>
- </author>
- </authorgroup>
- <title>New <acronym>DNS</acronym> RR Definitions</title>
- <pubdate>October 1990</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC1706</abbrev>
- <authorgroup>
- <author>
- <surname>Manning</surname>
- <firstname>B.</firstname>
- </author>
- <author>
- <firstname>R.</firstname>
- <surname>Colella</surname>
- </author>
- </authorgroup>
- <title><acronym>DNS</acronym> NSAP Resource Records</title>
- <pubdate>October 1994</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC2168</abbrev>
- <authorgroup>
- <author>
- <surname>Daniel</surname>
- <firstname>R.</firstname>
- </author>
- <author>
- <firstname>M.</firstname>
- <surname>Mealling</surname>
- </author>
- </authorgroup>
- <title>Resolution of Uniform Resource Identifiers using
-the Domain Name System</title>
- <pubdate>June 1997</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC1876</abbrev>
- <authorgroup>
- <author>
- <surname>Davis</surname>
- <firstname>C.</firstname>
- </author>
- <author>
- <firstname>P.</firstname>
- <surname>Vixie</surname>
- </author>
- <author>
- <firstname>T.</firstname>
- <firstname>Goodwin</firstname>
- </author>
- <author>
- <firstname>I.</firstname>
- <surname>Dickinson</surname>
- </author>
- </authorgroup>
- <title>A Means for Expressing Location Information in the Domain
-Name System</title>
- <pubdate>January 1996</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC2052</abbrev>
- <authorgroup>
- <author>
- <surname>Gulbrandsen</surname>
- <firstname>A.</firstname>
- </author>
- <author>
- <firstname>P.</firstname>
- <surname>Vixie</surname>
- </author>
- </authorgroup>
- <title>A <acronym>DNS</acronym> RR for Specifying the Location of
-Services.</title>
- <pubdate>October 1996</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC2163</abbrev>
- <author>
- <surname>Allocchio</surname>
- <firstname>A.</firstname>
- </author>
- <title>Using the Internet <acronym>DNS</acronym> to Distribute MIXER
-Conformant Global Address Mapping</title>
- <pubdate>January 1998</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC2230</abbrev>
- <author>
- <surname>Atkinson</surname>
- <firstname>R.</firstname>
- </author>
- <title>Key Exchange Delegation Record for the <acronym>DNS</acronym></title>
- <pubdate>October 1997</pubdate>
- </biblioentry>
- </bibliodiv>
- <bibliodiv>
- <title><acronym>DNS</acronym> and the Internet</title>
- <biblioentry>
- <abbrev>RFC1101</abbrev>
- <author>
- <surname>Mockapetris</surname>
- <firstname>P. V.</firstname>
- </author>
- <title><acronym>DNS</acronym> Encoding of Network Names and Other Types</title>
- <pubdate>April 1989</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC1123</abbrev>
- <author>
- <surname>Braden</surname>
- <surname>R.</surname>
- </author>
- <title>Requirements for Internet Hosts - Application and Support</title>
- <pubdate>October 1989</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC1591</abbrev>
- <author>
- <surname>Postel</surname>
- <firstname>J.</firstname></author>
- <title>Domain Name System Structure and Delegation</title>
- <pubdate>March 1994</pubdate></biblioentry>
- <biblioentry>
- <abbrev>RFC2317</abbrev>
- <authorgroup>
- <author>
- <surname>Eidnes</surname>
- <firstname>H.</firstname>
- </author>
- <author>
- <firstname>G.</firstname>
- <surname>de Groot</surname>
- </author>
- <author>
- <firstname>P.</firstname>
- <surname>Vixie</surname>
- </author>
- </authorgroup>
- <title>Classless IN-ADDR.ARPA Delegation</title>
- <pubdate>March 1998</pubdate>
- </biblioentry>
- </bibliodiv>
- <bibliodiv>
- <title><acronym>DNS</acronym> Operations</title>
- <biblioentry>
- <abbrev>RFC1537</abbrev>
- <author>
- <surname>Beertema</surname>
- <firstname>P.</firstname>
- </author>
- <title>Common <acronym>DNS</acronym> Data File Configuration Errors</title>
- <pubdate>October 1993</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC1912</abbrev>
- <author>
- <surname>Barr</surname>
- <firstname>D.</firstname>
- </author>
- <title>Common <acronym>DNS</acronym> Operational and Configuration Errors</title>
- <pubdate>February 1996</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC2010</abbrev>
- <authorgroup>
- <author>
- <surname>Manning</surname>
- <firstname>B.</firstname>
- </author>
- <author>
- <firstname>P.</firstname>
- <surname>Vixie</surname>
- </author>
- </authorgroup>
- <title>Operational Criteria for Root Name Servers.</title>
- <pubdate>October 1996</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC2219</abbrev>
- <authorgroup>
- <author>
- <surname>Hamilton</surname>
- <firstname>M.</firstname>
- </author>
- <author>
- <firstname>R.</firstname>
- <surname>Wright</surname>
- </author>
- </authorgroup>
- <title>Use of <acronym>DNS</acronym> Aliases for Network Services.</title>
- <pubdate>October 1997</pubdate>
- </biblioentry>
- </bibliodiv>
- <bibliodiv>
- <title>Other <acronym>DNS</acronym>-related RFCs</title>
- <note>
- <para>Note: the following list of RFCs, although
-<acronym>DNS</acronym>-related, are not concerned with implementing software.</para>
- </note>
- <biblioentry>
- <abbrev>RFC1464</abbrev>
- <author>
- <surname>Rosenbaum</surname>
- <firstname>R.</firstname>
- </author>
- <title>Using the Domain Name System To Store Arbitrary String Attributes</title>
- <pubdate>May 1993</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC1713</abbrev>
- <author>
- <surname>Romao</surname>
- <firstname>A.</firstname>
- </author>
- <title>Tools for <acronym>DNS</acronym> Debugging</title>
- <pubdate>November 1994</pubdate></biblioentry>
- <biblioentry>
- <abbrev>RFC1794</abbrev>
- <author>
- <surname>Brisco</surname>
- <firstname>T.</firstname>
- </author>
- <title><acronym>DNS</acronym> Support for Load Balancing</title>
- <pubdate>April 1995</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC2240</abbrev>
- <author>
- <surname>Vaughan</surname>
- <firstname>O.</firstname></author>
- <title>A Legal Basis for Domain Name Allocation</title>
- <pubdate>November 1997</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC2345</abbrev>
- <authorgroup>
- <author>
- <surname>Klensin</surname>
- <firstname>J.</firstname>
- </author>
- <author>
- <firstname>T.</firstname>
- <surname>Wolf</surname>
- </author>
- <author>
- <firstname>G.</firstname>
- <surname>Oglesby</surname>
- </author>
- </authorgroup>
- <title>Domain Names and Company Name Retrieval</title>
- <pubdate>May 1998</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC2352</abbrev>
- <author>
- <surname>Vaughan</surname>
- <firstname>O.</firstname>
- </author>
- <title>A Convention For Using Legal Names as Domain Names</title>
- <pubdate>May 1998</pubdate>
- </biblioentry>
- </bibliodiv>
- <bibliodiv>
- <title>Obsolete and Unimplemented Experimental RRs</title>
- <biblioentry>
- <abbrev>RFC1712</abbrev>
- <authorgroup>
- <author>
- <surname>Farrell</surname>
- <firstname>C.</firstname>
- </author>
- <author>
- <firstname>M.</firstname>
- <surname>Schulze</surname>
- </author>
- <author>
- <firstname>S.</firstname>
- <surname>Pleitner</surname>
- </author>
- <author>
- <firstname>D.</firstname>
- <surname>Baldoni</surname>
- </author>
- </authorgroup>
- <title><acronym>DNS</acronym> Encoding of Geographical
-Location</title>
- <pubdate>November 1994</pubdate>
- </biblioentry>
- </bibliodiv>
- </bibliography>
- </sect2>
- <sect2 id="internet_drafts">
- <title>Internet Drafts</title>
- <para>Internet Drafts (IDs) are rough-draft working documents of
-the Internet Engineering Task Force. They are, in essence, RFCs
-in the preliminary stages of development. Implementors are cautioned not
-to regard IDs as archival, and they should not be quoted or cited
-in any formal documents unless accompanied by the disclaimer that
-they are "works in progress." IDs have a lifespan of six months
-after which they are deleted unless updated by their authors.
-</para>
- </sect2>
- <sect2>
- <title>Other Documents About <acronym>BIND</acronym></title>
- <para></para>
- <bibliography>
- <biblioentry>
- <authorgroup>
- <author>
- <surname>Albitz</surname>
- <firstname>Paul</firstname>
- </author>
- <author>
- <firstname>Cricket</firstname>
- <surname>Liu</surname>
- </author>
- </authorgroup>
- <title><acronym>DNS</acronym> and <acronym>BIND</acronym></title>
- <copyright>
- <year>1998</year>
- <holder>Sebastopol, CA: O'Reilly and Associates</holder>
- </copyright>
- </biblioentry>
- </bibliography>
- </sect2>
- </sect1>
-
-</appendix>
-
-</book>
+
+ <para>
+ This allows recursive queries of the server from the outside
+ unless recursion has been previously disabled.
+ </para>
+ <para>
+ For more information on how to use ACLs to protect your server,
+ see the <emphasis>AUSCERT</emphasis> advisory at:
+ </para>
+ <para>
+ <ulink url="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos"
+ >ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</ulink>
+ </para>
+ </sect1>
+ <sect1>
+ <title><command>chroot</command> and <command>setuid</command></title>
+ <para>
+ On UNIX servers, it is possible to run <acronym>BIND</acronym> in a <emphasis>chrooted</emphasis> environment
+ (using the <command>chroot()</command> function) by specifying the "<option>-t</option>"
+ option. This can help improve system security by placing <acronym>BIND</acronym> in
+ a "sandbox", which will limit the damage done if a server is
+ compromised.
+ </para>
+ <para>
+ Another useful feature in the UNIX version of <acronym>BIND</acronym> is the
+ ability to run the daemon as an unprivileged user ( <option>-u</option> <replaceable>user</replaceable> ).
+ We suggest running as an unprivileged user when using the <command>chroot</command> feature.
+ </para>
+ <para>
+ Here is an example command line to load <acronym>BIND</acronym> in a <command>chroot</command> sandbox,
+ <command>/var/named</command>, and to run <command>named</command> <command>setuid</command> to
+ user 202:
+ </para>
+ <para>
+ <userinput>/usr/local/bin/named -u 202 -t /var/named</userinput>
+ </para>
+
+ <sect2>
+ <title>The <command>chroot</command> Environment</title>
+
+ <para>
+ In order for a <command>chroot</command> environment
+ to
+ work properly in a particular directory
+ (for example, <filename>/var/named</filename>),
+ you will need to set up an environment that includes everything
+ <acronym>BIND</acronym> needs to run.
+ From <acronym>BIND</acronym>'s point of view, <filename>/var/named</filename> is
+ the root of the filesystem. You will need to adjust the values of
+ options like
+ like <command>directory</command> and <command>pid-file</command> to account
+ for this.
+ </para>
+ <para>
+ Unlike with earlier versions of BIND, you will typically
+ <emphasis>not</emphasis> need to compile <command>named</command>
+ statically nor install shared libraries under the new root.
+ However, depending on your operating system, you may need
+ to set up things like
+ <filename>/dev/zero</filename>,
+ <filename>/dev/random</filename>,
+ <filename>/dev/log</filename>, and
+ <filename>/etc/localtime</filename>.
+ </para>
+ </sect2>
+
+ <sect2>
+ <title>Using the <command>setuid</command> Function</title>
+
+ <para>
+ Prior to running the <command>named</command> daemon,
+ use
+ the <command>touch</command> utility (to change file
+ access and
+ modification times) or the <command>chown</command>
+ utility (to
+ set the user id and/or group id) on files
+ to which you want <acronym>BIND</acronym>
+ to write.
+ </para>
+ <note>
+ Note that if the <command>named</command> daemon is running as an
+ unprivileged user, it will not be able to bind to new restricted
+ ports if the server is reloaded.
+ </note>
+ </sect2>
+ </sect1>
+
+ <sect1 id="dynamic_update_security">
+ <title>Dynamic Update Security</title>
+
+ <para>
+ Access to the dynamic
+ update facility should be strictly limited. In earlier versions of
+ <acronym>BIND</acronym>, the only way to do this was
+ based on the IP
+ address of the host requesting the update, by listing an IP address
+ or
+ network prefix in the <command>allow-update</command>
+ zone option.
+ This method is insecure since the source address of the update UDP
+ packet
+ is easily forged. Also note that if the IP addresses allowed by the
+ <command>allow-update</command> option include the
+ address of a slave
+ server which performs forwarding of dynamic updates, the master can
+ be
+ trivially attacked by sending the update to the slave, which will
+ forward it to the master with its own source IP address causing the
+ master to approve it without question.
+ </para>
+
+ <para>
+ For these reasons, we strongly recommend that updates be
+ cryptographically authenticated by means of transaction signatures
+ (TSIG). That is, the <command>allow-update</command>
+ option should
+ list only TSIG key names, not IP addresses or network
+ prefixes. Alternatively, the new <command>update-policy</command>
+ option can be used.
+ </para>
+
+ <para>
+ Some sites choose to keep all dynamically-updated DNS data
+ in a subdomain and delegate that subdomain to a separate zone. This
+ way, the top-level zone containing critical data such as the IP
+ addresses
+ of public web and mail servers need not allow dynamic update at
+ all.
+ </para>
+
+ </sect1>
+ </chapter>
+
+ <chapter id="Bv9ARM.ch08">
+ <title>Troubleshooting</title>
+ <sect1>
+ <title>Common Problems</title>
+ <sect2>
+ <title>It's not working; how can I figure out what's wrong?</title>
+
+ <para>
+ The best solution to solving installation and
+ configuration issues is to take preventative measures by setting
+ up logging files beforehand. The log files provide a
+ source of hints and information that can be used to figure out
+ what went wrong and how to fix the problem.
+ </para>
+
+ </sect2>
+ </sect1>
+ <sect1>
+ <title>Incrementing and Changing the Serial Number</title>
+
+ <para>
+ Zone serial numbers are just numbers-they aren't date
+ related. A lot of people set them to a number that represents a
+ date, usually of the form YYYYMMDDRR. A number of people have been
+ testing these numbers for Y2K compliance and have set the number
+ to the year 2000 to see if it will work. They then try to restore
+ the old serial number. This will cause problems because serial
+ numbers are used to indicate that a zone has been updated. If the
+ serial number on the slave server is lower than the serial number
+ on the master, the slave server will attempt to update its copy of
+ the zone.
+ </para>
+
+ <para>
+ Setting the serial number to a lower number on the master
+ server than the slave server means that the slave will not perform
+ updates to its copy of the zone.
+ </para>
+
+ <para>
+ The solution to this is to add 2147483647 (2^31-1) to the
+ number, reload the zone and make sure all slaves have updated to
+ the new zone serial number, then reset the number to what you want
+ it to be, and reload the zone again.
+ </para>
+
+ </sect1>
+ <sect1>
+ <title>Where Can I Get Help?</title>
+
+ <para>
+ The Internet Systems Consortium
+ (<acronym>ISC</acronym>) offers a wide range
+ of support and service agreements for <acronym>BIND</acronym> and <acronym>DHCP</acronym> servers. Four
+ levels of premium support are available and each level includes
+ support for all <acronym>ISC</acronym> programs,
+ significant discounts on products
+ and training, and a recognized priority on bug fixes and
+ non-funded feature requests. In addition, <acronym>ISC</acronym> offers a standard
+ support agreement package which includes services ranging from bug
+ fix announcements to remote support. It also includes training in
+ <acronym>BIND</acronym> and <acronym>DHCP</acronym>.
+ </para>
+
+ <para>
+ To discuss arrangements for support, contact
+ <ulink url="mailto:info@isc.org">info@isc.org</ulink> or visit the
+ <acronym>ISC</acronym> web page at
+ <ulink url="http://www.isc.org/services/support/"
+ >http://www.isc.org/services/support/</ulink>
+ to read more.
+ </para>
+ </sect1>
+ </chapter>
+ <appendix id="Bv9ARM.ch09">
+ <title>Appendices</title>
+ <sect1>
+ <title>Acknowledgments</title>
+ <sect2 id="historical_dns_information">
+ <title>A Brief History of the <acronym>DNS</acronym> and <acronym>BIND</acronym></title>
+
+ <para>
+ Although the "official" beginning of the Domain Name
+ System occurred in 1984 with the publication of RFC 920, the
+ core of the new system was described in 1983 in RFCs 882 and
+ 883. From 1984 to 1987, the ARPAnet (the precursor to today's
+ Internet) became a testbed of experimentation for developing the
+ new naming/addressing scheme in a rapidly expanding,
+ operational network environment. New RFCs were written and
+ published in 1987 that modified the original documents to
+ incorporate improvements based on the working model. RFC 1034,
+ "Domain Names-Concepts and Facilities", and RFC 1035, "Domain
+ Names-Implementation and Specification" were published and
+ became the standards upon which all <acronym>DNS</acronym> implementations are
+ built.
+ </para>
+
+ <para>
+ The first working domain name server, called "Jeeves", was
+ written in 1983-84 by Paul Mockapetris for operation on DEC
+ Tops-20
+ machines located at the University of Southern California's
+ Information
+ Sciences Institute (USC-ISI) and SRI International's Network
+ Information
+ Center (SRI-NIC). A <acronym>DNS</acronym> server for
+ Unix machines, the Berkeley Internet
+ Name Domain (<acronym>BIND</acronym>) package, was
+ written soon after by a group of
+ graduate students at the University of California at Berkeley
+ under
+ a grant from the US Defense Advanced Research Projects
+ Administration
+ (DARPA).
+ </para>
+ <para>
+ Versions of <acronym>BIND</acronym> through
+ 4.8.3 were maintained by the Computer
+ Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
+ Painter, David Riggle and Songnian Zhou made up the initial <acronym>BIND</acronym>
+ project team. After that, additional work on the software package
+ was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment
+ Corporation
+ employee on loan to the CSRG, worked on <acronym>BIND</acronym> for 2 years, from 1985
+ to 1987. Many other people also contributed to <acronym>BIND</acronym> development
+ during that time: Doug Kingston, Craig Partridge, Smoot
+ Carl-Mitchell,
+ Mike Muuss, Jim Bloom and Mike Schwartz. <acronym>BIND</acronym> maintenance was subsequently
+ handled by Mike Karels and O. Kure.
+ </para>
+ <para>
+ <acronym>BIND</acronym> versions 4.9 and 4.9.1 were
+ released by Digital Equipment
+ Corporation (now Compaq Computer Corporation). Paul Vixie, then
+ a DEC employee, became <acronym>BIND</acronym>'s
+ primary caretaker. He was assisted
+ by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan
+ Beecher, Andrew
+ Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
+ Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
+ Wolfhugel, and others.
+ </para>
+ <para>
+ <acronym>BIND</acronym> version 4.9.2 was sponsored by
+ Vixie Enterprises. Paul
+ Vixie became <acronym>BIND</acronym>'s principal
+ architect/programmer.
+ </para>
+ <para>
+ <acronym>BIND</acronym> versions from 4.9.3 onward
+ have been developed and maintained
+ by the Internet Systems Consortium and its predecessor,
+ the Internet Software Consortium, with support being provided
+ by ISC's sponsors. As co-architects/programmers, Bob Halley and
+ Paul Vixie released the first production-ready version of
+ <acronym>BIND</acronym> version 8 in May 1997.
+ </para>
+ <para>
+ <acronym>BIND</acronym> development work is made
+ possible today by the sponsorship
+ of several corporations, and by the tireless work efforts of
+ numerous individuals.
+ </para>
+ </sect2>
+ </sect1>
+ <sect1>
+ <title>General <acronym>DNS</acronym> Reference Information</title>
+ <sect2 id="ipv6addresses">
+ <title>IPv6 addresses (AAAA)</title>
+ <para>
+ IPv6 addresses are 128-bit identifiers for interfaces and
+ sets of interfaces which were introduced in the <acronym>DNS</acronym> to facilitate
+ scalable Internet routing. There are three types of addresses: <emphasis>Unicast</emphasis>,
+ an identifier for a single interface;
+ <emphasis>Anycast</emphasis>,
+ an identifier for a set of interfaces; and <emphasis>Multicast</emphasis>,
+ an identifier for a set of interfaces. Here we describe the global
+ Unicast address scheme. For more information, see RFC 3587.
+ </para>
+ <para>
+ IPv6 unicast addresses consist of a
+ <emphasis>global routing prefix</emphasis>, a
+ <emphasis>subnet identifier</emphasis>, and an
+ <emphasis>interface identifier</emphasis>.
+ </para>
+ <para>
+ The global routing prefix is provided by the
+ upstream provider or ISP, and (roughly) corresponds to the
+ IPv4 <emphasis>network</emphasis> section
+ of the address range.
+
+ The subnet identifier is for local subnetting, much the
+ same as subnetting an
+ IPv4 /16 network into /24 subnets.
+
+ The interface identifier is the address of an individual
+ interface on a given network; in IPv6, addresses belong to
+ interfaces rather than to machines.
+ </para>
+ <para>
+ The subnetting capability of IPv6 is much more flexible than
+ that of IPv4: subnetting can be carried out on bit boundaries,
+ in much the same way as Classless InterDomain Routing
+ (CIDR), and the DNS PTR representation ("nibble" format)
+ makes setting up reverse zones easier.
+ </para>
+ <para>
+ The Interface Identifier must be unique on the local link,
+ and is usually generated automatically by the IPv6
+ implementation, although it is usually possible to
+ override the default setting if necessary. A typical IPv6
+ address might look like:
+ <command>2001:db8:201:9:a00:20ff:fe81:2b32</command>
+ </para>
+ <para>
+ IPv6 address specifications often contain long strings
+ of zeros, so the architects have included a shorthand for
+ specifying
+ them. The double colon (`::') indicates the longest possible
+ string
+ of zeros that can fit, and can be used only once in an address.
+ </para>
+ </sect2>
+ </sect1>
+ <sect1 id="bibliography">
+ <title>Bibliography (and Suggested Reading)</title>
+ <sect2 id="rfcs">
+ <title>Request for Comments (RFCs)</title>
+ <para>
+ Specification documents for the Internet protocol suite, including
+ the <acronym>DNS</acronym>, are published as part of
+ the Request for Comments (RFCs)
+ series of technical notes. The standards themselves are defined
+ by the Internet Engineering Task Force (IETF) and the Internet
+ Engineering Steering Group (IESG). RFCs can be obtained online via FTP at:
+ </para>
+ <para>
+ <ulink url="ftp://www.isi.edu/in-notes/">
+ ftp://www.isi.edu/in-notes/RFC<replaceable>xxxx</replaceable>.txt
+ </ulink>
+ </para>
+ <para>
+ (where <replaceable>xxxx</replaceable> is
+ the number of the RFC). RFCs are also available via the Web at:
+ </para>
+ <para>
+ <ulink url="http://www.ietf.org/rfc/"
+ >http://www.ietf.org/rfc/</ulink>.
+ </para>
+ <bibliography>
+ <bibliodiv>
+ <!-- one of (BIBLIOENTRY BIBLIOMIXED) -->
+ <title>Standards</title>
+ <biblioentry>
+ <abbrev>RFC974</abbrev>
+ <author>
+ <surname>Partridge</surname>
+ <firstname>C.</firstname>
+ </author>
+ <title>Mail Routing and the Domain System</title>
+ <pubdate>January 1986</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC1034</abbrev>
+ <author>
+ <surname>Mockapetris</surname>
+ <firstname>P.V.</firstname>
+ </author>
+ <title>Domain Names &mdash; Concepts and Facilities</title>
+ <pubdate>November 1987</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC1035</abbrev>
+ <author>
+ <surname>Mockapetris</surname>
+ <firstname>P. V.</firstname>
+ </author> <title>Domain Names &mdash; Implementation and
+ Specification</title>
+ <pubdate>November 1987</pubdate>
+ </biblioentry>
+ </bibliodiv>
+ <bibliodiv id="proposed_standards" xreflabel="Proposed Standards">
+
+ <title>Proposed Standards</title>
+ <!-- one of (BIBLIOENTRY BIBLIOMIXED) -->
+ <biblioentry>
+ <abbrev>RFC2181</abbrev>
+ <author>
+ <surname>Elz</surname>
+ <firstname>R., R. Bush</firstname>
+ </author>
+ <title>Clarifications to the <acronym>DNS</acronym>
+ Specification</title>
+ <pubdate>July 1997</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2308</abbrev>
+ <author>
+ <surname>Andrews</surname>
+ <firstname>M.</firstname>
+ </author>
+ <title>Negative Caching of <acronym>DNS</acronym>
+ Queries</title>
+ <pubdate>March 1998</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC1995</abbrev>
+ <author>
+ <surname>Ohta</surname>
+ <firstname>M.</firstname>
+ </author>
+ <title>Incremental Zone Transfer in <acronym>DNS</acronym></title>
+ <pubdate>August 1996</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC1996</abbrev>
+ <author>
+ <surname>Vixie</surname>
+ <firstname>P.</firstname>
+ </author>
+ <title>A Mechanism for Prompt Notification of Zone Changes</title>
+ <pubdate>August 1996</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2136</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Vixie</surname>
+ <firstname>P.</firstname>
+ </author>
+ <author>
+ <firstname>S.</firstname>
+ <surname>Thomson</surname>
+ </author>
+ <author>
+ <firstname>Y.</firstname>
+ <surname>Rekhter</surname>
+ </author>
+ <author>
+ <firstname>J.</firstname>
+ <surname>Bound</surname>
+ </author>
+ </authorgroup>
+ <title>Dynamic Updates in the Domain Name System</title>
+ <pubdate>April 1997</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2671</abbrev>
+ <authorgroup>
+ <author>
+ <firstname>P.</firstname>
+ <surname>Vixie</surname>
+ </author>
+ </authorgroup>
+ <title>Extension Mechanisms for DNS (EDNS0)</title>
+ <pubdate>August 1997</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2672</abbrev>
+ <authorgroup>
+ <author>
+ <firstname>M.</firstname>
+ <surname>Crawford</surname>
+ </author>
+ </authorgroup>
+ <title>Non-Terminal DNS Name Redirection</title>
+ <pubdate>August 1999</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2845</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Vixie</surname>
+ <firstname>P.</firstname>
+ </author>
+ <author>
+ <firstname>O.</firstname>
+ <surname>Gudmundsson</surname>
+ </author>
+ <author>
+ <firstname>D.</firstname>
+ <surname>Eastlake</surname>
+ <lineage>3rd</lineage>
+ </author>
+ <author>
+ <firstname>B.</firstname>
+ <surname>Wellington</surname>
+ </author>
+ </authorgroup>
+ <title>Secret Key Transaction Authentication for <acronym>DNS</acronym> (TSIG)</title>
+ <pubdate>May 2000</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2930</abbrev>
+ <authorgroup>
+ <author>
+ <firstname>D.</firstname>
+ <surname>Eastlake</surname>
+ <lineage>3rd</lineage>
+ </author>
+ </authorgroup>
+ <title>Secret Key Establishment for DNS (TKEY RR)</title>
+ <pubdate>September 2000</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2931</abbrev>
+ <authorgroup>
+ <author>
+ <firstname>D.</firstname>
+ <surname>Eastlake</surname>
+ <lineage>3rd</lineage>
+ </author>
+ </authorgroup>
+ <title>DNS Request and Transaction Signatures (SIG(0)s)</title>
+ <pubdate>September 2000</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC3007</abbrev>
+ <authorgroup>
+ <author>
+ <firstname>B.</firstname>
+ <surname>Wellington</surname>
+ </author>
+ </authorgroup>
+ <title>Secure Domain Name System (DNS) Dynamic Update</title>
+ <pubdate>November 2000</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC3645</abbrev>
+ <authorgroup>
+ <author>
+ <firstname>S.</firstname>
+ <surname>Kwan</surname>
+ </author>
+ <author>
+ <firstname>P.</firstname>
+ <surname>Garg</surname>
+ </author>
+ <author>
+ <firstname>J.</firstname>
+ <surname>Gilroy</surname>
+ </author>
+ <author>
+ <firstname>L.</firstname>
+ <surname>Esibov</surname>
+ </author>
+ <author>
+ <firstname>J.</firstname>
+ <surname>Westhead</surname>
+ </author>
+ <author>
+ <firstname>R.</firstname>
+ <surname>Hall</surname>
+ </author>
+ </authorgroup>
+ <title>Generic Security Service Algorithm for Secret
+ Key Transaction Authentication for DNS
+ (GSS-TSIG)</title>
+ <pubdate>October 2003</pubdate>
+ </biblioentry>
+ </bibliodiv>
+ <bibliodiv>
+ <title><acronym>DNS</acronym> Security Proposed Standards</title>
+ <biblioentry>
+ <abbrev>RFC3225</abbrev>
+ <authorgroup>
+ <author>
+ <firstname>D.</firstname>
+ <surname>Conrad</surname>
+ </author>
+ </authorgroup>
+ <title>Indicating Resolver Support of DNSSEC</title>
+ <pubdate>December 2001</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC3833</abbrev>
+ <authorgroup>
+ <author>
+ <firstname>D.</firstname>
+ <surname>Atkins</surname>
+ </author>
+ <author>
+ <firstname>R.</firstname>
+ <surname>Austein</surname>
+ </author>
+ </authorgroup>
+ <title>Threat Analysis of the Domain Name System (DNS)</title>
+ <pubdate>August 2004</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC4033</abbrev>
+ <authorgroup>
+ <author>
+ <firstname>R.</firstname>
+ <surname>Arends</surname>
+ </author>
+ <author>
+ <firstname>R.</firstname>
+ <surname>Austein</surname>
+ </author>
+ <author>
+ <firstname>M.</firstname>
+ <surname>Larson</surname>
+ </author>
+ <author>
+ <firstname>D.</firstname>
+ <surname>Massey</surname>
+ </author>
+ <author>
+ <firstname>S.</firstname>
+ <surname>Rose</surname>
+ </author>
+ </authorgroup>
+ <title>DNS Security Introduction and Requirements</title>
+ <pubdate>March 2005</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC4044</abbrev>
+ <authorgroup>
+ <author>
+ <firstname>R.</firstname>
+ <surname>Arends</surname>
+ </author>
+ <author>
+ <firstname>R.</firstname>
+ <surname>Austein</surname>
+ </author>
+ <author>
+ <firstname>M.</firstname>
+ <surname>Larson</surname>
+ </author>
+ <author>
+ <firstname>D.</firstname>
+ <surname>Massey</surname>
+ </author>
+ <author>
+ <firstname>S.</firstname>
+ <surname>Rose</surname>
+ </author>
+ </authorgroup>
+ <title>Resource Records for the DNS Security Extensions</title>
+ <pubdate>March 2005</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC4035</abbrev>
+ <authorgroup>
+ <author>
+ <firstname>R.</firstname>
+ <surname>Arends</surname>
+ </author>
+ <author>
+ <firstname>R.</firstname>
+ <surname>Austein</surname>
+ </author>
+ <author>
+ <firstname>M.</firstname>
+ <surname>Larson</surname>
+ </author>
+ <author>
+ <firstname>D.</firstname>
+ <surname>Massey</surname>
+ </author>
+ <author>
+ <firstname>S.</firstname>
+ <surname>Rose</surname>
+ </author>
+ </authorgroup>
+ <title>Protocol Modifications for the DNS
+ Security Extensions</title>
+ <pubdate>March 2005</pubdate>
+ </biblioentry>
+ </bibliodiv>
+ <bibliodiv>
+ <title>Other Important RFCs About <acronym>DNS</acronym>
+ Implementation</title>
+ <biblioentry>
+ <abbrev>RFC1535</abbrev>
+ <author>
+ <surname>Gavron</surname>
+ <firstname>E.</firstname>
+ </author>
+ <title>A Security Problem and Proposed Correction With Widely
+ Deployed <acronym>DNS</acronym> Software.</title>
+ <pubdate>October 1993</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC1536</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Kumar</surname>
+ <firstname>A.</firstname>
+ </author>
+ <author>
+ <firstname>J.</firstname>
+ <surname>Postel</surname>
+ </author>
+ <author>
+ <firstname>C.</firstname>
+ <surname>Neuman</surname>
+ </author>
+ <author>
+ <firstname>P.</firstname>
+ <surname>Danzig</surname>
+ </author>
+ <author>
+ <firstname>S.</firstname>
+ <surname>Miller</surname>
+ </author>
+ </authorgroup>
+ <title>Common <acronym>DNS</acronym> Implementation
+ Errors and Suggested Fixes</title>
+ <pubdate>October 1993</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC1982</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Elz</surname>
+ <firstname>R.</firstname>
+ </author>
+ <author>
+ <firstname>R.</firstname>
+ <surname>Bush</surname>
+ </author>
+ </authorgroup>
+ <title>Serial Number Arithmetic</title>
+ <pubdate>August 1996</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC4074</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Morishita</surname>
+ <firstname>Y.</firstname>
+ </author>
+ <author>
+ <firstname>T.</firstname>
+ <surname>Jinmei</surname>
+ </author>
+ </authorgroup>
+ <title>Common Misbehaviour Against <acronym>DNS</acronym>
+ Queries for IPv6 Addresses</title>
+ <pubdate>May 2005</pubdate>
+ </biblioentry>
+ </bibliodiv>
+ <bibliodiv>
+ <title>Resource Record Types</title>
+ <biblioentry>
+ <abbrev>RFC1183</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Everhart</surname>
+ <firstname>C.F.</firstname>
+ </author>
+ <author>
+ <firstname>L. A.</firstname>
+ <surname>Mamakos</surname>
+ </author>
+ <author>
+ <firstname>R.</firstname>
+ <surname>Ullmann</surname>
+ </author>
+ <author>
+ <firstname>P.</firstname>
+ <surname>Mockapetris</surname>
+ </author>
+ </authorgroup>
+ <title>New <acronym>DNS</acronym> RR Definitions</title>
+ <pubdate>October 1990</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC1706</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Manning</surname>
+ <firstname>B.</firstname>
+ </author>
+ <author>
+ <firstname>R.</firstname>
+ <surname>Colella</surname>
+ </author>
+ </authorgroup>
+ <title><acronym>DNS</acronym> NSAP Resource Records</title>
+ <pubdate>October 1994</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2168</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Daniel</surname>
+ <firstname>R.</firstname>
+ </author>
+ <author>
+ <firstname>M.</firstname>
+ <surname>Mealling</surname>
+ </author>
+ </authorgroup>
+ <title>Resolution of Uniform Resource Identifiers using
+ the Domain Name System</title>
+ <pubdate>June 1997</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC1876</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Davis</surname>
+ <firstname>C.</firstname>
+ </author>
+ <author>
+ <firstname>P.</firstname>
+ <surname>Vixie</surname>
+ </author>
+ <author>
+ <firstname>T.</firstname>
+ <firstname>Goodwin</firstname>
+ </author>
+ <author>
+ <firstname>I.</firstname>
+ <surname>Dickinson</surname>
+ </author>
+ </authorgroup>
+ <title>A Means for Expressing Location Information in the
+ Domain
+ Name System</title>
+ <pubdate>January 1996</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2052</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Gulbrandsen</surname>
+ <firstname>A.</firstname>
+ </author>
+ <author>
+ <firstname>P.</firstname>
+ <surname>Vixie</surname>
+ </author>
+ </authorgroup>
+ <title>A <acronym>DNS</acronym> RR for Specifying the
+ Location of
+ Services.</title>
+ <pubdate>October 1996</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2163</abbrev>
+ <author>
+ <surname>Allocchio</surname>
+ <firstname>A.</firstname>
+ </author>
+ <title>Using the Internet <acronym>DNS</acronym> to
+ Distribute MIXER
+ Conformant Global Address Mapping</title>
+ <pubdate>January 1998</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2230</abbrev>
+ <author>
+ <surname>Atkinson</surname>
+ <firstname>R.</firstname>
+ </author>
+ <title>Key Exchange Delegation Record for the <acronym>DNS</acronym></title>
+ <pubdate>October 1997</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2536</abbrev>
+ <author>
+ <surname>Eastlake</surname>
+ <firstname>D.</firstname>
+ <lineage>3rd</lineage>
+ </author>
+ <title>DSA KEYs and SIGs in the Domain Name System (DNS)</title>
+ <pubdate>March 1999</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2537</abbrev>
+ <author>
+ <surname>Eastlake</surname>
+ <firstname>D.</firstname>
+ <lineage>3rd</lineage>
+ </author>
+ <title>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</title>
+ <pubdate>March 1999</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2538</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Eastlake</surname>
+ <firstname>D.</firstname>
+ <lineage>3rd</lineage>
+ </author>
+ <author>
+ <surname>Gudmundsson</surname>
+ <firstname>O.</firstname>
+ </author>
+ </authorgroup>
+ <title>Storing Certificates in the Domain Name System (DNS)</title>
+ <pubdate>March 1999</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2539</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Eastlake</surname>
+ <firstname>D.</firstname>
+ <lineage>3rd</lineage>
+ </author>
+ </authorgroup>
+ <title>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</title>
+ <pubdate>March 1999</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2540</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Eastlake</surname>
+ <firstname>D.</firstname>
+ <lineage>3rd</lineage>
+ </author>
+ </authorgroup>
+ <title>Detached Domain Name System (DNS) Information</title>
+ <pubdate>March 1999</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2782</abbrev>
+ <author>
+ <surname>Gulbrandsen</surname>
+ <firstname>A.</firstname>
+ </author>
+ <author>
+ <surname>Vixie</surname>
+ <firstname>P.</firstname>
+ </author>
+ <author>
+ <surname>Esibov</surname>
+ <firstname>L.</firstname>
+ </author>
+ <title>A DNS RR for specifying the location of services (DNS SRV)</title>
+ <pubdate>February 2000</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2915</abbrev>
+ <author>
+ <surname>Mealling</surname>
+ <firstname>M.</firstname>
+ </author>
+ <author>
+ <surname>Daniel</surname>
+ <firstname>R.</firstname>
+ </author>
+ <title>The Naming Authority Pointer (NAPTR) DNS Resource Record</title>
+ <pubdate>September 2000</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC3110</abbrev>
+ <author>
+ <surname>Eastlake</surname>
+ <firstname>D.</firstname>
+ <lineage>3rd</lineage>
+ </author>
+ <title>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</title>
+ <pubdate>May 2001</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC3123</abbrev>
+ <author>
+ <surname>Koch</surname>
+ <firstname>P.</firstname>
+ </author>
+ <title>A DNS RR Type for Lists of Address Prefixes (APL RR)</title>
+ <pubdate>June 2001</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC3596</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Thomson</surname>
+ <firstname>S.</firstname>
+ </author>
+ <author>
+ <firstname>C.</firstname>
+ <surname>Huitema</surname>
+ </author>
+ <author>
+ <firstname>V.</firstname>
+ <surname>Ksinant</surname>
+ </author>
+ <author>
+ <firstname>M.</firstname>
+ <surname>Souissi</surname>
+ </author>
+ </authorgroup>
+ <title><acronym>DNS</acronym> Extensions to support IP
+ version 6</title>
+ <pubdate>October 2003</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC3597</abbrev>
+ <author>
+ <surname>Gustafsson</surname>
+ <firstname>A.</firstname>
+ </author>
+ <title>Handling of Unknown DNS Resource Record (RR) Types</title>
+ <pubdate>September 2003</pubdate>
+ </biblioentry>
+ </bibliodiv>
+ <bibliodiv>
+ <title><acronym>DNS</acronym> and the Internet</title>
+ <biblioentry>
+ <abbrev>RFC1101</abbrev>
+ <author>
+ <surname>Mockapetris</surname>
+ <firstname>P. V.</firstname>
+ </author>
+ <title><acronym>DNS</acronym> Encoding of Network Names
+ and Other Types</title>
+ <pubdate>April 1989</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC1123</abbrev>
+ <author>
+ <surname>Braden</surname>
+ <surname>R.</surname>
+ </author>
+ <title>Requirements for Internet Hosts - Application and
+ Support</title>
+ <pubdate>October 1989</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC1591</abbrev>
+ <author>
+ <surname>Postel</surname>
+ <firstname>J.</firstname>
+ </author>
+ <title>Domain Name System Structure and Delegation</title>
+ <pubdate>March 1994</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2317</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Eidnes</surname>
+ <firstname>H.</firstname>
+ </author>
+ <author>
+ <firstname>G.</firstname>
+ <surname>de Groot</surname>
+ </author>
+ <author>
+ <firstname>P.</firstname>
+ <surname>Vixie</surname>
+ </author>
+ </authorgroup>
+ <title>Classless IN-ADDR.ARPA Delegation</title>
+ <pubdate>March 1998</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2826</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Internet Architecture Board</surname>
+ </author>
+ </authorgroup>
+ <title>IAB Technical Comment on the Unique DNS Root</title>
+ <pubdate>May 2000</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2929</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Eastlake</surname>
+ <firstname>D.</firstname>
+ <lineage>3rd</lineage>
+ </author>
+ <author>
+ <surname>Brunner-Williams</surname>
+ <firstname>E.</firstname>
+ </author>
+ <author>
+ <surname>Manning</surname>
+ <firstname>B.</firstname>
+ </author>
+ </authorgroup>
+ <title>Domain Name System (DNS) IANA Considerations</title>
+ <pubdate>September 2000</pubdate>
+ </biblioentry>
+ </bibliodiv>
+ <bibliodiv>
+ <title><acronym>DNS</acronym> Operations</title>
+ <biblioentry>
+ <abbrev>RFC1033</abbrev>
+ <author>
+ <surname>Lottor</surname>
+ <firstname>M.</firstname>
+ </author>
+ <title>Domain administrators operations guide.</title>
+ <pubdate>November 1987</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC1537</abbrev>
+ <author>
+ <surname>Beertema</surname>
+ <firstname>P.</firstname>
+ </author>
+ <title>Common <acronym>DNS</acronym> Data File
+ Configuration Errors</title>
+ <pubdate>October 1993</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC1912</abbrev>
+ <author>
+ <surname>Barr</surname>
+ <firstname>D.</firstname>
+ </author>
+ <title>Common <acronym>DNS</acronym> Operational and
+ Configuration Errors</title>
+ <pubdate>February 1996</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2010</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Manning</surname>
+ <firstname>B.</firstname>
+ </author>
+ <author>
+ <firstname>P.</firstname>
+ <surname>Vixie</surname>
+ </author>
+ </authorgroup>
+ <title>Operational Criteria for Root Name Servers.</title>
+ <pubdate>October 1996</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2219</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Hamilton</surname>
+ <firstname>M.</firstname>
+ </author>
+ <author>
+ <firstname>R.</firstname>
+ <surname>Wright</surname>
+ </author>
+ </authorgroup>
+ <title>Use of <acronym>DNS</acronym> Aliases for
+ Network Services.</title>
+ <pubdate>October 1997</pubdate>
+ </biblioentry>
+ </bibliodiv>
+ <bibliodiv>
+ <title>Internationalized Domain Names</title>
+ <biblioentry>
+ <abbrev>RFC2825</abbrev>
+ <authorgroup>
+ <author>
+ <surname>IAB</surname>
+ </author>
+ <author>
+ <surname>Daigle</surname>
+ <firstname>R.</firstname>
+ </author>
+ </authorgroup>
+ <title>A Tangled Web: Issues of I18N, Domain Names,
+ and the Other Internet protocols</title>
+ <pubdate>May 2000</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC3490</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Faltstrom</surname>
+ <firstname>P.</firstname>
+ </author>
+ <author>
+ <surname>Hoffman</surname>
+ <firstname>P.</firstname>
+ </author>
+ <author>
+ <surname>Costello</surname>
+ <firstname>A.</firstname>
+ </author>
+ </authorgroup>
+ <title>Internationalizing Domain Names in Applications (IDNA)</title>
+ <pubdate>March 2003</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC3491</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Hoffman</surname>
+ <firstname>P.</firstname>
+ </author>
+ <author>
+ <surname>Blanchet</surname>
+ <firstname>M.</firstname>
+ </author>
+ </authorgroup>
+ <title>Nameprep: A Stringprep Profile for Internationalized Domain Names</title>
+ <pubdate>March 2003</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC3492</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Costello</surname>
+ <firstname>A.</firstname>
+ </author>
+ </authorgroup>
+ <title>Punycode: A Bootstring encoding of Unicode
+ for Internationalized Domain Names in
+ Applications (IDNA)</title>
+ <pubdate>March 2003</pubdate>
+ </biblioentry>
+ </bibliodiv>
+ <bibliodiv>
+ <title>Other <acronym>DNS</acronym>-related RFCs</title>
+ <note>
+ <para>
+ Note: the following list of RFCs, although
+ <acronym>DNS</acronym>-related, are not
+ concerned with implementing software.
+ </para>
+ </note>
+ <biblioentry>
+ <abbrev>RFC1464</abbrev>
+ <author>
+ <surname>Rosenbaum</surname>
+ <firstname>R.</firstname>
+ </author>
+ <title>Using the Domain Name System To Store Arbitrary String
+ Attributes</title>
+ <pubdate>May 1993</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC1713</abbrev>
+ <author>
+ <surname>Romao</surname>
+ <firstname>A.</firstname>
+ </author>
+ <title>Tools for <acronym>DNS</acronym> Debugging</title>
+ <pubdate>November 1994</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC1794</abbrev>
+ <author>
+ <surname>Brisco</surname>
+ <firstname>T.</firstname>
+ </author>
+ <title><acronym>DNS</acronym> Support for Load
+ Balancing</title>
+ <pubdate>April 1995</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2240</abbrev>
+ <author>
+ <surname>Vaughan</surname>
+ <firstname>O.</firstname>
+ </author>
+ <title>A Legal Basis for Domain Name Allocation</title>
+ <pubdate>November 1997</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2345</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Klensin</surname>
+ <firstname>J.</firstname>
+ </author>
+ <author>
+ <firstname>T.</firstname>
+ <surname>Wolf</surname>
+ </author>
+ <author>
+ <firstname>G.</firstname>
+ <surname>Oglesby</surname>
+ </author>
+ </authorgroup>
+ <title>Domain Names and Company Name Retrieval</title>
+ <pubdate>May 1998</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2352</abbrev>
+ <author>
+ <surname>Vaughan</surname>
+ <firstname>O.</firstname>
+ </author>
+ <title>A Convention For Using Legal Names as Domain Names</title>
+ <pubdate>May 1998</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC3071</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Klensin</surname>
+ <firstname>J.</firstname>
+ </author>
+ </authorgroup>
+ <title>Reflections on the DNS, RFC 1591, and Categories of Domains</title>
+ <pubdate>February 2001</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC3258</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Hardie</surname>
+ <firstname>T.</firstname>
+ </author>
+ </authorgroup>
+ <title>Distributing Authoritative Name Servers via
+ Shared Unicast Addresses</title>
+ <pubdate>April 2002</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC3901</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Durand</surname>
+ <firstname>A.</firstname>
+ </author>
+ <author>
+ <firstname>J.</firstname>
+ <surname>Ihren</surname>
+ </author>
+ </authorgroup>
+ <title>DNS IPv6 Transport Operational Guidelines</title>
+ <pubdate>September 2004</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2352</abbrev>
+ <author>
+ <surname>Vaughan</surname>
+ <firstname>O.</firstname>
+ </author>
+ <title>A Convention For Using Legal Names as Domain Names</title>
+ <pubdate>May 1998</pubdate>
+ </biblioentry>
+ </bibliodiv>
+ <bibliodiv>
+ <title>Obsolete and Unimplemented Experimental RFC</title>
+ <biblioentry>
+ <abbrev>RFC1712</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Farrell</surname>
+ <firstname>C.</firstname>
+ </author>
+ <author>
+ <firstname>M.</firstname>
+ <surname>Schulze</surname>
+ </author>
+ <author>
+ <firstname>S.</firstname>
+ <surname>Pleitner</surname>
+ </author>
+ <author>
+ <firstname>D.</firstname>
+ <surname>Baldoni</surname>
+ </author>
+ </authorgroup>
+ <title><acronym>DNS</acronym> Encoding of Geographical
+ Location</title>
+ <pubdate>November 1994</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2673</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Crawford</surname>
+ <firstname>M.</firstname>
+ </author>
+ </authorgroup>
+ <title>Binary Labels in the Domain Name System</title>
+ <pubdate>August 1999</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2874</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Crawford</surname>
+ <firstname>M.</firstname>
+ </author>
+ <author>
+ <surname>Huitema</surname>
+ <firstname>C.</firstname>
+ </author>
+ </authorgroup>
+ <title>DNS Extensions to Support IPv6 Address Aggregation
+ and Renumbering</title>
+ <pubdate>July 2000</pubdate>
+ </biblioentry>
+ </bibliodiv>
+ <bibliodiv>
+ <title>Obsoleted DNS Security RFCs</title>
+ <note>
+ <para>
+ Most of these have been consolidated into RFC4033,
+ RFC4034 and RFC4035 which collectively describe DNSSECbis.
+ </para>
+ </note>
+ <biblioentry>
+ <abbrev>RFC2065</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Eastlake</surname>
+ <lineage>3rd</lineage>
+ <firstname>D.</firstname>
+ </author>
+ <author>
+ <firstname>C.</firstname>
+ <surname>Kaufman</surname>
+ </author>
+ </authorgroup>
+ <title>Domain Name System Security Extensions</title>
+ <pubdate>January 1997</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2137</abbrev>
+ <author>
+ <surname>Eastlake</surname>
+ <lineage>3rd</lineage>
+ <firstname>D.</firstname>
+ </author>
+ <title>Secure Domain Name System Dynamic Update</title>
+ <pubdate>April 1997</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2535</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Eastlake</surname>
+ <lineage>3rd</lineage>
+ <firstname>D.</firstname>
+ </author>
+ </authorgroup>
+ <title>Domain Name System Security Extensions</title>
+ <pubdate>March 1999</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC3008</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Wellington</surname>
+ <firstname>B.</firstname>
+ </author>
+ </authorgroup>
+ <title>Domain Name System Security (DNSSEC)
+ Signing Authority</title>
+ <pubdate>November 2000</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC3090</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Lewis</surname>
+ <firstname>E.</firstname>
+ </author>
+ </authorgroup>
+ <title>DNS Security Extension Clarification on Zone Status</title>
+ <pubdate>March 2001</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC3445</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Massey</surname>
+ <firstname>D.</firstname>
+ </author>
+ <author>
+ <surname>Rose</surname>
+ <firstname>S.</firstname>
+ </author>
+ </authorgroup>
+ <title>Limiting the Scope of the KEY Resource Record (RR)</title>
+ <pubdate>December 2002</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC3655</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Wellington</surname>
+ <firstname>B.</firstname>
+ </author>
+ <author>
+ <surname>Gudmundsson</surname>
+ <firstname>O.</firstname>
+ </author>
+ </authorgroup>
+ <title>Redefinition of DNS Authenticated Data (AD) bit</title>
+ <pubdate>November 2003</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC3658</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Gudmundsson</surname>
+ <firstname>O.</firstname>
+ </author>
+ </authorgroup>
+ <title>Delegation Signer (DS) Resource Record (RR)</title>
+ <pubdate>December 2003</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC3755</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Weiler</surname>
+ <firstname>S.</firstname>
+ </author>
+ </authorgroup>
+ <title>Legacy Resolver Compatibility for Delegation Signer (DS)</title>
+ <pubdate>May 2004</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC3757</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Kolkman</surname>
+ <firstname>O.</firstname>
+ </author>
+ <author>
+ <surname>Schlyter</surname>
+ <firstname>J.</firstname>
+ </author>
+ <author>
+ <surname>Lewis</surname>
+ <firstname>E.</firstname>
+ </author>
+ </authorgroup>
+ <title>Domain Name System KEY (DNSKEY) Resource Record
+ (RR) Secure Entry Point (SEP) Flag</title>
+ <pubdate>April 2004</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC3845</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Schlyter</surname>
+ <firstname>J.</firstname>
+ </author>
+ </authorgroup>
+ <title>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</title>
+ <pubdate>August 2004</pubdate>
+ </biblioentry>
+ </bibliodiv>
+ </bibliography>
+ </sect2>
+ <sect2 id="internet_drafts">
+ <title>Internet Drafts</title>
+ <para>
+ Internet Drafts (IDs) are rough-draft working documents of
+ the Internet Engineering Task Force. They are, in essence, RFCs
+ in the preliminary stages of development. Implementors are
+ cautioned not
+ to regard IDs as archival, and they should not be quoted or cited
+ in any formal documents unless accompanied by the disclaimer that
+ they are "works in progress." IDs have a lifespan of six months
+ after which they are deleted unless updated by their authors.
+ </para>
+ </sect2>
+ <sect2>
+ <title>Other Documents About <acronym>BIND</acronym></title>
+ <para/>
+ <bibliography>
+ <biblioentry>
+ <authorgroup>
+ <author>
+ <surname>Albitz</surname>
+ <firstname>Paul</firstname>
+ </author>
+ <author>
+ <firstname>Cricket</firstname>
+ <surname>Liu</surname>
+ </author>
+ </authorgroup>
+ <title><acronym>DNS</acronym> and <acronym>BIND</acronym></title>
+ <copyright>
+ <year>1998</year>
+ <holder>Sebastopol, CA: O'Reilly and Associates</holder>
+ </copyright>
+ </biblioentry>
+ </bibliography>
+ </sect2>
+ </sect1>
+ </appendix>
+
+ <reference id="Bv9ARM.ch10">
+ <title>Manual pages</title>
+ <xi:include href="../../bin/dig/dig.docbook"/>
+ <xi:include href="../../bin/dig/host.docbook"/>
+ <xi:include href="../../bin/dnssec/dnssec-keygen.docbook"/>
+ <xi:include href="../../bin/dnssec/dnssec-signzone.docbook"/>
+ <xi:include href="../../bin/check/named-checkconf.docbook"/>
+ <xi:include href="../../bin/check/named-checkzone.docbook"/>
+ <xi:include href="../../bin/named/named.docbook"/>
+ <!-- named.conf.docbook and others? -->
+ <!-- nsupdate gives db2latex indigestion, markup problems? -->
+ <xi:include href="../../bin/rndc/rndc.docbook"/>
+ <xi:include href="../../bin/rndc/rndc.conf.docbook"/>
+ <xi:include href="../../bin/rndc/rndc-confgen.docbook"/>
+ </reference>
+
+ </book>
+
+<!--
+ - Local variables:
+ - mode: sgml
+ - End:
+ -->
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch01.html b/contrib/bind9/doc/arm/Bv9ARM.ch01.html
index 3f3aebb..a644628 100644
--- a/contrib/bind9/doc/arm/Bv9ARM.ch01.html
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch01.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
@@ -14,12 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch01.html,v 1.12.2.2.8.15 2006/07/20 02:33:31 marka Exp $ -->
+<!-- $Id: Bv9ARM.ch01.html,v 1.16.18.19 2007/01/30 00:23:45 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter 1. Introduction </title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<title>Chapter 1. Introduction</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
@@ -28,7 +28,7 @@
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter 1. Introduction </th></tr>
+<tr><th colspan="3" align="center">Chapter 1. Introduction</th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="Bv9ARM.html">Prev</a> </td>
@@ -41,71 +41,86 @@
</div>
<div class="chapter" lang="en">
<div class="titlepage"><div><div><h2 class="title">
-<a name="Bv9ARM.ch01"></a>Chapter 1. Introduction </h2></div></div></div>
+<a name="Bv9ARM.ch01"></a>Chapter 1. Introduction</h2></div></div></div>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2569434">Scope of Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2569460">Organization of This Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2569736">Conventions Used in This Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2569994">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564115">Scope of Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564138">Organization of This Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563473">Conventions Used in This Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564746">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2570014">DNS Fundamentals</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2570323">Domains and Domain Names</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2570407">Zones</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2570550">Authoritative Name Servers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2570642">Caching Name Servers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2570699">Name Servers in Multiple Roles</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564768">DNS Fundamentals</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564802">Domains and Domain Names</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564886">Zones</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567284">Authoritative Name Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567525">Caching Name Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567587">Name Servers in Multiple Roles</a></span></dt>
</dl></dd>
</dl>
</div>
-<p>The Internet Domain Name System (<acronym class="acronym">DNS</acronym>) consists of the syntax
- to specify the names of entities in the Internet in a hierarchical
- manner, the rules used for delegating authority over names, and the
- system implementation that actually maps names to Internet
- addresses. <acronym class="acronym">DNS</acronym> data is maintained in a group of distributed
- hierarchical databases.</p>
+<p>
+ The Internet Domain Name System (<acronym class="acronym">DNS</acronym>)
+ consists of the syntax
+ to specify the names of entities in the Internet in a hierarchical
+ manner, the rules used for delegating authority over names, and the
+ system implementation that actually maps names to Internet
+ addresses. <acronym class="acronym">DNS</acronym> data is maintained in a
+ group of distributed
+ hierarchical databases.
+ </p>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2569434"></a>Scope of Document</h2></div></div></div>
-<p>The Berkeley Internet Name Domain (<acronym class="acronym">BIND</acronym>) implements a
- domain name server for a number of operating systems. This
- document provides basic information about the installation and
- care of the Internet Software Consortium (<acronym class="acronym">ISC</acronym>)
- <acronym class="acronym">BIND</acronym> version 9 software package for system
- administrators.</p>
-<p>This version of the manual corresponds to BIND version 9.3.</p>
+<a name="id2564115"></a>Scope of Document</h2></div></div></div>
+<p>
+ The Berkeley Internet Name Domain
+ (<acronym class="acronym">BIND</acronym>) implements a
+ domain name server for a number of operating systems. This
+ document provides basic information about the installation and
+ care of the Internet Systems Consortium (<acronym class="acronym">ISC</acronym>)
+ <acronym class="acronym">BIND</acronym> version 9 software package for
+ system administrators.
+ </p>
+<p>
+ This version of the manual corresponds to BIND version 9.4.
+ </p>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2569460"></a>Organization of This Document</h2></div></div></div>
-<p>In this document, <span class="emphasis"><em>Section 1</em></span> introduces
- the basic <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym> concepts. <span class="emphasis"><em>Section 2</em></span>
- describes resource requirements for running <acronym class="acronym">BIND</acronym> in various
- environments. Information in <span class="emphasis"><em>Section 3</em></span> is
- <span class="emphasis"><em>task-oriented</em></span> in its presentation and is
- organized functionally, to aid in the process of installing the
- <acronym class="acronym">BIND</acronym> 9 software. The task-oriented section is followed by
- <span class="emphasis"><em>Section 4</em></span>, which contains more advanced
- concepts that the system administrator may need for implementing
- certain options. <span class="emphasis"><em>Section 5</em></span>
- describes the <acronym class="acronym">BIND</acronym> 9 lightweight
- resolver. The contents of <span class="emphasis"><em>Section 6</em></span> are
- organized as in a reference manual to aid in the ongoing
- maintenance of the software. <span class="emphasis"><em>Section 7
- </em></span>addresses security considerations, and
- <span class="emphasis"><em>Section 8</em></span> contains troubleshooting help. The
- main body of the document is followed by several
- <span class="emphasis"><em>Appendices</em></span> which contain useful reference
- information, such as a <span class="emphasis"><em>Bibliography</em></span> and
- historic information related to <acronym class="acronym">BIND</acronym> and the Domain Name
- System.</p>
+<a name="id2564138"></a>Organization of This Document</h2></div></div></div>
+<p>
+ In this document, <span class="emphasis"><em>Section 1</em></span> introduces
+ the basic <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym> concepts. <span class="emphasis"><em>Section 2</em></span>
+ describes resource requirements for running <acronym class="acronym">BIND</acronym> in various
+ environments. Information in <span class="emphasis"><em>Section 3</em></span> is
+ <span class="emphasis"><em>task-oriented</em></span> in its presentation and is
+ organized functionally, to aid in the process of installing the
+ <acronym class="acronym">BIND</acronym> 9 software. The task-oriented
+ section is followed by
+ <span class="emphasis"><em>Section 4</em></span>, which contains more advanced
+ concepts that the system administrator may need for implementing
+ certain options. <span class="emphasis"><em>Section 5</em></span>
+ describes the <acronym class="acronym">BIND</acronym> 9 lightweight
+ resolver. The contents of <span class="emphasis"><em>Section 6</em></span> are
+ organized as in a reference manual to aid in the ongoing
+ maintenance of the software. <span class="emphasis"><em>Section 7</em></span> addresses
+ security considerations, and
+ <span class="emphasis"><em>Section 8</em></span> contains troubleshooting help. The
+ main body of the document is followed by several
+ <span class="emphasis"><em>Appendices</em></span> which contain useful reference
+ information, such as a <span class="emphasis"><em>Bibliography</em></span> and
+ historic information related to <acronym class="acronym">BIND</acronym>
+ and the Domain Name
+ System.
+ </p>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2569736"></a>Conventions Used in This Document</h2></div></div></div>
-<p>In this document, we use the following general typographic
- conventions:</p>
+<a name="id2563473"></a>Conventions Used in This Document</h2></div></div></div>
+<p>
+ In this document, we use the following general typographic
+ conventions:
+ </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -114,33 +129,59 @@
<tbody>
<tr>
<td>
-<p><span class="emphasis"><em>To
-describe:</em></span></p>
-</td>
+ <p>
+ <span class="emphasis"><em>To describe:</em></span>
+ </p>
+ </td>
<td>
-<p><span class="emphasis"><em>We use the style:</em></span></p>
-</td>
+ <p>
+ <span class="emphasis"><em>We use the style:</em></span>
+ </p>
+ </td>
</tr>
<tr>
<td>
-<p>a pathname, filename, URL, hostname,
-mailing list name, or new term or concept</p>
-</td>
-<td><p><code class="filename">Fixed width</code></p></td>
+ <p>
+ a pathname, filename, URL, hostname,
+ mailing list name, or new term or concept
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="filename">Fixed width</code>
+ </p>
+ </td>
</tr>
<tr>
-<td><p>literal user
-input</p></td>
-<td><p><strong class="userinput"><code>Fixed Width Bold</code></strong></p></td>
+<td>
+ <p>
+ literal user
+ input
+ </p>
+ </td>
+<td>
+ <p>
+ <strong class="userinput"><code>Fixed Width Bold</code></strong>
+ </p>
+ </td>
</tr>
<tr>
-<td><p>program output</p></td>
-<td><p><code class="computeroutput">Fixed Width</code></p></td>
+<td>
+ <p>
+ program output
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="computeroutput">Fixed Width</code>
+ </p>
+ </td>
</tr>
</tbody>
</table></div>
-<p>The following conventions are used in descriptions of the
-<acronym class="acronym">BIND</acronym> configuration file:</p>
+<p>
+ The following conventions are used in descriptions of the
+ <acronym class="acronym">BIND</acronym> configuration file:</p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -148,246 +189,353 @@ input</p></td>
</colgroup>
<tbody>
<tr>
-<td><p><span class="emphasis"><em>To
-describe:</em></span></p></td>
-<td><p><span class="emphasis"><em>We use the style:</em></span></p></td>
+<td>
+ <p>
+ <span class="emphasis"><em>To describe:</em></span>
+ </p>
+ </td>
+<td>
+ <p>
+ <span class="emphasis"><em>We use the style:</em></span>
+ </p>
+ </td>
</tr>
<tr>
-<td><p>keywords</p></td>
-<td><p><code class="literal">Fixed Width</code></p></td>
+<td>
+ <p>
+ keywords
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">Fixed Width</code>
+ </p>
+ </td>
</tr>
<tr>
-<td><p>variables</p></td>
-<td><p><code class="varname">Fixed Width</code></p></td>
+<td>
+ <p>
+ variables
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="varname">Fixed Width</code>
+ </p>
+ </td>
</tr>
<tr>
-<td><p>Optional input</p></td>
-<td><p>[<span class="optional">Text is enclosed in square brackets</span>]</p></td>
+<td>
+ <p>
+ Optional input
+ </p>
+ </td>
+<td>
+ <p>
+ [<span class="optional">Text is enclosed in square brackets</span>]
+ </p>
+ </td>
</tr>
</tbody>
</table></div>
+<p>
+ </p>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2569994"></a>The Domain Name System (<acronym class="acronym">DNS</acronym>)</h2></div></div></div>
-<p>The purpose of this document is to explain the installation
-and upkeep of the <acronym class="acronym">BIND</acronym> software package, and we
-begin by reviewing the fundamentals of the Domain Name System
-(<acronym class="acronym">DNS</acronym>) as they relate to <acronym class="acronym">BIND</acronym>.
-</p>
+<a name="id2564746"></a>The Domain Name System (<acronym class="acronym">DNS</acronym>)</h2></div></div></div>
+<p>
+ The purpose of this document is to explain the installation
+ and upkeep of the <acronym class="acronym">BIND</acronym> software
+ package, and we
+ begin by reviewing the fundamentals of the Domain Name System
+ (<acronym class="acronym">DNS</acronym>) as they relate to <acronym class="acronym">BIND</acronym>.
+ </p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2570014"></a>DNS Fundamentals</h3></div></div></div>
-<p>The Domain Name System (DNS) is the hierarchical, distributed
-database. It stores information for mapping Internet host names to IP
-addresses and vice versa, mail routing information, and other data
-used by Internet applications.</p>
-<p>Clients look up information in the DNS by calling a
-<span class="emphasis"><em>resolver</em></span> library, which sends queries to one or
-more <span class="emphasis"><em>name servers</em></span> and interprets the responses.
-The <acronym class="acronym">BIND</acronym> 9 software distribution contains a
-name server, <span><strong class="command">named</strong></span>, and two resolver
-libraries, <span><strong class="command">liblwres</strong></span> and <span><strong class="command">libbind</strong></span>.
-</p>
+<a name="id2564768"></a>DNS Fundamentals</h3></div></div></div>
+<p>
+ The Domain Name System (DNS) is a hierarchical, distributed
+ database. It stores information for mapping Internet host names to
+ IP
+ addresses and vice versa, mail routing information, and other data
+ used by Internet applications.
+ </p>
+<p>
+ Clients look up information in the DNS by calling a
+ <span class="emphasis"><em>resolver</em></span> library, which sends queries to one or
+ more <span class="emphasis"><em>name servers</em></span> and interprets the responses.
+ The <acronym class="acronym">BIND</acronym> 9 software distribution
+ contains a
+ name server, <span><strong class="command">named</strong></span>, and two resolver
+ libraries, <span><strong class="command">liblwres</strong></span> and <span><strong class="command">libbind</strong></span>.
+ </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2570323"></a>Domains and Domain Names</h3></div></div></div>
-<p>The data stored in the DNS is identified by <span class="emphasis"><em>domain
-names</em></span> that are organized as a tree according to
-organizational or administrative boundaries. Each node of the tree,
-called a <span class="emphasis"><em>domain</em></span>, is given a label. The domain name of the
-node is the concatenation of all the labels on the path from the
-node to the <span class="emphasis"><em>root</em></span> node. This is represented
-in written form as a string of labels listed from right to left and
-separated by dots. A label need only be unique within its parent
-domain.</p>
-<p>For example, a domain name for a host at the
-company <span class="emphasis"><em>Example, Inc.</em></span> could be
-<code class="literal">mail.example.com</code>,
-where <code class="literal">com</code> is the
-top level domain to which
-<code class="literal">ourhost.example.com</code> belongs,
-<code class="literal">example</code> is
-a subdomain of <code class="literal">com</code>, and
-<code class="literal">ourhost</code> is the
-name of the host.</p>
-<p>For administrative purposes, the name space is partitioned into
-areas called <span class="emphasis"><em>zones</em></span>, each starting at a node and
-extending down to the leaf nodes or to nodes where other zones start.
-The data for each zone is stored in a <span class="emphasis"><em>name
-server</em></span>, which answers queries about the zone using the
-<span class="emphasis"><em>DNS protocol</em></span>.
-</p>
-<p>The data associated with each domain name is stored in the
-form of <span class="emphasis"><em>resource records</em></span> (<acronym class="acronym">RR</acronym>s).
-Some of the supported resource record types are described in
-<a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them" title="Types of Resource Records and When to Use Them">the section called &#8220;Types of Resource Records and When to Use Them&#8221;</a>.</p>
-<p>For more detailed information about the design of the DNS and
-the DNS protocol, please refer to the standards documents listed in
-<a href="Bv9ARM.ch09.html#rfcs" title="Request for Comments (RFCs)">the section called &#8220;Request for Comments (RFCs)&#8221;</a>.</p>
+<a name="id2564802"></a>Domains and Domain Names</h3></div></div></div>
+<p>
+ The data stored in the DNS is identified by <span class="emphasis"><em>domain names</em></span> that are organized as a tree according to
+ organizational or administrative boundaries. Each node of the tree,
+ called a <span class="emphasis"><em>domain</em></span>, is given a label. The domain
+ name of the
+ node is the concatenation of all the labels on the path from the
+ node to the <span class="emphasis"><em>root</em></span> node. This is represented
+ in written form as a string of labels listed from right to left and
+ separated by dots. A label need only be unique within its parent
+ domain.
+ </p>
+<p>
+ For example, a domain name for a host at the
+ company <span class="emphasis"><em>Example, Inc.</em></span> could be
+ <code class="literal">ourhost.example.com</code>,
+ where <code class="literal">com</code> is the
+ top level domain to which
+ <code class="literal">ourhost.example.com</code> belongs,
+ <code class="literal">example</code> is
+ a subdomain of <code class="literal">com</code>, and
+ <code class="literal">ourhost</code> is the
+ name of the host.
+ </p>
+<p>
+ For administrative purposes, the name space is partitioned into
+ areas called <span class="emphasis"><em>zones</em></span>, each starting at a node and
+ extending down to the leaf nodes or to nodes where other zones
+ start.
+ The data for each zone is stored in a <span class="emphasis"><em>name server</em></span>, which answers queries about the zone using the
+ <span class="emphasis"><em>DNS protocol</em></span>.
+ </p>
+<p>
+ The data associated with each domain name is stored in the
+ form of <span class="emphasis"><em>resource records</em></span> (<acronym class="acronym">RR</acronym>s).
+ Some of the supported resource record types are described in
+ <a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them" title="Types of Resource Records and When to Use Them">the section called &#8220;Types of Resource Records and When to Use Them&#8221;</a>.
+ </p>
+<p>
+ For more detailed information about the design of the DNS and
+ the DNS protocol, please refer to the standards documents listed in
+ <a href="Bv9ARM.ch09.html#rfcs" title="Request for Comments (RFCs)">the section called &#8220;Request for Comments (RFCs)&#8221;</a>.
+ </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2570407"></a>Zones</h3></div></div></div>
-<p>To properly operate a name server, it is important to understand
-the difference between a <span class="emphasis"><em>zone</em></span>
-and a <span class="emphasis"><em>domain</em></span>.</p>
-<p>As we stated previously, a zone is a point of delegation in
-the <acronym class="acronym">DNS</acronym> tree. A zone consists of
-those contiguous parts of the domain
-tree for which a name server has complete information and over which
-it has authority. It contains all domain names from a certain point
-downward in the domain tree except those which are delegated to
-other zones. A delegation point is marked by one or more
-<span class="emphasis"><em>NS records</em></span> in the
-parent zone, which should be matched by equivalent NS records at
-the root of the delegated zone.</p>
-<p>For instance, consider the <code class="literal">example.com</code>
-domain which includes names
-such as <code class="literal">host.aaa.example.com</code> and
-<code class="literal">host.bbb.example.com</code> even though
-the <code class="literal">example.com</code> zone includes
-only delegations for the <code class="literal">aaa.example.com</code> and
-<code class="literal">bbb.example.com</code> zones. A zone can map
-exactly to a single domain, but could also include only part of a
-domain, the rest of which could be delegated to other
-name servers. Every name in the <acronym class="acronym">DNS</acronym> tree is a
-<span class="emphasis"><em>domain</em></span>, even if it is
-<span class="emphasis"><em>terminal</em></span>, that is, has no
-<span class="emphasis"><em>subdomains</em></span>. Every subdomain is a domain and
-every domain except the root is also a subdomain. The terminology is
-not intuitive and we suggest that you read RFCs 1033, 1034 and 1035 to
-gain a complete understanding of this difficult and subtle
-topic.</p>
-<p>Though <acronym class="acronym">BIND</acronym> is called a "domain name server",
-it deals primarily in terms of zones. The master and slave
-declarations in the <code class="filename">named.conf</code> file specify
-zones, not domains. When you ask some other site if it is willing to
-be a slave server for your <span class="emphasis"><em>domain</em></span>, you are
-actually asking for slave service for some collection of zones.</p>
+<a name="id2564886"></a>Zones</h3></div></div></div>
+<p>
+ To properly operate a name server, it is important to understand
+ the difference between a <span class="emphasis"><em>zone</em></span>
+ and a <span class="emphasis"><em>domain</em></span>.
+ </p>
+<p>
+ As stated previously, a zone is a point of delegation in
+ the <acronym class="acronym">DNS</acronym> tree. A zone consists of
+ those contiguous parts of the domain
+ tree for which a name server has complete information and over which
+ it has authority. It contains all domain names from a certain point
+ downward in the domain tree except those which are delegated to
+ other zones. A delegation point is marked by one or more
+ <span class="emphasis"><em>NS records</em></span> in the
+ parent zone, which should be matched by equivalent NS records at
+ the root of the delegated zone.
+ </p>
+<p>
+ For instance, consider the <code class="literal">example.com</code>
+ domain which includes names
+ such as <code class="literal">host.aaa.example.com</code> and
+ <code class="literal">host.bbb.example.com</code> even though
+ the <code class="literal">example.com</code> zone includes
+ only delegations for the <code class="literal">aaa.example.com</code> and
+ <code class="literal">bbb.example.com</code> zones. A zone can
+ map
+ exactly to a single domain, but could also include only part of a
+ domain, the rest of which could be delegated to other
+ name servers. Every name in the <acronym class="acronym">DNS</acronym>
+ tree is a
+ <span class="emphasis"><em>domain</em></span>, even if it is
+ <span class="emphasis"><em>terminal</em></span>, that is, has no
+ <span class="emphasis"><em>subdomains</em></span>. Every subdomain is a domain and
+ every domain except the root is also a subdomain. The terminology is
+ not intuitive and we suggest that you read RFCs 1033, 1034 and 1035
+ to
+ gain a complete understanding of this difficult and subtle
+ topic.
+ </p>
+<p>
+ Though <acronym class="acronym">BIND</acronym> is called a "domain name
+ server",
+ it deals primarily in terms of zones. The master and slave
+ declarations in the <code class="filename">named.conf</code> file
+ specify
+ zones, not domains. When you ask some other site if it is willing to
+ be a slave server for your <span class="emphasis"><em>domain</em></span>, you are
+ actually asking for slave service for some collection of zones.
+ </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2570550"></a>Authoritative Name Servers</h3></div></div></div>
-<p>Each zone is served by at least
-one <span class="emphasis"><em>authoritative name server</em></span>,
-which contains the complete data for the zone.
-To make the DNS tolerant of server and network failures,
-most zones have two or more authoritative servers.
-</p>
-<p>Responses from authoritative servers have the "authoritative
-answer" (AA) bit set in the response packets. This makes them
-easy to identify when debugging DNS configurations using tools like
-<span><strong class="command">dig</strong></span> (<a href="Bv9ARM.ch03.html#diagnostic_tools" title="Diagnostic Tools">the section called &#8220;Diagnostic Tools&#8221;</a>).</p>
+<a name="id2567284"></a>Authoritative Name Servers</h3></div></div></div>
+<p>
+ Each zone is served by at least
+ one <span class="emphasis"><em>authoritative name server</em></span>,
+ which contains the complete data for the zone.
+ To make the DNS tolerant of server and network failures,
+ most zones have two or more authoritative servers, on
+ different networks.
+ </p>
+<p>
+ Responses from authoritative servers have the "authoritative
+ answer" (AA) bit set in the response packets. This makes them
+ easy to identify when debugging DNS configurations using tools like
+ <span><strong class="command">dig</strong></span> (<a href="Bv9ARM.ch03.html#diagnostic_tools" title="Diagnostic Tools">the section called &#8220;Diagnostic Tools&#8221;</a>).
+ </p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2570572"></a>The Primary Master</h4></div></div></div>
-<p>
-The authoritative server where the master copy of the zone data is maintained is
-called the <span class="emphasis"><em>primary master</em></span> server, or simply the
-<span class="emphasis"><em>primary</em></span>. It loads the zone contents from some
-local file edited by humans or perhaps generated mechanically from
-some other local file which is edited by humans. This file is called
-the <span class="emphasis"><em>zone file</em></span> or <span class="emphasis"><em>master file</em></span>.</p>
+<a name="id2567307"></a>The Primary Master</h4></div></div></div>
+<p>
+ The authoritative server where the master copy of the zone
+ data is maintained is called the
+ <span class="emphasis"><em>primary master</em></span> server, or simply the
+ <span class="emphasis"><em>primary</em></span>. Typically it loads the zone
+ contents from some local file edited by humans or perhaps
+ generated mechanically from some other local file which is
+ edited by humans. This file is called the
+ <span class="emphasis"><em>zone file</em></span> or
+ <span class="emphasis"><em>master file</em></span>.
+ </p>
+<p>
+ In some cases, however, the master file may not be edited
+ by humans at all, but may instead be the result of
+ <span class="emphasis"><em>dynamic update</em></span> operations.
+ </p>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2570594"></a>Slave Servers</h4></div></div></div>
-<p>The other authoritative servers, the <span class="emphasis"><em>slave</em></span>
-servers (also known as <span class="emphasis"><em>secondary</em></span> servers) load
-the zone contents from another server using a replication process
-known as a <span class="emphasis"><em>zone transfer</em></span>. Typically the data are
-transferred directly from the primary master, but it is also possible
-to transfer it from another slave. In other words, a slave server
-may itself act as a master to a subordinate slave server.</p>
+<a name="id2567337"></a>Slave Servers</h4></div></div></div>
+<p>
+ The other authoritative servers, the <span class="emphasis"><em>slave</em></span>
+ servers (also known as <span class="emphasis"><em>secondary</em></span> servers)
+ load
+ the zone contents from another server using a replication process
+ known as a <span class="emphasis"><em>zone transfer</em></span>. Typically the data
+ are
+ transferred directly from the primary master, but it is also
+ possible
+ to transfer it from another slave. In other words, a slave server
+ may itself act as a master to a subordinate slave server.
+ </p>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2570613"></a>Stealth Servers</h4></div></div></div>
-<p>Usually all of the zone's authoritative servers are listed in
-NS records in the parent zone. These NS records constitute
-a <span class="emphasis"><em>delegation</em></span> of the zone from the parent.
-The authoritative servers are also listed in the zone file itself,
-at the <span class="emphasis"><em>top level</em></span> or <span class="emphasis"><em>apex</em></span>
-of the zone. You can list servers in the zone's top-level NS
-records that are not in the parent's NS delegation, but you cannot
-list servers in the parent's delegation that are not present at
-the zone's top level.</p>
-<p>A <span class="emphasis"><em>stealth server</em></span> is a server that is
-authoritative for a zone but is not listed in that zone's NS
-records. Stealth servers can be used for keeping a local copy of a
-zone to speed up access to the zone's records or to make sure that the
-zone is available even if all the "official" servers for the zone are
-inaccessible.</p>
-<p>A configuration where the primary master server itself is a
-stealth server is often referred to as a "hidden primary"
-configuration. One use for this configuration is when the primary master
-is behind a firewall and therefore unable to communicate directly
-with the outside world.</p>
+<a name="id2567358"></a>Stealth Servers</h4></div></div></div>
+<p>
+ Usually all of the zone's authoritative servers are listed in
+ NS records in the parent zone. These NS records constitute
+ a <span class="emphasis"><em>delegation</em></span> of the zone from the parent.
+ The authoritative servers are also listed in the zone file itself,
+ at the <span class="emphasis"><em>top level</em></span> or <span class="emphasis"><em>apex</em></span>
+ of the zone. You can list servers in the zone's top-level NS
+ records that are not in the parent's NS delegation, but you cannot
+ list servers in the parent's delegation that are not present at
+ the zone's top level.
+ </p>
+<p>
+ A <span class="emphasis"><em>stealth server</em></span> is a server that is
+ authoritative for a zone but is not listed in that zone's NS
+ records. Stealth servers can be used for keeping a local copy of
+ a
+ zone to speed up access to the zone's records or to make sure that
+ the
+ zone is available even if all the "official" servers for the zone
+ are
+ inaccessible.
+ </p>
+<p>
+ A configuration where the primary master server itself is a
+ stealth server is often referred to as a "hidden primary"
+ configuration. One use for this configuration is when the primary
+ master
+ is behind a firewall and therefore unable to communicate directly
+ with the outside world.
+ </p>
</div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2570642"></a>Caching Name Servers</h3></div></div></div>
-<p>The resolver libraries provided by most operating systems are
-<span class="emphasis"><em>stub resolvers</em></span>, meaning that they are not capable of
-performing the full DNS resolution process by themselves by talking
-directly to the authoritative servers. Instead, they rely on a local
-name server to perform the resolution on their behalf. Such a server
-is called a <span class="emphasis"><em>recursive</em></span> name server; it performs
-<span class="emphasis"><em>recursive lookups</em></span> for local clients.</p>
-<p>To improve performance, recursive servers cache the results of
-the lookups they perform. Since the processes of recursion and
-caching are intimately connected, the terms
-<span class="emphasis"><em>recursive server</em></span> and
-<span class="emphasis"><em>caching server</em></span> are often used synonymously.</p>
-<p>The length of time for which a record may be retained in
-the cache of a caching name server is controlled by the
-Time To Live (TTL) field associated with each resource record.
-</p>
+<a name="id2567525"></a>Caching Name Servers</h3></div></div></div>
+<p>
+ The resolver libraries provided by most operating systems are
+ <span class="emphasis"><em>stub resolvers</em></span>, meaning that they are not
+ capable of
+ performing the full DNS resolution process by themselves by talking
+ directly to the authoritative servers. Instead, they rely on a
+ local
+ name server to perform the resolution on their behalf. Such a
+ server
+ is called a <span class="emphasis"><em>recursive</em></span> name server; it performs
+ <span class="emphasis"><em>recursive lookups</em></span> for local clients.
+ </p>
+<p>
+ To improve performance, recursive servers cache the results of
+ the lookups they perform. Since the processes of recursion and
+ caching are intimately connected, the terms
+ <span class="emphasis"><em>recursive server</em></span> and
+ <span class="emphasis"><em>caching server</em></span> are often used synonymously.
+ </p>
+<p>
+ The length of time for which a record may be retained in
+ the cache of a caching name server is controlled by the
+ Time To Live (TTL) field associated with each resource record.
+ </p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2570674"></a>Forwarding</h4></div></div></div>
-<p>Even a caching name server does not necessarily perform
-the complete recursive lookup itself. Instead, it can
-<span class="emphasis"><em>forward</em></span> some or all of the queries
-that it cannot satisfy from its cache to another caching name server,
-commonly referred to as a <span class="emphasis"><em>forwarder</em></span>.
-</p>
-<p>There may be one or more forwarders,
-and they are queried in turn until the list is exhausted or an answer
-is found. Forwarders are typically used when you do not
-wish all the servers at a given site to interact directly with the rest of
-the Internet servers. A typical scenario would involve a number
-of internal <acronym class="acronym">DNS</acronym> servers and an Internet firewall. Servers unable
-to pass packets through the firewall would forward to the server
-that can do it, and that server would query the Internet <acronym class="acronym">DNS</acronym> servers
-on the internal server's behalf. An added benefit of using the forwarding
-feature is that the central machine develops a much more complete
-cache of information that all the clients can take advantage
-of.</p>
+<a name="id2567560"></a>Forwarding</h4></div></div></div>
+<p>
+ Even a caching name server does not necessarily perform
+ the complete recursive lookup itself. Instead, it can
+ <span class="emphasis"><em>forward</em></span> some or all of the queries
+ that it cannot satisfy from its cache to another caching name
+ server,
+ commonly referred to as a <span class="emphasis"><em>forwarder</em></span>.
+ </p>
+<p>
+ There may be one or more forwarders,
+ and they are queried in turn until the list is exhausted or an
+ answer
+ is found. Forwarders are typically used when you do not
+ wish all the servers at a given site to interact directly with the
+ rest of
+ the Internet servers. A typical scenario would involve a number
+ of internal <acronym class="acronym">DNS</acronym> servers and an
+ Internet firewall. Servers unable
+ to pass packets through the firewall would forward to the server
+ that can do it, and that server would query the Internet <acronym class="acronym">DNS</acronym> servers
+ on the internal server's behalf.
+ </p>
</div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2570699"></a>Name Servers in Multiple Roles</h3></div></div></div>
-<p>The <acronym class="acronym">BIND</acronym> name server can simultaneously act as
-a master for some zones, a slave for other zones, and as a caching
-(recursive) server for a set of local clients.</p>
-<p>However, since the functions of authoritative name service
-and caching/recursive name service are logically separate, it is
-often advantageous to run them on separate server machines.
+<a name="id2567587"></a>Name Servers in Multiple Roles</h3></div></div></div>
+<p>
+ The <acronym class="acronym">BIND</acronym> name server can
+ simultaneously act as
+ a master for some zones, a slave for other zones, and as a caching
+ (recursive) server for a set of local clients.
+ </p>
+<p>
+ However, since the functions of authoritative name service
+ and caching/recursive name service are logically separate, it is
+ often advantageous to run them on separate server machines.
-A server that only provides authoritative name service
-(an <span class="emphasis"><em>authoritative-only</em></span> server) can run with
-recursion disabled, improving reliability and security.
+ A server that only provides authoritative name service
+ (an <span class="emphasis"><em>authoritative-only</em></span> server) can run with
+ recursion disabled, improving reliability and security.
-A server that is not authoritative for any zones and only provides
-recursive service to local
-clients (a <span class="emphasis"><em>caching-only</em></span> server)
-does not need to be reachable from the Internet at large and can
-be placed inside a firewall.</p>
+ A server that is not authoritative for any zones and only provides
+ recursive service to local
+ clients (a <span class="emphasis"><em>caching-only</em></span> server)
+ does not need to be reachable from the Internet at large and can
+ be placed inside a firewall.
+ </p>
</div>
</div>
</div>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch02.html b/contrib/bind9/doc/arm/Bv9ARM.ch02.html
index d1e3445..6098540 100644
--- a/contrib/bind9/doc/arm/Bv9ARM.ch02.html
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch02.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
@@ -14,15 +14,15 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch02.html,v 1.10.2.1.8.12 2006/06/29 13:02:31 marka Exp $ -->
+<!-- $Id: Bv9ARM.ch02.html,v 1.13.18.18 2007/01/30 00:23:45 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter 2. BIND Resource Requirements</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch01.html" title="Chapter 1. Introduction ">
+<link rel="prev" href="Bv9ARM.ch01.html" title="Chapter 1. Introduction">
<link rel="next" href="Bv9ARM.ch03.html" title="Chapter 3. Name Server Configuration">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
@@ -45,68 +45,96 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2570868">Hardware requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2570892">CPU Requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2570903">Memory Requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2570918">Name Server Intensive Environment Issues</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2570995">Supported Operating Systems</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567621">Hardware requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567648">CPU Requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567660">Memory Requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567687">Name Server Intensive Environment Issues</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567698">Supported Operating Systems</a></span></dt>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2570868"></a>Hardware requirements</h2></div></div></div>
-<p><acronym class="acronym">DNS</acronym> hardware requirements have traditionally been quite modest.
-For many installations, servers that have been pensioned off from
-active duty have performed admirably as <acronym class="acronym">DNS</acronym> servers.</p>
-<p>The DNSSEC and IPv6 features of <acronym class="acronym">BIND</acronym> 9 may prove to be quite
-CPU intensive however, so organizations that make heavy use of these
-features may wish to consider larger systems for these applications.
-<acronym class="acronym">BIND</acronym> 9 is fully multithreaded, allowing full utilization of
-multiprocessor systems for installations that need it.</p>
+<a name="id2567621"></a>Hardware requirements</h2></div></div></div>
+<p>
+ <acronym class="acronym">DNS</acronym> hardware requirements have
+ traditionally been quite modest.
+ For many installations, servers that have been pensioned off from
+ active duty have performed admirably as <acronym class="acronym">DNS</acronym> servers.
+ </p>
+<p>
+ The DNSSEC features of <acronym class="acronym">BIND</acronym> 9
+ may prove to be quite
+ CPU intensive however, so organizations that make heavy use of these
+ features may wish to consider larger systems for these applications.
+ <acronym class="acronym">BIND</acronym> 9 is fully multithreaded, allowing
+ full utilization of
+ multiprocessor systems for installations that need it.
+ </p>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2570892"></a>CPU Requirements</h2></div></div></div>
-<p>CPU requirements for <acronym class="acronym">BIND</acronym> 9 range from i486-class machines
-for serving of static zones without caching, to enterprise-class
-machines if you intend to process many dynamic updates and DNSSEC
-signed zones, serving many thousands of queries per second.</p>
+<a name="id2567648"></a>CPU Requirements</h2></div></div></div>
+<p>
+ CPU requirements for <acronym class="acronym">BIND</acronym> 9 range from
+ i486-class machines
+ for serving of static zones without caching, to enterprise-class
+ machines if you intend to process many dynamic updates and DNSSEC
+ signed zones, serving many thousands of queries per second.
+ </p>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2570903"></a>Memory Requirements</h2></div></div></div>
-<p>The memory of the server has to be large enough to fit the
-cache and zones loaded off disk. The <span><strong class="command">max-cache-size</strong></span>
-option can be used to limit the amount of memory used by the cache,
-at the expense of reducing cache hit rates and causing more <acronym class="acronym">DNS</acronym>
-traffic. It is still good practice to have enough memory to load
-all zone and cache data into memory &#8212; unfortunately, the best way
-to determine this for a given installation is to watch the name server
-in operation. After a few weeks the server process should reach
-a relatively stable size where entries are expiring from the cache as
-fast as they are being inserted.</p>
+<a name="id2567660"></a>Memory Requirements</h2></div></div></div>
+<p>
+ The memory of the server has to be large enough to fit the
+ cache and zones loaded off disk. The <span><strong class="command">max-cache-size</strong></span>
+ option can be used to limit the amount of memory used by the cache,
+ at the expense of reducing cache hit rates and causing more <acronym class="acronym">DNS</acronym>
+ traffic.
+ Additionally, if additional section caching
+ (<a href="Bv9ARM.ch06.html#acache" title="Additional Section Caching">the section called &#8220;Additional Section Caching&#8221;</a>) is enabled,
+ the <span><strong class="command">max-acache-size</strong></span> can be used to
+ limit the amount
+ of memory used by the mechanism.
+ It is still good practice to have enough memory to load
+ all zone and cache data into memory &#8212; unfortunately, the best
+ way
+ to determine this for a given installation is to watch the name server
+ in operation. After a few weeks the server process should reach
+ a relatively stable size where entries are expiring from the cache as
+ fast as they are being inserted.
+ </p>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2570918"></a>Name Server Intensive Environment Issues</h2></div></div></div>
-<p>For name server intensive environments, there are two alternative
-configurations that may be used. The first is where clients and
-any second-level internal name servers query a main name server, which
-has enough memory to build a large cache. This approach minimizes
-the bandwidth used by external name lookups. The second alternative
-is to set up second-level internal name servers to make queries independently.
-In this configuration, none of the individual machines needs to
-have as much memory or CPU power as in the first alternative, but
-this has the disadvantage of making many more external queries,
-as none of the name servers share their cached data.</p>
+<a name="id2567687"></a>Name Server Intensive Environment Issues</h2></div></div></div>
+<p>
+ For name server intensive environments, there are two alternative
+ configurations that may be used. The first is where clients and
+ any second-level internal name servers query a main name server, which
+ has enough memory to build a large cache. This approach minimizes
+ the bandwidth used by external name lookups. The second alternative
+ is to set up second-level internal name servers to make queries
+ independently.
+ In this configuration, none of the individual machines needs to
+ have as much memory or CPU power as in the first alternative, but
+ this has the disadvantage of making many more external queries,
+ as none of the name servers share their cached data.
+ </p>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2570995"></a>Supported Operating Systems</h2></div></div></div>
-<p>ISC <acronym class="acronym">BIND</acronym> 9 compiles and runs on a large number
-of Unix-like operating system and on Windows NT / 2000. For an up-to-date
-list of supported systems, see the README file in the top level directory
-of the BIND 9 source distribution.</p>
+<a name="id2567698"></a>Supported Operating Systems</h2></div></div></div>
+<p>
+ ISC <acronym class="acronym">BIND</acronym> 9 compiles and runs on a large
+ number
+ of Unix-like operating system and on NT-derived versions of
+ Microsoft Windows such as Windows 2000 and Windows XP. For an
+ up-to-date
+ list of supported systems, see the README file in the top level
+ directory
+ of the BIND 9 source distribution.
+ </p>
</div>
</div>
<div class="navfooter">
@@ -120,7 +148,7 @@ of the BIND 9 source distribution.</p>
</td>
</tr>
<tr>
-<td width="40%" align="left" valign="top">Chapter 1. Introduction  </td>
+<td width="40%" align="left" valign="top">Chapter 1. Introduction </td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top"> Chapter 3. Name Server Configuration</td>
</tr>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch03.html b/contrib/bind9/doc/arm/Bv9ARM.ch03.html
index 399c826..4c2f9f3 100644
--- a/contrib/bind9/doc/arm/Bv9ARM.ch03.html
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch03.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
@@ -14,12 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch03.html,v 1.26.2.5.4.17 2006/06/29 13:02:31 marka Exp $ -->
+<!-- $Id: Bv9ARM.ch03.html,v 1.35.18.26 2007/01/30 00:23:45 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter 3. Name Server Configuration</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch02.html" title="Chapter 2. BIND Resource Requirements">
@@ -47,31 +47,37 @@
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2571026">A Caching-only Name Server</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2571042">An Authoritative-only Name Server</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568003">A Caching-only Name Server</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568019">An Authoritative-only Name Server</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2571064">Load Balancing</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2571484">Name Server Operations</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568041">Load Balancing</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568465">Name Server Operations</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2571490">Tools for Use With the Name Server Daemon</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2572723">Signals</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568470">Tools for Use With the Name Server Daemon</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2569972">Signals</a></span></dt>
</dl></dd>
</dl>
</div>
-<p>In this section we provide some suggested configurations along
-with guidelines for their use. We also address the topic of reasonable
-option setting.</p>
+<p>
+ In this section we provide some suggested configurations along
+ with guidelines for their use. We suggest reasonable values for
+ certain option settings.
+ </p>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="sample_configuration"></a>Sample Configurations</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571026"></a>A Caching-only Name Server</h3></div></div></div>
-<p>The following sample configuration is appropriate for a caching-only
-name server for use by clients internal to a corporation. All queries
-from outside clients are refused using the <span><strong class="command">allow-query</strong></span>
-option. Alternatively, the same effect could be achieved using suitable
-firewall rules.</p>
+<a name="id2568003"></a>A Caching-only Name Server</h3></div></div></div>
+<p>
+ The following sample configuration is appropriate for a caching-only
+ name server for use by clients internal to a corporation. All
+ queries
+ from outside clients are refused using the <span><strong class="command">allow-query</strong></span>
+ option. Alternatively, the same effect could be achieved using
+ suitable
+ firewall rules.
+ </p>
<pre class="programlisting">
// Two corporate subnets we wish to allow queries from.
acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
@@ -89,13 +95,16 @@ zone "0.0.127.in-addr.arpa" {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571042"></a>An Authoritative-only Name Server</h3></div></div></div>
-<p>This sample configuration is for an authoritative-only server
-that is the master server for "<code class="filename">example.com</code>"
-and a slave for the subdomain "<code class="filename">eng.example.com</code>".</p>
+<a name="id2568019"></a>An Authoritative-only Name Server</h3></div></div></div>
+<p>
+ This sample configuration is for an authoritative-only server
+ that is the master server for "<code class="filename">example.com</code>"
+ and a slave for the subdomain "<code class="filename">eng.example.com</code>".
+ </p>
<pre class="programlisting">
options {
directory "/etc/namedb"; // Working directory
+ allow-query-cache { none; }; // Do not allow access to cache
allow-query { any; }; // This is the default
recursion no; // Do not provide recursive service
};
@@ -128,13 +137,18 @@ zone "eng.example.com" {
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2571064"></a>Load Balancing</h2></div></div></div>
-<p>A primitive form of load balancing can be achieved in
-the <acronym class="acronym">DNS</acronym> by using multiple A records for one name.</p>
-<p>For example, if you have three WWW servers with network addresses
-of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
-following means that clients will connect to each machine one third
-of the time:</p>
+<a name="id2568041"></a>Load Balancing</h2></div></div></div>
+<p>
+ A primitive form of load balancing can be achieved in
+ the <acronym class="acronym">DNS</acronym> by using multiple A records for
+ one name.
+ </p>
+<p>
+ For example, if you have three WWW servers with network addresses
+ of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
+ following means that clients will connect to each machine one third
+ of the time:
+ </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -145,296 +159,535 @@ of the time:</p>
</colgroup>
<tbody>
<tr>
-<td><p>Name</p></td>
-<td><p>TTL</p></td>
-<td><p>CLASS</p></td>
-<td><p>TYPE</p></td>
-<td><p>Resource Record (RR) Data</p></td>
+<td>
+ <p>
+ Name
+ </p>
+ </td>
+<td>
+ <p>
+ TTL
+ </p>
+ </td>
+<td>
+ <p>
+ CLASS
+ </p>
+ </td>
+<td>
+ <p>
+ TYPE
+ </p>
+ </td>
+<td>
+ <p>
+ Resource Record (RR) Data
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="literal">www</code></p></td>
-<td><p><code class="literal">600</code></p></td>
-<td><p><code class="literal">IN</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">10.0.0.1</code></p></td>
+<td>
+ <p>
+ <code class="literal">www</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">600</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">IN</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">A</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">10.0.0.1</code>
+ </p>
+ </td>
</tr>
<tr>
-<td><p></p></td>
-<td><p><code class="literal">600</code></p></td>
-<td><p><code class="literal">IN</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">10.0.0.2</code></p></td>
+<td>
+ <p></p>
+ </td>
+<td>
+ <p>
+ <code class="literal">600</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">IN</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">A</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">10.0.0.2</code>
+ </p>
+ </td>
</tr>
<tr>
-<td><p></p></td>
-<td><p><code class="literal">600</code></p></td>
-<td><p><code class="literal">IN</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">10.0.0.3</code></p></td>
+<td>
+ <p></p>
+ </td>
+<td>
+ <p>
+ <code class="literal">600</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">IN</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">A</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">10.0.0.3</code>
+ </p>
+ </td>
</tr>
</tbody>
</table></div>
-<p>When a resolver queries for these records, <acronym class="acronym">BIND</acronym> will rotate
- them and respond to the query with the records in a different
- order. In the example above, clients will randomly receive
- records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
- will use the first record returned and discard the rest.</p>
-<p>For more detail on ordering responses, check the
- <span><strong class="command">rrset-order</strong></span> substatement in the
- <span><strong class="command">options</strong></span> statement, see
- <a href="Bv9ARM.ch06.html#rrset_ordering">RRset Ordering</a>.
- This substatement is not supported in
- <acronym class="acronym">BIND</acronym> 9, and only the ordering scheme described above is
- available.</p>
+<p>
+ When a resolver queries for these records, <acronym class="acronym">BIND</acronym> will rotate
+ them and respond to the query with the records in a different
+ order. In the example above, clients will randomly receive
+ records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
+ will use the first record returned and discard the rest.
+ </p>
+<p>
+ For more detail on ordering responses, check the
+ <span><strong class="command">rrset-order</strong></span> substatement in the
+ <span><strong class="command">options</strong></span> statement, see
+ <a href="Bv9ARM.ch06.html#rrset_ordering">RRset Ordering</a>.
+ </p>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2571484"></a>Name Server Operations</h2></div></div></div>
+<a name="id2568465"></a>Name Server Operations</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571490"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
-<p>There are several indispensable diagnostic, administrative
-and monitoring tools available to the system administrator for controlling
-and debugging the name server daemon. We describe several in this
-section </p>
+<a name="id2568470"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
+<p>
+ This section describes several indispensable diagnostic,
+ administrative and monitoring tools available to the system
+ administrator for controlling and debugging the name server
+ daemon.
+ </p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="diagnostic_tools"></a>Diagnostic Tools</h4></div></div></div>
-<p>The <span><strong class="command">dig</strong></span>, <span><strong class="command">host</strong></span>, and
-<span><strong class="command">nslookup</strong></span> programs are all command line tools
-for manually querying name servers. They differ in style and
-output format.
-</p>
+<p>
+ The <span><strong class="command">dig</strong></span>, <span><strong class="command">host</strong></span>, and
+ <span><strong class="command">nslookup</strong></span> programs are all command
+ line tools
+ for manually querying name servers. They differ in style and
+ output format.
+ </p>
<div class="variablelist"><dl>
<dt><span class="term"><a name="dig"></a><span><strong class="command">dig</strong></span></span></dt>
<dd>
-<p>The domain information groper (<span><strong class="command">dig</strong></span>)
-is the most versatile and complete of these lookup tools.
-It has two modes: simple interactive
-mode for a single query, and batch mode which executes a query for
-each in a list of several query lines. All query options are accessible
-from the command line.</p>
+<p>
+ The domain information groper (<span><strong class="command">dig</strong></span>)
+ is the most versatile and complete of these lookup tools.
+ It has two modes: simple interactive
+ mode for a single query, and batch mode which executes a
+ query for
+ each in a list of several query lines. All query options are
+ accessible
+ from the command line.
+ </p>
<div class="cmdsynopsis"><p><code class="command">dig</code> [@<em class="replaceable"><code>server</code></em>] <em class="replaceable"><code>domain</code></em> [<em class="replaceable"><code>query-type</code></em>] [<em class="replaceable"><code>query-class</code></em>] [+<em class="replaceable"><code>query-option</code></em>] [-<em class="replaceable"><code>dig-option</code></em>] [%<em class="replaceable"><code>comment</code></em>]</p></div>
-<p>The usual simple use of dig will take the form</p>
-<p><span><strong class="command">dig @server domain query-type query-class</strong></span></p>
-<p>For more information and a list of available commands and
-options, see the <span><strong class="command">dig</strong></span> man page.</p>
+<p>
+ The usual simple use of dig will take the form
+ </p>
+<p>
+ <span><strong class="command">dig @server domain query-type query-class</strong></span>
+ </p>
+<p>
+ For more information and a list of available commands and
+ options, see the <span><strong class="command">dig</strong></span> man
+ page.
+ </p>
</dd>
<dt><span class="term"><span><strong class="command">host</strong></span></span></dt>
<dd>
-<p>The <span><strong class="command">host</strong></span> utility emphasizes simplicity
-and ease of use. By default, it converts
-between host names and Internet addresses, but its functionality
-can be extended with the use of options.</p>
+<p>
+ The <span><strong class="command">host</strong></span> utility emphasizes
+ simplicity
+ and ease of use. By default, it converts
+ between host names and Internet addresses, but its
+ functionality
+ can be extended with the use of options.
+ </p>
<div class="cmdsynopsis"><p><code class="command">host</code> [-aCdlrTwv] [-c <em class="replaceable"><code>class</code></em>] [-N <em class="replaceable"><code>ndots</code></em>] [-t <em class="replaceable"><code>type</code></em>] [-W <em class="replaceable"><code>timeout</code></em>] [-R <em class="replaceable"><code>retries</code></em>] <em class="replaceable"><code>hostname</code></em> [<em class="replaceable"><code>server</code></em>]</p></div>
-<p>For more information and a list of available commands and
-options, see the <span><strong class="command">host</strong></span> man page.</p>
+<p>
+ For more information and a list of available commands and
+ options, see the <span><strong class="command">host</strong></span> man
+ page.
+ </p>
</dd>
<dt><span class="term"><span><strong class="command">nslookup</strong></span></span></dt>
<dd>
-<p><span><strong class="command">nslookup</strong></span> has two modes: interactive
-and non-interactive. Interactive mode allows the user to query name servers
-for information about various hosts and domains or to print a list
-of hosts in a domain. Non-interactive mode is used to print just
-the name and requested information for a host or domain.</p>
+<p><span><strong class="command">nslookup</strong></span>
+ has two modes: interactive and
+ non-interactive. Interactive mode allows the user to
+ query name servers for information about various
+ hosts and domains or to print a list of hosts in a
+ domain. Non-interactive mode is used to print just
+ the name and requested information for a host or
+ domain.
+ </p>
<div class="cmdsynopsis"><p><code class="command">nslookup</code> [-option...] [[<em class="replaceable"><code>host-to-find</code></em>] | [- [server]]]</p></div>
-<p>Interactive mode is entered when no arguments are given (the
-default name server will be used) or when the first argument is a
-hyphen (`-') and the second argument is the host name or Internet address
-of a name server.</p>
-<p>Non-interactive mode is used when the name or Internet address
-of the host to be looked up is given as the first argument. The
-optional second argument specifies the host name or address of a name server.</p>
-<p>Due to its arcane user interface and frequently inconsistent
-behavior, we do not recommend the use of <span><strong class="command">nslookup</strong></span>.
-Use <span><strong class="command">dig</strong></span> instead.</p>
+<p>
+ Interactive mode is entered when no arguments are given (the
+ default name server will be used) or when the first argument
+ is a
+ hyphen (`-') and the second argument is the host name or
+ Internet address
+ of a name server.
+ </p>
+<p>
+ Non-interactive mode is used when the name or Internet
+ address
+ of the host to be looked up is given as the first argument.
+ The
+ optional second argument specifies the host name or address
+ of a name server.
+ </p>
+<p>
+ Due to its arcane user interface and frequently inconsistent
+ behavior, we do not recommend the use of <span><strong class="command">nslookup</strong></span>.
+ Use <span><strong class="command">dig</strong></span> instead.
+ </p>
</dd>
</dl></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="admin_tools"></a>Administrative Tools</h4></div></div></div>
-<p>Administrative tools play an integral part in the management
-of a server.</p>
+<p>
+ Administrative tools play an integral part in the management
+ of a server.
+ </p>
<div class="variablelist"><dl>
<dt>
<a name="named-checkconf"></a><span class="term"><span><strong class="command">named-checkconf</strong></span></span>
</dt>
<dd>
-<p>The <span><strong class="command">named-checkconf</strong></span> program
- checks the syntax of a <code class="filename">named.conf</code> file.</p>
+<p>
+ The <span><strong class="command">named-checkconf</strong></span> program
+ checks the syntax of a <code class="filename">named.conf</code> file.
+ </p>
<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [-jvz] [-t <em class="replaceable"><code>directory</code></em>] [<em class="replaceable"><code>filename</code></em>]</p></div>
</dd>
<dt>
<a name="named-checkzone"></a><span class="term"><span><strong class="command">named-checkzone</strong></span></span>
</dt>
<dd>
-<p>The <span><strong class="command">named-checkzone</strong></span> program checks a master file for
- syntax and consistency.</p>
-<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [-djqvD] [-c <em class="replaceable"><code>class</code></em>] [-o <em class="replaceable"><code>output</code></em>] [-t <em class="replaceable"><code>directory</code></em>] [-w <em class="replaceable"><code>directory</code></em>] [-k <em class="replaceable"><code>(ignore|warn|fail)</code></em>] [-n <em class="replaceable"><code>(ignore|warn|fail)</code></em>] <em class="replaceable"><code>zone</code></em> [<em class="replaceable"><code>filename</code></em>]</p></div>
+<p>
+ The <span><strong class="command">named-checkzone</strong></span> program
+ checks a master file for
+ syntax and consistency.
+ </p>
+<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [-djqvD] [-c <em class="replaceable"><code>class</code></em>] [-o <em class="replaceable"><code>output</code></em>] [-t <em class="replaceable"><code>directory</code></em>] [-w <em class="replaceable"><code>directory</code></em>] [-k <em class="replaceable"><code>(ignore|warn|fail)</code></em>] [-n <em class="replaceable"><code>(ignore|warn|fail)</code></em>] [-W <em class="replaceable"><code>(ignore|warn)</code></em>] <em class="replaceable"><code>zone</code></em> [<em class="replaceable"><code>filename</code></em>]</p></div>
</dd>
<dt>
+<a name="named-compilezone"></a><span class="term"><span><strong class="command">named-compilezone</strong></span></span>
+</dt>
+<dd><p>
+ Similar to <span><strong class="command">named-checkzone,</strong></span> but
+ it always dumps the zone content to a specified file
+ (typically in a different format).
+ </p></dd>
+<dt>
<a name="rndc"></a><span class="term"><span><strong class="command">rndc</strong></span></span>
</dt>
<dd>
-<p>The remote name daemon control
- (<span><strong class="command">rndc</strong></span>) program allows the system
- administrator to control the operation of a name server.
- If you run <span><strong class="command">rndc</strong></span> without any options
- it will display a usage message as follows:</p>
+<p>
+ The remote name daemon control
+ (<span><strong class="command">rndc</strong></span>) program allows the
+ system
+ administrator to control the operation of a name server.
+ If you run <span><strong class="command">rndc</strong></span> without any
+ options
+ it will display a usage message as follows:
+ </p>
<div class="cmdsynopsis"><p><code class="command">rndc</code> [-c <em class="replaceable"><code>config</code></em>] [-s <em class="replaceable"><code>server</code></em>] [-p <em class="replaceable"><code>port</code></em>] [-y <em class="replaceable"><code>key</code></em>] <em class="replaceable"><code>command</code></em> [<em class="replaceable"><code>command</code></em>...]</p></div>
-<p>The <span><strong class="command">command</strong></span> is one of the following:</p>
+<p>The <span><strong class="command">command</strong></span>
+ is one of the following:
+ </p>
<div class="variablelist"><dl>
<dt><span class="term"><strong class="userinput"><code>reload</code></strong></span></dt>
-<dd><p>Reload configuration file and zones.</p></dd>
+<dd><p>
+ Reload configuration file and zones.
+ </p></dd>
<dt><span class="term"><strong class="userinput"><code>reload <em class="replaceable"><code>zone</code></em>
- [<span class="optional"><em class="replaceable"><code>class</code></em>
+ [<span class="optional"><em class="replaceable"><code>class</code></em>
[<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
-<dd><p>Reload the given zone.</p></dd>
+<dd><p>
+ Reload the given zone.
+ </p></dd>
<dt><span class="term"><strong class="userinput"><code>refresh <em class="replaceable"><code>zone</code></em>
- [<span class="optional"><em class="replaceable"><code>class</code></em>
+ [<span class="optional"><em class="replaceable"><code>class</code></em>
[<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
-<dd><p>Schedule zone maintenance for the given zone.</p></dd>
+<dd><p>
+ Schedule zone maintenance for the given zone.
+ </p></dd>
<dt><span class="term"><strong class="userinput"><code>retransfer <em class="replaceable"><code>zone</code></em>
- [<span class="optional"><em class="replaceable"><code>class</code></em>
+
+ [<span class="optional"><em class="replaceable"><code>class</code></em>
[<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
-<dd><p>Retransfer the given zone from the master.</p></dd>
-<dt><span class="term"><strong class="userinput"><code>freeze [<span class="optional"><em class="replaceable"><code>zone</code></em>
+<dd><p>
+ Retransfer the given zone from the master.
+ </p></dd>
+<dt><span class="term"><strong class="userinput"><code>freeze
+ [<span class="optional"><em class="replaceable"><code>zone</code></em>
[<span class="optional"><em class="replaceable"><code>class</code></em>
[<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
-<dd><p>Suspend updates to a dynamic zone. If no zone is specified,
- then all zones are suspended. This allows manual
- edits to be made to a zone normally updated by dynamic update. It
- also causes changes in the journal file to be synced into the master
- and the journal file to be removed. All dynamic update attempts will
- be refused while the zone is frozen.</p></dd>
-<dt><span class="term"><strong class="userinput"><code>thaw [<span class="optional"><em class="replaceable"><code>zone</code></em>
+<dd><p>
+ Suspend updates to a dynamic zone. If no zone is
+ specified,
+ then all zones are suspended. This allows manual
+ edits to be made to a zone normally updated by dynamic
+ update. It
+ also causes changes in the journal file to be synced
+ into the master
+ and the journal file to be removed. All dynamic
+ update attempts will
+ be refused while the zone is frozen.
+ </p></dd>
+<dt><span class="term"><strong class="userinput"><code>thaw
+ [<span class="optional"><em class="replaceable"><code>zone</code></em>
[<span class="optional"><em class="replaceable"><code>class</code></em>
[<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
-<dd><p>Enable updates to a frozen dynamic zone. If no zone is
- specified, then all frozen zones are enabled. This causes
- the server to reload the zone from disk, and re-enables dynamic updates
- after the load has completed. After a zone is thawed, dynamic updates
- will no longer be refused.</p></dd>
+<dd><p>
+ Enable updates to a frozen dynamic zone. If no zone
+ is
+ specified, then all frozen zones are enabled. This
+ causes
+ the server to reload the zone from disk, and
+ re-enables dynamic updates
+ after the load has completed. After a zone is thawed,
+ dynamic updates
+ will no longer be refused.
+ </p></dd>
+<dt><span class="term"><strong class="userinput"><code>notify <em class="replaceable"><code>zone</code></em>
+ [<span class="optional"><em class="replaceable"><code>class</code></em>
+ [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
+<dd><p>
+ Resend NOTIFY messages for the zone.
+ </p></dd>
<dt><span class="term"><strong class="userinput"><code>reconfig</code></strong></span></dt>
-<dd><p>Reload the configuration file and load new zones,
- but do not reload existing zone files even if they have changed.
- This is faster than a full <span><strong class="command">reload</strong></span> when there
- is a large number of zones because it avoids the need to examine the
- modification times of the zones files.
- </p></dd>
+<dd><p>
+ Reload the configuration file and load new zones,
+ but do not reload existing zone files even if they
+ have changed.
+ This is faster than a full <span><strong class="command">reload</strong></span> when there
+ is a large number of zones because it avoids the need
+ to examine the
+ modification times of the zones files.
+ </p></dd>
<dt><span class="term"><strong class="userinput"><code>stats</code></strong></span></dt>
-<dd><p>Write server statistics to the statistics file.</p></dd>
+<dd><p>
+ Write server statistics to the statistics file.
+ </p></dd>
<dt><span class="term"><strong class="userinput"><code>querylog</code></strong></span></dt>
-<dd><p>Toggle query logging. Query logging can also be enabled
- by explicitly directing the <span><strong class="command">queries</strong></span>
- <span><strong class="command">category</strong></span> to a <span><strong class="command">channel</strong></span> in the
- <span><strong class="command">logging</strong></span> section of
- <code class="filename">named.conf</code>.</p></dd>
-<dt><span class="term"><strong class="userinput"><code>dumpdb [<span class="optional">-all|-cache|-zone</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
-<dd><p>Dump the server's caches (default) and / or zones to the
- dump file for the specified views. If no view is specified, all
- views are dumped.</p></dd>
+<dd><p>
+ Toggle query logging. Query logging can also be enabled
+ by explicitly directing the <span><strong class="command">queries</strong></span>
+ <span><strong class="command">category</strong></span> to a
+ <span><strong class="command">channel</strong></span> in the
+ <span><strong class="command">logging</strong></span> section of
+ <code class="filename">named.conf</code> or by specifying
+ <span><strong class="command">querylog yes;</strong></span> in the
+ <span><strong class="command">options</strong></span> section of
+ <code class="filename">named.conf</code>.
+ </p></dd>
+<dt><span class="term"><strong class="userinput"><code>dumpdb
+ [<span class="optional">-all|-cache|-zone</span>]
+ [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
+<dd><p>
+ Dump the server's caches (default) and/or zones to
+ the
+ dump file for the specified views. If no view is
+ specified, all
+ views are dumped.
+ </p></dd>
<dt><span class="term"><strong class="userinput"><code>stop [<span class="optional">-p</span>]</code></strong></span></dt>
-<dd><p>Stop the server, making sure any recent changes
- made through dynamic update or IXFR are first saved to the master files
- of the updated zones. If -p is specified named's process id is returned.
- This allows an external process to determine when named had completed stopping.</p></dd>
+<dd><p>
+ Stop the server, making sure any recent changes
+ made through dynamic update or IXFR are first saved to
+ the master files of the updated zones.
+ If -p is specified named's process id is returned.
+ This allows an external process to determine when named
+ had completed stopping.
+ </p></dd>
<dt><span class="term"><strong class="userinput"><code>halt [<span class="optional">-p</span>]</code></strong></span></dt>
-<dd><p>Stop the server immediately. Recent changes
- made through dynamic update or IXFR are not saved to the master files,
- but will be rolled forward from the journal files when the server
- is restarted. If -p is specified named's process id is returned.
- This allows an external process to determine when named had completed
- stopping.</p></dd>
+<dd><p>
+ Stop the server immediately. Recent changes
+ made through dynamic update or IXFR are not saved to
+ the master files, but will be rolled forward from the
+ journal files when the server is restarted.
+ If -p is specified named's process id is returned.
+ This allows an external process to determine when named
+ had completed halting.
+ </p></dd>
<dt><span class="term"><strong class="userinput"><code>trace</code></strong></span></dt>
-<dd><p>Increment the servers debugging level by one. </p></dd>
+<dd><p>
+ Increment the servers debugging level by one.
+ </p></dd>
<dt><span class="term"><strong class="userinput"><code>trace <em class="replaceable"><code>level</code></em></code></strong></span></dt>
-<dd><p>Sets the server's debugging level to an explicit
- value.</p></dd>
+<dd><p>
+ Sets the server's debugging level to an explicit
+ value.
+ </p></dd>
<dt><span class="term"><strong class="userinput"><code>notrace</code></strong></span></dt>
-<dd><p>Sets the server's debugging level to 0.</p></dd>
+<dd><p>
+ Sets the server's debugging level to 0.
+ </p></dd>
<dt><span class="term"><strong class="userinput"><code>flush</code></strong></span></dt>
-<dd><p>Flushes the server's cache.</p></dd>
+<dd><p>
+ Flushes the server's cache.
+ </p></dd>
<dt><span class="term"><strong class="userinput"><code>flushname</code></strong> <em class="replaceable"><code>name</code></em></span></dt>
-<dd><p>Flushes the given name from the server's cache.</p></dd>
+<dd><p>
+ Flushes the given name from the server's cache.
+ </p></dd>
<dt><span class="term"><strong class="userinput"><code>status</code></strong></span></dt>
-<dd><p>Display status of the server.
-Note that the number of zones includes the internal <span><strong class="command">bind/CH</strong></span> zone
-and the default <span><strong class="command">./IN</strong></span> hint zone if there is not an
-explicit root zone configured.</p></dd>
+<dd><p>
+ Display status of the server.
+ Note that the number of zones includes the internal <span><strong class="command">bind/CH</strong></span> zone
+ and the default <span><strong class="command">./IN</strong></span>
+ hint zone if there is not an
+ explicit root zone configured.
+ </p></dd>
<dt><span class="term"><strong class="userinput"><code>recursing</code></strong></span></dt>
-<dd><p>Dump the list of queries named is currently recursing
- on.
- </p></dd>
+<dd><p>
+ Dump the list of queries named is currently recursing
+ on.
+ </p></dd>
</dl></div>
-<p>In <acronym class="acronym">BIND</acronym> 9.2, <span><strong class="command">rndc</strong></span>
-supports all the commands of the BIND 8 <span><strong class="command">ndc</strong></span>
-utility except <span><strong class="command">ndc start</strong></span> and
-<span><strong class="command">ndc restart</strong></span>, which were also
-not supported in <span><strong class="command">ndc</strong></span>'s channel mode.</p>
-<p>A configuration file is required, since all
-communication with the server is authenticated with
-digital signatures that rely on a shared secret, and
-there is no way to provide that secret other than with a
-configuration file. The default location for the
-<span><strong class="command">rndc</strong></span> configuration file is
-<code class="filename">/etc/rndc.conf</code>, but an alternate
-location can be specified with the <code class="option">-c</code>
-option. If the configuration file is not found,
-<span><strong class="command">rndc</strong></span> will also look in
-<code class="filename">/etc/rndc.key</code> (or whatever
-<code class="varname">sysconfdir</code> was defined when
-the <acronym class="acronym">BIND</acronym> build was configured).
-The <code class="filename">rndc.key</code> file is generated by
-running <span><strong class="command">rndc-confgen -a</strong></span> as described in
-<a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called &#8220;<span><strong class="command">controls</strong></span> Statement Definition and Usage&#8221;</a>.</p>
-<p>The format of the configuration file is similar to
-that of <code class="filename">named.conf</code>, but limited to
-only four statements, the <span><strong class="command">options</strong></span>,
-<span><strong class="command">key</strong></span>, <span><strong class="command">server</strong></span> and
-<span><strong class="command">include</strong></span>
-statements. These statements are what associate the
-secret keys to the servers with which they are meant to
-be shared. The order of statements is not
-significant.</p>
-<p>The <span><strong class="command">options</strong></span> statement has three clauses:
-<span><strong class="command">default-server</strong></span>, <span><strong class="command">default-key</strong></span>,
-and <span><strong class="command">default-port</strong></span>.
-<span><strong class="command">default-server</strong></span> takes a
-host name or address argument and represents the server that will
-be contacted if no <code class="option">-s</code>
-option is provided on the command line.
-<span><strong class="command">default-key</strong></span> takes
-the name of a key as its argument, as defined by a <span><strong class="command">key</strong></span> statement.
-<span><strong class="command">default-port</strong></span> specifies the port to which
-<span><strong class="command">rndc</strong></span> should connect if no
-port is given on the command line or in a
-<span><strong class="command">server</strong></span> statement.</p>
-<p>The <span><strong class="command">key</strong></span> statement defines a key to be used
-by <span><strong class="command">rndc</strong></span> when authenticating with
-<span><strong class="command">named</strong></span>. Its syntax is identical to the
-<span><strong class="command">key</strong></span> statement in named.conf.
-The keyword <strong class="userinput"><code>key</code></strong> is
-followed by a key name, which must be a valid
-domain name, though it need not actually be hierarchical; thus,
-a string like "<strong class="userinput"><code>rndc_key</code></strong>" is a valid name.
-The <span><strong class="command">key</strong></span> statement has two clauses:
-<span><strong class="command">algorithm</strong></span> and <span><strong class="command">secret</strong></span>.
-While the configuration parser will accept any string as the argument
-to algorithm, currently only the string "<strong class="userinput"><code>hmac-md5</code></strong>"
-has any meaning. The secret is a base-64 encoded string.</p>
-<p>The <span><strong class="command">server</strong></span> statement associates a key
-defined using the <span><strong class="command">key</strong></span> statement with a server.
-The keyword <strong class="userinput"><code>server</code></strong> is followed by a
-host name or address. The <span><strong class="command">server</strong></span> statement
-has two clauses: <span><strong class="command">key</strong></span> and <span><strong class="command">port</strong></span>.
-The <span><strong class="command">key</strong></span> clause specifies the name of the key
-to be used when communicating with this server, and the
-<span><strong class="command">port</strong></span> clause can be used to
-specify the port <span><strong class="command">rndc</strong></span> should connect
-to on the server.</p>
-<p>A sample minimal configuration file is as follows:</p>
+<p>
+ In <acronym class="acronym">BIND</acronym> 9.2, <span><strong class="command">rndc</strong></span>
+ supports all the commands of the BIND 8 <span><strong class="command">ndc</strong></span>
+ utility except <span><strong class="command">ndc start</strong></span> and
+ <span><strong class="command">ndc restart</strong></span>, which were also
+ not supported in <span><strong class="command">ndc</strong></span>'s
+ channel mode.
+ </p>
+<p>
+ A configuration file is required, since all
+ communication with the server is authenticated with
+ digital signatures that rely on a shared secret, and
+ there is no way to provide that secret other than with a
+ configuration file. The default location for the
+ <span><strong class="command">rndc</strong></span> configuration file is
+ <code class="filename">/etc/rndc.conf</code>, but an
+ alternate
+ location can be specified with the <code class="option">-c</code>
+ option. If the configuration file is not found,
+ <span><strong class="command">rndc</strong></span> will also look in
+ <code class="filename">/etc/rndc.key</code> (or whatever
+ <code class="varname">sysconfdir</code> was defined when
+ the <acronym class="acronym">BIND</acronym> build was
+ configured).
+ The <code class="filename">rndc.key</code> file is
+ generated by
+ running <span><strong class="command">rndc-confgen -a</strong></span> as
+ described in
+ <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
+ Usage">the section called &#8220;<span><strong class="command">controls</strong></span> Statement Definition and
+ Usage&#8221;</a>.
+ </p>
+<p>
+ The format of the configuration file is similar to
+ that of <code class="filename">named.conf</code>, but
+ limited to
+ only four statements, the <span><strong class="command">options</strong></span>,
+ <span><strong class="command">key</strong></span>, <span><strong class="command">server</strong></span> and
+ <span><strong class="command">include</strong></span>
+ statements. These statements are what associate the
+ secret keys to the servers with which they are meant to
+ be shared. The order of statements is not
+ significant.
+ </p>
+<p>
+ The <span><strong class="command">options</strong></span> statement has
+ three clauses:
+ <span><strong class="command">default-server</strong></span>, <span><strong class="command">default-key</strong></span>,
+ and <span><strong class="command">default-port</strong></span>.
+ <span><strong class="command">default-server</strong></span> takes a
+ host name or address argument and represents the server
+ that will
+ be contacted if no <code class="option">-s</code>
+ option is provided on the command line.
+ <span><strong class="command">default-key</strong></span> takes
+ the name of a key as its argument, as defined by a <span><strong class="command">key</strong></span> statement.
+ <span><strong class="command">default-port</strong></span> specifies the
+ port to which
+ <span><strong class="command">rndc</strong></span> should connect if no
+ port is given on the command line or in a
+ <span><strong class="command">server</strong></span> statement.
+ </p>
+<p>
+ The <span><strong class="command">key</strong></span> statement defines a
+ key to be used
+ by <span><strong class="command">rndc</strong></span> when authenticating
+ with
+ <span><strong class="command">named</strong></span>. Its syntax is
+ identical to the
+ <span><strong class="command">key</strong></span> statement in named.conf.
+ The keyword <strong class="userinput"><code>key</code></strong> is
+ followed by a key name, which must be a valid
+ domain name, though it need not actually be hierarchical;
+ thus,
+ a string like "<strong class="userinput"><code>rndc_key</code></strong>" is a valid
+ name.
+ The <span><strong class="command">key</strong></span> statement has two
+ clauses:
+ <span><strong class="command">algorithm</strong></span> and <span><strong class="command">secret</strong></span>.
+ While the configuration parser will accept any string as the
+ argument
+ to algorithm, currently only the string "<strong class="userinput"><code>hmac-md5</code></strong>"
+ has any meaning. The secret is a base-64 encoded string
+ as specified in RFC 3548.
+ </p>
+<p>
+ The <span><strong class="command">server</strong></span> statement
+ associates a key
+ defined using the <span><strong class="command">key</strong></span>
+ statement with a server.
+ The keyword <strong class="userinput"><code>server</code></strong> is followed by a
+ host name or address. The <span><strong class="command">server</strong></span> statement
+ has two clauses: <span><strong class="command">key</strong></span> and <span><strong class="command">port</strong></span>.
+ The <span><strong class="command">key</strong></span> clause specifies the
+ name of the key
+ to be used when communicating with this server, and the
+ <span><strong class="command">port</strong></span> clause can be used to
+ specify the port <span><strong class="command">rndc</strong></span> should
+ connect
+ to on the server.
+ </p>
+<p>
+ A sample minimal configuration file is as follows:
+ </p>
<pre class="programlisting">
key rndc_key {
algorithm "hmac-md5";
@@ -445,38 +698,55 @@ options {
default-key rndc_key;
};
</pre>
-<p>This file, if installed as <code class="filename">/etc/rndc.conf</code>,
-would allow the command:</p>
-<p><code class="prompt">$ </code><strong class="userinput"><code>rndc reload</code></strong></p>
-<p>to connect to 127.0.0.1 port 953 and cause the name server
-to reload, if a name server on the local machine were running with
-following controls statements:</p>
+<p>
+ This file, if installed as <code class="filename">/etc/rndc.conf</code>,
+ would allow the command:
+ </p>
+<p>
+ <code class="prompt">$ </code><strong class="userinput"><code>rndc reload</code></strong>
+ </p>
+<p>
+ to connect to 127.0.0.1 port 953 and cause the name server
+ to reload, if a name server on the local machine were
+ running with
+ following controls statements:
+ </p>
<pre class="programlisting">
controls {
inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};
</pre>
-<p>and it had an identical key statement for
-<code class="literal">rndc_key</code>.</p>
-<p>Running the <span><strong class="command">rndc-confgen</strong></span> program will
-conveniently create a <code class="filename">rndc.conf</code>
-file for you, and also display the
-corresponding <span><strong class="command">controls</strong></span> statement that you need to
-add to <code class="filename">named.conf</code>. Alternatively,
-you can run <span><strong class="command">rndc-confgen -a</strong></span> to set up
-a <code class="filename">rndc.key</code> file and not modify
-<code class="filename">named.conf</code> at all.
-</p>
+<p>
+ and it had an identical key statement for
+ <code class="literal">rndc_key</code>.
+ </p>
+<p>
+ Running the <span><strong class="command">rndc-confgen</strong></span>
+ program will
+ conveniently create a <code class="filename">rndc.conf</code>
+ file for you, and also display the
+ corresponding <span><strong class="command">controls</strong></span>
+ statement that you need to
+ add to <code class="filename">named.conf</code>.
+ Alternatively,
+ you can run <span><strong class="command">rndc-confgen -a</strong></span>
+ to set up
+ a <code class="filename">rndc.key</code> file and not
+ modify
+ <code class="filename">named.conf</code> at all.
+ </p>
</dd>
</dl></div>
</div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2572723"></a>Signals</h3></div></div></div>
-<p>Certain UNIX signals cause the name server to take specific
-actions, as described in the following table. These signals can
-be sent using the <span><strong class="command">kill</strong></span> command.</p>
+<a name="id2569972"></a>Signals</h3></div></div></div>
+<p>
+ Certain UNIX signals cause the name server to take specific
+ actions, as described in the following table. These signals can
+ be sent using the <span><strong class="command">kill</strong></span> command.
+ </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -484,19 +754,35 @@ be sent using the <span><strong class="command">kill</strong></span> command.</p
</colgroup>
<tbody>
<tr>
-<td><p><span><strong class="command">SIGHUP</strong></span></p></td>
-<td><p>Causes the server to read <code class="filename">named.conf</code> and
-reload the database. </p></td>
+<td>
+ <p><span><strong class="command">SIGHUP</strong></span></p>
+ </td>
+<td>
+ <p>
+ Causes the server to read <code class="filename">named.conf</code> and
+ reload the database.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">SIGTERM</strong></span></p></td>
-<td><p>Causes the server to clean up and exit.</p></td>
+<td>
+ <p><span><strong class="command">SIGTERM</strong></span></p>
+ </td>
+<td>
+ <p>
+ Causes the server to clean up and exit.
+ </p>
+ </td>
</tr>
<tr>
<td>
-<p><span><strong class="command">SIGINT</strong></span></p>
-</td>
-<td><p>Causes the server to clean up and exit.</p></td>
+ <p><span><strong class="command">SIGINT</strong></span></p>
+ </td>
+<td>
+ <p>
+ Causes the server to clean up and exit.
+ </p>
+ </td>
</tr>
</tbody>
</table></div>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch04.html b/contrib/bind9/doc/arm/Bv9ARM.ch04.html
index adf2036..a316b1f 100644
--- a/contrib/bind9/doc/arm/Bv9ARM.ch04.html
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch04.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
@@ -14,12 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch04.html,v 1.30.2.6.2.24 2006/11/15 04:33:41 marka Exp $ -->
+<!-- $Id: Bv9ARM.ch04.html,v 1.40.18.34 2007/01/30 00:23:45 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter 4. Advanced DNS Features</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch03.html" title="Chapter 3. Name Server Configuration">
@@ -49,213 +49,309 @@
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2573147">Split DNS</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570429">Split DNS</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573709">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573776">Copying the Shared Secret to Both Machines</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573784">Informing the Servers of the Key's Existence</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573824">Instructing the Server to Use the Key</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573876">TSIG Key Based Access Control</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573920">Errors</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570949">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571022">Copying the Shared Secret to Both Machines</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571033">Informing the Servers of the Key's Existence</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571141">Instructing the Server to Use the Key</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571198">TSIG Key Based Access Control</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571243">Errors</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2573933">TKEY</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2573982">SIG(0)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571257">TKEY</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571306">SIG(0)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574049">Generating Keys</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574116">Signing the Zone</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574259">Configuring Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571579">Generating Keys</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571649">Signing the Zone</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571728">Configuring Servers</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2574396">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571802">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574455">Address Lookups Using AAAA Records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574475">Address to Name Lookups Using Nibble Format</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572001">Address Lookups Using AAAA Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572022">Address to Name Lookups Using Nibble Format</a></span></dt>
</dl></dd>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="notify"></a>Notify</h2></div></div></div>
-<p><acronym class="acronym">DNS</acronym> NOTIFY is a mechanism that allows master
-servers to notify their slave servers of changes to a zone's data. In
-response to a <span><strong class="command">NOTIFY</strong></span> from a master server, the
-slave will check to see that its version of the zone is the
-current version and, if not, initiate a zone transfer.</p>
-<p><acronym class="acronym">DNS</acronym>
-For more information about
-<span><strong class="command">NOTIFY</strong></span>, see the description of the
-<span><strong class="command">notify</strong></span> option in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a> and
-the description of the zone option <span><strong class="command">also-notify</strong></span> in
-<a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>. The <span><strong class="command">NOTIFY</strong></span>
-protocol is specified in RFC 1996.
-</p>
+<p>
+ <acronym class="acronym">DNS</acronym> NOTIFY is a mechanism that allows master
+ servers to notify their slave servers of changes to a zone's data. In
+ response to a <span><strong class="command">NOTIFY</strong></span> from a master server, the
+ slave will check to see that its version of the zone is the
+ current version and, if not, initiate a zone transfer.
+ </p>
+<p>
+ For more information about <acronym class="acronym">DNS</acronym>
+ <span><strong class="command">NOTIFY</strong></span>, see the description of the
+ <span><strong class="command">notify</strong></span> option in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a> and
+ the description of the zone option <span><strong class="command">also-notify</strong></span> in
+ <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>. The <span><strong class="command">NOTIFY</strong></span>
+ protocol is specified in RFC 1996.
+ </p>
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+ As a slave zone can also be a master to other slaves, named,
+ by default, sends <span><strong class="command">NOTIFY</strong></span> messages for every zone
+ it loads. Specifying <span><strong class="command">notify master-only;</strong></span> will
+ cause named to only send <span><strong class="command">NOTIFY</strong></span> for master
+ zones that it loads.
+ </div>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dynamic_update"></a>Dynamic Update</h2></div></div></div>
-<p>Dynamic Update is a method for adding, replacing or deleting
- records in a master server by sending it a special form of DNS
- messages. The format and meaning of these messages is specified
- in RFC 2136.</p>
-<p>Dynamic update is enabled on a zone-by-zone basis, by
- including an <span><strong class="command">allow-update</strong></span> or
- <span><strong class="command">update-policy</strong></span> clause in the
- <span><strong class="command">zone</strong></span> statement.</p>
-<p>Updating of secure zones (zones using DNSSEC) follows
- RFC 3007: RRSIG and NSEC records affected by updates are automatically
- regenerated by the server using an online zone key.
- Update authorization is based
- on transaction signatures and an explicit server policy.</p>
+<p>
+ Dynamic Update is a method for adding, replacing or deleting
+ records in a master server by sending it a special form of DNS
+ messages. The format and meaning of these messages is specified
+ in RFC 2136.
+ </p>
+<p>
+ Dynamic update is enabled by
+ including an <span><strong class="command">allow-update</strong></span> or
+ <span><strong class="command">update-policy</strong></span> clause in the
+ <span><strong class="command">zone</strong></span> statement.
+ </p>
+<p>
+ Updating of secure zones (zones using DNSSEC) follows
+ RFC 3007: RRSIG and NSEC records affected by updates are automatically
+ regenerated by the server using an online zone key.
+ Update authorization is based
+ on transaction signatures and an explicit server policy.
+ </p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="journal"></a>The journal file</h3></div></div></div>
-<p>All changes made to a zone using dynamic update are stored in the
- zone's journal file. This file is automatically created by the
- server when the first dynamic update takes place. The name of
- the journal file is formed by appending the
- extension <code class="filename">.jnl</code> to the
- name of the corresponding zone file. The journal file is in a
- binary format and should not be edited manually.</p>
-<p>The server will also occasionally write ("dump")
- the complete contents of the updated zone to its zone file.
- This is not done immediately after
- each dynamic update, because that would be too slow when a large
- zone is updated frequently. Instead, the dump is delayed by
- up to 15 minutes, allowing additional updates to take place.</p>
-<p>When a server is restarted after a shutdown or crash, it will replay
- the journal file to incorporate into the zone any updates that took
- place after the last zone dump.</p>
-<p>Changes that result from incoming incremental zone transfers are also
- journalled in a similar way.</p>
-<p>The zone files of dynamic zones cannot normally be edited by
- hand because they are not guaranteed to contain the most recent
- dynamic changes &#8212; those are only in the journal file.
- The only way to ensure that the zone file of a dynamic zone
- is up to date is to run <span><strong class="command">rndc stop</strong></span>.</p>
-<p>If you have to make changes to a dynamic zone
- manually, the following procedure will work: Disable dynamic updates
- to the zone using
- <span><strong class="command">rndc freeze <em class="replaceable"><code>zone</code></em></strong></span>.
- This will also remove the zone's <code class="filename">.jnl</code> file
- and update the master file. Edit the zone file. Run
- <span><strong class="command">rndc thaw <em class="replaceable"><code>zone</code></em></strong></span>
- to reload the changed zone and re-enable dynamic updates.</p>
+<p>
+ All changes made to a zone using dynamic update are stored
+ in the zone's journal file. This file is automatically created
+ by the server when the first dynamic update takes place.
+ The name of the journal file is formed by appending the extension
+ <code class="filename">.jnl</code> to the name of the
+ corresponding zone
+ file unless specifically overridden. The journal file is in a
+ binary format and should not be edited manually.
+ </p>
+<p>
+ The server will also occasionally write ("dump")
+ the complete contents of the updated zone to its zone file.
+ This is not done immediately after
+ each dynamic update, because that would be too slow when a large
+ zone is updated frequently. Instead, the dump is delayed by
+ up to 15 minutes, allowing additional updates to take place.
+ </p>
+<p>
+ When a server is restarted after a shutdown or crash, it will replay
+ the journal file to incorporate into the zone any updates that
+ took
+ place after the last zone dump.
+ </p>
+<p>
+ Changes that result from incoming incremental zone transfers are
+ also
+ journalled in a similar way.
+ </p>
+<p>
+ The zone files of dynamic zones cannot normally be edited by
+ hand because they are not guaranteed to contain the most recent
+ dynamic changes &#8212; those are only in the journal file.
+ The only way to ensure that the zone file of a dynamic zone
+ is up to date is to run <span><strong class="command">rndc stop</strong></span>.
+ </p>
+<p>
+ If you have to make changes to a dynamic zone
+ manually, the following procedure will work: Disable dynamic updates
+ to the zone using
+ <span><strong class="command">rndc freeze <em class="replaceable"><code>zone</code></em></strong></span>.
+ This will also remove the zone's <code class="filename">.jnl</code> file
+ and update the master file. Edit the zone file. Run
+ <span><strong class="command">rndc thaw <em class="replaceable"><code>zone</code></em></strong></span>
+ to reload the changed zone and re-enable dynamic updates.
+ </p>
</div>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="incremental_zone_transfers"></a>Incremental Zone Transfers (IXFR)</h2></div></div></div>
-<p>The incremental zone transfer (IXFR) protocol is a way for
-slave servers to transfer only changed data, instead of having to
-transfer the entire zone. The IXFR protocol is specified in RFC
-1995. See <a href="Bv9ARM.ch09.html#proposed_standards">Proposed Standards</a>.</p>
-<p>When acting as a master, <acronym class="acronym">BIND</acronym> 9
-supports IXFR for those zones
-where the necessary change history information is available. These
-include master zones maintained by dynamic update and slave zones
-whose data was obtained by IXFR. For manually maintained master
-zones, and for slave zones obtained by performing a full zone
-transfer (AXFR), IXFR is supported only if the option
-<span><strong class="command">ixfr-from-differences</strong></span> is set
-to <strong class="userinput"><code>yes</code></strong>.
-</p>
-<p>When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will
-attempt to use IXFR unless
-it is explicitly disabled. For more information about disabling
-IXFR, see the description of the <span><strong class="command">request-ixfr</strong></span> clause
-of the <span><strong class="command">server</strong></span> statement.</p>
+<p>
+ The incremental zone transfer (IXFR) protocol is a way for
+ slave servers to transfer only changed data, instead of having to
+ transfer the entire zone. The IXFR protocol is specified in RFC
+ 1995. See <a href="Bv9ARM.ch09.html#proposed_standards">Proposed Standards</a>.
+ </p>
+<p>
+ When acting as a master, <acronym class="acronym">BIND</acronym> 9
+ supports IXFR for those zones
+ where the necessary change history information is available. These
+ include master zones maintained by dynamic update and slave zones
+ whose data was obtained by IXFR. For manually maintained master
+ zones, and for slave zones obtained by performing a full zone
+ transfer (AXFR), IXFR is supported only if the option
+ <span><strong class="command">ixfr-from-differences</strong></span> is set
+ to <strong class="userinput"><code>yes</code></strong>.
+ </p>
+<p>
+ When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will
+ attempt to use IXFR unless
+ it is explicitly disabled. For more information about disabling
+ IXFR, see the description of the <span><strong class="command">request-ixfr</strong></span> clause
+ of the <span><strong class="command">server</strong></span> statement.
+ </p>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2573147"></a>Split DNS</h2></div></div></div>
-<p>Setting up different views, or visibility, of the DNS space to
-internal and external resolvers is usually referred to as a <span class="emphasis"><em>Split
-DNS</em></span> setup. There are several reasons an organization
-would want to set up its DNS this way.</p>
-<p>One common reason for setting up a DNS system this way is
-to hide "internal" DNS information from "external" clients on the
-Internet. There is some debate as to whether or not this is actually useful.
-Internal DNS information leaks out in many ways (via email headers,
-for example) and most savvy "attackers" can find the information
-they need using other means.</p>
-<p>Another common reason for setting up a Split DNS system is
-to allow internal networks that are behind filters or in RFC 1918
-space (reserved IP space, as documented in RFC 1918) to resolve DNS
-on the Internet. Split DNS can also be used to allow mail from outside
-back in to the internal network.</p>
-<p>Here is an example of a split DNS setup:</p>
-<p>Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
-(<code class="literal">example.com</code>)
-has several corporate sites that have an internal network with reserved
-Internet Protocol (IP) space and an external demilitarized zone (DMZ),
-or "outside" section of a network, that is available to the public.</p>
-<p><span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients
-to be able to resolve external hostnames and to exchange mail with
-people on the outside. The company also wants its internal resolvers
-to have access to certain internal-only zones that are not available
-at all outside of the internal network.</p>
-<p>In order to accomplish this, the company will set up two sets
-of name servers. One set will be on the inside network (in the reserved
-IP space) and the other set will be on bastion hosts, which are "proxy"
-hosts that can talk to both sides of its network, in the DMZ.</p>
-<p>The internal servers will be configured to forward all queries,
-except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>,
-and <code class="filename">site2.example.com</code>, to the servers in the
-DMZ. These internal servers will have complete sets of information
-for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>,<span class="emphasis"><em> </em></span><code class="filename">site1.internal</code>,
-and <code class="filename">site2.internal</code>.</p>
-<p>To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains,
-the internal name servers must be configured to disallow all queries
-to these domains from any external hosts, including the bastion
-hosts.</p>
-<p>The external servers, which are on the bastion hosts, will
-be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones.
-This could include things such as the host records for public servers
-(<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>),
-and mail exchange (MX) records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).</p>
-<p>In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones
-should have special MX records that contain wildcard (`*') records
-pointing to the bastion hosts. This is needed because external mail
-servers do not have any other way of looking up how to deliver mail
-to those internal hosts. With the wildcard records, the mail will
-be delivered to the bastion host, which can then forward it on to
-internal hosts.</p>
-<p>Here's an example of a wildcard MX record:</p>
+<a name="id2570429"></a>Split DNS</h2></div></div></div>
+<p>
+ Setting up different views, or visibility, of the DNS space to
+ internal and external resolvers is usually referred to as a
+ <span class="emphasis"><em>Split DNS</em></span> setup. There are several
+ reasons an organization would want to set up its DNS this way.
+ </p>
+<p>
+ One common reason for setting up a DNS system this way is
+ to hide "internal" DNS information from "external" clients on the
+ Internet. There is some debate as to whether or not this is actually
+ useful.
+ Internal DNS information leaks out in many ways (via email headers,
+ for example) and most savvy "attackers" can find the information
+ they need using other means.
+ However, since listing addresses of internal servers that
+ external clients cannot possibly reach can result in
+ connection delays and other annoyances, an organization may
+ choose to use a Split DNS to present a consistant view of itself
+ to the outside world.
+ </p>
+<p>
+ Another common reason for setting up a Split DNS system is
+ to allow internal networks that are behind filters or in RFC 1918
+ space (reserved IP space, as documented in RFC 1918) to resolve DNS
+ on the Internet. Split DNS can also be used to allow mail from outside
+ back in to the internal network.
+ </p>
+<p>
+ Here is an example of a split DNS setup:
+ </p>
+<p>
+ Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
+ (<code class="literal">example.com</code>)
+ has several corporate sites that have an internal network with
+ reserved
+ Internet Protocol (IP) space and an external demilitarized zone (DMZ),
+ or "outside" section of a network, that is available to the public.
+ </p>
+<p>
+ <span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients
+ to be able to resolve external hostnames and to exchange mail with
+ people on the outside. The company also wants its internal resolvers
+ to have access to certain internal-only zones that are not available
+ at all outside of the internal network.
+ </p>
+<p>
+ In order to accomplish this, the company will set up two sets
+ of name servers. One set will be on the inside network (in the
+ reserved
+ IP space) and the other set will be on bastion hosts, which are
+ "proxy"
+ hosts that can talk to both sides of its network, in the DMZ.
+ </p>
+<p>
+ The internal servers will be configured to forward all queries,
+ except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>,
+ and <code class="filename">site2.example.com</code>, to the servers
+ in the
+ DMZ. These internal servers will have complete sets of information
+ for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>,<span class="emphasis"><em></em></span> <code class="filename">site1.internal</code>,
+ and <code class="filename">site2.internal</code>.
+ </p>
+<p>
+ To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains,
+ the internal name servers must be configured to disallow all queries
+ to these domains from any external hosts, including the bastion
+ hosts.
+ </p>
+<p>
+ The external servers, which are on the bastion hosts, will
+ be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones.
+ This could include things such as the host records for public servers
+ (<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>),
+ and mail exchange (MX) records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).
+ </p>
+<p>
+ In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones
+ should have special MX records that contain wildcard (`*') records
+ pointing to the bastion hosts. This is needed because external mail
+ servers do not have any other way of looking up how to deliver mail
+ to those internal hosts. With the wildcard records, the mail will
+ be delivered to the bastion host, which can then forward it on to
+ internal hosts.
+ </p>
+<p>
+ Here's an example of a wildcard MX record:
+ </p>
<pre class="programlisting">* IN MX 10 external1.example.com.</pre>
-<p>Now that they accept mail on behalf of anything in the internal
-network, the bastion hosts will need to know how to deliver mail
-to internal hosts. In order for this to work properly, the resolvers on
-the bastion hosts will need to be configured to point to the internal
-name servers for DNS resolution.</p>
-<p>Queries for internal hostnames will be answered by the internal
-servers, and queries for external hostnames will be forwarded back
-out to the DNS servers on the bastion hosts.</p>
-<p>In order for all this to work properly, internal clients will
-need to be configured to query <span class="emphasis"><em>only</em></span> the internal
-name servers for DNS queries. This could also be enforced via selective
-filtering on the network.</p>
-<p>If everything has been set properly, <span class="emphasis"><em>Example, Inc.</em></span>'s
-internal clients will now be able to:</p>
+<p>
+ Now that they accept mail on behalf of anything in the internal
+ network, the bastion hosts will need to know how to deliver mail
+ to internal hosts. In order for this to work properly, the resolvers
+ on
+ the bastion hosts will need to be configured to point to the internal
+ name servers for DNS resolution.
+ </p>
+<p>
+ Queries for internal hostnames will be answered by the internal
+ servers, and queries for external hostnames will be forwarded back
+ out to the DNS servers on the bastion hosts.
+ </p>
+<p>
+ In order for all this to work properly, internal clients will
+ need to be configured to query <span class="emphasis"><em>only</em></span> the internal
+ name servers for DNS queries. This could also be enforced via
+ selective
+ filtering on the network.
+ </p>
+<p>
+ If everything has been set properly, <span class="emphasis"><em>Example, Inc.</em></span>'s
+ internal clients will now be able to:
+ </p>
<div class="itemizedlist"><ul type="disc">
-<li>Look up any hostnames in the <code class="literal">site1</code> and
-<code class="literal">site2.example.com</code> zones.</li>
-<li>Look up any hostnames in the <code class="literal">site1.internal</code> and
-<code class="literal">site2.internal</code> domains.</li>
+<li>
+ Look up any hostnames in the <code class="literal">site1</code>
+ and
+ <code class="literal">site2.example.com</code> zones.
+ </li>
+<li>
+ Look up any hostnames in the <code class="literal">site1.internal</code> and
+ <code class="literal">site2.internal</code> domains.
+ </li>
<li>Look up any hostnames on the Internet.</li>
-<li>Exchange mail with both internal AND external people.</li>
+<li>Exchange mail with both internal and external people.</li>
</ul></div>
-<p>Hosts on the Internet will be able to:</p>
+<p>
+ Hosts on the Internet will be able to:
+ </p>
<div class="itemizedlist"><ul type="disc">
-<li>Look up any hostnames in the <code class="literal">site1</code> and
-<code class="literal">site2.example.com</code> zones.</li>
-<li>Exchange mail with anyone in the <code class="literal">site1</code> and
-<code class="literal">site2.example.com</code> zones.</li>
+<li>
+ Look up any hostnames in the <code class="literal">site1</code>
+ and
+ <code class="literal">site2.example.com</code> zones.
+ </li>
+<li>
+ Exchange mail with anyone in the <code class="literal">site1</code> and
+ <code class="literal">site2.example.com</code> zones.
+ </li>
</ul></div>
-<p>Here is an example configuration for the setup we just
- described above. Note that this is only configuration information;
- for information on how to configure your zone files, see <a href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called &#8220;Sample Configurations&#8221;</a>.</p>
-<p>Internal DNS server config:</p>
+<p>
+ Here is an example configuration for the setup we just
+ described above. Note that this is only configuration information;
+ for information on how to configure your zone files, see <a href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called &#8220;Sample Configurations&#8221;</a>.
+ </p>
+<p>
+ Internal DNS server config:
+ </p>
<pre class="programlisting">
acl internals { 172.16.72.0/24; 192.168.1.0/24; };
@@ -267,7 +363,7 @@ options {
...
forward only;
forwarders { // forward to external servers
- <code class="varname">bastion-ips-go-here</code>;
+ <code class="varname">bastion-ips-go-here</code>;
};
allow-transfer { none; }; // sample allow-transfer (no one)
allow-query { internals; externals; }; // restrict query access
@@ -311,7 +407,9 @@ zone "site2.internal" {
allow-transfer { internals; }
};
</pre>
-<p>External (bastion host) DNS server config:</p>
+<p>
+ External (bastion host) DNS server config:
+ </p>
<pre class="programlisting">
acl internals { 172.16.72.0/24; 192.168.1.0/24; };
@@ -321,7 +419,8 @@ options {
...
...
allow-transfer { none; }; // sample allow-transfer (no one)
- allow-query { internals; externals; }; // restrict query access
+ allow-query { any; }; // default query access
+ allow-query-cache { internals; externals; }; // restrict cache access
allow-recursion { internals; externals; }; // restrict recursion
...
...
@@ -330,7 +429,6 @@ options {
zone "site1.example.com" { // sample slave zone
type master;
file "m/site1.foo.com";
- allow-query { any; };
allow-transfer { internals; externals; };
};
@@ -338,12 +436,13 @@ zone "site2.example.com" {
type slave;
file "s/site2.foo.com";
masters { another_bastion_host_maybe; };
- allow-query { any; };
allow-transfer { internals; externals; }
};
</pre>
-<p>In the <code class="filename">resolv.conf</code> (or equivalent) on
-the bastion host(s):</p>
+<p>
+ In the <code class="filename">resolv.conf</code> (or equivalent) on
+ the bastion host(s):
+ </p>
<pre class="programlisting">
search ...
nameserver 172.16.72.2
@@ -354,416 +453,551 @@ nameserver 172.16.72.4
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="tsig"></a>TSIG</h2></div></div></div>
-<p>This is a short guide to setting up Transaction SIGnatures
-(TSIG) based transaction security in <acronym class="acronym">BIND</acronym>. It describes changes
-to the configuration file as well as what changes are required for
-different features, including the process of creating transaction
-keys and using transaction signatures with <acronym class="acronym">BIND</acronym>.</p>
-<p><acronym class="acronym">BIND</acronym> primarily supports TSIG for server to server communication.
-This includes zone transfer, notify, and recursive query messages.
-Resolvers based on newer versions of <acronym class="acronym">BIND</acronym> 8 have limited support
-for TSIG.</p>
-<p>TSIG might be most useful for dynamic update. A primary
- server for a dynamic zone should use access control to control
- updates, but IP-based access control is insufficient.
- The cryptographic access control provided by TSIG
- is far superior. The <span><strong class="command">nsupdate</strong></span>
- program supports TSIG via the <code class="option">-k</code> and
- <code class="option">-y</code> command line options.</p>
+<p>
+ This is a short guide to setting up Transaction SIGnatures
+ (TSIG) based transaction security in <acronym class="acronym">BIND</acronym>. It describes changes
+ to the configuration file as well as what changes are required for
+ different features, including the process of creating transaction
+ keys and using transaction signatures with <acronym class="acronym">BIND</acronym>.
+ </p>
+<p>
+ <acronym class="acronym">BIND</acronym> primarily supports TSIG for server
+ to server communication.
+ This includes zone transfer, notify, and recursive query messages.
+ Resolvers based on newer versions of <acronym class="acronym">BIND</acronym> 8 have limited support
+ for TSIG.
+ </p>
+<p>
+ TSIG can also be useful for dynamic update. A primary
+ server for a dynamic zone should control access to the dynamic
+ update service, but IP-based access control is insufficient.
+ The cryptographic access control provided by TSIG
+ is far superior. The <span><strong class="command">nsupdate</strong></span>
+ program supports TSIG via the <code class="option">-k</code> and
+ <code class="option">-y</code> command line options or inline by use
+ of the <span><strong class="command">key</strong></span>.
+ </p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2573709"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
-<p>A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
-An arbitrary key name is chosen: "host1-host2.". The key name must
-be the same on both hosts.</p>
+<a name="id2570949"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
+<p>
+ A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
+ An arbitrary key name is chosen: "host1-host2.". The key name must
+ be the same on both hosts.
+ </p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2573725"></a>Automatic Generation</h4></div></div></div>
-<p>The following command will generate a 128-bit (16 byte) HMAC-MD5
-key as described above. Longer keys are better, but shorter keys
-are easier to read. Note that the maximum key length is 512 bits;
-keys longer than that will be digested with MD5 to produce a
-128-bit key.</p>
-<p><strong class="userinput"><code>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</code></strong></p>
-<p>The key is in the file <code class="filename">Khost1-host2.+157+00000.private</code>.
-Nothing directly uses this file, but the base-64 encoded string
-following "<code class="literal">Key:</code>"
-can be extracted from the file and used as a shared secret:</p>
+<a name="id2570966"></a>Automatic Generation</h4></div></div></div>
+<p>
+ The following command will generate a 128-bit (16 byte) HMAC-MD5
+ key as described above. Longer keys are better, but shorter keys
+ are easier to read. Note that the maximum key length is 512 bits;
+ keys longer than that will be digested with MD5 to produce a
+ 128-bit key.
+ </p>
+<p>
+ <strong class="userinput"><code>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</code></strong>
+ </p>
+<p>
+ The key is in the file <code class="filename">Khost1-host2.+157+00000.private</code>.
+ Nothing directly uses this file, but the base-64 encoded string
+ following "<code class="literal">Key:</code>"
+ can be extracted from the file and used as a shared secret:
+ </p>
<pre class="programlisting">Key: La/E5CjG9O+os1jq0a2jdA==</pre>
-<p>The string "<code class="literal">La/E5CjG9O+os1jq0a2jdA==</code>" can
-be used as the shared secret.</p>
+<p>
+ The string "<code class="literal">La/E5CjG9O+os1jq0a2jdA==</code>" can
+ be used as the shared secret.
+ </p>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2573760"></a>Manual Generation</h4></div></div></div>
-<p>The shared secret is simply a random sequence of bits, encoded
-in base-64. Most ASCII strings are valid base-64 strings (assuming
-the length is a multiple of 4 and only valid characters are used),
-so the shared secret can be manually generated.</p>
-<p>Also, a known string can be run through <span><strong class="command">mmencode</strong></span> or
-a similar program to generate base-64 encoded data.</p>
+<a name="id2571004"></a>Manual Generation</h4></div></div></div>
+<p>
+ The shared secret is simply a random sequence of bits, encoded
+ in base-64. Most ASCII strings are valid base-64 strings (assuming
+ the length is a multiple of 4 and only valid characters are used),
+ so the shared secret can be manually generated.
+ </p>
+<p>
+ Also, a known string can be run through <span><strong class="command">mmencode</strong></span> or
+ a similar program to generate base-64 encoded data.
+ </p>
</div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2573776"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
-<p>This is beyond the scope of DNS. A secure transport mechanism
-should be used. This could be secure FTP, ssh, telephone, etc.</p>
+<a name="id2571022"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
+<p>
+ This is beyond the scope of DNS. A secure transport mechanism
+ should be used. This could be secure FTP, ssh, telephone, etc.
+ </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2573784"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
-<p>Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host 2</em></span> are
-both servers. The following is added to each server's <code class="filename">named.conf</code> file:</p>
+<a name="id2571033"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
+<p>
+ Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host 2</em></span>
+ are
+ both servers. The following is added to each server's <code class="filename">named.conf</code> file:
+ </p>
<pre class="programlisting">
key host1-host2. {
algorithm hmac-md5;
secret "La/E5CjG9O+os1jq0a2jdA==";
};
</pre>
-<p>The algorithm, hmac-md5, is the only one supported by <acronym class="acronym">BIND</acronym>.
-The secret is the one generated above. Since this is a secret, it
-is recommended that either <code class="filename">named.conf</code> be non-world
-readable, or the key directive be added to a non-world readable
-file that is included by <code class="filename">named.conf</code>.</p>
-<p>At this point, the key is recognized. This means that if the
-server receives a message signed by this key, it can verify the
-signature. If the signature is successfully verified, the
-response is signed by the same key.</p>
+<p>
+ The algorithm, hmac-md5, is the only one supported by <acronym class="acronym">BIND</acronym>.
+ The secret is the one generated above. Since this is a secret, it
+ is recommended that either <code class="filename">named.conf</code> be non-world
+ readable, or the key directive be added to a non-world readable
+ file that is included by
+ <code class="filename">named.conf</code>.
+ </p>
+<p>
+ At this point, the key is recognized. This means that if the
+ server receives a message signed by this key, it can verify the
+ signature. If the signature is successfully verified, the
+ response is signed by the same key.
+ </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2573824"></a>Instructing the Server to Use the Key</h3></div></div></div>
-<p>Since keys are shared between two hosts only, the server must
-be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
-for <span class="emphasis"><em>host1</em></span>, if the IP address of <span class="emphasis"><em>host2</em></span> is
-10.1.2.3:</p>
+<a name="id2571141"></a>Instructing the Server to Use the Key</h3></div></div></div>
+<p>
+ Since keys are shared between two hosts only, the server must
+ be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
+ for <span class="emphasis"><em>host1</em></span>, if the IP address of <span class="emphasis"><em>host2</em></span> is
+ 10.1.2.3:
+ </p>
<pre class="programlisting">
server 10.1.2.3 {
keys { host1-host2. ;};
};
</pre>
-<p>Multiple keys may be present, but only the first is used.
-This directive does not contain any secrets, so it may be in a world-readable
-file.</p>
-<p>If <span class="emphasis"><em>host1</em></span> sends a message that is a request
-to that address, the message will be signed with the specified key. <span class="emphasis"><em>host1</em></span> will
-expect any responses to signed messages to be signed with the same
-key.</p>
-<p>A similar statement must be present in <span class="emphasis"><em>host2</em></span>'s
-configuration file (with <span class="emphasis"><em>host1</em></span>'s address) for <span class="emphasis"><em>host2</em></span> to
-sign request messages to <span class="emphasis"><em>host1</em></span>.</p>
+<p>
+ Multiple keys may be present, but only the first is used.
+ This directive does not contain any secrets, so it may be in a
+ world-readable
+ file.
+ </p>
+<p>
+ If <span class="emphasis"><em>host1</em></span> sends a message that is a request
+ to that address, the message will be signed with the specified key. <span class="emphasis"><em>host1</em></span> will
+ expect any responses to signed messages to be signed with the same
+ key.
+ </p>
+<p>
+ A similar statement must be present in <span class="emphasis"><em>host2</em></span>'s
+ configuration file (with <span class="emphasis"><em>host1</em></span>'s address) for <span class="emphasis"><em>host2</em></span> to
+ sign request messages to <span class="emphasis"><em>host1</em></span>.
+ </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2573876"></a>TSIG Key Based Access Control</h3></div></div></div>
-<p><acronym class="acronym">BIND</acronym> allows IP addresses and ranges to be specified in ACL
-definitions and
-<span><strong class="command">allow-{ query | transfer | update }</strong></span> directives.
-This has been extended to allow TSIG keys also. The above key would
-be denoted <span><strong class="command">key host1-host2.</strong></span></p>
-<p>An example of an allow-update directive would be:</p>
+<a name="id2571198"></a>TSIG Key Based Access Control</h3></div></div></div>
+<p>
+ <acronym class="acronym">BIND</acronym> allows IP addresses and ranges
+ to be specified in ACL
+ definitions and
+ <span><strong class="command">allow-{ query | transfer | update }</strong></span>
+ directives.
+ This has been extended to allow TSIG keys also. The above key would
+ be denoted <span><strong class="command">key host1-host2.</strong></span>
+ </p>
+<p>
+ An example of an allow-update directive would be:
+ </p>
<pre class="programlisting">
allow-update { key host1-host2. ;};
</pre>
-<p>This allows dynamic updates to succeed only if the request
- was signed by a key named
- "<span><strong class="command">host1-host2.</strong></span>".</p>
-<p>You may want to read about the more
- powerful <span><strong class="command">update-policy</strong></span> statement in <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>.</p>
+<p>
+ This allows dynamic updates to succeed only if the request
+ was signed by a key named
+ "<span><strong class="command">host1-host2.</strong></span>".
+ </p>
+<p>
+ You may want to read about the more
+ powerful <span><strong class="command">update-policy</strong></span> statement in <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>.
+ </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2573920"></a>Errors</h3></div></div></div>
-<p>The processing of TSIG signed messages can result in
- several errors. If a signed message is sent to a non-TSIG
- aware server, a FORMERR (format error) will be returned, since
- the server will not understand the record. This is a result
- of misconfiguration, since the server must be explicitly
- configured to send a TSIG signed message to a specific
- server.</p>
-<p>If a TSIG aware server receives a message signed by an
- unknown key, the response will be unsigned with the TSIG
- extended error code set to BADKEY. If a TSIG aware server
- receives a message with a signature that does not validate, the
- response will be unsigned with the TSIG extended error code set
- to BADSIG. If a TSIG aware server receives a message with a time
- outside of the allowed range, the response will be signed with
- the TSIG extended error code set to BADTIME, and the time values
- will be adjusted so that the response can be successfully
- verified. In any of these cases, the message's rcode is set to
- NOTAUTH (not authenticated).</p>
+<a name="id2571243"></a>Errors</h3></div></div></div>
+<p>
+ The processing of TSIG signed messages can result in
+ several errors. If a signed message is sent to a non-TSIG aware
+ server, a FORMERR (format error) will be returned, since the server will not
+ understand the record. This is a result of misconfiguration,
+ since the server must be explicitly configured to send a TSIG
+ signed message to a specific server.
+ </p>
+<p>
+ If a TSIG aware server receives a message signed by an
+ unknown key, the response will be unsigned with the TSIG
+ extended error code set to BADKEY. If a TSIG aware server
+ receives a message with a signature that does not validate, the
+ response will be unsigned with the TSIG extended error code set
+ to BADSIG. If a TSIG aware server receives a message with a time
+ outside of the allowed range, the response will be signed with
+ the TSIG extended error code set to BADTIME, and the time values
+ will be adjusted so that the response can be successfully
+ verified. In any of these cases, the message's rcode is set to
+ NOTAUTH (not authenticated).
+ </p>
</div>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2573933"></a>TKEY</h2></div></div></div>
-<p><span><strong class="command">TKEY</strong></span> is a mechanism for automatically
- generating a shared secret between two hosts. There are several
- "modes" of <span><strong class="command">TKEY</strong></span> that specify how the key is
- generated or assigned. <acronym class="acronym">BIND</acronym> 9
- implements only one of these modes,
- the Diffie-Hellman key exchange. Both hosts are required to have
- a Diffie-Hellman KEY record (although this record is not required
- to be present in a zone). The <span><strong class="command">TKEY</strong></span> process
- must use signed messages, signed either by TSIG or SIG(0). The
- result of <span><strong class="command">TKEY</strong></span> is a shared secret that can be
- used to sign messages with TSIG. <span><strong class="command">TKEY</strong></span> can also
- be used to delete shared secrets that it had previously
- generated.</p>
-<p>The <span><strong class="command">TKEY</strong></span> process is initiated by a client
- or server by sending a signed <span><strong class="command">TKEY</strong></span> query
- (including any appropriate KEYs) to a TKEY-aware server. The
- server response, if it indicates success, will contain a
- <span><strong class="command">TKEY</strong></span> record and any appropriate keys. After
- this exchange, both participants have enough information to
- determine the shared secret; the exact process depends on the
- <span><strong class="command">TKEY</strong></span> mode. When using the Diffie-Hellman
- <span><strong class="command">TKEY</strong></span> mode, Diffie-Hellman keys are exchanged,
- and the shared secret is derived by both participants.</p>
+<a name="id2571257"></a>TKEY</h2></div></div></div>
+<p><span><strong class="command">TKEY</strong></span>
+ is a mechanism for automatically generating a shared secret
+ between two hosts. There are several "modes" of
+ <span><strong class="command">TKEY</strong></span> that specify how the key is generated
+ or assigned. <acronym class="acronym">BIND</acronym> 9 implements only one of
+ these modes, the Diffie-Hellman key exchange. Both hosts are
+ required to have a Diffie-Hellman KEY record (although this
+ record is not required to be present in a zone). The
+ <span><strong class="command">TKEY</strong></span> process must use signed messages,
+ signed either by TSIG or SIG(0). The result of
+ <span><strong class="command">TKEY</strong></span> is a shared secret that can be used to
+ sign messages with TSIG. <span><strong class="command">TKEY</strong></span> can also be
+ used to delete shared secrets that it had previously
+ generated.
+ </p>
+<p>
+ The <span><strong class="command">TKEY</strong></span> process is initiated by a
+ client
+ or server by sending a signed <span><strong class="command">TKEY</strong></span>
+ query
+ (including any appropriate KEYs) to a TKEY-aware server. The
+ server response, if it indicates success, will contain a
+ <span><strong class="command">TKEY</strong></span> record and any appropriate keys.
+ After
+ this exchange, both participants have enough information to
+ determine the shared secret; the exact process depends on the
+ <span><strong class="command">TKEY</strong></span> mode. When using the
+ Diffie-Hellman
+ <span><strong class="command">TKEY</strong></span> mode, Diffie-Hellman keys are
+ exchanged,
+ and the shared secret is derived by both participants.
+ </p>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2573982"></a>SIG(0)</h2></div></div></div>
-<p><acronym class="acronym">BIND</acronym> 9 partially supports DNSSEC SIG(0)
- transaction signatures as specified in RFC 2535 and RFC2931. SIG(0)
- uses public/private keys to authenticate messages. Access control
- is performed in the same manner as TSIG keys; privileges can be
- granted or denied based on the key name.</p>
-<p>When a SIG(0) signed message is received, it will only be
- verified if the key is known and trusted by the server; the server
- will not attempt to locate and / or validate the key.</p>
-<p>SIG(0) signing of multiple-message TCP streams is not
- supported.</p>
-<p>The only tool shipped with <acronym class="acronym">BIND</acronym> 9 that
- generates SIG(0) signed messages is <span><strong class="command">nsupdate</strong></span>.</p>
+<a name="id2571306"></a>SIG(0)</h2></div></div></div>
+<p>
+ <acronym class="acronym">BIND</acronym> 9 partially supports DNSSEC SIG(0)
+ transaction signatures as specified in RFC 2535 and RFC2931.
+ SIG(0)
+ uses public/private keys to authenticate messages. Access control
+ is performed in the same manner as TSIG keys; privileges can be
+ granted or denied based on the key name.
+ </p>
+<p>
+ When a SIG(0) signed message is received, it will only be
+ verified if the key is known and trusted by the server; the server
+ will not attempt to locate and/or validate the key.
+ </p>
+<p>
+ SIG(0) signing of multiple-message TCP streams is not
+ supported.
+ </p>
+<p>
+ The only tool shipped with <acronym class="acronym">BIND</acronym> 9 that
+ generates SIG(0) signed messages is <span><strong class="command">nsupdate</strong></span>.
+ </p>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="DNSSEC"></a>DNSSEC</h2></div></div></div>
-<p>Cryptographic authentication of DNS information is possible
- through the DNS Security (<span class="emphasis"><em>DNSSEC-bis</em></span>)
- extensions, defined in RFC 4033, RFC4034 and RFC4035. This
- section describes the creation and use of DNSSEC signed
- zones.</p>
-<p>In order to set up a DNSSEC secure zone, there are a series
- of steps which must be followed. <acronym class="acronym">BIND</acronym> 9 ships
- with several tools
- that are used in this process, which are explained in more detail
- below. In all cases, the <code class="option">-h</code> option prints a
- full list of parameters. Note that the DNSSEC tools require the
- keyset files to be in the working directory or the
- directory specified by the <code class="option">-h</code> option, and
- that the tools shipped with BIND 9.2.x and earlier are not compatible
- with the current ones.</p>
-<p>There must also be communication with the administrators of
- the parent and/or child zone to transmit keys. A zone's security
- status must be indicated by the parent zone for a DNSSEC capable
- resolver to trust its data. This is done through the presence
- or absence of a <code class="literal">DS</code> record at the delegation
- point.</p>
-<p>For other servers to trust data in this zone, they must
- either be statically configured with this zone's zone key or the
- zone key of another zone above this one in the DNS tree.</p>
+<p>
+ Cryptographic authentication of DNS information is possible
+ through the DNS Security (<span class="emphasis"><em>DNSSEC-bis</em></span>) extensions,
+ defined in RFC 4033, RFC 4034 and RFC 4035.
+ This section describes the creation and use of DNSSEC signed zones.
+ </p>
+<p>
+ In order to set up a DNSSEC secure zone, there are a series
+ of steps which must be followed. <acronym class="acronym">BIND</acronym>
+ 9 ships
+ with several tools
+ that are used in this process, which are explained in more detail
+ below. In all cases, the <code class="option">-h</code> option prints a
+ full list of parameters. Note that the DNSSEC tools require the
+ keyset files to be in the working directory or the
+ directory specified by the <code class="option">-d</code> option, and
+ that the tools shipped with BIND 9.2.x and earlier are not compatible
+ with the current ones.
+ </p>
+<p>
+ There must also be communication with the administrators of
+ the parent and/or child zone to transmit keys. A zone's security
+ status must be indicated by the parent zone for a DNSSEC capable
+ resolver to trust its data. This is done through the presence
+ or absence of a <code class="literal">DS</code> record at the
+ delegation
+ point.
+ </p>
+<p>
+ For other servers to trust data in this zone, they must
+ either be statically configured with this zone's zone key or the
+ zone key of another zone above this one in the DNS tree.
+ </p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574049"></a>Generating Keys</h3></div></div></div>
-<p>The <span><strong class="command">dnssec-keygen</strong></span> program is used to
- generate keys.</p>
-<p>A secure zone must contain one or more zone keys. The
- zone keys will sign all other records in the zone, as well as
- the zone keys of any secure delegated zones. Zone keys must
- have the same name as the zone, a name type of
- <span><strong class="command">ZONE</strong></span>, and must be usable for authentication.
- It is recommended that zone keys use a cryptographic algorithm
- designated as "mandatory to implement" by the IETF; currently
- the only one is RSASHA1.</p>
-<p>The following command will generate a 768-bit RSASHA1 key for
- the <code class="filename">child.example</code> zone:</p>
-<p><strong class="userinput"><code>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</code></strong></p>
-<p>Two output files will be produced:
- <code class="filename">Kchild.example.+005+12345.key</code> and
- <code class="filename">Kchild.example.+005+12345.private</code> (where
- 12345 is an example of a key tag). The key file names contain
- the key name (<code class="filename">child.example.</code>), algorithm (3
- is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in this case).
- The private key (in the <code class="filename">.private</code> file) is
- used to generate signatures, and the public key (in the
- <code class="filename">.key</code> file) is used for signature
- verification.</p>
-<p>To generate another key with the same properties (but with
- a different key tag), repeat the above command.</p>
-<p>The public keys should be inserted into the zone file by
- including the <code class="filename">.key</code> files using
- <span><strong class="command">$INCLUDE</strong></span> statements.
- </p>
+<a name="id2571579"></a>Generating Keys</h3></div></div></div>
+<p>
+ The <span><strong class="command">dnssec-keygen</strong></span> program is used to
+ generate keys.
+ </p>
+<p>
+ A secure zone must contain one or more zone keys. The
+ zone keys will sign all other records in the zone, as well as
+ the zone keys of any secure delegated zones. Zone keys must
+ have the same name as the zone, a name type of
+ <span><strong class="command">ZONE</strong></span>, and must be usable for
+ authentication.
+ It is recommended that zone keys use a cryptographic algorithm
+ designated as "mandatory to implement" by the IETF; currently
+ the only one is RSASHA1.
+ </p>
+<p>
+ The following command will generate a 768-bit RSASHA1 key for
+ the <code class="filename">child.example</code> zone:
+ </p>
+<p>
+ <strong class="userinput"><code>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</code></strong>
+ </p>
+<p>
+ Two output files will be produced:
+ <code class="filename">Kchild.example.+005+12345.key</code> and
+ <code class="filename">Kchild.example.+005+12345.private</code>
+ (where
+ 12345 is an example of a key tag). The key file names contain
+ the key name (<code class="filename">child.example.</code>),
+ algorithm (3
+ is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
+ this case).
+ The private key (in the <code class="filename">.private</code>
+ file) is
+ used to generate signatures, and the public key (in the
+ <code class="filename">.key</code> file) is used for signature
+ verification.
+ </p>
+<p>
+ To generate another key with the same properties (but with
+ a different key tag), repeat the above command.
+ </p>
+<p>
+ The public keys should be inserted into the zone file by
+ including the <code class="filename">.key</code> files using
+ <span><strong class="command">$INCLUDE</strong></span> statements.
+ </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574116"></a>Signing the Zone</h3></div></div></div>
-<p>The <span><strong class="command">dnssec-signzone</strong></span> program is used to
- sign a zone.</p>
-<p>Any <code class="filename">keyset</code> files corresponding
- to secure subzones should be present. The zone signer will
- generate <code class="literal">NSEC</code> and <code class="literal">RRSIG</code>
- records for the zone, as well as <code class="literal">DS</code> for
- the child zones if <code class="literal">'-d'</code> is specified.
- If <code class="literal">'-d'</code> is not specified, then DS RRsets for
- the secure child zones need to be added manually.</p>
-<p>The following command signs the zone, assuming it is in a
- file called <code class="filename">zone.child.example</code>. By
- default, all zone keys which have an available private key are
- used to generate signatures.</p>
-<p><strong class="userinput"><code>dnssec-signzone -o child.example zone.child.example</code></strong></p>
-<p>One output file is produced:
- <code class="filename">zone.child.example.signed</code>. This file
- should be referenced by <code class="filename">named.conf</code> as the
- input file for the zone.</p>
-<p><span><strong class="command">dnssec-signzone</strong></span> will also produce a
- keyset and dsset files and optionally a dlvset file. These
- are used to provide the parent zone administators with the
- <code class="literal">DNSKEYs</code> (or their corresponding <code class="literal">DS</code>
- records) that are the secure entry point to the zone.</p>
+<a name="id2571649"></a>Signing the Zone</h3></div></div></div>
+<p>
+ The <span><strong class="command">dnssec-signzone</strong></span> program is used
+ to
+ sign a zone.
+ </p>
+<p>
+ Any <code class="filename">keyset</code> files corresponding
+ to secure subzones should be present. The zone signer will
+ generate <code class="literal">NSEC</code> and <code class="literal">RRSIG</code>
+ records for the zone, as well as <code class="literal">DS</code>
+ for
+ the child zones if <code class="literal">'-d'</code> is specified.
+ If <code class="literal">'-d'</code> is not specified, then
+ DS RRsets for
+ the secure child zones need to be added manually.
+ </p>
+<p>
+ The following command signs the zone, assuming it is in a
+ file called <code class="filename">zone.child.example</code>. By
+ default, all zone keys which have an available private key are
+ used to generate signatures.
+ </p>
+<p>
+ <strong class="userinput"><code>dnssec-signzone -o child.example zone.child.example</code></strong>
+ </p>
+<p>
+ One output file is produced:
+ <code class="filename">zone.child.example.signed</code>. This
+ file
+ should be referenced by <code class="filename">named.conf</code>
+ as the
+ input file for the zone.
+ </p>
+<p><span><strong class="command">dnssec-signzone</strong></span>
+ will also produce a keyset and dsset files and optionally a
+ dlvset file. These are used to provide the parent zone
+ administators with the <code class="literal">DNSKEYs</code> (or their
+ corresponding <code class="literal">DS</code> records) that are the
+ secure entry point to the zone.
+ </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574259"></a>Configuring Servers</h3></div></div></div>
+<a name="id2571728"></a>Configuring Servers</h3></div></div></div>
<p>
- To enable <span><strong class="command">named</strong></span> to respond appropriately
- to DNS requests from DNSSEC aware clients,
- <span><strong class="command">dnssec-enable</strong></span> must be set to yes.
- </p>
+ To enable <span><strong class="command">named</strong></span> to respond appropriately
+ to DNS requests from DNSSEC aware clients,
+ <span><strong class="command">dnssec-enable</strong></span> must be set to yes.
+ </p>
<p>
- To enable <span><strong class="command">named</strong></span> to validate answers from
- other servers <span><strong class="command">dnssec-enable</strong></span> and
- some <span><strong class="command">trusted-keys</strong></span> must be configured
- into <code class="filename">named.conf</code>.
- </p>
+ To enable <span><strong class="command">named</strong></span> to validate answers from
+ other servers both <span><strong class="command">dnssec-enable</strong></span> and
+ <span><strong class="command">dnssec-validate</strong></span> must be set and some
+ <span><strong class="command">trusted-keys</strong></span> must be configured
+ into <code class="filename">named.conf</code>.
+ </p>
+<p>
+ <span><strong class="command">trusted-keys</strong></span> are copies of DNSKEY RRs
+ for zones that are used to form the first link in the
+ cryptographic chain of trust. All keys listed in
+ <span><strong class="command">trusted-keys</strong></span> (and corresponding zones)
+ are deemed to exist and only the listed keys will be used
+ to validated the DNSKEY RRset that they are from.
+ </p>
<p>
- <span><strong class="command">trusted-keys</strong></span> are copies of DNSKEY RRs
- for zones that are used to form the first link in the
- cryptographic chain of trust. All keys listed in
- <span><strong class="command">trusted-keys</strong></span> (and corresponding zones)
- are deemed to exist and only the listed keys will be used
- to validated the DNSKEY RRset that they are from.
- </p>
-<p>
- <span><strong class="command">trusted-keys</strong></span> are described in more detail
- later in this document.
- </p>
-<p>
- Unlike <acronym class="acronym">BIND</acronym> 8, <acronym class="acronym">BIND</acronym>
- 9 does not verify signatures on load, so zone keys for
- authoritative zones do not need to be specified in the
- configuration file.
- </p>
-<p>
- After DNSSEC gets established, a typical DNSSEC configuration
- will look something like the following. It has a one or
- more public keys for the root. This allows answers from
- outside the organization to be validated. It will also
- have several keys for parts of the namespace the organization
- controls. These are here to ensure that named is immune
- to compromises in the DNSSEC components of the security
- of parent zones.
- </p>
+ <span><strong class="command">trusted-keys</strong></span> are described in more detail
+ later in this document.
+ </p>
+<p>
+ Unlike <acronym class="acronym">BIND</acronym> 8, <acronym class="acronym">BIND</acronym>
+ 9 does not verify signatures on load, so zone keys for
+ authoritative zones do not need to be specified in the
+ configuration file.
+ </p>
+<p>
+ After DNSSEC gets established, a typical DNSSEC configuration
+ will look something like the following. It has a one or
+ more public keys for the root. This allows answers from
+ outside the organization to be validated. It will also
+ have several keys for parts of the namespace the organization
+ controls. These are here to ensure that named is immune
+ to compromises in the DNSSEC components of the security
+ of parent zones.
+ </p>
<pre class="programlisting">
trusted-keys {
- /* Root Key */
+ /* Root Key */
"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
- E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
- zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
- MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
- /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
- iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
- Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
+ E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
+ zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
+ MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
+ /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
+ iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
+ Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
/* Key for our organization's forward zone */
example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
- OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
- lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
- 8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
- iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
- SCThlHf3xiYleDbt/o1OTQ09A0=";
+ OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
+ lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
+ 8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
+ iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
+ SCThlHf3xiYleDbt/o1OTQ09A0=";
/* Key for our reverse zone. */
2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
- tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
- yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
- 4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
- zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
- 7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
- 52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
+ tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
+ yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
+ 4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
+ zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
+ 7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
+ 52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
};
options {
- ...
- dnssec-enable yes;
+ ...
+ dnssec-enable yes;
+ dnssec-validation yes;
};
</pre>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
- None of the keys listed in this example are valid. In particular,
- the root key is not valid.
- </div>
+ None of the keys listed in this example are valid. In particular,
+ the root key is not valid.
+ </div>
</div>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2574396"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
-<p><acronym class="acronym">BIND</acronym> 9 fully supports all currently defined forms of IPv6
- name to address and address to name lookups. It will also use
- IPv6 addresses to make queries when running on an IPv6 capable
- system.</p>
-<p>For forward lookups, <acronym class="acronym">BIND</acronym> 9 supports only AAAA
- records. The use of A6 records is deprecated by RFC 3363, and the
- support for forward lookups in <acronym class="acronym">BIND</acronym> 9 is
- removed accordingly.
- However, authoritative <acronym class="acronym">BIND</acronym> 9 name servers still
- load zone files containing A6 records correctly, answer queries
- for A6 records, and accept zone transfer for a zone containing A6
- records.</p>
-<p>For IPv6 reverse lookups, <acronym class="acronym">BIND</acronym> 9 supports
- the traditional "nibble" format used in the
- <span class="emphasis"><em>ip6.arpa</em></span> domain, as well as the older, deprecated
- <span class="emphasis"><em>ip6.int</em></span> domain.
- <acronym class="acronym">BIND</acronym> 9 formerly
- supported the "binary label" (also known as "bitstring") format.
- The support of binary labels, however, is now completely removed
- according to the changes in RFC 3363.
- Any applications in <acronym class="acronym">BIND</acronym> 9 do not understand
- the format any more, and will return an error if given.
- In particular, an authoritative <acronym class="acronym">BIND</acronym> 9 name
- server rejects to load a zone file containing binary labels.</p>
-<p>For an overview of the format and structure of IPv6 addresses,
- see <a href="Bv9ARM.ch09.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called &#8220;IPv6 addresses (AAAA)&#8221;</a>.</p>
+<a name="id2571802"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
+<p>
+ <acronym class="acronym">BIND</acronym> 9 fully supports all currently
+ defined forms of IPv6
+ name to address and address to name lookups. It will also use
+ IPv6 addresses to make queries when running on an IPv6 capable
+ system.
+ </p>
+<p>
+ For forward lookups, <acronym class="acronym">BIND</acronym> 9 supports
+ only AAAA records. RFC 3363 deprecated the use of A6 records,
+ and client-side support for A6 records was accordingly removed
+ from <acronym class="acronym">BIND</acronym> 9.
+ However, authoritative <acronym class="acronym">BIND</acronym> 9 name servers still
+ load zone files containing A6 records correctly, answer queries
+ for A6 records, and accept zone transfer for a zone containing A6
+ records.
+ </p>
+<p>
+ For IPv6 reverse lookups, <acronym class="acronym">BIND</acronym> 9 supports
+ the traditional "nibble" format used in the
+ <span class="emphasis"><em>ip6.arpa</em></span> domain, as well as the older, deprecated
+ <span class="emphasis"><em>ip6.int</em></span> domain.
+ Older versions of <acronym class="acronym">BIND</acronym> 9
+ supported the "binary label" (also known as "bitstring") format,
+ but support of binary labels has been completely removed per
+ RFC 3363.
+ Many applications in <acronym class="acronym">BIND</acronym> 9 do not understand
+ the binary label format at all any more, and will return an
+ error if given.
+ In particular, an authoritative <acronym class="acronym">BIND</acronym> 9
+ name server will not load a zone file containing binary labels.
+ </p>
+<p>
+ For an overview of the format and structure of IPv6 addresses,
+ see <a href="Bv9ARM.ch09.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called &#8220;IPv6 addresses (AAAA)&#8221;</a>.
+ </p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574455"></a>Address Lookups Using AAAA Records</h3></div></div></div>
-<p>The AAAA record is a parallel to the IPv4 A record. It
- specifies the entire address in a single record. For
- example,</p>
+<a name="id2572001"></a>Address Lookups Using AAAA Records</h3></div></div></div>
+<p>
+ The IPv6 AAAA record is a parallel to the IPv4 A record,
+ and, unlike the deprecated A6 record, specifies the entire
+ IPv6 address in a single record. For example,
+ </p>
<pre class="programlisting">
$ORIGIN example.com.
host 3600 IN AAAA 2001:db8::1
</pre>
-<p>It is recommended that IPv4-in-IPv6 mapped addresses not
- be used. If a host has an IPv4 address, use an A record, not
- a AAAA, with <code class="literal">::ffff:192.168.42.1</code> as the
- address.</p>
+<p>
+ Use of IPv4-in-IPv6 mapped addresses is not recommended.
+ If a host has an IPv4 address, use an A record, not
+ a AAAA, with <code class="literal">::ffff:192.168.42.1</code> as
+ the address.
+ </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574475"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
-<p>When looking up an address in nibble format, the address
- components are simply reversed, just as in IPv4, and
- <code class="literal">ip6.arpa.</code> is appended to the resulting name.
- For example, the following would provide reverse name lookup for
- a host with address
- <code class="literal">2001:db8::1</code>.</p>
+<a name="id2572022"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
+<p>
+ When looking up an address in nibble format, the address
+ components are simply reversed, just as in IPv4, and
+ <code class="literal">ip6.arpa.</code> is appended to the
+ resulting name.
+ For example, the following would provide reverse name lookup for
+ a host with address
+ <code class="literal">2001:db8::1</code>.
+ </p>
<pre class="programlisting">
$ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR host.example.com.
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch05.html b/contrib/bind9/doc/arm/Bv9ARM.ch05.html
index 51abc58..7d06e91 100644
--- a/contrib/bind9/doc/arm/Bv9ARM.ch05.html
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch05.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
@@ -14,12 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch05.html,v 1.24.2.5.2.17 2006/06/29 13:02:31 marka Exp $ -->
+<!-- $Id: Bv9ARM.ch05.html,v 1.33.18.28 2007/01/30 00:23:45 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter 5. The BIND 9 Lightweight Resolver</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch04.html" title="Chapter 4. Advanced DNS Features">
@@ -45,53 +45,81 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2574507">The Lightweight Resolver Library</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572055">The Lightweight Resolver Library</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2574507"></a>The Lightweight Resolver Library</h2></div></div></div>
-<p>Traditionally applications have been linked with a stub resolver
-library that sends recursive DNS queries to a local caching name
-server.</p>
-<p>IPv6 once introduced new complexity into the resolution process,
-such as following A6 chains and DNAME records, and simultaneous
-lookup of IPv4 and IPv6 addresses. Though most of the complexity was
-then removed, these are hard or impossible
-to implement in a traditional stub resolver.</p>
-<p>Instead, <acronym class="acronym">BIND</acronym> 9 provides resolution services to local clients
-using a combination of a lightweight resolver library and a resolver
-daemon process running on the local host. These communicate using
-a simple UDP-based protocol, the "lightweight resolver protocol"
-that is distinct from and simpler than the full DNS protocol.</p>
+<a name="id2572055"></a>The Lightweight Resolver Library</h2></div></div></div>
+<p>
+ Traditionally applications have been linked with a stub resolver
+ library that sends recursive DNS queries to a local caching name
+ server.
+ </p>
+<p>
+ IPv6 once introduced new complexity into the resolution process,
+ such as following A6 chains and DNAME records, and simultaneous
+ lookup of IPv4 and IPv6 addresses. Though most of the complexity was
+ then removed, these are hard or impossible
+ to implement in a traditional stub resolver.
+ </p>
+<p>
+ <acronym class="acronym">BIND</acronym> 9 therefore can also provide resolution
+ services to local clients
+ using a combination of a lightweight resolver library and a resolver
+ daemon process running on the local host. These communicate using
+ a simple UDP-based protocol, the "lightweight resolver protocol"
+ that is distinct from and simpler than the full DNS protocol.
+ </p>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="lwresd"></a>Running a Resolver Daemon</h2></div></div></div>
-<p>To use the lightweight resolver interface, the system must
-run the resolver daemon <span><strong class="command">lwresd</strong></span> or a local
-name server configured with a <span><strong class="command">lwres</strong></span> statement.</p>
-<p>By default, applications using the lightweight resolver library will make
-UDP requests to the IPv4 loopback address (127.0.0.1) on port 921. The
-address can be overridden by <span><strong class="command">lwserver</strong></span> lines in
-<code class="filename">/etc/resolv.conf</code>.</p>
-<p>The daemon currently only looks in the DNS, but in the future
-it may use other sources such as <code class="filename">/etc/hosts</code>,
-NIS, etc.</p>
-<p>The <span><strong class="command">lwresd</strong></span> daemon is essentially a
-caching-only name server that responds to requests using the lightweight
-resolver protocol rather than the DNS protocol. Because it needs
-to run on each host, it is designed to require no or minimal configuration.
-Unless configured otherwise, it uses the name servers listed on
-<span><strong class="command">nameserver</strong></span> lines in <code class="filename">/etc/resolv.conf</code>
-as forwarders, but is also capable of doing the resolution autonomously if
-none are specified.</p>
-<p>The <span><strong class="command">lwresd</strong></span> daemon may also be configured with a
-<code class="filename">named.conf</code> style configuration file, in
-<code class="filename">/etc/lwresd.conf</code> by default. A name server may also
-be configured to act as a lightweight resolver daemon using the
-<span><strong class="command">lwres</strong></span> statement in <code class="filename">named.conf</code>.</p>
+<p>
+ To use the lightweight resolver interface, the system must
+ run the resolver daemon <span><strong class="command">lwresd</strong></span> or a
+ local
+ name server configured with a <span><strong class="command">lwres</strong></span>
+ statement.
+ </p>
+<p>
+ By default, applications using the lightweight resolver library will
+ make
+ UDP requests to the IPv4 loopback address (127.0.0.1) on port 921.
+ The
+ address can be overridden by <span><strong class="command">lwserver</strong></span>
+ lines in
+ <code class="filename">/etc/resolv.conf</code>.
+ </p>
+<p>
+ The daemon currently only looks in the DNS, but in the future
+ it may use other sources such as <code class="filename">/etc/hosts</code>,
+ NIS, etc.
+ </p>
+<p>
+ The <span><strong class="command">lwresd</strong></span> daemon is essentially a
+ caching-only name server that responds to requests using the
+ lightweight
+ resolver protocol rather than the DNS protocol. Because it needs
+ to run on each host, it is designed to require no or minimal
+ configuration.
+ Unless configured otherwise, it uses the name servers listed on
+ <span><strong class="command">nameserver</strong></span> lines in <code class="filename">/etc/resolv.conf</code>
+ as forwarders, but is also capable of doing the resolution
+ autonomously if
+ none are specified.
+ </p>
+<p>
+ The <span><strong class="command">lwresd</strong></span> daemon may also be
+ configured with a
+ <code class="filename">named.conf</code> style configuration file,
+ in
+ <code class="filename">/etc/lwresd.conf</code> by default. A name
+ server may also
+ be configured to act as a lightweight resolver daemon using the
+ <span><strong class="command">lwres</strong></span> statement in <code class="filename">named.conf</code>.
+ </p>
</div>
</div>
<div class="navfooter">
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch06.html b/contrib/bind9/doc/arm/Bv9ARM.ch06.html
index 1474685..cb17489 100644
--- a/contrib/bind9/doc/arm/Bv9ARM.ch06.html
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch06.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
@@ -14,12 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch06.html,v 1.56.2.12.2.43 2006/11/15 04:33:41 marka Exp $ -->
+<!-- $Id: Bv9ARM.ch06.html,v 1.82.18.63 2007/01/30 00:23:45 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter 6. BIND 9 Configuration Reference</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver">
@@ -48,64 +48,79 @@
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575672">Comment Syntax</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573470">Comment Syntax</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576157"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574151"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
-Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576326"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576672"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576686"><span><strong class="command">include</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576709"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576730"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576870"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577064"><span><strong class="command">logging</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578270"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578343"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578406"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578518"><span><strong class="command">masters</strong></span> Statement Definition and Usage </a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578533"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and Usage</a></span></dt>
+ Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574341"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
+ Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574770"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574785"><span><strong class="command">include</strong></span> Statement Definition and
+ Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574808"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574829"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574920"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575046"><span><strong class="command">logging</strong></span> Statement Definition and
+ Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576396"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576470"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576534"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576578"><span><strong class="command">masters</strong></span> Statement Definition and
+ Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576593"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
+ Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586290"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586338"><span><strong class="command">trusted-keys</strong></span> Statement Definition
- and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
+ Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585018"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585136"><span><strong class="command">trusted-keys</strong></span> Statement Definition
+ and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586420"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585216"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
-Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587635"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
+ Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586586"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2589173">Zone File</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2588846">Zone File</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590605">Discussion of MX Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590800">Discussion of MX Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591102">Inverse Mapping in IPv4</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591208">Other Zone File Directives</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591377"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591419">Inverse Mapping in IPv4</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591546">Other Zone File Directives</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591803"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
</dl></dd>
</dl>
</div>
-<p><acronym class="acronym">BIND</acronym> 9 configuration is broadly similar
-to <acronym class="acronym">BIND</acronym> 8; however, there are a few new areas
-of configuration, such as views. <acronym class="acronym">BIND</acronym>
-8 configuration files should work with few alterations in <acronym class="acronym">BIND</acronym>
-9, although more complex configurations should be reviewed to check
-if they can be more efficiently implemented using the new features
-found in <acronym class="acronym">BIND</acronym> 9.</p>
-<p><acronym class="acronym">BIND</acronym> 4 configuration files can be converted to the new format
-using the shell script
-<code class="filename">contrib/named-bootconf/named-bootconf.sh</code>.</p>
+<p>
+ <acronym class="acronym">BIND</acronym> 9 configuration is broadly similar
+ to <acronym class="acronym">BIND</acronym> 8; however, there are a few new
+ areas
+ of configuration, such as views. <acronym class="acronym">BIND</acronym>
+ 8 configuration files should work with few alterations in <acronym class="acronym">BIND</acronym>
+ 9, although more complex configurations should be reviewed to check
+ if they can be more efficiently implemented using the new features
+ found in <acronym class="acronym">BIND</acronym> 9.
+ </p>
+<p>
+ <acronym class="acronym">BIND</acronym> 4 configuration files can be
+ converted to the new format
+ using the shell script
+ <code class="filename">contrib/named-bootconf/named-bootconf.sh</code>.
+ </p>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div>
-<p>Following is a list of elements used throughout the <acronym class="acronym">BIND</acronym> configuration
-file documentation:</p>
+<p>
+ Following is a list of elements used throughout the <acronym class="acronym">BIND</acronym> configuration
+ file documentation:
+ </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -113,129 +128,298 @@ file documentation:</p>
</colgroup>
<tbody>
<tr>
-<td><p><code class="varname">acl_name</code></p></td>
-<td><p>The name of an <code class="varname">address_match_list</code> as
-defined by the <span><strong class="command">acl</strong></span> statement.</p></td>
+<td>
+ <p>
+ <code class="varname">acl_name</code>
+ </p>
+ </td>
+<td>
+ <p>
+ The name of an <code class="varname">address_match_list</code> as
+ defined by the <span><strong class="command">acl</strong></span> statement.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">address_match_list</code></p></td>
-<td><p>A list of one or more <code class="varname">ip_addr</code>,
-<code class="varname">ip_prefix</code>, <code class="varname">key_id</code>,
-or <code class="varname">acl_name</code> elements, see
-<a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called &#8220;Address Match Lists&#8221;</a>.</p></td>
+<td>
+ <p>
+ <code class="varname">address_match_list</code>
+ </p>
+ </td>
+<td>
+ <p>
+ A list of one or more
+ <code class="varname">ip_addr</code>,
+ <code class="varname">ip_prefix</code>, <code class="varname">key_id</code>,
+ or <code class="varname">acl_name</code> elements, see
+ <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called &#8220;Address Match Lists&#8221;</a>.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">domain_name</code></p></td>
-<td><p>A quoted string which will be used as
-a DNS name, for example "<code class="literal">my.test.domain</code>".</p></td>
+<td>
+ <p>
+ <code class="varname">masters_list</code>
+ </p>
+ </td>
+<td>
+ <p>
+ A named list of one or more <code class="varname">ip_addr</code>
+ with optional <code class="varname">key_id</code> and/or
+ <code class="varname">ip_port</code>.
+ A <code class="varname">masters_list</code> may include other
+ <code class="varname">masters_lists</code>.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">dotted_decimal</code></p></td>
-<td><p>One to four integers valued 0 through
-255 separated by dots (`.'), such as <span><strong class="command">123</strong></span>,
-<span><strong class="command">45.67</strong></span> or <span><strong class="command">89.123.45.67</strong></span>.</p></td>
+<td>
+ <p>
+ <code class="varname">domain_name</code>
+ </p>
+ </td>
+<td>
+ <p>
+ A quoted string which will be used as
+ a DNS name, for example "<code class="literal">my.test.domain</code>".
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">ip4_addr</code></p></td>
-<td><p>An IPv4 address with exactly four elements
-in <code class="varname">dotted_decimal</code> notation.</p></td>
+<td>
+ <p>
+ <code class="varname">dotted_decimal</code>
+ </p>
+ </td>
+<td>
+ <p>
+ One to four integers valued 0 through
+ 255 separated by dots (`.'), such as <span><strong class="command">123</strong></span>,
+ <span><strong class="command">45.67</strong></span> or <span><strong class="command">89.123.45.67</strong></span>.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">ip6_addr</code></p></td>
-<td><p>An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>.
-IPv6 scoped addresses that have ambiguity on their scope zones must be
-disambiguated by an appropriate zone ID with the percent character
-(`%') as delimiter.
-It is strongly recommended to use string zone names rather than
-numeric identifiers, in order to be robust against system
-configuration changes.
-However, since there is no standard mapping for such names and
-identifier values, currently only interface names as link identifiers
-are supported, assuming one-to-one mapping between interfaces and links.
-For example, a link-local address <span><strong class="command">fe80::1</strong></span> on the
-link attached to the interface <span><strong class="command">ne0</strong></span>
-can be specified as <span><strong class="command">fe80::1%ne0</strong></span>.
-Note that on most systems link-local addresses always have the
-ambiguity, and need to be disambiguated.</p></td>
+<td>
+ <p>
+ <code class="varname">ip4_addr</code>
+ </p>
+ </td>
+<td>
+ <p>
+ An IPv4 address with exactly four elements
+ in <code class="varname">dotted_decimal</code> notation.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">ip_addr</code></p></td>
-<td><p>An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>.</p></td>
+<td>
+ <p>
+ <code class="varname">ip6_addr</code>
+ </p>
+ </td>
+<td>
+ <p>
+ An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>.
+ IPv6 scoped addresses that have ambiguity on their scope
+ zones must be
+ disambiguated by an appropriate zone ID with the percent
+ character
+ (`%') as delimiter.
+ It is strongly recommended to use string zone names rather
+ than
+ numeric identifiers, in order to be robust against system
+ configuration changes.
+ However, since there is no standard mapping for such names
+ and
+ identifier values, currently only interface names as link
+ identifiers
+ are supported, assuming one-to-one mapping between
+ interfaces and links.
+ For example, a link-local address <span><strong class="command">fe80::1</strong></span> on the
+ link attached to the interface <span><strong class="command">ne0</strong></span>
+ can be specified as <span><strong class="command">fe80::1%ne0</strong></span>.
+ Note that on most systems link-local addresses always have
+ the
+ ambiguity, and need to be disambiguated.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">ip_port</code></p></td>
-<td><p>An IP port <code class="varname">number</code>.
-<code class="varname">number</code> is limited to 0 through 65535, with values
-below 1024 typically restricted to use by processes running as root.
-In some cases, an asterisk (`*') character can be used as a placeholder to
-select a random high-numbered port.</p></td>
+<td>
+ <p>
+ <code class="varname">ip_addr</code>
+ </p>
+ </td>
+<td>
+ <p>
+ An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">ip_prefix</code></p></td>
-<td><p>An IP network specified as an <code class="varname">ip_addr</code>,
-followed by a slash (`/') and then the number of bits in the netmask.
-Trailing zeros in a <code class="varname">ip_addr</code> may omitted.
-For example, <span><strong class="command">127/8</strong></span> is the network <span><strong class="command">127.0.0.0</strong></span> with
-netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is
-network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>.</p></td>
+<td>
+ <p>
+ <code class="varname">ip_port</code>
+ </p>
+ </td>
+<td>
+ <p>
+ An IP port <code class="varname">number</code>.
+ <code class="varname">number</code> is limited to 0
+ through 65535, with values
+ below 1024 typically restricted to use by processes running
+ as root.
+ In some cases, an asterisk (`*') character can be used as a
+ placeholder to
+ select a random high-numbered port.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p>
+ <code class="varname">ip_prefix</code>
+ </p>
+ </td>
+<td>
+ <p>
+ An IP network specified as an <code class="varname">ip_addr</code>,
+ followed by a slash (`/') and then the number of bits in the
+ netmask.
+ Trailing zeros in a <code class="varname">ip_addr</code>
+ may omitted.
+ For example, <span><strong class="command">127/8</strong></span> is the
+ network <span><strong class="command">127.0.0.0</strong></span> with
+ netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is
+ network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">key_id</code></p></td>
-<td><p>A <code class="varname">domain_name</code> representing
-the name of a shared key, to be used for transaction security.</p></td>
+<td>
+ <p>
+ <code class="varname">key_id</code>
+ </p>
+ </td>
+<td>
+ <p>
+ A <code class="varname">domain_name</code> representing
+ the name of a shared key, to be used for transaction
+ security.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">key_list</code></p></td>
-<td><p>A list of one or more <code class="varname">key_id</code>s,
-separated by semicolons and ending with a semicolon.</p></td>
+<td>
+ <p>
+ <code class="varname">key_list</code>
+ </p>
+ </td>
+<td>
+ <p>
+ A list of one or more
+ <code class="varname">key_id</code>s,
+ separated by semicolons and ending with a semicolon.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">number</code></p></td>
-<td><p>A non-negative 32-bit integer
-(i.e., a number between 0 and 4294967295, inclusive).
-Its acceptable value might further
-be limited by the context in which it is used.</p></td>
+<td>
+ <p>
+ <code class="varname">number</code>
+ </p>
+ </td>
+<td>
+ <p>
+ A non-negative 32-bit integer
+ (i.e., a number between 0 and 4294967295, inclusive).
+ Its acceptable value might further
+ be limited by the context in which it is used.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">path_name</code></p></td>
-<td><p>A quoted string which will be used as
-a pathname, such as <code class="filename">zones/master/my.test.domain</code>.</p></td>
+<td>
+ <p>
+ <code class="varname">path_name</code>
+ </p>
+ </td>
+<td>
+ <p>
+ A quoted string which will be used as
+ a pathname, such as <code class="filename">zones/master/my.test.domain</code>.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">size_spec</code></p></td>
<td>
-<p>A number, the word <strong class="userinput"><code>unlimited</code></strong>,
-or the word <strong class="userinput"><code>default</code></strong>.</p>
-<p>
-An <code class="varname">unlimited</code> <code class="varname">size_spec</code> requests unlimited
-use, or the maximum available amount. A <code class="varname">default size_spec</code> uses
-the limit that was in force when the server was started.</p>
-<p>A <code class="varname">number</code> can
-optionally be followed by a scaling factor: <strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong> for
-kilobytes, <strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong> for
-megabytes, and <strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong> for gigabytes,
-which scale by 1024, 1024*1024, and 1024*1024*1024 respectively.</p>
-<p>The value must be representable as a 64-bit unsigned integer
-(0 to 18446744073709551615, inclusive).
-Using <code class="varname">unlimited</code> is the best way
-to safely set a really large number.</p>
-</td>
+ <p>
+ <code class="varname">size_spec</code>
+ </p>
+ </td>
+<td>
+ <p>
+ A number, the word <strong class="userinput"><code>unlimited</code></strong>,
+ or the word <strong class="userinput"><code>default</code></strong>.
+ </p>
+ <p>
+ An <code class="varname">unlimited</code> <code class="varname">size_spec</code> requests unlimited
+ use, or the maximum available amount. A <code class="varname">default size_spec</code> uses
+ the limit that was in force when the server was started.
+ </p>
+ <p>
+ A <code class="varname">number</code> can optionally be
+ followed by a scaling factor:
+ <strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong>
+ for kilobytes,
+ <strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong>
+ for megabytes, and
+ <strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong> for gigabytes,
+ which scale by 1024, 1024*1024, and 1024*1024*1024
+ respectively.
+ </p>
+ <p>
+ The value must be representable as a 64-bit unsigned integer
+ (0 to 18446744073709551615, inclusive).
+ Using <code class="varname">unlimited</code> is the best
+ way
+ to safely set a really large number.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">yes_or_no</code></p></td>
-<td><p>Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>.
-The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are
-also accepted, as are the numbers <strong class="userinput"><code>1</code></strong> and <strong class="userinput"><code>0</code></strong>.</p></td>
+<td>
+ <p>
+ <code class="varname">yes_or_no</code>
+ </p>
+ </td>
+<td>
+ <p>
+ Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>.
+ The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are
+ also accepted, as are the numbers <strong class="userinput"><code>1</code></strong>
+ and <strong class="userinput"><code>0</code></strong>.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">dialup_option</code></p></td>
-<td><p>One of <strong class="userinput"><code>yes</code></strong>,
-<strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>,
-<strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or
-<strong class="userinput"><code>passive</code></strong>.
-When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>,
-<strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong>
-are restricted to slave and stub zones.</p></td>
+<td>
+ <p>
+ <code class="varname">dialup_option</code>
+ </p>
+ </td>
+<td>
+ <p>
+ One of <strong class="userinput"><code>yes</code></strong>,
+ <strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>,
+ <strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or
+ <strong class="userinput"><code>passive</code></strong>.
+ When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>,
+ <strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong>
+ are restricted to slave and stub zones.
+ </p>
+ </td>
</tr>
</tbody>
</table></div>
@@ -244,7 +428,7 @@ are restricted to slave and stub zones.</p></td>
<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2575552"></a>Syntax</h4></div></div></div>
+<a name="id2573336"></a>Syntax</h4></div></div></div>
<pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
[<span class="optional"> address_match_list_element; ... </span>]
<code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
@@ -253,115 +437,181 @@ are restricted to slave and stub zones.</p></td>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2575578"></a>Definition and Usage</h4></div></div></div>
-<p>Address match lists are primarily used to determine access
-control for various server operations. They are also used in
-the <span><strong class="command">listen-on</strong></span> and <span><strong class="command">sortlist</strong></span>
-statements. The elements
-which constitute an address match list can be any of the following:</p>
+<a name="id2573364"></a>Definition and Usage</h4></div></div></div>
+<p>
+ Address match lists are primarily used to determine access
+ control for various server operations. They are also used in
+ the <span><strong class="command">listen-on</strong></span> and <span><strong class="command">sortlist</strong></span>
+ statements. The elements
+ which constitute an address match list can be any of the
+ following:
+ </p>
<div class="itemizedlist"><ul type="disc">
<li>an IP address (IPv4 or IPv6)</li>
<li>an IP prefix (in `/' notation)</li>
-<li>a key ID, as defined by the <span><strong class="command">key</strong></span> statement</li>
+<li>
+ a key ID, as defined by the <span><strong class="command">key</strong></span>
+ statement
+ </li>
<li>the name of an address match list defined with
-the <span><strong class="command">acl</strong></span> statement</li>
+ the <span><strong class="command">acl</strong></span> statement
+ </li>
<li>a nested address match list enclosed in braces</li>
</ul></div>
-<p>Elements can be negated with a leading exclamation mark (`!'),
-and the match list names "any", "none", "localhost", and "localnets"
-are predefined. More information on those names can be found in
-the description of the acl statement.</p>
-<p>The addition of the key clause made the name of this syntactic
-element something of a misnomer, since security keys can be used
-to validate access without regard to a host or network address. Nonetheless,
-the term "address match list" is still used throughout the documentation.</p>
-<p>When a given IP address or prefix is compared to an address
-match list, the list is traversed in order until an element matches.
-The interpretation of a match depends on whether the list is being used
-for access control, defining listen-on ports, or in a sortlist,
-and whether the element was negated.</p>
-<p>When used as an access control list, a non-negated match allows
-access and a negated match denies access. If there is no match,
-access is denied. The clauses <span><strong class="command">allow-notify</strong></span>,
-<span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
-<span><strong class="command">allow-update</strong></span>, <span><strong class="command">allow-update-forwarding</strong></span>,
-and <span><strong class="command">blackhole</strong></span> all
-use address match lists this. Similarly, the listen-on option will cause
-the server to not accept queries on any of the machine's addresses
-which do not match the list.</p>
-<p>Because of the first-match aspect of the algorithm, an element
-that defines a subset of another element in the list should come
-before the broader element, regardless of whether either is negated. For
-example, in
-<span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span> the 1.2.3.13 element is
-completely useless because the algorithm will match any lookup for
-1.2.3.13 to the 1.2.3/24 element.
-Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes
-that problem by having 1.2.3.13 blocked by the negation but all
-other 1.2.3.* hosts fall through.</p>
+<p>
+ Elements can be negated with a leading exclamation mark (`!'),
+ and the match list names "any", "none", "localhost", and
+ "localnets"
+ are predefined. More information on those names can be found in
+ the description of the acl statement.
+ </p>
+<p>
+ The addition of the key clause made the name of this syntactic
+ element something of a misnomer, since security keys can be used
+ to validate access without regard to a host or network address.
+ Nonetheless,
+ the term "address match list" is still used throughout the
+ documentation.
+ </p>
+<p>
+ When a given IP address or prefix is compared to an address
+ match list, the list is traversed in order until an element
+ matches.
+ The interpretation of a match depends on whether the list is being
+ used
+ for access control, defining listen-on ports, or in a sortlist,
+ and whether the element was negated.
+ </p>
+<p>
+ When used as an access control list, a non-negated match
+ allows access and a negated match denies access. If
+ there is no match, access is denied. The clauses
+ <span><strong class="command">allow-notify</strong></span>,
+ <span><strong class="command">allow-query</strong></span>,
+ <span><strong class="command">allow-query-cache</strong></span>,
+ <span><strong class="command">allow-transfer</strong></span>,
+ <span><strong class="command">allow-update</strong></span>,
+ <span><strong class="command">allow-update-forwarding</strong></span>, and
+ <span><strong class="command">blackhole</strong></span> all use address match
+ lists. Similarly, the listen-on option will cause the
+ server to not accept queries on any of the machine's
+ addresses which do not match the list.
+ </p>
+<p>
+ Because of the first-match aspect of the algorithm, an element
+ that defines a subset of another element in the list should come
+ before the broader element, regardless of whether either is
+ negated. For
+ example, in
+ <span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span> the 1.2.3.13
+ element is
+ completely useless because the algorithm will match any lookup for
+ 1.2.3.13 to the 1.2.3/24 element.
+ Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes
+ that problem by having 1.2.3.13 blocked by the negation but all
+ other 1.2.3.* hosts fall through.
+ </p>
</div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2575672"></a>Comment Syntax</h3></div></div></div>
-<p>The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for comments to appear
-anywhere that white space may appear in a <acronym class="acronym">BIND</acronym> configuration
-file. To appeal to programmers of all kinds, they can be written
-in the C, C++, or shell/perl style.</p>
+<a name="id2573470"></a>Comment Syntax</h3></div></div></div>
+<p>
+ The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
+ comments to appear
+ anywhere that white space may appear in a <acronym class="acronym">BIND</acronym> configuration
+ file. To appeal to programmers of all kinds, they can be written
+ in the C, C++, or shell/perl style.
+ </p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2575687"></a>Syntax</h4></div></div></div>
+<a name="id2573485"></a>Syntax</h4></div></div></div>
+<p>
+ </p>
<pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
<p>
-</p>
+ </p>
<pre class="programlisting">// This is a <acronym class="acronym">BIND</acronym> comment as in C++</pre>
<p>
-</p>
+ </p>
<pre class="programlisting"># This is a <acronym class="acronym">BIND</acronym> comment as in common UNIX shells and perl</pre>
<p>
- </p>
+ </p>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2575716"></a>Definition and Usage</h4></div></div></div>
-<p>Comments may appear anywhere that white space may appear in
-a <acronym class="acronym">BIND</acronym> configuration file.</p>
-<p>C-style comments start with the two characters /* (slash,
-star) and end with */ (star, slash). Because they are completely
-delimited with these characters, they can be used to comment only
-a portion of a line or to span multiple lines.</p>
-<p>C-style comments cannot be nested. For example, the following
-is not valid because the entire comment ends with the first */:</p>
+<a name="id2573515"></a>Definition and Usage</h4></div></div></div>
+<p>
+ Comments may appear anywhere that white space may appear in
+ a <acronym class="acronym">BIND</acronym> configuration file.
+ </p>
+<p>
+ C-style comments start with the two characters /* (slash,
+ star) and end with */ (star, slash). Because they are completely
+ delimited with these characters, they can be used to comment only
+ a portion of a line or to span multiple lines.
+ </p>
+<p>
+ C-style comments cannot be nested. For example, the following
+ is not valid because the entire comment ends with the first */:
+ </p>
+<p>
+
+</p>
<pre class="programlisting">/* This is the start of a comment.
This is still part of the comment.
/* This is an incorrect attempt at nesting a comment. */
This is no longer in any comment. */
</pre>
-<p>C++-style comments start with the two characters // (slash,
-slash) and continue to the end of the physical line. They cannot
-be continued across multiple physical lines; to have one logical
-comment span multiple lines, each line must use the // pair.</p>
-<p>For example:</p>
+<p>
+
+ </p>
+<p>
+ C++-style comments start with the two characters // (slash,
+ slash) and continue to the end of the physical line. They cannot
+ be continued across multiple physical lines; to have one logical
+ comment span multiple lines, each line must use the // pair.
+ </p>
+<p>
+ For example:
+ </p>
+<p>
+
+</p>
<pre class="programlisting">// This is the start of a comment. The next line
// is a new comment, even though it is logically
// part of the previous comment.
</pre>
-<p>Shell-style (or perl-style, if you prefer) comments start
-with the character <code class="literal">#</code> (number sign) and continue to the end of the
-physical line, as in C++ comments.</p>
-<p>For example:</p>
+<p>
+
+ </p>
+<p>
+ Shell-style (or perl-style, if you prefer) comments start
+ with the character <code class="literal">#</code> (number sign)
+ and continue to the end of the
+ physical line, as in C++ comments.
+ </p>
+<p>
+ For example:
+ </p>
+<p>
+
+</p>
<pre class="programlisting"># This is the start of a comment. The next line
# is a new comment, even though it is logically
# part of the previous comment.
</pre>
<p>
-</p>
+
+ </p>
<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Warning</h3>
-<p>You cannot use the semicolon (`;') character
- to start a comment such as you would in a zone file. The
- semicolon indicates the end of a configuration
- statement.</p>
+<p>
+ You cannot use the semicolon (`;') character
+ to start a comment such as you would in a zone file. The
+ semicolon indicates the end of a configuration
+ statement.
+ </p>
</div>
</div>
</div>
@@ -369,12 +619,17 @@ physical line, as in C++ comments.</p>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div>
-<p>A <acronym class="acronym">BIND</acronym> 9 configuration consists of statements and comments.
- Statements end with a semicolon. Statements and comments are the
- only elements that can appear without enclosing braces. Many
- statements contain a block of sub-statements, which are also
- terminated with a semicolon.</p>
-<p>The following statements are supported:</p>
+<p>
+ A <acronym class="acronym">BIND</acronym> 9 configuration consists of
+ statements and comments.
+ Statements end with a semicolon. Statements and comments are the
+ only elements that can appear without enclosing braces. Many
+ statements contain a block of sub-statements, which are also
+ terminated with a semicolon.
+ </p>
+<p>
+ The following statements are supported:
+ </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -382,85 +637,167 @@ physical line, as in C++ comments.</p>
</colgroup>
<tbody>
<tr>
-<td><p><span><strong class="command">acl</strong></span></p></td>
-<td><p>defines a named IP address
-matching list, for access control and other uses.</p></td>
+<td>
+ <p><span><strong class="command">acl</strong></span></p>
+ </td>
+<td>
+ <p>
+ defines a named IP address
+ matching list, for access control and other uses.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">controls</strong></span></p></td>
-<td><p>declares control channels to be used
-by the <span><strong class="command">rndc</strong></span> utility.</p></td>
+<td>
+ <p><span><strong class="command">controls</strong></span></p>
+ </td>
+<td>
+ <p>
+ declares control channels to be used
+ by the <span><strong class="command">rndc</strong></span> utility.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">include</strong></span></p></td>
-<td><p>includes a file.</p></td>
+<td>
+ <p><span><strong class="command">include</strong></span></p>
+ </td>
+<td>
+ <p>
+ includes a file.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">key</strong></span></p></td>
-<td><p>specifies key information for use in
-authentication and authorization using TSIG.</p></td>
+<td>
+ <p><span><strong class="command">key</strong></span></p>
+ </td>
+<td>
+ <p>
+ specifies key information for use in
+ authentication and authorization using TSIG.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">logging</strong></span></p></td>
-<td><p>specifies what the server logs, and where
-the log messages are sent.</p></td>
+<td>
+ <p><span><strong class="command">logging</strong></span></p>
+ </td>
+<td>
+ <p>
+ specifies what the server logs, and where
+ the log messages are sent.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">lwres</strong></span></p></td>
-<td><p>configures <span><strong class="command">named</strong></span> to
-also act as a light-weight resolver daemon (<span><strong class="command">lwresd</strong></span>).</p></td>
+<td>
+ <p><span><strong class="command">lwres</strong></span></p>
+ </td>
+<td>
+ <p>
+ configures <span><strong class="command">named</strong></span> to
+ also act as a light-weight resolver daemon (<span><strong class="command">lwresd</strong></span>).
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">masters</strong></span></p></td>
-<td><p>defines a named masters list for
-inclusion in stub and slave zone masters clauses.</p></td>
+<td>
+ <p><span><strong class="command">masters</strong></span></p>
+ </td>
+<td>
+ <p>
+ defines a named masters list for
+ inclusion in stub and slave zone masters clauses.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">options</strong></span></p></td>
-<td><p>controls global server configuration
-options and sets defaults for other statements.</p></td>
+<td>
+ <p><span><strong class="command">options</strong></span></p>
+ </td>
+<td>
+ <p>
+ controls global server configuration
+ options and sets defaults for other statements.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">server</strong></span></p></td>
-<td><p>sets certain configuration options on
-a per-server basis.</p></td>
+<td>
+ <p><span><strong class="command">server</strong></span></p>
+ </td>
+<td>
+ <p>
+ sets certain configuration options on
+ a per-server basis.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">trusted-keys</strong></span></p></td>
-<td><p>defines trusted DNSSEC keys.</p></td>
+<td>
+ <p><span><strong class="command">trusted-keys</strong></span></p>
+ </td>
+<td>
+ <p>
+ defines trusted DNSSEC keys.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">view</strong></span></p></td>
-<td><p>defines a view.</p></td>
+<td>
+ <p><span><strong class="command">view</strong></span></p>
+ </td>
+<td>
+ <p>
+ defines a view.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">zone</strong></span></p></td>
-<td><p>defines a zone.</p></td>
+<td>
+ <p><span><strong class="command">zone</strong></span></p>
+ </td>
+<td>
+ <p>
+ defines a zone.
+ </p>
+ </td>
</tr>
</tbody>
</table></div>
-<p>The <span><strong class="command">logging</strong></span> and
- <span><strong class="command">options</strong></span> statements may only occur once per
- configuration.</p>
+<p>
+ The <span><strong class="command">logging</strong></span> and
+ <span><strong class="command">options</strong></span> statements may only occur once
+ per
+ configuration.
+ </p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2576157"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
- address_match_list
+<a name="id2574151"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
+<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
+ address_match_list
};
</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="acl"></a><span><strong class="command">acl</strong></span> Statement Definition and
-Usage</h3></div></div></div>
-<p>The <span><strong class="command">acl</strong></span> statement assigns a symbolic
- name to an address match list. It gets its name from a primary
- use of address match lists: Access Control Lists (ACLs).</p>
-<p>Note that an address match list's name must be defined
- with <span><strong class="command">acl</strong></span> before it can be used elsewhere; no
- forward references are allowed.</p>
-<p>The following ACLs are built-in:</p>
+ Usage</h3></div></div></div>
+<p>
+ The <span><strong class="command">acl</strong></span> statement assigns a symbolic
+ name to an address match list. It gets its name from a primary
+ use of address match lists: Access Control Lists (ACLs).
+ </p>
+<p>
+ Note that an address match list's name must be defined
+ with <span><strong class="command">acl</strong></span> before it can be used
+ elsewhere; no
+ forward references are allowed.
+ </p>
+<p>
+ The following ACLs are built-in:
+ </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -468,155 +805,201 @@ Usage</h3></div></div></div>
</colgroup>
<tbody>
<tr>
-<td><p><span><strong class="command">any</strong></span></p></td>
-<td><p>Matches all hosts.</p></td>
+<td>
+ <p><span><strong class="command">any</strong></span></p>
+ </td>
+<td>
+ <p>
+ Matches all hosts.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">none</strong></span></p></td>
-<td><p>Matches no hosts.</p></td>
+<td>
+ <p><span><strong class="command">none</strong></span></p>
+ </td>
+<td>
+ <p>
+ Matches no hosts.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">localhost</strong></span></p></td>
-<td><p>Matches the IPv4 and IPv6 addresses of all network
-interfaces on the system.</p></td>
+<td>
+ <p><span><strong class="command">localhost</strong></span></p>
+ </td>
+<td>
+ <p>
+ Matches the IPv4 and IPv6 addresses of all network
+ interfaces on the system.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">localnets</strong></span></p></td>
-<td><p>Matches any host on an IPv4 or IPv6 network
-for which the system has an interface.
-Some systems do not provide a way to determine the prefix lengths of
-local IPv6 addresses.
-In such a case, <span><strong class="command">localnets</strong></span> only matches the local
-IPv6 addresses, just like <span><strong class="command">localhost</strong></span>.
-</p></td>
+<td>
+ <p><span><strong class="command">localnets</strong></span></p>
+ </td>
+<td>
+ <p>
+ Matches any host on an IPv4 or IPv6 network
+ for which the system has an interface.
+ Some systems do not provide a way to determine the prefix
+ lengths of
+ local IPv6 addresses.
+ In such a case, <span><strong class="command">localnets</strong></span>
+ only matches the local
+ IPv6 addresses, just like <span><strong class="command">localhost</strong></span>.
+ </p>
+ </td>
</tr>
</tbody>
</table></div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2576326"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2574341"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">controls</strong></span> {
- inet ( ip_addr | * ) [<span class="optional"> port ip_port </span>] allow { <em class="replaceable"><code> address_match_list </code></em> }
- keys { <em class="replaceable"><code> key_list </code></em> };
- [<span class="optional"> inet ...; </span>]
+ [ inet ( ip_addr | * ) [ port ip_port ] allow { <em class="replaceable"><code> address_match_list </code></em> }
+ keys { <em class="replaceable"><code>key_list</code></em> }; ]
+ [ inet ...; ]
+ [ unix <em class="replaceable"><code>path</code></em> perm <em class="replaceable"><code>number</code></em> owner <em class="replaceable"><code>number</code></em> group <em class="replaceable"><code>number</code></em> keys { <em class="replaceable"><code>key_list</code></em> }; ]
+ [ unix ...; ]
};
</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="controls_statement_definition_and_usage"></a><span><strong class="command">controls</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">controls</strong></span> statement declares control
- channels to be used by system administrators to control the
- operation of the name server. These control channels are
- used by the <span><strong class="command">rndc</strong></span> utility to send commands to
- and retrieve non-DNS results from a name server.</p>
-<p>An <span><strong class="command">inet</strong></span> control channel is a TCP
- socket listening at the specified
- <span><strong class="command">ip_port</strong></span> on the specified
- <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
- address. An <span><strong class="command">ip_addr</strong></span>
- of <code class="literal">*</code> (asterisk) is interpreted as the IPv4 wildcard
- address; connections will be accepted on any of the system's
- IPv4 addresses. To listen on the IPv6 wildcard address,
- use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
- If you will only use <span><strong class="command">rndc</strong></span> on the local host,
- using the loopback address (<code class="literal">127.0.0.1</code>
- or <code class="literal">::1</code>) is recommended for maximum
- security.
- </p>
+<a name="controls_statement_definition_and_usage"></a><span><strong class="command">controls</strong></span> Statement Definition and
+ Usage</h3></div></div></div>
<p>
- If no port is specified, port 953
- is used. The asterisk "<code class="literal">*</code>" cannot be used for
- <span><strong class="command">ip_port</strong></span>.</p>
-<p>The ability to issue commands over the control channel is
- restricted by the <span><strong class="command">allow</strong></span> and
- <span><strong class="command">keys</strong></span> clauses. Connections to the control
- channel are permitted based on the
- <span><strong class="command">address_match_list</strong></span>. This is for simple
- IP address based filtering only; any <span><strong class="command">key_id</strong></span>
- elements of the <span><strong class="command">address_match_list</strong></span> are
- ignored.
- </p>
-<p>The primary authorization mechanism of the command
- channel is the <span><strong class="command">key_list</strong></span>, which contains
- a list of <span><strong class="command">key_id</strong></span>s.
- Each <span><strong class="command">key_id</strong></span> in
- the <span><strong class="command">key_list</strong></span> is authorized to execute
- commands over the control channel.
- See <a href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in
- <a href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called &#8220;Administrative Tools&#8221;</a>) for information about
- configuring keys in <span><strong class="command">rndc</strong></span>.</p>
-<p>
-If no <span><strong class="command">controls</strong></span> statement is present,
-<span><strong class="command">named</strong></span> will set up a default
-control channel listening on the loopback address 127.0.0.1
-and its IPv6 counterpart ::1.
-In this case, and also when the <span><strong class="command">controls</strong></span> statement
-is present but does not have a <span><strong class="command">keys</strong></span> clause,
-<span><strong class="command">named</strong></span> will attempt to load the command channel key
-from the file <code class="filename">rndc.key</code> in
-<code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code>
-was specified as when <acronym class="acronym">BIND</acronym> was built).
-To create a <code class="filename">rndc.key</code> file, run
-<strong class="userinput"><code>rndc-confgen -a</code></strong>.
-</p>
-<p>The <code class="filename">rndc.key</code> feature was created to
- ease the transition of systems from <acronym class="acronym">BIND</acronym> 8,
- which did not have digital signatures on its command channel messages
- and thus did not have a <span><strong class="command">keys</strong></span> clause.
+ The <span><strong class="command">controls</strong></span> statement declares control
+ channels to be used by system administrators to control the
+ operation of the name server. These control channels are
+ used by the <span><strong class="command">rndc</strong></span> utility to send
+ commands to and retrieve non-DNS results from a name server.
+ </p>
+<p>
+ An <span><strong class="command">inet</strong></span> control channel is a TCP socket
+ listening at the specified <span><strong class="command">ip_port</strong></span> on the
+ specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
+ address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
+ interpreted as the IPv4 wildcard address; connections will be
+ accepted on any of the system's IPv4 addresses.
+ To listen on the IPv6 wildcard address,
+ use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
+ If you will only use <span><strong class="command">rndc</strong></span> on the local host,
+ using the loopback address (<code class="literal">127.0.0.1</code>
+ or <code class="literal">::1</code>) is recommended for maximum security.
+ </p>
+<p>
+ If no port is specified, port 953 is used. The asterisk
+ "<code class="literal">*</code>" cannot be used for <span><strong class="command">ip_port</strong></span>.
+ </p>
+<p>
+ The ability to issue commands over the control channel is
+ restricted by the <span><strong class="command">allow</strong></span> and
+ <span><strong class="command">keys</strong></span> clauses.
+ Connections to the control channel are permitted based on the
+ <span><strong class="command">address_match_list</strong></span>. This is for simple
+ IP address based filtering only; any <span><strong class="command">key_id</strong></span>
+ elements of the <span><strong class="command">address_match_list</strong></span>
+ are ignored.
+ </p>
+<p>
+ A <span><strong class="command">unix</strong></span> control channel is a UNIX domain
+ socket listening at the specified path in the file system.
+ Access to the socket is specified by the <span><strong class="command">perm</strong></span>,
+ <span><strong class="command">owner</strong></span> and <span><strong class="command">group</strong></span> clauses.
+ Note on some platforms (SunOS and Solaris) the permissions
+ (<span><strong class="command">perm</strong></span>) are applied to the parent directory
+ as the permissions on the socket itself are ignored.
+ </p>
+<p>
+ The primary authorization mechanism of the command
+ channel is the <span><strong class="command">key_list</strong></span>, which
+ contains a list of <span><strong class="command">key_id</strong></span>s.
+ Each <span><strong class="command">key_id</strong></span> in the <span><strong class="command">key_list</strong></span>
+ is authorized to execute commands over the control channel.
+ See <a href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in <a href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called &#8220;Administrative Tools&#8221;</a>)
+ for information about configuring keys in <span><strong class="command">rndc</strong></span>.
+ </p>
+<p>
+ If no <span><strong class="command">controls</strong></span> statement is present,
+ <span><strong class="command">named</strong></span> will set up a default
+ control channel listening on the loopback address 127.0.0.1
+ and its IPv6 counterpart ::1.
+ In this case, and also when the <span><strong class="command">controls</strong></span> statement
+ is present but does not have a <span><strong class="command">keys</strong></span> clause,
+ <span><strong class="command">named</strong></span> will attempt to load the command channel key
+ from the file <code class="filename">rndc.key</code> in
+ <code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code>
+ was specified as when <acronym class="acronym">BIND</acronym> was built).
+ To create a <code class="filename">rndc.key</code> file, run
+ <strong class="userinput"><code>rndc-confgen -a</code></strong>.
+ </p>
+<p>
+ The <code class="filename">rndc.key</code> feature was created to
+ ease the transition of systems from <acronym class="acronym">BIND</acronym> 8,
+ which did not have digital signatures on its command channel
+ messages and thus did not have a <span><strong class="command">keys</strong></span> clause.
-It makes it possible to use an existing <acronym class="acronym">BIND</acronym> 8
-configuration file in <acronym class="acronym">BIND</acronym> 9 unchanged,
-and still have <span><strong class="command">rndc</strong></span> work the same way
-<span><strong class="command">ndc</strong></span> worked in BIND 8, simply by executing the
-command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is
-installed.
-</p>
+ It makes it possible to use an existing <acronym class="acronym">BIND</acronym> 8
+ configuration file in <acronym class="acronym">BIND</acronym> 9 unchanged,
+ and still have <span><strong class="command">rndc</strong></span> work the same way
+ <span><strong class="command">ndc</strong></span> worked in BIND 8, simply by executing the
+ command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is
+ installed.
+ </p>
<p>
- Since the <code class="filename">rndc.key</code> feature
- is only intended to allow the backward-compatible usage of
- <acronym class="acronym">BIND</acronym> 8 configuration files, this feature does not
- have a high degree of configurability. You cannot easily change
- the key name or the size of the secret, so you should make a
- <code class="filename">rndc.conf</code> with your own key if you wish to change
- those things. The <code class="filename">rndc.key</code> file also has its
- permissions set such that only the owner of the file (the user that
- <span><strong class="command">named</strong></span> is running as) can access it. If you
- desire greater flexibility in allowing other users to access
- <span><strong class="command">rndc</strong></span> commands, then you need to create a
- <code class="filename">rndc.conf</code> file and make it group readable by a group
- that contains the users who should have access.</p>
-<p>The UNIX control channel type of <acronym class="acronym">BIND</acronym> 8 is not supported
- in <acronym class="acronym">BIND</acronym> 9.0, <acronym class="acronym">BIND</acronym> 9.1,
- <acronym class="acronym">BIND</acronym> 9.2 and <acronym class="acronym">BIND</acronym> 9.3.
- If it is present in the controls statement from a
- <acronym class="acronym">BIND</acronym> 8 configuration file, it is ignored
- and a warning is logged.</p>
-<p>
-To disable the command channel, use an empty <span><strong class="command">controls</strong></span>
-statement: <span><strong class="command">controls { };</strong></span>.
-</p>
+ Since the <code class="filename">rndc.key</code> feature
+ is only intended to allow the backward-compatible usage of
+ <acronym class="acronym">BIND</acronym> 8 configuration files, this
+ feature does not
+ have a high degree of configurability. You cannot easily change
+ the key name or the size of the secret, so you should make a
+ <code class="filename">rndc.conf</code> with your own key if you
+ wish to change
+ those things. The <code class="filename">rndc.key</code> file
+ also has its
+ permissions set such that only the owner of the file (the user that
+ <span><strong class="command">named</strong></span> is running as) can access it.
+ If you
+ desire greater flexibility in allowing other users to access
+ <span><strong class="command">rndc</strong></span> commands, then you need to create
+ a
+ <code class="filename">rndc.conf</code> file and make it group
+ readable by a group
+ that contains the users who should have access.
+ </p>
+<p>
+ To disable the command channel, use an empty
+ <span><strong class="command">controls</strong></span> statement:
+ <span><strong class="command">controls { };</strong></span>.
+ </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2576672"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2574770"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">include <em class="replaceable"><code>filename</code></em>;</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2576686"></a><span><strong class="command">include</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">include</strong></span> statement inserts the
- specified file at the point where the <span><strong class="command">include</strong></span>
- statement is encountered. The <span><strong class="command">include</strong></span>
- statement facilitates the administration of configuration files
- by permitting the reading or writing of some things but not
- others. For example, the statement could include private keys
- that are readable only by the name server.</p>
+<a name="id2574785"></a><span><strong class="command">include</strong></span> Statement Definition and
+ Usage</h3></div></div></div>
+<p>
+ The <span><strong class="command">include</strong></span> statement inserts the
+ specified file at the point where the <span><strong class="command">include</strong></span>
+ statement is encountered. The <span><strong class="command">include</strong></span>
+ statement facilitates the administration of configuration
+ files
+ by permitting the reading or writing of some things but not
+ others. For example, the statement could include private keys
+ that are readable only by the name server.
+ </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2576709"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2574808"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">key <em class="replaceable"><code>key_id</code></em> {
algorithm <em class="replaceable"><code>string</code></em>;
secret <em class="replaceable"><code>string</code></em>;
@@ -625,43 +1008,58 @@ statement: <span><strong class="command">controls { };</strong></span>.
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2576730"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">key</strong></span> statement defines a shared
-secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
-or the command channel
-(see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called &#8220;<span><strong class="command">controls</strong></span> Statement Definition and Usage&#8221;</a>).
-</p>
+<a name="id2574829"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
<p>
-The <span><strong class="command">key</strong></span> statement can occur at the top level
-of the configuration file or inside a <span><strong class="command">view</strong></span>
-statement. Keys defined in top-level <span><strong class="command">key</strong></span>
-statements can be used in all views. Keys intended for use in
-a <span><strong class="command">controls</strong></span> statement
-(see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called &#8220;<span><strong class="command">controls</strong></span> Statement Definition and Usage&#8221;</a>)
-must be defined at the top level.
-</p>
-<p>The <em class="replaceable"><code>key_id</code></em>, also known as the
-key name, is a domain name uniquely identifying the key. It can
-be used in a <span><strong class="command">server</strong></span>
-statement to cause requests sent to that
-server to be signed with this key, or in address match lists to
-verify that incoming requests have been signed with a key
-matching this name, algorithm, and secret.</p>
-<p>The <em class="replaceable"><code>algorithm_id</code></em> is a string
-that specifies a security/authentication algorithm. The only
-algorithm currently supported with TSIG authentication is
-<code class="literal">hmac-md5</code>. The
-<em class="replaceable"><code>secret_string</code></em> is the secret to be
-used by the algorithm, and is treated as a base-64 encoded
-string.</p>
+ The <span><strong class="command">key</strong></span> statement defines a shared
+ secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
+ or the command channel
+ (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
+ Usage">the section called &#8220;<span><strong class="command">controls</strong></span> Statement Definition and
+ Usage&#8221;</a>).
+ </p>
+<p>
+ The <span><strong class="command">key</strong></span> statement can occur at the
+ top level
+ of the configuration file or inside a <span><strong class="command">view</strong></span>
+ statement. Keys defined in top-level <span><strong class="command">key</strong></span>
+ statements can be used in all views. Keys intended for use in
+ a <span><strong class="command">controls</strong></span> statement
+ (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
+ Usage">the section called &#8220;<span><strong class="command">controls</strong></span> Statement Definition and
+ Usage&#8221;</a>)
+ must be defined at the top level.
+ </p>
+<p>
+ The <em class="replaceable"><code>key_id</code></em>, also known as the
+ key name, is a domain name uniquely identifying the key. It can
+ be used in a <span><strong class="command">server</strong></span>
+ statement to cause requests sent to that
+ server to be signed with this key, or in address match lists to
+ verify that incoming requests have been signed with a key
+ matching this name, algorithm, and secret.
+ </p>
+<p>
+ The <em class="replaceable"><code>algorithm_id</code></em> is a string
+ that specifies a security/authentication algorithm. Named
+ supports <code class="literal">hmac-md5</code>,
+ <code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
+ <code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>
+ and <code class="literal">hmac-sha512</code> TSIG authentication.
+ Truncated hashes are supported by appending the minimum
+ number of required bits preceeded by a dash, e.g.
+ <code class="literal">hmac-sha1-80</code>. The
+ <em class="replaceable"><code>secret_string</code></em> is the secret
+ to be used by the algorithm, and is treated as a base-64
+ encoded string.
+ </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2576870"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2574920"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">logging</strong></span> {
[ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> {
( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path name</code></em>
- [ <span><strong class="command">versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <code class="literal">unlimited</code> ) ]
+ [ <span><strong class="command">versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <span><strong class="command">unlimited</strong></span> ) ]
[ <span><strong class="command">size</strong></span> <em class="replaceable"><code>size spec</code></em> ]
| <span><strong class="command">syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em>
| <span><strong class="command">stderr</strong></span>
@@ -673,7 +1071,7 @@ string.</p>
[ <span><strong class="command">print-time</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
}; ]
[ <span><strong class="command">category</strong></span> <em class="replaceable"><code>category_name</code></em> {
- <em class="replaceable"><code>channel_name</code></em> ; [ <em class="replaceable"><code>channel_nam</code></em>e ; ... ]
+ <em class="replaceable"><code>channel_name</code></em> ; [ <em class="replaceable"><code>channel_name</code></em> ; ... ]
}; ]
...
};
@@ -681,148 +1079,223 @@ string.</p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2577064"></a><span><strong class="command">logging</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">logging</strong></span> statement configures a wide
-variety of logging options for the name server. Its <span><strong class="command">channel</strong></span> phrase
-associates output methods, format options and severity levels with
-a name that can then be used with the <span><strong class="command">category</strong></span> phrase
-to select how various classes of messages are logged.</p>
-<p>Only one <span><strong class="command">logging</strong></span> statement is used to define
-as many channels and categories as are wanted. If there is no <span><strong class="command">logging</strong></span> statement,
-the logging configuration will be:</p>
+<a name="id2575046"></a><span><strong class="command">logging</strong></span> Statement Definition and
+ Usage</h3></div></div></div>
+<p>
+ The <span><strong class="command">logging</strong></span> statement configures a
+ wide
+ variety of logging options for the name server. Its <span><strong class="command">channel</strong></span> phrase
+ associates output methods, format options and severity levels with
+ a name that can then be used with the <span><strong class="command">category</strong></span> phrase
+ to select how various classes of messages are logged.
+ </p>
+<p>
+ Only one <span><strong class="command">logging</strong></span> statement is used to
+ define
+ as many channels and categories as are wanted. If there is no <span><strong class="command">logging</strong></span> statement,
+ the logging configuration will be:
+ </p>
<pre class="programlisting">logging {
category default { default_syslog; default_debug; };
category unmatched { null; };
};
</pre>
-<p>In <acronym class="acronym">BIND</acronym> 9, the logging configuration is only established when
-the entire configuration file has been parsed. In <acronym class="acronym">BIND</acronym> 8, it was
-established as soon as the <span><strong class="command">logging</strong></span> statement
-was parsed. When the server is starting up, all logging messages
-regarding syntax errors in the configuration file go to the default
-channels, or to standard error if the "<code class="option">-g</code>" option
-was specified.</p>
+<p>
+ In <acronym class="acronym">BIND</acronym> 9, the logging configuration
+ is only established when
+ the entire configuration file has been parsed. In <acronym class="acronym">BIND</acronym> 8, it was
+ established as soon as the <span><strong class="command">logging</strong></span>
+ statement
+ was parsed. When the server is starting up, all logging messages
+ regarding syntax errors in the configuration file go to the default
+ channels, or to standard error if the "<code class="option">-g</code>" option
+ was specified.
+ </p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2577116"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
-<p>All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
-you can make as many of them as you want.</p>
-<p>Every channel definition must include a destination clause that
-says whether messages selected for the channel go to a file, to a
-particular syslog facility, to the standard error stream, or are
-discarded. It can optionally also limit the message severity level
-that will be accepted by the channel (the default is
-<span><strong class="command">info</strong></span>), and whether to include a
-<span><strong class="command">named</strong></span>-generated time stamp, the category name
-and/or severity level (the default is not to include any).</p>
-<p>The <span><strong class="command">null</strong></span> destination clause
-causes all messages sent to the channel to be discarded;
-in that case, other options for the channel are meaningless.</p>
-<p>The <span><strong class="command">file</strong></span> destination clause directs the channel
-to a disk file. It can include limitations
-both on how large the file is allowed to become, and how many versions
-of the file will be saved each time the file is opened.</p>
-<p>If you use the <span><strong class="command">versions</strong></span> log file option, then
-<span><strong class="command">named</strong></span> will retain that many backup versions of the file by
-renaming them when opening. For example, if you choose to keep three old versions
-of the file <code class="filename">lamers.log</code>, then just before it is opened
-<code class="filename">lamers.log.1</code> is renamed to
-<code class="filename">lamers.log.2</code>, <code class="filename">lamers.log.0</code> is renamed
-to <code class="filename">lamers.log.1</code>, and <code class="filename">lamers.log</code> is
-renamed to <code class="filename">lamers.log.0</code>.
-You can say <span><strong class="command">versions unlimited</strong></span> to not limit
-the number of versions.
-If a <span><strong class="command">size</strong></span> option is associated with the log file,
-then renaming is only done when the file being opened exceeds the
-indicated size. No backup versions are kept by default; any existing
-log file is simply appended.</p>
-<p>The <span><strong class="command">size</strong></span> option for files is used to limit log
-growth. If the file ever exceeds the size, then <span><strong class="command">named</strong></span> will
-stop writing to the file unless it has a <span><strong class="command">versions</strong></span> option
-associated with it. If backup versions are kept, the files are rolled as
-described above and a new one begun. If there is no
-<span><strong class="command">versions</strong></span> option, no more data will be written to the log
-until some out-of-band mechanism removes or truncates the log to less than the
-maximum size. The default behavior is not to limit the size of the
-file.</p>
-<p>Example usage of the <span><strong class="command">size</strong></span> and
-<span><strong class="command">versions</strong></span> options:</p>
+<a name="id2575098"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
+<p>
+ All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
+ you can make as many of them as you want.
+ </p>
+<p>
+ Every channel definition must include a destination clause that
+ says whether messages selected for the channel go to a file, to a
+ particular syslog facility, to the standard error stream, or are
+ discarded. It can optionally also limit the message severity level
+ that will be accepted by the channel (the default is
+ <span><strong class="command">info</strong></span>), and whether to include a
+ <span><strong class="command">named</strong></span>-generated time stamp, the
+ category name
+ and/or severity level (the default is not to include any).
+ </p>
+<p>
+ The <span><strong class="command">null</strong></span> destination clause
+ causes all messages sent to the channel to be discarded;
+ in that case, other options for the channel are meaningless.
+ </p>
+<p>
+ The <span><strong class="command">file</strong></span> destination clause directs
+ the channel
+ to a disk file. It can include limitations
+ both on how large the file is allowed to become, and how many
+ versions
+ of the file will be saved each time the file is opened.
+ </p>
+<p>
+ If you use the <span><strong class="command">versions</strong></span> log file
+ option, then
+ <span><strong class="command">named</strong></span> will retain that many backup
+ versions of the file by
+ renaming them when opening. For example, if you choose to keep
+ three old versions
+ of the file <code class="filename">lamers.log</code>, then just
+ before it is opened
+ <code class="filename">lamers.log.1</code> is renamed to
+ <code class="filename">lamers.log.2</code>, <code class="filename">lamers.log.0</code> is renamed
+ to <code class="filename">lamers.log.1</code>, and <code class="filename">lamers.log</code> is
+ renamed to <code class="filename">lamers.log.0</code>.
+ You can say <span><strong class="command">versions unlimited</strong></span> to
+ not limit
+ the number of versions.
+ If a <span><strong class="command">size</strong></span> option is associated with
+ the log file,
+ then renaming is only done when the file being opened exceeds the
+ indicated size. No backup versions are kept by default; any
+ existing
+ log file is simply appended.
+ </p>
+<p>
+ The <span><strong class="command">size</strong></span> option for files is used
+ to limit log
+ growth. If the file ever exceeds the size, then <span><strong class="command">named</strong></span> will
+ stop writing to the file unless it has a <span><strong class="command">versions</strong></span> option
+ associated with it. If backup versions are kept, the files are
+ rolled as
+ described above and a new one begun. If there is no
+ <span><strong class="command">versions</strong></span> option, no more data will
+ be written to the log
+ until some out-of-band mechanism removes or truncates the log to
+ less than the
+ maximum size. The default behavior is not to limit the size of
+ the
+ file.
+ </p>
+<p>
+ Example usage of the <span><strong class="command">size</strong></span> and
+ <span><strong class="command">versions</strong></span> options:
+ </p>
<pre class="programlisting">channel an_example_channel {
file "example.log" versions 3 size 20m;
print-time yes;
print-category yes;
};
</pre>
-<p>The <span><strong class="command">syslog</strong></span> destination clause directs the
-channel to the system log. Its argument is a
-syslog facility as described in the <span><strong class="command">syslog</strong></span> man
-page. Known facilities are <span><strong class="command">kern</strong></span>, <span><strong class="command">user</strong></span>,
-<span><strong class="command">mail</strong></span>, <span><strong class="command">daemon</strong></span>, <span><strong class="command">auth</strong></span>,
-<span><strong class="command">syslog</strong></span>, <span><strong class="command">lpr</strong></span>, <span><strong class="command">news</strong></span>,
-<span><strong class="command">uucp</strong></span>, <span><strong class="command">cron</strong></span>, <span><strong class="command">authpriv</strong></span>,
-<span><strong class="command">ftp</strong></span>, <span><strong class="command">local0</strong></span>, <span><strong class="command">local1</strong></span>,
-<span><strong class="command">local2</strong></span>, <span><strong class="command">local3</strong></span>, <span><strong class="command">local4</strong></span>,
-<span><strong class="command">local5</strong></span>, <span><strong class="command">local6</strong></span> and
-<span><strong class="command">local7</strong></span>, however not all facilities are supported on
-all operating systems.
-How <span><strong class="command">syslog</strong></span> will handle messages sent to
-this facility is described in the <span><strong class="command">syslog.conf</strong></span> man
-page. If you have a system which uses a very old version of <span><strong class="command">syslog</strong></span> that
-only uses two arguments to the <span><strong class="command">openlog()</strong></span> function,
-then this clause is silently ignored.</p>
-<p>The <span><strong class="command">severity</strong></span> clause works like <span><strong class="command">syslog</strong></span>'s
-"priorities", except that they can also be used if you are writing
-straight to a file rather than using <span><strong class="command">syslog</strong></span>.
-Messages which are not at least of the severity level given will
-not be selected for the channel; messages of higher severity levels
-will be accepted.</p>
-<p>If you are using <span><strong class="command">syslog</strong></span>, then the <span><strong class="command">syslog.conf</strong></span> priorities
-will also determine what eventually passes through. For example,
-defining a channel facility and severity as <span><strong class="command">daemon</strong></span> and <span><strong class="command">debug</strong></span> but
-only logging <span><strong class="command">daemon.warning</strong></span> via <span><strong class="command">syslog.conf</strong></span> will
-cause messages of severity <span><strong class="command">info</strong></span> and <span><strong class="command">notice</strong></span> to
-be dropped. If the situation were reversed, with <span><strong class="command">named</strong></span> writing
-messages of only <span><strong class="command">warning</strong></span> or higher, then <span><strong class="command">syslogd</strong></span> would
-print all messages it received from the channel.</p>
-<p>The <span><strong class="command">stderr</strong></span> destination clause directs the
-channel to the server's standard error stream. This is intended for
-use when the server is running as a foreground process, for example
-when debugging a configuration.</p>
-<p>The server can supply extensive debugging information when
-it is in debugging mode. If the server's global debug level is greater
-than zero, then debugging mode will be active. The global debug
-level is set either by starting the <span><strong class="command">named</strong></span> server
-with the <code class="option">-d</code> flag followed by a positive integer,
-or by running <span><strong class="command">rndc trace</strong></span>.
-The global debug level
-can be set to zero, and debugging mode turned off, by running <span><strong class="command">rndc
+<p>
+ The <span><strong class="command">syslog</strong></span> destination clause
+ directs the
+ channel to the system log. Its argument is a
+ syslog facility as described in the <span><strong class="command">syslog</strong></span> man
+ page. Known facilities are <span><strong class="command">kern</strong></span>, <span><strong class="command">user</strong></span>,
+ <span><strong class="command">mail</strong></span>, <span><strong class="command">daemon</strong></span>, <span><strong class="command">auth</strong></span>,
+ <span><strong class="command">syslog</strong></span>, <span><strong class="command">lpr</strong></span>, <span><strong class="command">news</strong></span>,
+ <span><strong class="command">uucp</strong></span>, <span><strong class="command">cron</strong></span>, <span><strong class="command">authpriv</strong></span>,
+ <span><strong class="command">ftp</strong></span>, <span><strong class="command">local0</strong></span>, <span><strong class="command">local1</strong></span>,
+ <span><strong class="command">local2</strong></span>, <span><strong class="command">local3</strong></span>, <span><strong class="command">local4</strong></span>,
+ <span><strong class="command">local5</strong></span>, <span><strong class="command">local6</strong></span> and
+ <span><strong class="command">local7</strong></span>, however not all facilities
+ are supported on
+ all operating systems.
+ How <span><strong class="command">syslog</strong></span> will handle messages
+ sent to
+ this facility is described in the <span><strong class="command">syslog.conf</strong></span> man
+ page. If you have a system which uses a very old version of <span><strong class="command">syslog</strong></span> that
+ only uses two arguments to the <span><strong class="command">openlog()</strong></span> function,
+ then this clause is silently ignored.
+ </p>
+<p>
+ The <span><strong class="command">severity</strong></span> clause works like <span><strong class="command">syslog</strong></span>'s
+ "priorities", except that they can also be used if you are writing
+ straight to a file rather than using <span><strong class="command">syslog</strong></span>.
+ Messages which are not at least of the severity level given will
+ not be selected for the channel; messages of higher severity
+ levels
+ will be accepted.
+ </p>
+<p>
+ If you are using <span><strong class="command">syslog</strong></span>, then the <span><strong class="command">syslog.conf</strong></span> priorities
+ will also determine what eventually passes through. For example,
+ defining a channel facility and severity as <span><strong class="command">daemon</strong></span> and <span><strong class="command">debug</strong></span> but
+ only logging <span><strong class="command">daemon.warning</strong></span> via <span><strong class="command">syslog.conf</strong></span> will
+ cause messages of severity <span><strong class="command">info</strong></span> and
+ <span><strong class="command">notice</strong></span> to
+ be dropped. If the situation were reversed, with <span><strong class="command">named</strong></span> writing
+ messages of only <span><strong class="command">warning</strong></span> or higher,
+ then <span><strong class="command">syslogd</strong></span> would
+ print all messages it received from the channel.
+ </p>
+<p>
+ The <span><strong class="command">stderr</strong></span> destination clause
+ directs the
+ channel to the server's standard error stream. This is intended
+ for
+ use when the server is running as a foreground process, for
+ example
+ when debugging a configuration.
+ </p>
+<p>
+ The server can supply extensive debugging information when
+ it is in debugging mode. If the server's global debug level is
+ greater
+ than zero, then debugging mode will be active. The global debug
+ level is set either by starting the <span><strong class="command">named</strong></span> server
+ with the <code class="option">-d</code> flag followed by a positive integer,
+ or by running <span><strong class="command">rndc trace</strong></span>.
+ The global debug level
+ can be set to zero, and debugging mode turned off, by running <span><strong class="command">rndc
notrace</strong></span>. All debugging messages in the server have a debug
-level, and higher debug levels give more detailed output. Channels
-that specify a specific debug severity, for example:</p>
+ level, and higher debug levels give more detailed output. Channels
+ that specify a specific debug severity, for example:
+ </p>
<pre class="programlisting">channel specific_debug_level {
file "foo";
severity debug 3;
};
</pre>
-<p>will get debugging output of level 3 or less any time the
-server is in debugging mode, regardless of the global debugging
-level. Channels with <span><strong class="command">dynamic</strong></span> severity use the
-server's global debug level to determine what messages to print.</p>
-<p>If <span><strong class="command">print-time</strong></span> has been turned on, then
-the date and time will be logged. <span><strong class="command">print-time</strong></span> may
-be specified for a <span><strong class="command">syslog</strong></span> channel, but is usually
-pointless since <span><strong class="command">syslog</strong></span> also prints the date and
-time. If <span><strong class="command">print-category</strong></span> is requested, then the
-category of the message will be logged as well. Finally, if <span><strong class="command">print-severity</strong></span> is
-on, then the severity level of the message will be logged. The <span><strong class="command">print-</strong></span> options may
-be used in any combination, and will always be printed in the following
-order: time, category, severity. Here is an example where all three <span><strong class="command">print-</strong></span> options
-are on:</p>
-<p><code class="computeroutput">28-Feb-2000 15:05:32.863 general: notice: running</code></p>
-<p>There are four predefined channels that are used for
-<span><strong class="command">named</strong></span>'s default logging as follows. How they are
-used is described in <a href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called &#8220;The <span><strong class="command">category</strong></span> Phrase&#8221;</a>.
-</p>
+<p>
+ will get debugging output of level 3 or less any time the
+ server is in debugging mode, regardless of the global debugging
+ level. Channels with <span><strong class="command">dynamic</strong></span>
+ severity use the
+ server's global debug level to determine what messages to print.
+ </p>
+<p>
+ If <span><strong class="command">print-time</strong></span> has been turned on,
+ then
+ the date and time will be logged. <span><strong class="command">print-time</strong></span> may
+ be specified for a <span><strong class="command">syslog</strong></span> channel,
+ but is usually
+ pointless since <span><strong class="command">syslog</strong></span> also prints
+ the date and
+ time. If <span><strong class="command">print-category</strong></span> is
+ requested, then the
+ category of the message will be logged as well. Finally, if <span><strong class="command">print-severity</strong></span> is
+ on, then the severity level of the message will be logged. The <span><strong class="command">print-</strong></span> options may
+ be used in any combination, and will always be printed in the
+ following
+ order: time, category, severity. Here is an example where all
+ three <span><strong class="command">print-</strong></span> options
+ are on:
+ </p>
+<p>
+ <code class="computeroutput">28-Feb-2000 15:05:32.863 general: notice: running</code>
+ </p>
+<p>
+ There are four predefined channels that are used for
+ <span><strong class="command">named</strong></span>'s default logging as follows.
+ How they are
+ used is described in <a href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called &#8220;The <span><strong class="command">category</strong></span> Phrase&#8221;</a>.
+ </p>
<pre class="programlisting">channel default_syslog {
syslog daemon; // send to syslog's daemon
// facility
@@ -852,35 +1325,50 @@ channel null {
// this channel
};
</pre>
-<p>The <span><strong class="command">default_debug</strong></span> channel has the special
-property that it only produces output when the server's debug level is
-nonzero. It normally writes to a file called <code class="filename">named.run</code>
-in the server's working directory.</p>
-<p>For security reasons, when the "<code class="option">-u</code>"
-command line option is used, the <code class="filename">named.run</code> file
-is created only after <span><strong class="command">named</strong></span> has changed to the
-new UID, and any debug output generated while <span><strong class="command">named</strong></span> is
-starting up and still running as root is discarded. If you need
-to capture this output, you must run the server with the "<code class="option">-g</code>"
-option and redirect standard error to a file.</p>
-<p>Once a channel is defined, it cannot be redefined. Thus you
-cannot alter the built-in channels directly, but you can modify
-the default logging by pointing categories at channels you have defined.</p>
+<p>
+ The <span><strong class="command">default_debug</strong></span> channel has the
+ special
+ property that it only produces output when the server's debug
+ level is
+ nonzero. It normally writes to a file called <code class="filename">named.run</code>
+ in the server's working directory.
+ </p>
+<p>
+ For security reasons, when the "<code class="option">-u</code>"
+ command line option is used, the <code class="filename">named.run</code> file
+ is created only after <span><strong class="command">named</strong></span> has
+ changed to the
+ new UID, and any debug output generated while <span><strong class="command">named</strong></span> is
+ starting up and still running as root is discarded. If you need
+ to capture this output, you must run the server with the "<code class="option">-g</code>"
+ option and redirect standard error to a file.
+ </p>
+<p>
+ Once a channel is defined, it cannot be redefined. Thus you
+ cannot alter the built-in channels directly, but you can modify
+ the default logging by pointing categories at channels you have
+ defined.
+ </p>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="the_category_phrase"></a>The <span><strong class="command">category</strong></span> Phrase</h4></div></div></div>
-<p>There are many categories, so you can send the logs you want
-to see wherever you want, without seeing logs you don't want. If
-you don't specify a list of channels for a category, then log messages
-in that category will be sent to the <span><strong class="command">default</strong></span> category
-instead. If you don't specify a default category, the following
-"default default" is used:</p>
+<p>
+ There are many categories, so you can send the logs you want
+ to see wherever you want, without seeing logs you don't want. If
+ you don't specify a list of channels for a category, then log
+ messages
+ in that category will be sent to the <span><strong class="command">default</strong></span> category
+ instead. If you don't specify a default category, the following
+ "default default" is used:
+ </p>
<pre class="programlisting">category default { default_syslog; default_debug; };
</pre>
-<p>As an example, let's say you want to log security events to
-a file, but you also want keep the default logging behavior. You'd
-specify the following:</p>
+<p>
+ As an example, let's say you want to log security events to
+ a file, but you also want keep the default logging behavior. You'd
+ specify the following:
+ </p>
<pre class="programlisting">channel my_security_channel {
file "my_security_file";
severity info;
@@ -890,13 +1378,17 @@ category security {
default_syslog;
default_debug;
};</pre>
-<p>To discard all messages in a category, specify the <span><strong class="command">null</strong></span> channel:</p>
+<p>
+ To discard all messages in a category, specify the <span><strong class="command">null</strong></span> channel:
+ </p>
<pre class="programlisting">category xfer-out { null; };
category notify { null; };
</pre>
-<p>Following are the available categories and brief descriptions
-of the types of log information they contain. More
-categories may be added in future <acronym class="acronym">BIND</acronym> releases.</p>
+<p>
+ Following are the available categories and brief descriptions
+ of the types of log information they contain. More
+ categories may be added in future <acronym class="acronym">BIND</acronym> releases.
+ </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -904,114 +1396,235 @@ categories may be added in future <acronym class="acronym">BIND</acronym> releas
</colgroup>
<tbody>
<tr>
-<td><p><span><strong class="command">default</strong></span></p></td>
-<td><p>The default category defines the logging
-options for those categories where no specific configuration has been
-defined.</p></td>
+<td>
+ <p><span><strong class="command">default</strong></span></p>
+ </td>
+<td>
+ <p>
+ The default category defines the logging
+ options for those categories where no specific
+ configuration has been
+ defined.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">general</strong></span></p></td>
-<td><p>The catch-all. Many things still aren't
-classified into categories, and they all end up here.</p></td>
+<td>
+ <p><span><strong class="command">general</strong></span></p>
+ </td>
+<td>
+ <p>
+ The catch-all. Many things still aren't
+ classified into categories, and they all end up here.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">database</strong></span></p></td>
-<td><p>Messages relating to the databases used
-internally by the name server to store zone and cache data.</p></td>
+<td>
+ <p><span><strong class="command">database</strong></span></p>
+ </td>
+<td>
+ <p>
+ Messages relating to the databases used
+ internally by the name server to store zone and cache
+ data.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">security</strong></span></p></td>
-<td><p>Approval and denial of requests.</p></td>
+<td>
+ <p><span><strong class="command">security</strong></span></p>
+ </td>
+<td>
+ <p>
+ Approval and denial of requests.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">config</strong></span></p></td>
-<td><p>Configuration file parsing and processing.</p></td>
+<td>
+ <p><span><strong class="command">config</strong></span></p>
+ </td>
+<td>
+ <p>
+ Configuration file parsing and processing.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">resolver</strong></span></p></td>
-<td><p>DNS resolution, such as the recursive
-lookups performed on behalf of clients by a caching name server.</p></td>
+<td>
+ <p><span><strong class="command">resolver</strong></span></p>
+ </td>
+<td>
+ <p>
+ DNS resolution, such as the recursive
+ lookups performed on behalf of clients by a caching name
+ server.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">xfer-in</strong></span></p></td>
-<td><p>Zone transfers the server is receiving.</p></td>
+<td>
+ <p><span><strong class="command">xfer-in</strong></span></p>
+ </td>
+<td>
+ <p>
+ Zone transfers the server is receiving.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">xfer-out</strong></span></p></td>
-<td><p>Zone transfers the server is sending.</p></td>
+<td>
+ <p><span><strong class="command">xfer-out</strong></span></p>
+ </td>
+<td>
+ <p>
+ Zone transfers the server is sending.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">notify</strong></span></p></td>
-<td><p>The NOTIFY protocol.</p></td>
+<td>
+ <p><span><strong class="command">notify</strong></span></p>
+ </td>
+<td>
+ <p>
+ The NOTIFY protocol.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">client</strong></span></p></td>
-<td><p>Processing of client requests.</p></td>
+<td>
+ <p><span><strong class="command">client</strong></span></p>
+ </td>
+<td>
+ <p>
+ Processing of client requests.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">unmatched</strong></span></p></td>
-<td><p>Messages that named was unable to determine the
-class of or for which there was no matching <span><strong class="command">view</strong></span>.
-A one line summary is also logged to the <span><strong class="command">client</strong></span> category.
-This category is best sent to a file or stderr, by default it is sent to
-the <span><strong class="command">null</strong></span> channel.</p></td>
+<td>
+ <p><span><strong class="command">unmatched</strong></span></p>
+ </td>
+<td>
+ <p>
+ Messages that named was unable to determine the
+ class of or for which there was no matching <span><strong class="command">view</strong></span>.
+ A one line summary is also logged to the <span><strong class="command">client</strong></span> category.
+ This category is best sent to a file or stderr, by
+ default it is sent to
+ the <span><strong class="command">null</strong></span> channel.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">network</strong></span></p></td>
-<td><p>Network operations.</p></td>
+<td>
+ <p><span><strong class="command">network</strong></span></p>
+ </td>
+<td>
+ <p>
+ Network operations.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">update</strong></span></p></td>
-<td><p>Dynamic updates.</p></td>
+<td>
+ <p><span><strong class="command">update</strong></span></p>
+ </td>
+<td>
+ <p>
+ Dynamic updates.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">update-security</strong></span></p></td>
-<td><p>Approval and denial of update requests.</p></td>
+<td>
+ <p><span><strong class="command">update-security</strong></span></p>
+ </td>
+<td>
+ <p>
+ Approval and denial of update requests.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">queries</strong></span></p></td>
<td>
-<p>Specify where queries should be logged to.</p>
-<p>
-At startup, specifying the category <span><strong class="command">queries</strong></span> will also
-enable query logging unless <span><strong class="command">querylog</strong></span> option has been
-specified.
-</p>
-<p>
-The query log entry reports the client's IP address and port number, and the
-query name, class and type. It also reports whether the Recursion Desired
-flag was set (+ if set, - if not set), EDNS was in use (E) or if the
-query was signed (S).</p>
-<p><code class="computeroutput">client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</code>
-</p>
-<p><code class="computeroutput">client ::1#62537: query: www.example.net IN AAAA -SE</code>
-</p>
-</td>
+ <p><span><strong class="command">queries</strong></span></p>
+ </td>
+<td>
+ <p>
+ Specify where queries should be logged to.
+ </p>
+ <p>
+ At startup, specifying the category <span><strong class="command">queries</strong></span> will also
+ enable query logging unless <span><strong class="command">querylog</strong></span> option has been
+ specified.
+ </p>
+ <p>
+ The query log entry reports the client's IP address and
+ port number, and the
+ query name, class and type. It also reports whether the
+ Recursion Desired
+ flag was set (+ if set, - if not set), EDNS was in use
+ (E) or if the
+ query was signed (S).
+ </p>
+ <p>
+ <code class="computeroutput">client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</code>
+ </p>
+ <p>
+ <code class="computeroutput">client ::1#62537: query: www.example.net IN AAAA -SE</code>
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">dispatch</strong></span></p></td>
-<td><p>Dispatching of incoming packets to the
-server modules where they are to be processed.
-</p></td>
+<td>
+ <p><span><strong class="command">dispatch</strong></span></p>
+ </td>
+<td>
+ <p>
+ Dispatching of incoming packets to the
+ server modules where they are to be processed.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">dnssec</strong></span></p></td>
-<td><p>DNSSEC and TSIG protocol processing.
-</p></td>
+<td>
+ <p><span><strong class="command">dnssec</strong></span></p>
+ </td>
+<td>
+ <p>
+ DNSSEC and TSIG protocol processing.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">lame-servers</strong></span></p></td>
-<td><p>Lame servers. These are misconfigurations
-in remote servers, discovered by BIND 9 when trying to query
-those servers during resolution.
-</p></td>
+<td>
+ <p><span><strong class="command">lame-servers</strong></span></p>
+ </td>
+<td>
+ <p>
+ Lame servers. These are misconfigurations
+ in remote servers, discovered by BIND 9 when trying to
+ query
+ those servers during resolution.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">delegation-only</strong></span></p></td>
-<td><p>Delegation only. Logs queries that have have
-been forced to NXDOMAIN as the result of a delegation-only zone or
-a <span><strong class="command">delegation-only</strong></span> in a hint or stub zone declaration.
-</p></td>
+<td>
+ <p><span><strong class="command">delegation-only</strong></span></p>
+ </td>
+<td>
+ <p>
+ Delegation only. Logs queries that have have
+ been forced to NXDOMAIN as the result of a
+ delegation-only zone or
+ a <span><strong class="command">delegation-only</strong></span> in a
+ hint or stub zone declaration.
+ </p>
+ </td>
</tr>
</tbody>
</table></div>
@@ -1019,9 +1632,11 @@ a <span><strong class="command">delegation-only</strong></span> in a hint or stu
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2578270"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
-<p> This is the grammar of the <span><strong class="command">lwres</strong></span>
-statement in the <code class="filename">named.conf</code> file:</p>
+<a name="id2576396"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
+<p>
+ This is the grammar of the <span><strong class="command">lwres</strong></span>
+ statement in the <code class="filename">named.conf</code> file:
+ </p>
<pre class="programlisting"><span><strong class="command">lwres</strong></span> {
[<span class="optional"> listen-on { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> view <em class="replaceable"><code>view_name</code></em>; </span>]
@@ -1032,50 +1647,78 @@ statement in the <code class="filename">named.conf</code> file:</p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2578343"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">lwres</strong></span> statement configures the name
-server to also act as a lightweight resolver server. (See
-<a href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called &#8220;Running a Resolver Daemon&#8221;</a>.) There may be be multiple
-<span><strong class="command">lwres</strong></span> statements configuring
-lightweight resolver servers with different properties.</p>
-<p>The <span><strong class="command">listen-on</strong></span> statement specifies a list of
-addresses (and ports) that this instance of a lightweight resolver daemon
-should accept requests on. If no port is specified, port 921 is used.
-If this statement is omitted, requests will be accepted on 127.0.0.1,
-port 921.</p>
-<p>The <span><strong class="command">view</strong></span> statement binds this instance of a
-lightweight resolver daemon to a view in the DNS namespace, so that the
-response will be constructed in the same manner as a normal DNS query
-matching this view. If this statement is omitted, the default view is
-used, and if there is no default view, an error is triggered.</p>
-<p>The <span><strong class="command">search</strong></span> statement is equivalent to the
-<span><strong class="command">search</strong></span> statement in
-<code class="filename">/etc/resolv.conf</code>. It provides a list of domains
-which are appended to relative names in queries.</p>
-<p>The <span><strong class="command">ndots</strong></span> statement is equivalent to the
-<span><strong class="command">ndots</strong></span> statement in
-<code class="filename">/etc/resolv.conf</code>. It indicates the minimum
-number of dots in a relative domain name that should result in an
-exact match lookup before search path elements are appended.</p>
+<a name="id2576470"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
+<p>
+ The <span><strong class="command">lwres</strong></span> statement configures the
+ name
+ server to also act as a lightweight resolver server. (See
+ <a href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called &#8220;Running a Resolver Daemon&#8221;</a>.) There may be be multiple
+ <span><strong class="command">lwres</strong></span> statements configuring
+ lightweight resolver servers with different properties.
+ </p>
+<p>
+ The <span><strong class="command">listen-on</strong></span> statement specifies a
+ list of
+ addresses (and ports) that this instance of a lightweight resolver
+ daemon
+ should accept requests on. If no port is specified, port 921 is
+ used.
+ If this statement is omitted, requests will be accepted on
+ 127.0.0.1,
+ port 921.
+ </p>
+<p>
+ The <span><strong class="command">view</strong></span> statement binds this
+ instance of a
+ lightweight resolver daemon to a view in the DNS namespace, so that
+ the
+ response will be constructed in the same manner as a normal DNS
+ query
+ matching this view. If this statement is omitted, the default view
+ is
+ used, and if there is no default view, an error is triggered.
+ </p>
+<p>
+ The <span><strong class="command">search</strong></span> statement is equivalent to
+ the
+ <span><strong class="command">search</strong></span> statement in
+ <code class="filename">/etc/resolv.conf</code>. It provides a
+ list of domains
+ which are appended to relative names in queries.
+ </p>
+<p>
+ The <span><strong class="command">ndots</strong></span> statement is equivalent to
+ the
+ <span><strong class="command">ndots</strong></span> statement in
+ <code class="filename">/etc/resolv.conf</code>. It indicates the
+ minimum
+ number of dots in a relative domain name that should result in an
+ exact match lookup before search path elements are appended.
+ </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2578406"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2576534"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">
-<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] } ;
+<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2578518"></a><span><strong class="command">masters</strong></span> Statement Definition and Usage </h3></div></div></div>
-<p><span><strong class="command">masters</strong></span> lists allow for a common set of masters
-to be easily used by multiple stub and slave zones.</p>
+<a name="id2576578"></a><span><strong class="command">masters</strong></span> Statement Definition and
+ Usage</h3></div></div></div>
+<p><span><strong class="command">masters</strong></span>
+ lists allow for a common set of masters to be easily used by
+ multiple stub and slave zones.
+ </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2578533"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
-<p>This is the grammar of the <span><strong class="command">options</strong></span>
-statement in the <code class="filename">named.conf</code> file:</p>
+<a name="id2576593"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
+<p>
+ This is the grammar of the <span><strong class="command">options</strong></span>
+ statement in the <code class="filename">named.conf</code> file:
+ </p>
<pre class="programlisting">options {
[<span class="optional"> version <em class="replaceable"><code>version_string</code></em>; </span>]
[<span class="optional"> hostname <em class="replaceable"><code>hostname_string</code></em>; </span>]
@@ -1102,31 +1745,52 @@ statement in the <code class="filename">named.conf</code> file:</p>
[<span class="optional"> host-statistics-max <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> minimal-responses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> multiple-cnames <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em>; </span>]
+ [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em>; </span>]
[<span class="optional"> recursion <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> rfc2308-type1 <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> use-id-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-enable <em class="replaceable"><code>yes_or_no</code></em>; </span>]
+ [<span class="optional"> dnssec-validation <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-lookaside <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em>; </span>]
[<span class="optional"> dnssec-must-be-secure <em class="replaceable"><code>domain yes_or_no</code></em>; </span>]
+ [<span class="optional"> dnssec-accept-expired <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> forward ( <em class="replaceable"><code>only</code></em> | <em class="replaceable"><code>first</code></em> ); </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
- [<span class="optional"> dual-stack-servers [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>domain_name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ) ; ... }; </span>]
- [<span class="optional"> check-names ( <em class="replaceable"><code>master</code></em> | <em class="replaceable"><code>slave</code></em> | <em class="replaceable"><code>response</code></em> )( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
+ [<span class="optional"> dual-stack-servers [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] {
+ ( <em class="replaceable"><code>domain_name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] |
+ <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ) ;
+ ... }; </span>]
+ [<span class="optional"> check-names ( <em class="replaceable"><code>master</code></em> | <em class="replaceable"><code>slave</code></em> | <em class="replaceable"><code>response</code></em> )
+ ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
+ [<span class="optional"> check-mx ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
+ [<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
+ [<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em>; </span>]
+ [<span class="optional"> check-mx-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
+ [<span class="optional"> check-srv-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
+ [<span class="optional"> check-sibling <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+ [<span class="optional"> allow-query-cache { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-recursion { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+ [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+ [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> allow-v6-synthesis { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> blackhole { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> avoid-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
[<span class="optional"> avoid-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
[<span class="optional"> listen-on [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
- [<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
+ [<span class="optional"> query-source ( ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> )
+ [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] |
+ [<span class="optional"> address ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
+ [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
+ [<span class="optional"> query-source-v6 ( ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> )
+ [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] |
+ [<span class="optional"> address ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
+ [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em>; </span>]
@@ -1182,202 +1846,316 @@ statement in the <code class="filename">named.conf</code> file:</p>
[<span class="optional"> match-mapped-addresses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> preferred-glue ( <em class="replaceable"><code>A</code></em> | <em class="replaceable"><code>AAAA</code></em> | <em class="replaceable"><code>NONE</code></em> ); </span>]
[<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em>; </span>]
+ [<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>namelist</code></em> } </span>] ; </span>]
[<span class="optional"> querylog <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> disable-algorithms <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>algorithm</code></em>; [<span class="optional"> <em class="replaceable"><code>algorithm</code></em>; </span>] }; </span>]
+ [<span class="optional"> acache-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
+ [<span class="optional"> acache-cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
+ [<span class="optional"> max-acache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
+ [<span class="optional"> clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
+ [<span class="optional"> max-clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
+ [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
+ [<span class="optional"> empty-server <em class="replaceable"><code>name</code></em> ; </span>]
+ [<span class="optional"> empty-contact <em class="replaceable"><code>name</code></em> ; </span>]
+ [<span class="optional"> empty-zones-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
+ [<span class="optional"> disable-empty-zone <em class="replaceable"><code>zone_name</code></em> ; </span>]
+ [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
+ [<span class="optional"> zero-no-soa-ttl-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
};
</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="options"></a><span><strong class="command">options</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">options</strong></span> statement sets up global options
-to be used by <acronym class="acronym">BIND</acronym>. This statement may appear only
-once in a configuration file. If there is no <span><strong class="command">options</strong></span>
-statement, an options block with each option set to its default will
-be used.</p>
+<a name="options"></a><span><strong class="command">options</strong></span> Statement Definition and
+ Usage</h3></div></div></div>
+<p>
+ The <span><strong class="command">options</strong></span> statement sets up global
+ options
+ to be used by <acronym class="acronym">BIND</acronym>. This statement
+ may appear only
+ once in a configuration file. If there is no <span><strong class="command">options</strong></span>
+ statement, an options block with each option set to its default will
+ be used.
+ </p>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">directory</strong></span></span></dt>
-<dd><p>The working directory of the server.
-Any non-absolute pathnames in the configuration file will be taken
-as relative to this directory. The default location for most server
-output files (e.g. <code class="filename">named.run</code>) is this directory.
-If a directory is not specified, the working directory defaults
-to `<code class="filename">.</code>', the directory from which the server
-was started. The directory specified should be an absolute path.</p></dd>
+<dd><p>
+ The working directory of the server.
+ Any non-absolute pathnames in the configuration file will be
+ taken
+ as relative to this directory. The default location for most
+ server
+ output files (e.g. <code class="filename">named.run</code>)
+ is this directory.
+ If a directory is not specified, the working directory
+ defaults to `<code class="filename">.</code>', the directory from
+ which the server
+ was started. The directory specified should be an absolute
+ path.
+ </p></dd>
<dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt>
-<dd><p>When performing dynamic update of secure zones, the
-directory where the public and private key files should be found,
-if different than the current working directory. The directory specified
-must be an absolute path.</p></dd>
+<dd><p>
+ When performing dynamic update of secure zones, the
+ directory where the public and private key files should be
+ found,
+ if different than the current working directory. The
+ directory specified
+ must be an absolute path.
+ </p></dd>
<dt><span class="term"><span><strong class="command">named-xfer</strong></span></span></dt>
-<dd><p><span class="emphasis"><em>This option is obsolete.</em></span>
-It was used in <acronym class="acronym">BIND</acronym> 8 to
-specify the pathname to the <span><strong class="command">named-xfer</strong></span> program.
-In <acronym class="acronym">BIND</acronym> 9, no separate <span><strong class="command">named-xfer</strong></span> program is
-needed; its functionality is built into the name server.</p></dd>
+<dd><p>
+ <span class="emphasis"><em>This option is obsolete.</em></span>
+ It was used in <acronym class="acronym">BIND</acronym> 8 to
+ specify the pathname to the <span><strong class="command">named-xfer</strong></span> program.
+ In <acronym class="acronym">BIND</acronym> 9, no separate <span><strong class="command">named-xfer</strong></span> program is
+ needed; its functionality is built into the name server.
+ </p></dd>
<dt><span class="term"><span><strong class="command">tkey-domain</strong></span></span></dt>
-<dd><p>The domain appended to the names of all
-shared keys generated with <span><strong class="command">TKEY</strong></span>. When a client
-requests a <span><strong class="command">TKEY</strong></span> exchange, it may or may not specify
-the desired name for the key. If present, the name of the shared
-key will be "<code class="varname">client specified part</code>" +
-"<code class="varname">tkey-domain</code>".
-Otherwise, the name of the shared key will be "<code class="varname">random hex
+<dd><p>
+ The domain appended to the names of all
+ shared keys generated with
+ <span><strong class="command">TKEY</strong></span>. When a client
+ requests a <span><strong class="command">TKEY</strong></span> exchange, it
+ may or may not specify
+ the desired name for the key. If present, the name of the
+ shared
+ key will be "<code class="varname">client specified part</code>" +
+ "<code class="varname">tkey-domain</code>".
+ Otherwise, the name of the shared key will be "<code class="varname">random hex
digits</code>" + "<code class="varname">tkey-domain</code>". In most cases,
-the <span><strong class="command">domainname</strong></span> should be the server's domain
-name.</p></dd>
+ the <span><strong class="command">domainname</strong></span> should be the
+ server's domain
+ name.
+ </p></dd>
<dt><span class="term"><span><strong class="command">tkey-dhkey</strong></span></span></dt>
-<dd><p>The Diffie-Hellman key used by the server
-to generate shared keys with clients using the Diffie-Hellman mode
-of <span><strong class="command">TKEY</strong></span>. The server must be able to load the
-public and private keys from files in the working directory. In
-most cases, the keyname should be the server's host name.</p></dd>
+<dd><p>
+ The Diffie-Hellman key used by the server
+ to generate shared keys with clients using the Diffie-Hellman
+ mode
+ of <span><strong class="command">TKEY</strong></span>. The server must be
+ able to load the
+ public and private keys from files in the working directory.
+ In
+ most cases, the keyname should be the server's host name.
+ </p></dd>
<dt><span class="term"><span><strong class="command">cache-file</strong></span></span></dt>
<dd><p>
- This is for testing only. Do not use.
+ This is for testing only. Do not use.
</p></dd>
<dt><span class="term"><span><strong class="command">dump-file</strong></span></span></dt>
-<dd><p>The pathname of the file the server dumps
-the database to when instructed to do so with
-<span><strong class="command">rndc dumpdb</strong></span>.
-If not specified, the default is <code class="filename">named_dump.db</code>.</p></dd>
+<dd><p>
+ The pathname of the file the server dumps
+ the database to when instructed to do so with
+ <span><strong class="command">rndc dumpdb</strong></span>.
+ If not specified, the default is <code class="filename">named_dump.db</code>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">memstatistics-file</strong></span></span></dt>
-<dd><p>The pathname of the file the server writes memory
-usage statistics to on exit. If not specified,
-the default is <code class="filename">named.memstats</code>.</p></dd>
+<dd><p>
+ The pathname of the file the server writes memory
+ usage statistics to on exit. If not specified,
+ the default is
+ <code class="filename">named.memstats</code>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">pid-file</strong></span></span></dt>
-<dd><p>The pathname of the file the server writes its process ID
-in. If not specified, the default is <code class="filename">/var/run/named.pid</code>.
-The pid-file is used by programs that want to send signals to the running
-name server. Specifying <span><strong class="command">pid-file none</strong></span> disables the
-use of a PID file &#8212; no file will be written and any
-existing one will be removed. Note that <span><strong class="command">none</strong></span>
-is a keyword, not a file name, and therefore is not enclosed in
-double quotes.</p></dd>
+<dd><p>
+ The pathname of the file the server writes its process ID
+ in. If not specified, the default is <code class="filename">/var/run/named.pid</code>.
+ The pid-file is used by programs that want to send signals to
+ the running
+ name server. Specifying <span><strong class="command">pid-file none</strong></span> disables the
+ use of a PID file &#8212; no file will be written and any
+ existing one will be removed. Note that <span><strong class="command">none</strong></span>
+ is a keyword, not a file name, and therefore is not enclosed
+ in
+ double quotes.
+ </p></dd>
<dt><span class="term"><span><strong class="command">statistics-file</strong></span></span></dt>
-<dd><p>The pathname of the file the server appends statistics
-to when instructed to do so using <span><strong class="command">rndc stats</strong></span>.
-If not specified, the default is <code class="filename">named.stats</code> in the
-server's current directory. The format of the file is described
-in <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called &#8220;The Statistics File&#8221;</a>.</p></dd>
+<dd><p>
+ The pathname of the file the server appends statistics
+ to when instructed to do so using <span><strong class="command">rndc stats</strong></span>.
+ If not specified, the default is <code class="filename">named.stats</code> in the
+ server's current directory. The format of the file is
+ described
+ in <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called &#8220;The Statistics File&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">port</strong></span></span></dt>
<dd><p>
-The UDP/TCP port number the server uses for
-receiving and sending DNS protocol traffic.
-The default is 53. This option is mainly intended for server testing;
-a server using a port other than 53 will not be able to communicate with
-the global DNS.
-</p></dd>
+ The UDP/TCP port number the server uses for
+ receiving and sending DNS protocol traffic.
+ The default is 53. This option is mainly intended for server
+ testing;
+ a server using a port other than 53 will not be able to
+ communicate with
+ the global DNS.
+ </p></dd>
<dt><span class="term"><span><strong class="command">random-device</strong></span></span></dt>
<dd><p>
-The source of entropy to be used by the server. Entropy is primarily needed
-for DNSSEC operations, such as TKEY transactions and dynamic update of signed
-zones. This options specifies the device (or file) from which to read
-entropy. If this is a file, operations requiring entropy will fail when the
-file has been exhausted. If not specified, the default value is
-<code class="filename">/dev/random</code>
-(or equivalent) when present, and none otherwise. The
-<span><strong class="command">random-device</strong></span> option takes effect during
-the initial configuration load at server startup time and
-is ignored on subsequent reloads.</p></dd>
+ The source of entropy to be used by the server. Entropy is
+ primarily needed
+ for DNSSEC operations, such as TKEY transactions and dynamic
+ update of signed
+ zones. This options specifies the device (or file) from which
+ to read
+ entropy. If this is a file, operations requiring entropy will
+ fail when the
+ file has been exhausted. If not specified, the default value
+ is
+ <code class="filename">/dev/random</code>
+ (or equivalent) when present, and none otherwise. The
+ <span><strong class="command">random-device</strong></span> option takes
+ effect during
+ the initial configuration load at server startup time and
+ is ignored on subsequent reloads.
+ </p></dd>
<dt><span class="term"><span><strong class="command">preferred-glue</strong></span></span></dt>
<dd><p>
-If specified, the listed type (A or AAAA) will be emitted before other glue
-in the additional section of a query response.
-The default is not to prefer any type (NONE).
-</p></dd>
+ If specified, the listed type (A or AAAA) will be emitted
+ before other glue
+ in the additional section of a query response.
+ The default is not to prefer any type (NONE).
+ </p></dd>
<dt><span class="term"><span><strong class="command">root-delegation-only</strong></span></span></dt>
<dd>
<p>
-Turn on enforcement of delegation-only in TLDs (top level domains)
-and root zones with an optional exclude list.
-</p>
+ Turn on enforcement of delegation-only in TLDs (top level domains) and root zones
+ with an optional
+ exclude list.
+ </p>
<p>
-Note some TLDs are not delegation only (e.g. "DE", "LV", "US" and "MUSEUM").
-</p>
+ Note some TLDs are not delegation only (e.g. "DE", "LV", "US"
+ and "MUSEUM").
+ </p>
<pre class="programlisting">
options {
- root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
+ root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
};
</pre>
</dd>
<dt><span class="term"><span><strong class="command">disable-algorithms</strong></span></span></dt>
<dd><p>
-Disable the specified DNSSEC algorithms at and below the specified name.
-Multiple <span><strong class="command">disable-algorithms</strong></span> statements are allowed.
-Only the most specific will be applied.
-</p></dd>
+ Disable the specified DNSSEC algorithms at and below the
+ specified name.
+ Multiple <span><strong class="command">disable-algorithms</strong></span>
+ statements are allowed.
+ Only the most specific will be applied.
+ </p></dd>
<dt><span class="term"><span><strong class="command">dnssec-lookaside</strong></span></span></dt>
<dd><p>
-When set, <span><strong class="command">dnssec-lookaside</strong></span> provides the
-validator with an alternate method to validate DNSKEY records at the
-top of a zone. When a DNSKEY is at or below a domain specified by the
-deepest <span><strong class="command">dnssec-lookaside</strong></span>, and the normal dnssec validation
-has left the key untrusted, the trust-anchor will be append to the key
-name and a DLV record will be looked up to see if it can validate the
-key. If the DLV record validates a DNSKEY (similarly to the way a DS
-record does) the DNSKEY RRset is deemed to be trusted.
-</p></dd>
+ When set, <span><strong class="command">dnssec-lookaside</strong></span>
+ provides the
+ validator with an alternate method to validate DNSKEY records
+ at the
+ top of a zone. When a DNSKEY is at or below a domain
+ specified by the
+ deepest <span><strong class="command">dnssec-lookaside</strong></span>, and
+ the normal dnssec validation
+ has left the key untrusted, the trust-anchor will be append to
+ the key
+ name and a DLV record will be looked up to see if it can
+ validate the
+ key. If the DLV record validates a DNSKEY (similarly to the
+ way a DS
+ record does) the DNSKEY RRset is deemed to be trusted.
+ </p></dd>
<dt><span class="term"><span><strong class="command">dnssec-must-be-secure</strong></span></span></dt>
<dd><p>
-Specify heirarchies which must be or may not be secure (signed and validated).
-If <strong class="userinput"><code>yes</code></strong>, then named will only accept answers if they
-are secure.
-If <strong class="userinput"><code>no</code></strong>, then normal dnssec validation applies
-allowing for insecure answers to be accepted.
-The specified domain must be under a <span><strong class="command">trusted-key</strong></span> or
-<span><strong class="command">dnssec-lookaside</strong></span> must be active.
-</p></dd>
+ Specify hierarchies which must be or may not be secure (signed and
+ validated).
+ If <strong class="userinput"><code>yes</code></strong>, then named will only accept
+ answers if they
+ are secure.
+ If <strong class="userinput"><code>no</code></strong>, then normal dnssec validation
+ applies
+ allowing for insecure answers to be accepted.
+ The specified domain must be under a <span><strong class="command">trusted-key</strong></span> or
+ <span><strong class="command">dnssec-lookaside</strong></span> must be
+ active.
+ </p></dd>
</dl></div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="boolean_options"></a>Boolean Options</h4></div></div></div>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">auth-nxdomain</strong></span></span></dt>
-<dd><p>If <strong class="userinput"><code>yes</code></strong>, then the <span><strong class="command">AA</strong></span> bit
-is always set on NXDOMAIN responses, even if the server is not actually
-authoritative. The default is <strong class="userinput"><code>no</code></strong>; this is
-a change from <acronym class="acronym">BIND</acronym> 8. If you are using very old DNS software, you
-may need to set it to <strong class="userinput"><code>yes</code></strong>.</p></dd>
+<dd><p>
+ If <strong class="userinput"><code>yes</code></strong>, then the <span><strong class="command">AA</strong></span> bit
+ is always set on NXDOMAIN responses, even if the server is
+ not actually
+ authoritative. The default is <strong class="userinput"><code>no</code></strong>;
+ this is
+ a change from <acronym class="acronym">BIND</acronym> 8. If you
+ are using very old DNS software, you
+ may need to set it to <strong class="userinput"><code>yes</code></strong>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">deallocate-on-exit</strong></span></span></dt>
-<dd><p>This option was used in <acronym class="acronym">BIND</acronym> 8 to enable checking
-for memory leaks on exit. <acronym class="acronym">BIND</acronym> 9 ignores the option and always performs
-the checks.</p></dd>
+<dd><p>
+ This option was used in <acronym class="acronym">BIND</acronym>
+ 8 to enable checking
+ for memory leaks on exit. <acronym class="acronym">BIND</acronym> 9 ignores the option and always performs
+ the checks.
+ </p></dd>
<dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt>
<dd>
-<p>If <strong class="userinput"><code>yes</code></strong>, then the
-server treats all zones as if they are doing zone transfers across
-a dial-on-demand dialup link, which can be brought up by traffic
-originating from this server. This has different effects according
-to zone type and concentrates the zone maintenance so that it all
-happens in a short interval, once every <span><strong class="command">heartbeat-interval</strong></span> and
-hopefully during the one call. It also suppresses some of the normal
-zone maintenance traffic. The default is <strong class="userinput"><code>no</code></strong>.</p>
-<p>The <span><strong class="command">dialup</strong></span> option
-may also be specified in the <span><strong class="command">view</strong></span> and
-<span><strong class="command">zone</strong></span> statements,
-in which case it overrides the global <span><strong class="command">dialup</strong></span>
-option.</p>
-<p>If the zone is a master zone, then the server will send out a NOTIFY
-request to all the slaves (default). This should trigger the zone serial
-number check in the slave (providing it supports NOTIFY) allowing the slave
-to verify the zone while the connection is active.
-The set of servers to which NOTIFY is sent can be controlled by
-<span><strong class="command">notify</strong></span> and <span><strong class="command">also-notify</strong></span>.</p>
-<p>If the
-zone is a slave or stub zone, then the server will suppress the regular
-"zone up to date" (refresh) queries and only perform them when the
-<span><strong class="command">heartbeat-interval</strong></span> expires in addition to sending
-NOTIFY requests.</p>
-<p>Finer control can be achieved by using
-<strong class="userinput"><code>notify</code></strong> which only sends NOTIFY messages,
-<strong class="userinput"><code>notify-passive</code></strong> which sends NOTIFY messages and
-suppresses the normal refresh queries, <strong class="userinput"><code>refresh</code></strong>
-which suppresses normal refresh processing and sends refresh queries
-when the <span><strong class="command">heartbeat-interval</strong></span> expires, and
-<strong class="userinput"><code>passive</code></strong> which just disables normal refresh
-processing.</p>
+<p>
+ If <strong class="userinput"><code>yes</code></strong>, then the
+ server treats all zones as if they are doing zone transfers
+ across
+ a dial-on-demand dialup link, which can be brought up by
+ traffic
+ originating from this server. This has different effects
+ according
+ to zone type and concentrates the zone maintenance so that
+ it all
+ happens in a short interval, once every <span><strong class="command">heartbeat-interval</strong></span> and
+ hopefully during the one call. It also suppresses some of
+ the normal
+ zone maintenance traffic. The default is <strong class="userinput"><code>no</code></strong>.
+ </p>
+<p>
+ The <span><strong class="command">dialup</strong></span> option
+ may also be specified in the <span><strong class="command">view</strong></span> and
+ <span><strong class="command">zone</strong></span> statements,
+ in which case it overrides the global <span><strong class="command">dialup</strong></span>
+ option.
+ </p>
+<p>
+ If the zone is a master zone, then the server will send out a
+ NOTIFY
+ request to all the slaves (default). This should trigger the
+ zone serial
+ number check in the slave (providing it supports NOTIFY)
+ allowing the slave
+ to verify the zone while the connection is active.
+ The set of servers to which NOTIFY is sent can be controlled
+ by
+ <span><strong class="command">notify</strong></span> and <span><strong class="command">also-notify</strong></span>.
+ </p>
+<p>
+ If the
+ zone is a slave or stub zone, then the server will suppress
+ the regular
+ "zone up to date" (refresh) queries and only perform them
+ when the
+ <span><strong class="command">heartbeat-interval</strong></span> expires in
+ addition to sending
+ NOTIFY requests.
+ </p>
+<p>
+ Finer control can be achieved by using
+ <strong class="userinput"><code>notify</code></strong> which only sends NOTIFY
+ messages,
+ <strong class="userinput"><code>notify-passive</code></strong> which sends NOTIFY
+ messages and
+ suppresses the normal refresh queries, <strong class="userinput"><code>refresh</code></strong>
+ which suppresses normal refresh processing and sends refresh
+ queries
+ when the <span><strong class="command">heartbeat-interval</strong></span>
+ expires, and
+ <strong class="userinput"><code>passive</code></strong> which just disables normal
+ refresh
+ processing.
+ </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -1387,818 +2165,1377 @@ processing.</p>
</colgroup>
<tbody>
<tr>
-<td><p>dialup mode</p></td>
-<td><p>normal refresh</p></td>
-<td><p>heart-beat refresh</p></td>
-<td><p>heart-beat notify</p></td>
+<td>
+ <p>
+ dialup mode
+ </p>
+ </td>
+<td>
+ <p>
+ normal refresh
+ </p>
+ </td>
+<td>
+ <p>
+ heart-beat refresh
+ </p>
+ </td>
+<td>
+ <p>
+ heart-beat notify
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">no</strong></span> (default)</p></td>
-<td><p>yes</p></td>
-<td><p>no</p></td>
-<td><p>no</p></td>
+<td>
+ <p><span><strong class="command">no</strong></span> (default)</p>
+ </td>
+<td>
+ <p>
+ yes
+ </p>
+ </td>
+<td>
+ <p>
+ no
+ </p>
+ </td>
+<td>
+ <p>
+ no
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">yes</strong></span></p></td>
-<td><p>no</p></td>
-<td><p>yes</p></td>
-<td><p>yes</p></td>
+<td>
+ <p><span><strong class="command">yes</strong></span></p>
+ </td>
+<td>
+ <p>
+ no
+ </p>
+ </td>
+<td>
+ <p>
+ yes
+ </p>
+ </td>
+<td>
+ <p>
+ yes
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">notify</strong></span></p></td>
-<td><p>yes</p></td>
-<td><p>no</p></td>
-<td><p>yes</p></td>
+<td>
+ <p><span><strong class="command">notify</strong></span></p>
+ </td>
+<td>
+ <p>
+ yes
+ </p>
+ </td>
+<td>
+ <p>
+ no
+ </p>
+ </td>
+<td>
+ <p>
+ yes
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">refresh</strong></span></p></td>
-<td><p>no</p></td>
-<td><p>yes</p></td>
-<td><p>no</p></td>
+<td>
+ <p><span><strong class="command">refresh</strong></span></p>
+ </td>
+<td>
+ <p>
+ no
+ </p>
+ </td>
+<td>
+ <p>
+ yes
+ </p>
+ </td>
+<td>
+ <p>
+ no
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">passive</strong></span></p></td>
-<td><p>no</p></td>
-<td><p>no</p></td>
-<td><p>no</p></td>
+<td>
+ <p><span><strong class="command">passive</strong></span></p>
+ </td>
+<td>
+ <p>
+ no
+ </p>
+ </td>
+<td>
+ <p>
+ no
+ </p>
+ </td>
+<td>
+ <p>
+ no
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">notify-passive</strong></span></p></td>
-<td><p>no</p></td>
-<td><p>no</p></td>
-<td><p>yes</p></td>
+<td>
+ <p><span><strong class="command">notify-passive</strong></span></p>
+ </td>
+<td>
+ <p>
+ no
+ </p>
+ </td>
+<td>
+ <p>
+ no
+ </p>
+ </td>
+<td>
+ <p>
+ yes
+ </p>
+ </td>
</tr>
</tbody>
</table></div>
-<p>Note that normal NOTIFY processing is not affected by
-<span><strong class="command">dialup</strong></span>.</p>
+<p>
+ Note that normal NOTIFY processing is not affected by
+ <span><strong class="command">dialup</strong></span>.
+ </p>
</dd>
<dt><span class="term"><span><strong class="command">fake-iquery</strong></span></span></dt>
-<dd><p>In <acronym class="acronym">BIND</acronym> 8, this option
-enabled simulating the obsolete DNS query type
-IQUERY. <acronym class="acronym">BIND</acronym> 9 never does IQUERY simulation.
-</p></dd>
+<dd><p>
+ In <acronym class="acronym">BIND</acronym> 8, this option
+ enabled simulating the obsolete DNS query type
+ IQUERY. <acronym class="acronym">BIND</acronym> 9 never does
+ IQUERY simulation.
+ </p></dd>
<dt><span class="term"><span><strong class="command">fetch-glue</strong></span></span></dt>
-<dd><p>This option is obsolete.
-In BIND 8, <strong class="userinput"><code>fetch-glue yes</code></strong>
-caused the server to attempt to fetch glue resource records it
-didn't have when constructing the additional
-data section of a response. This is now considered a bad idea
-and BIND 9 never does it.</p></dd>
+<dd><p>
+ This option is obsolete.
+ In BIND 8, <strong class="userinput"><code>fetch-glue yes</code></strong>
+ caused the server to attempt to fetch glue resource records
+ it
+ didn't have when constructing the additional
+ data section of a response. This is now considered a bad
+ idea
+ and BIND 9 never does it.
+ </p></dd>
<dt><span class="term"><span><strong class="command">flush-zones-on-shutdown</strong></span></span></dt>
-<dd><p>When the nameserver exits due receiving SIGTERM,
-flush or do not flush any pending zone writes. The default is
-<span><strong class="command">flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>.
-</p></dd>
+<dd><p>
+ When the nameserver exits due receiving SIGTERM,
+ flush or do not flush any pending zone writes. The default
+ is
+ <span><strong class="command">flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">has-old-clients</strong></span></span></dt>
-<dd><p>This option was incorrectly implemented
-in <acronym class="acronym">BIND</acronym> 8, and is ignored by <acronym class="acronym">BIND</acronym> 9.
-To achieve the intended effect
-of
-<span><strong class="command">has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify
-the two separate options <span><strong class="command">auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong>
-and <span><strong class="command">rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead.
-</p></dd>
+<dd><p>
+ This option was incorrectly implemented
+ in <acronym class="acronym">BIND</acronym> 8, and is ignored by <acronym class="acronym">BIND</acronym> 9.
+ To achieve the intended effect
+ of
+ <span><strong class="command">has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify
+ the two separate options <span><strong class="command">auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong>
+ and <span><strong class="command">rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead.
+ </p></dd>
<dt><span class="term"><span><strong class="command">host-statistics</strong></span></span></dt>
-<dd><p>In BIND 8, this enables keeping of
-statistics for every host that the name server interacts with.
-Not implemented in BIND 9.
-</p></dd>
+<dd><p>
+ In BIND 8, this enables keeping of
+ statistics for every host that the name server interacts
+ with.
+ Not implemented in BIND 9.
+ </p></dd>
<dt><span class="term"><span><strong class="command">maintain-ixfr-base</strong></span></span></dt>
-<dd><p><span class="emphasis"><em>This option is obsolete</em></span>.
- It was used in <acronym class="acronym">BIND</acronym> 8 to determine whether a transaction log was
-kept for Incremental Zone Transfer. <acronym class="acronym">BIND</acronym> 9 maintains a transaction
-log whenever possible. If you need to disable outgoing incremental zone
-transfers, use <span><strong class="command">provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>.
-</p></dd>
+<dd><p>
+ <span class="emphasis"><em>This option is obsolete</em></span>.
+ It was used in <acronym class="acronym">BIND</acronym> 8 to
+ determine whether a transaction log was
+ kept for Incremental Zone Transfer. <acronym class="acronym">BIND</acronym> 9 maintains a transaction
+ log whenever possible. If you need to disable outgoing
+ incremental zone
+ transfers, use <span><strong class="command">provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">minimal-responses</strong></span></span></dt>
-<dd><p>If <strong class="userinput"><code>yes</code></strong>, then when generating
-responses the server will only add records to the authority and
-additional data sections when they are required (e.g. delegations,
-negative responses). This may improve the performance of the server.
-The default is <strong class="userinput"><code>no</code></strong>.
-</p></dd>
+<dd><p>
+ If <strong class="userinput"><code>yes</code></strong>, then when generating
+ responses the server will only add records to the authority
+ and additional data sections when they are required (e.g.
+ delegations, negative responses). This may improve the
+ performance of the server.
+ The default is <strong class="userinput"><code>no</code></strong>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">multiple-cnames</strong></span></span></dt>
-<dd><p>This option was used in <acronym class="acronym">BIND</acronym> 8 to allow
-a domain name to have multiple CNAME records in violation of the
-DNS standards. <acronym class="acronym">BIND</acronym> 9.2 always strictly
-enforces the CNAME rules both in master files and dynamic updates.
-</p></dd>
+<dd><p>
+ This option was used in <acronym class="acronym">BIND</acronym> 8 to allow
+ a domain name to have multiple CNAME records in violation of
+ the DNS standards. <acronym class="acronym">BIND</acronym> 9.2 onwards
+ always strictly enforces the CNAME rules both in master
+ files and dynamic updates.
+ </p></dd>
<dt><span class="term"><span><strong class="command">notify</strong></span></span></dt>
<dd>
-<p>If <strong class="userinput"><code>yes</code></strong> (the default),
-DNS NOTIFY messages are sent when a zone the server is authoritative for
-changes, see <a href="Bv9ARM.ch04.html#notify" title="Notify">the section called &#8220;Notify&#8221;</a>. The messages are sent to the
-servers listed in the zone's NS records (except the master server identified
-in the SOA MNAME field), and to any servers listed in the
-<span><strong class="command">also-notify</strong></span> option.
-</p>
<p>
-If <strong class="userinput"><code>explicit</code></strong>, notifies are sent only to
-servers explicitly listed using <span><strong class="command">also-notify</strong></span>.
-If <strong class="userinput"><code>no</code></strong>, no notifies are sent.
-</p>
+ If <strong class="userinput"><code>yes</code></strong> (the default),
+ DNS NOTIFY messages are sent when a zone the server is
+ authoritative for
+ changes, see <a href="Bv9ARM.ch04.html#notify" title="Notify">the section called &#8220;Notify&#8221;</a>. The messages are
+ sent to the
+ servers listed in the zone's NS records (except the master
+ server identified
+ in the SOA MNAME field), and to any servers listed in the
+ <span><strong class="command">also-notify</strong></span> option.
+ </p>
<p>
-The <span><strong class="command">notify</strong></span> option may also be
-specified in the <span><strong class="command">zone</strong></span> statement,
-in which case it overrides the <span><strong class="command">options notify</strong></span> statement.
-It would only be necessary to turn off this option if it caused slaves
-to crash.</p>
+ If <strong class="userinput"><code>master-only</code></strong>, notifies are only
+ sent
+ for master zones.
+ If <strong class="userinput"><code>explicit</code></strong>, notifies are sent only
+ to
+ servers explicitly listed using <span><strong class="command">also-notify</strong></span>.
+ If <strong class="userinput"><code>no</code></strong>, no notifies are sent.
+ </p>
+<p>
+ The <span><strong class="command">notify</strong></span> option may also be
+ specified in the <span><strong class="command">zone</strong></span>
+ statement,
+ in which case it overrides the <span><strong class="command">options notify</strong></span> statement.
+ It would only be necessary to turn off this option if it
+ caused slaves
+ to crash.
+ </p>
</dd>
<dt><span class="term"><span><strong class="command">recursion</strong></span></span></dt>
-<dd><p>If <strong class="userinput"><code>yes</code></strong>, and a
-DNS query requests recursion, then the server will attempt to do
-all the work required to answer the query. If recursion is off
-and the server does not already know the answer, it will return a
-referral response. The default is <strong class="userinput"><code>yes</code></strong>.
-Note that setting <span><strong class="command">recursion no</strong></span> does not prevent
-clients from getting data from the server's cache; it only
-prevents new data from being cached as an effect of client queries.
-Caching may still occur as an effect the server's internal
-operation, such as NOTIFY address lookups.
-See also <span><strong class="command">fetch-glue</strong></span> above.
-</p></dd>
+<dd><p>
+ If <strong class="userinput"><code>yes</code></strong>, and a
+ DNS query requests recursion, then the server will attempt
+ to do
+ all the work required to answer the query. If recursion is
+ off
+ and the server does not already know the answer, it will
+ return a
+ referral response. The default is
+ <strong class="userinput"><code>yes</code></strong>.
+ Note that setting <span><strong class="command">recursion no</strong></span> does not prevent
+ clients from getting data from the server's cache; it only
+ prevents new data from being cached as an effect of client
+ queries.
+ Caching may still occur as an effect the server's internal
+ operation, such as NOTIFY address lookups.
+ See also <span><strong class="command">fetch-glue</strong></span> above.
+ </p></dd>
<dt><span class="term"><span><strong class="command">rfc2308-type1</strong></span></span></dt>
<dd>
-<p>Setting this to <strong class="userinput"><code>yes</code></strong> will
-cause the server to send NS records along with the SOA record for negative
-answers. The default is <strong class="userinput"><code>no</code></strong>.</p>
+<p>
+ Setting this to <strong class="userinput"><code>yes</code></strong> will
+ cause the server to send NS records along with the SOA
+ record for negative
+ answers. The default is <strong class="userinput"><code>no</code></strong>.
+ </p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
-<p>Not yet implemented in <acronym class="acronym">BIND</acronym> 9.</p>
+<p>
+ Not yet implemented in <acronym class="acronym">BIND</acronym>
+ 9.
+ </p>
</div>
</dd>
<dt><span class="term"><span><strong class="command">use-id-pool</strong></span></span></dt>
-<dd><p><span class="emphasis"><em>This option is obsolete</em></span>.
-<acronym class="acronym">BIND</acronym> 9 always allocates query IDs from a pool.
-</p></dd>
+<dd><p>
+ <span class="emphasis"><em>This option is obsolete</em></span>.
+ <acronym class="acronym">BIND</acronym> 9 always allocates query
+ IDs from a pool.
+ </p></dd>
<dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt>
-<dd><p>If <strong class="userinput"><code>yes</code></strong>, the server will collect
-statistical data on all zones (unless specifically turned off
-on a per-zone basis by specifying <span><strong class="command">zone-statistics no</strong></span>
-in the <span><strong class="command">zone</strong></span> statement). These statistics may be accessed
-using <span><strong class="command">rndc stats</strong></span>, which will dump them to the file listed
-in the <span><strong class="command">statistics-file</strong></span>. See also <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called &#8220;The Statistics File&#8221;</a>.
-</p></dd>
+<dd><p>
+ If <strong class="userinput"><code>yes</code></strong>, the server will collect
+ statistical data on all zones (unless specifically turned
+ off
+ on a per-zone basis by specifying <span><strong class="command">zone-statistics no</strong></span>
+ in the <span><strong class="command">zone</strong></span> statement).
+ These statistics may be accessed
+ using <span><strong class="command">rndc stats</strong></span>, which will
+ dump them to the file listed
+ in the <span><strong class="command">statistics-file</strong></span>. See
+ also <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called &#8220;The Statistics File&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">use-ixfr</strong></span></span></dt>
-<dd><p><span class="emphasis"><em>This option is obsolete</em></span>.
-If you need to disable IXFR to a particular server or servers see
-the information on the <span><strong class="command">provide-ixfr</strong></span> option
-in <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called &#8220;<span><strong class="command">server</strong></span> Statement Definition and Usage&#8221;</a>. See also
-<a href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called &#8220;Incremental Zone Transfers (IXFR)&#8221;</a>.
-</p></dd>
+<dd><p>
+ <span class="emphasis"><em>This option is obsolete</em></span>.
+ If you need to disable IXFR to a particular server or
+ servers see
+ the information on the <span><strong class="command">provide-ixfr</strong></span> option
+ in <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
+ Usage">the section called &#8220;<span><strong class="command">server</strong></span> Statement Definition and
+ Usage&#8221;</a>.
+ See also
+ <a href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called &#8220;Incremental Zone Transfers (IXFR)&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">provide-ixfr</strong></span></span></dt>
<dd><p>
-See the description of
-<span><strong class="command">provide-ixfr</strong></span> in
-<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called &#8220;<span><strong class="command">server</strong></span> Statement Definition and Usage&#8221;</a>.
-</p></dd>
+ See the description of
+ <span><strong class="command">provide-ixfr</strong></span> in
+ <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
+ Usage">the section called &#8220;<span><strong class="command">server</strong></span> Statement Definition and
+ Usage&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">request-ixfr</strong></span></span></dt>
<dd><p>
-See the description of
-<span><strong class="command">request-ixfr</strong></span> in
-<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called &#8220;<span><strong class="command">server</strong></span> Statement Definition and Usage&#8221;</a>.
-</p></dd>
+ See the description of
+ <span><strong class="command">request-ixfr</strong></span> in
+ <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
+ Usage">the section called &#8220;<span><strong class="command">server</strong></span> Statement Definition and
+ Usage&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">treat-cr-as-space</strong></span></span></dt>
-<dd><p>This option was used in <acronym class="acronym">BIND</acronym> 8 to make
-the server treat carriage return ("<span><strong class="command">\r</strong></span>") characters the same way
-as a space or tab character,
-to facilitate loading of zone files on a UNIX system that were generated
-on an NT or DOS machine. In <acronym class="acronym">BIND</acronym> 9, both UNIX "<span><strong class="command">\n</strong></span>"
-and NT/DOS "<span><strong class="command">\r\n</strong></span>" newlines are always accepted,
-and the option is ignored.</p></dd>
+<dd><p>
+ This option was used in <acronym class="acronym">BIND</acronym>
+ 8 to make
+ the server treat carriage return ("<span><strong class="command">\r</strong></span>") characters the same way
+ as a space or tab character,
+ to facilitate loading of zone files on a UNIX system that
+ were generated
+ on an NT or DOS machine. In <acronym class="acronym">BIND</acronym> 9, both UNIX "<span><strong class="command">\n</strong></span>"
+ and NT/DOS "<span><strong class="command">\r\n</strong></span>" newlines
+ are always accepted,
+ and the option is ignored.
+ </p></dd>
<dt>
<span class="term"><span><strong class="command">additional-from-auth</strong></span>, </span><span class="term"><span><strong class="command">additional-from-cache</strong></span></span>
</dt>
<dd>
<p>
-These options control the behavior of an authoritative server when
-answering queries which have additional data, or when following CNAME
-and DNAME chains.
-</p>
+ These options control the behavior of an authoritative
+ server when
+ answering queries which have additional data, or when
+ following CNAME
+ and DNAME chains.
+ </p>
<p>
-When both of these options are set to <strong class="userinput"><code>yes</code></strong>
-(the default) and a
-query is being answered from authoritative data (a zone
-configured into the server), the additional data section of the
-reply will be filled in using data from other authoritative zones
-and from the cache. In some situations this is undesirable, such
-as when there is concern over the correctness of the cache, or
-in servers where slave zones may be added and modified by
-untrusted third parties. Also, avoiding
-the search for this additional data will speed up server operations
-at the possible expense of additional queries to resolve what would
-otherwise be provided in the additional section.
-</p>
+ When both of these options are set to <strong class="userinput"><code>yes</code></strong>
+ (the default) and a
+ query is being answered from authoritative data (a zone
+ configured into the server), the additional data section of
+ the
+ reply will be filled in using data from other authoritative
+ zones
+ and from the cache. In some situations this is undesirable,
+ such
+ as when there is concern over the correctness of the cache,
+ or
+ in servers where slave zones may be added and modified by
+ untrusted third parties. Also, avoiding
+ the search for this additional data will speed up server
+ operations
+ at the possible expense of additional queries to resolve
+ what would
+ otherwise be provided in the additional section.
+ </p>
<p>
-For example, if a query asks for an MX record for host <code class="literal">foo.example.com</code>,
-and the record found is "<code class="literal">MX 10 mail.example.net</code>", normally the address
-records (A and AAAA) for <code class="literal">mail.example.net</code> will be provided as well,
-if known, even though they are not in the example.com zone.
-Setting these options to <span><strong class="command">no</strong></span> disables this behavior and makes
-the server only search for additional data in the zone it answers from.
-</p>
+ For example, if a query asks for an MX record for host <code class="literal">foo.example.com</code>,
+ and the record found is "<code class="literal">MX 10 mail.example.net</code>", normally the address
+ records (A and AAAA) for <code class="literal">mail.example.net</code> will be provided as well,
+ if known, even though they are not in the example.com zone.
+ Setting these options to <span><strong class="command">no</strong></span>
+ disables this behavior and makes
+ the server only search for additional data in the zone it
+ answers from.
+ </p>
<p>
-These options are intended for use in authoritative-only
-servers, or in authoritative-only views. Attempts to set
-them to <span><strong class="command">no</strong></span> without also specifying
-<span><strong class="command">recursion no</strong></span> will cause the server to
-ignore the options and log a warning message.
-</p>
+ These options are intended for use in authoritative-only
+ servers, or in authoritative-only views. Attempts to set
+ them to <span><strong class="command">no</strong></span> without also
+ specifying
+ <span><strong class="command">recursion no</strong></span> will cause the
+ server to
+ ignore the options and log a warning message.
+ </p>
<p>
-Specifying <span><strong class="command">additional-from-cache no</strong></span> actually
-disables the use of the cache not only for additional data lookups
-but also when looking up the answer. This is usually the desired
-behavior in an authoritative-only server where the correctness of
-the cached data is an issue.
-</p>
+ Specifying <span><strong class="command">additional-from-cache no</strong></span> actually
+ disables the use of the cache not only for additional data
+ lookups
+ but also when looking up the answer. This is usually the
+ desired
+ behavior in an authoritative-only server where the
+ correctness of
+ the cached data is an issue.
+ </p>
<p>
-When a name server is non-recursively queried for a name that is not
-below the apex of any served zone, it normally answers with an
-"upwards referral" to the root servers or the servers of some other
-known parent of the query name. Since the data in an upwards referral
-comes from the cache, the server will not be able to provide upwards
-referrals when <span><strong class="command">additional-from-cache no</strong></span>
-has been specified. Instead, it will respond to such queries
-with REFUSED. This should not cause any problems since
-upwards referrals are not required for the resolution process.
-</p>
+ When a name server is non-recursively queried for a name
+ that is not
+ below the apex of any served zone, it normally answers with
+ an
+ "upwards referral" to the root servers or the servers of
+ some other
+ known parent of the query name. Since the data in an
+ upwards referral
+ comes from the cache, the server will not be able to provide
+ upwards
+ referrals when <span><strong class="command">additional-from-cache no</strong></span>
+ has been specified. Instead, it will respond to such
+ queries
+ with REFUSED. This should not cause any problems since
+ upwards referrals are not required for the resolution
+ process.
+ </p>
</dd>
<dt><span class="term"><span><strong class="command">match-mapped-addresses</strong></span></span></dt>
-<dd><p>If <strong class="userinput"><code>yes</code></strong>, then an
-IPv4-mapped IPv6 address will match any address match
-list entries that match the corresponding IPv4 address.
-Enabling this option is sometimes useful on IPv6-enabled Linux
-systems, to work around a kernel quirk that causes IPv4
-TCP connections such as zone transfers to be accepted
-on an IPv6 socket using mapped addresses, causing
-address match lists designed for IPv4 to fail to match.
-The use of this option for any other purpose is discouraged.
-</p></dd>
+<dd><p>
+ If <strong class="userinput"><code>yes</code></strong>, then an
+ IPv4-mapped IPv6 address will match any address match
+ list entries that match the corresponding IPv4 address.
+ Enabling this option is sometimes useful on IPv6-enabled
+ Linux
+ systems, to work around a kernel quirk that causes IPv4
+ TCP connections such as zone transfers to be accepted
+ on an IPv6 socket using mapped addresses, causing
+ address match lists designed for IPv4 to fail to match.
+ The use of this option for any other purpose is discouraged.
+ </p></dd>
<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
<dd>
<p>
-When <strong class="userinput"><code>yes</code></strong> and the server loads a new version of a master
-zone from its zone file or receives a new version of a slave
-file by a non-incremental zone transfer, it will compare
-the new version to the previous one and calculate a set
-of differences. The differences are then logged in the
-zone's journal file such that the changes can be transmitted
-to downstream slaves as an incremental zone transfer.
-</p>
+ When <strong class="userinput"><code>yes</code></strong> and the server loads a new version of a master
+ zone from its zone file or receives a new version of a slave
+ file by a non-incremental zone transfer, it will compare
+ the new version to the previous one and calculate a set
+ of differences. The differences are then logged in the
+ zone's journal file such that the changes can be transmitted
+ to downstream slaves as an incremental zone transfer.
+ </p>
<p>
-By allowing incremental zone transfers to be used for
-non-dynamic zones, this option saves bandwidth at the
-expense of increased CPU and memory consumption at the master.
-In particular, if the new version of a zone is completely
-different from the previous one, the set of differences
-will be of a size comparable to the combined size of the
-old and new zone version, and the server will need to
-temporarily allocate memory to hold this complete
-difference set.
-</p>
+ By allowing incremental zone transfers to be used for
+ non-dynamic zones, this option saves bandwidth at the
+ expense of increased CPU and memory consumption at the
+ master.
+ In particular, if the new version of a zone is completely
+ different from the previous one, the set of differences
+ will be of a size comparable to the combined size of the
+ old and new zone version, and the server will need to
+ temporarily allocate memory to hold this complete
+ difference set.
+ </p>
+<p><span><strong class="command">ixfr-from-differences</strong></span>
+ also accepts <span><strong class="command">master</strong></span> and
+ <span><strong class="command">slave</strong></span> at the view and options
+ levels which causes
+ <span><strong class="command">ixfr-from-differences</strong></span> to apply to
+ all <span><strong class="command">master</strong></span> or
+ <span><strong class="command">slave</strong></span> zones respectively.
+ </p>
</dd>
<dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt>
<dd><p>
-This should be set when you have multiple masters for a zone and the
-addresses refer to different machines. If <strong class="userinput"><code>yes</code></strong>, named will not log
-when the serial number on the master is less than what named currently
-has. The default is <strong class="userinput"><code>no</code></strong>.
-</p></dd>
+ This should be set when you have multiple masters for a zone
+ and the
+ addresses refer to different machines. If <strong class="userinput"><code>yes</code></strong>, named will
+ not log
+ when the serial number on the master is less than what named
+ currently
+ has. The default is <strong class="userinput"><code>no</code></strong>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">dnssec-enable</strong></span></span></dt>
<dd><p>
-Enable DNSSEC support in named. Unless set to <strong class="userinput"><code>yes</code></strong>,
-named behaves as if it does not support DNSSEC.
-The default is <strong class="userinput"><code>no</code></strong>.
-</p></dd>
+ Enable DNSSEC support in named. Unless set to <strong class="userinput"><code>yes</code></strong>,
+ named behaves as if it does not support DNSSEC.
+ The default is <strong class="userinput"><code>yes</code></strong>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">dnssec-validation</strong></span></span></dt>
+<dd><p>
+ Enable DNSSEC validation in named.
+ Note <span><strong class="command">dnssec-enable</strong></span> also needs to be
+ set to <strong class="userinput"><code>yes</code></strong> to be effective.
+ The default is <strong class="userinput"><code>no</code></strong>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">dnssec-accept-expired</strong></span></span></dt>
+<dd><p>
+ Accept expired signatures when verifying DNSSEC signatures.
+ The default is <strong class="userinput"><code>no</code></strong>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">querylog</strong></span></span></dt>
<dd><p>
-Specify whether query logging should be started when named starts.
-If <span><strong class="command">querylog</strong></span> is not specified, then the query logging
-is determined by the presence of the logging category <span><strong class="command">queries</strong></span>.
-</p></dd>
+ Specify whether query logging should be started when named
+ starts.
+ If <span><strong class="command">querylog</strong></span> is not specified,
+ then the query logging
+ is determined by the presence of the logging category <span><strong class="command">queries</strong></span>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt>
<dd>
<p>
-This option is used to restrict the character set and syntax of
-certain domain names in master files and/or DNS responses received
-from the network. The default varies according to usage area. For
-<span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>.
-For <span><strong class="command">slave</strong></span> zones the default is <span><strong class="command">warn</strong></span>.
-For answers received from the network (<span><strong class="command">response</strong></span>)
-the default is <span><strong class="command">ignore</strong></span>.
-</p>
-<p>The rules for legal hostnames and mail domains are derived from RFC 952
-and RFC 821 as modified by RFC 1123.
-</p>
-<p><span><strong class="command">check-names</strong></span> applies to the owner names of A, AAA and
-MX records. It also applies to the domain names in the RDATA of NS, SOA and MX
-records. It also applies to the RDATA of PTR records where the owner name
-indicated that it is a reverse lookup of a hostname (the owner name ends in
-IN-ADDR.ARPA, IP6.ARPA, IP6.INT).
-</p>
+ This option is used to restrict the character set and syntax
+ of
+ certain domain names in master files and/or DNS responses
+ received
+ from the network. The default varies according to usage
+ area. For
+ <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>.
+ For <span><strong class="command">slave</strong></span> zones the default
+ is <span><strong class="command">warn</strong></span>.
+ For answers received from the network (<span><strong class="command">response</strong></span>)
+ the default is <span><strong class="command">ignore</strong></span>.
+ </p>
+<p>
+ The rules for legal hostnames and mail domains are derived
+ from RFC 952 and RFC 821 as modified by RFC 1123.
+ </p>
+<p><span><strong class="command">check-names</strong></span>
+ applies to the owner names of A, AAA and MX records.
+ It also applies to the domain names in the RDATA of NS, SOA
+ and MX records.
+ It also applies to the RDATA of PTR records where the owner
+ name indicated that it is a reverse lookup of a hostname
+ (the owner name ends in IN-ADDR.ARPA, IP6.ARPA or IP6.INT).
+ </p>
</dd>
+<dt><span class="term"><span><strong class="command">check-mx</strong></span></span></dt>
+<dd><p>
+ Check whether the MX record appears to refer to a IP address.
+ The default is to <span><strong class="command">warn</strong></span>. Other possible
+ values are <span><strong class="command">fail</strong></span> and
+ <span><strong class="command">ignore</strong></span>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">check-wildcard</strong></span></span></dt>
+<dd><p>
+ This option is used to check for non-terminal wildcards.
+ The use of non-terminal wildcards is almost always as a
+ result of a failure
+ to understand the wildcard matching algorithm (RFC 1034).
+ This option
+ affects master zones. The default (<span><strong class="command">yes</strong></span>) is to check
+ for non-terminal wildcards and issue a warning.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">check-integrity</strong></span></span></dt>
+<dd><p>
+ Perform post load zone integrity checks on master
+ zones. This checks that MX and SRV records refer
+ to address (A or AAAA) records and that glue
+ address records exist for delegated zones. For
+ MX and SRV records only in-zone hostnames are
+ checked (for out-of-zone hostnames use named-checkzone).
+ For NS records only names below top of zone are
+ checked (for out-of-zone names and glue consistancy
+ checks use named-checkzone). The default is
+ <span><strong class="command">yes</strong></span>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">check-mx-cname</strong></span></span></dt>
+<dd><p>
+ If <span><strong class="command">check-integrity</strong></span> is set then
+ fail, warn or ignore MX records that refer
+ to CNAMES. The default is to <span><strong class="command">warn</strong></span>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">check-srv-cname</strong></span></span></dt>
+<dd><p>
+ If <span><strong class="command">check-integrity</strong></span> is set then
+ fail, warn or ignore SRV records that refer
+ to CNAMES. The default is to <span><strong class="command">warn</strong></span>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">check-sibling</strong></span></span></dt>
+<dd><p>
+ When performing integrity checks, also check that
+ sibling glue exists. The default is <span><strong class="command">yes</strong></span>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">zero-no-soa-ttl</strong></span></span></dt>
+<dd><p>
+ When returning authoritative negative responses to
+ SOA queries set the TTL of the SOA recored returned in
+ the authority section to zero.
+ The default is <span><strong class="command">yes</strong></span>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">zero-no-soa-ttl-cache</strong></span></span></dt>
+<dd><p>
+ When caching a negative response to a SOA query
+ set the TTL to zero.
+ The default is <span><strong class="command">no</strong></span>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">update-check-ksk</strong></span></span></dt>
+<dd><p>
+ When regenerating the RRSIGs following a UPDATE
+ request to a secure zone, check the KSK flag on
+ the DNSKEY RR to determine if this key should be
+ used to generate the RRSIG. This flag is ignored
+ if there are not DNSKEY RRs both with and without
+ a KSK.
+ The default is <span><strong class="command">yes</strong></span>.
+ </p></dd>
</dl></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2581312"></a>Forwarding</h4></div></div></div>
-<p>The forwarding facility can be used to create a large site-wide
-cache on a few servers, reducing traffic over links to external
-name servers. It can also be used to allow queries by servers that
-do not have direct access to the Internet, but wish to look up exterior
-names anyway. Forwarding occurs only on those queries for which
-the server is not authoritative and does not have the answer in
-its cache.</p>
+<a name="id2580408"></a>Forwarding</h4></div></div></div>
+<p>
+ The forwarding facility can be used to create a large site-wide
+ cache on a few servers, reducing traffic over links to external
+ name servers. It can also be used to allow queries by servers that
+ do not have direct access to the Internet, but wish to look up
+ exterior
+ names anyway. Forwarding occurs only on those queries for which
+ the server is not authoritative and does not have the answer in
+ its cache.
+ </p>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">forward</strong></span></span></dt>
-<dd><p>This option is only meaningful if the
-forwarders list is not empty. A value of <code class="varname">first</code>,
-the default, causes the server to query the forwarders first &#8212; and
-if that doesn't answer the question, the server will then look for
-the answer itself. If <code class="varname">only</code> is specified, the
-server will only query the forwarders.
-</p></dd>
+<dd><p>
+ This option is only meaningful if the
+ forwarders list is not empty. A value of <code class="varname">first</code>,
+ the default, causes the server to query the forwarders
+ first &#8212; and
+ if that doesn't answer the question, the server will then
+ look for
+ the answer itself. If <code class="varname">only</code> is
+ specified, the
+ server will only query the forwarders.
+ </p></dd>
<dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt>
-<dd><p>Specifies the IP addresses to be used
-for forwarding. The default is the empty list (no forwarding).
-</p></dd>
+<dd><p>
+ Specifies the IP addresses to be used
+ for forwarding. The default is the empty list (no
+ forwarding).
+ </p></dd>
</dl></div>
-<p>Forwarding can also be configured on a per-domain basis, allowing
-for the global forwarding options to be overridden in a variety
-of ways. You can set particular domains to use different forwarders,
-or have a different <span><strong class="command">forward only/first</strong></span> behavior,
-or not forward at all, see <a href="Bv9ARM.ch06.html#zone_statement_grammar" title="zone
-Statement Grammar">the section called &#8220;<span><strong class="command">zone</strong></span>
-Statement Grammar&#8221;</a>.</p>
+<p>
+ Forwarding can also be configured on a per-domain basis, allowing
+ for the global forwarding options to be overridden in a variety
+ of ways. You can set particular domains to use different
+ forwarders,
+ or have a different <span><strong class="command">forward only/first</strong></span> behavior,
+ or not forward at all, see <a href="Bv9ARM.ch06.html#zone_statement_grammar" title="zone
+ Statement Grammar">the section called &#8220;<span><strong class="command">zone</strong></span>
+ Statement Grammar&#8221;</a>.
+ </p>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2581362"></a>Dual-stack Servers</h4></div></div></div>
-<p>Dual-stack servers are used as servers of last resort to work around
-problems in reachability due the lack of support for either IPv4 or IPv6
-on the host machine.</p>
+<a name="id2580467"></a>Dual-stack Servers</h4></div></div></div>
+<p>
+ Dual-stack servers are used as servers of last resort to work
+ around
+ problems in reachability due the lack of support for either IPv4
+ or IPv6
+ on the host machine.
+ </p>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">dual-stack-servers</strong></span></span></dt>
-<dd><p>Specifies host names or addresses of machines with access to
-both IPv4 and IPv6 transports. If a hostname is used, the server must be able
-to resolve the name using only the transport it has. If the machine is dual
-stacked, then the <span><strong class="command">dual-stack-servers</strong></span> have no effect unless
-access to a transport has been disabled on the command line
-(e.g. <span><strong class="command">named -4</strong></span>).</p></dd>
+<dd><p>
+ Specifies host names or addresses of machines with access to
+ both IPv4 and IPv6 transports. If a hostname is used, the
+ server must be able
+ to resolve the name using only the transport it has. If the
+ machine is dual
+ stacked, then the <span><strong class="command">dual-stack-servers</strong></span> have no effect unless
+ access to a transport has been disabled on the command line
+ (e.g. <span><strong class="command">named -4</strong></span>).
+ </p></dd>
</dl></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="access_control"></a>Access Control</h4></div></div></div>
-<p>Access to the server can be restricted based on the IP address
-of the requesting system. See <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called &#8220;Address Match Lists&#8221;</a> for
-details on how to specify IP address lists.</p>
+<p>
+ Access to the server can be restricted based on the IP address
+ of the requesting system. See <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called &#8220;Address Match Lists&#8221;</a> for
+ details on how to specify IP address lists.
+ </p>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
-<dd><p>Specifies which hosts are allowed to
-notify this server, a slave, of zone changes in addition
-to the zone masters.
-<span><strong class="command">allow-notify</strong></span> may also be specified in the
-<span><strong class="command">zone</strong></span> statement, in which case it overrides the
-<span><strong class="command">options allow-notify</strong></span> statement. It is only meaningful
-for a slave zone. If not specified, the default is to process notify messages
-only from a zone's master.</p></dd>
+<dd><p>
+ Specifies which hosts are allowed to
+ notify this server, a slave, of zone changes in addition
+ to the zone masters.
+ <span><strong class="command">allow-notify</strong></span> may also be
+ specified in the
+ <span><strong class="command">zone</strong></span> statement, in which case
+ it overrides the
+ <span><strong class="command">options allow-notify</strong></span>
+ statement. It is only meaningful
+ for a slave zone. If not specified, the default is to
+ process notify messages
+ only from a zone's master.
+ </p></dd>
<dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt>
-<dd><p>Specifies which hosts are allowed to
-ask ordinary DNS questions. <span><strong class="command">allow-query</strong></span> may also
-be specified in the <span><strong class="command">zone</strong></span> statement, in which
-case it overrides the <span><strong class="command">options allow-query</strong></span> statement. If
-not specified, the default is to allow queries from all hosts.</p></dd>
+<dd>
+<p>
+ Specifies which hosts are allowed to ask ordinary
+ DNS questions. <span><strong class="command">allow-query</strong></span> may
+ also be specified in the <span><strong class="command">zone</strong></span>
+ statement, in which case it overrides the
+ <span><strong class="command">options allow-query</strong></span> statement.
+ If not specified, the default is to allow queries
+ from all hosts.
+ </p>
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+<p>
+ <span><strong class="command">allow-query-cache</strong></span> is now
+ used to specify access to the cache.
+ </p>
+</div>
+</dd>
+<dt><span class="term"><span><strong class="command">allow-query-cache</strong></span></span></dt>
+<dd>
+<p>
+ Specifies which hosts are allowed to get answers
+ from the cache. The default is the builtin acls
+ <span><strong class="command">localnets</strong></span> and
+ <span><strong class="command">localhost</strong></span>.
+ </p>
+<p>
+ The way to set query access to the cache is now
+ via <span><strong class="command">allow-query-cache</strong></span>.
+ This differs from earlier versions which used
+ <span><strong class="command">allow-query</strong></span>.
+ </p>
+</dd>
<dt><span class="term"><span><strong class="command">allow-recursion</strong></span></span></dt>
-<dd><p>Specifies which hosts are allowed to
-make recursive queries through this server. If not specified, the
-default is to allow recursive queries from all hosts.
-Note that disallowing recursive queries for a host does not prevent the
-host from retrieving data that is already in the server's cache.
-</p></dd>
+<dd><p>
+ Specifies which hosts are allowed to make recursive
+ queries through this server. If not specified,
+ the default is to allow recursive queries from
+ the builtin acls <span><strong class="command">localnets</strong></span> and
+ <span><strong class="command">localhost</strong></span>.
+ Note that disallowing recursive queries for a
+ host does not prevent the host from retrieving
+ data that is already in the server's cache.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt>
+<dd><p>
+ Specifies which hosts are allowed to
+ submit Dynamic DNS updates for master zones. The default is
+ to deny
+ updates from all hosts. Note that allowing updates based
+ on the requestor's IP address is insecure; see
+ <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called &#8220;Dynamic Update Security&#8221;</a> for details.
+ </p></dd>
<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
<dd>
-<p>Specifies which hosts are allowed to
-submit Dynamic DNS updates to slave zones to be forwarded to the
-master. The default is <strong class="userinput"><code>{ none; }</code></strong>, which
-means that no update forwarding will be performed. To enable
-update forwarding, specify
-<strong class="userinput"><code>allow-update-forwarding { any; };</code></strong>.
-Specifying values other than <strong class="userinput"><code>{ none; }</code></strong> or
-<strong class="userinput"><code>{ any; }</code></strong> is usually counterproductive, since
-the responsibility for update access control should rest with the
-master server, not the slaves.</p>
-<p>Note that enabling the update forwarding feature on a slave server
-may expose master servers relying on insecure IP address based
-access control to attacks; see <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called &#8220;Dynamic Update Security&#8221;</a>
-for more details.</p>
+<p>
+ Specifies which hosts are allowed to
+ submit Dynamic DNS updates to slave zones to be forwarded to
+ the
+ master. The default is <strong class="userinput"><code>{ none; }</code></strong>,
+ which
+ means that no update forwarding will be performed. To
+ enable
+ update forwarding, specify
+ <strong class="userinput"><code>allow-update-forwarding { any; };</code></strong>.
+ Specifying values other than <strong class="userinput"><code>{ none; }</code></strong> or
+ <strong class="userinput"><code>{ any; }</code></strong> is usually
+ counterproductive, since
+ the responsibility for update access control should rest
+ with the
+ master server, not the slaves.
+ </p>
+<p>
+ Note that enabling the update forwarding feature on a slave
+ server
+ may expose master servers relying on insecure IP address
+ based
+ access control to attacks; see <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called &#8220;Dynamic Update Security&#8221;</a>
+ for more details.
+ </p>
</dd>
<dt><span class="term"><span><strong class="command">allow-v6-synthesis</strong></span></span></dt>
-<dd><p>This option was introduced for the smooth transition from AAAA
-to A6 and from "nibble labels" to binary labels.
-However, since both A6 and binary labels were then deprecated,
-this option was also deprecated.
-It is now ignored with some warning messages.
-</p></dd>
+<dd><p>
+ This option was introduced for the smooth transition from
+ AAAA
+ to A6 and from "nibble labels" to binary labels.
+ However, since both A6 and binary labels were then
+ deprecated,
+ this option was also deprecated.
+ It is now ignored with some warning messages.
+ </p></dd>
<dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt>
-<dd><p>Specifies which hosts are allowed to
-receive zone transfers from the server. <span><strong class="command">allow-transfer</strong></span> may
-also be specified in the <span><strong class="command">zone</strong></span> statement, in which
-case it overrides the <span><strong class="command">options allow-transfer</strong></span> statement.
-If not specified, the default is to allow transfers to all hosts.</p></dd>
+<dd><p>
+ Specifies which hosts are allowed to
+ receive zone transfers from the server. <span><strong class="command">allow-transfer</strong></span> may
+ also be specified in the <span><strong class="command">zone</strong></span>
+ statement, in which
+ case it overrides the <span><strong class="command">options allow-transfer</strong></span> statement.
+ If not specified, the default is to allow transfers to all
+ hosts.
+ </p></dd>
<dt><span class="term"><span><strong class="command">blackhole</strong></span></span></dt>
-<dd><p>Specifies a list of addresses that the
-server will not accept queries from or use to resolve a query. Queries
-from these addresses will not be responded to. The default is <strong class="userinput"><code>none</code></strong>.</p></dd>
+<dd><p>
+ Specifies a list of addresses that the
+ server will not accept queries from or use to resolve a
+ query. Queries
+ from these addresses will not be responded to. The default
+ is <strong class="userinput"><code>none</code></strong>.
+ </p></dd>
</dl></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2581677"></a>Interfaces</h4></div></div></div>
-<p>The interfaces and ports that the server will answer queries
-from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
-an optional port, and an <code class="varname">address_match_list</code>.
-The server will listen on all interfaces allowed by the address
-match list. If a port is not specified, port 53 will be used.</p>
-<p>Multiple <span><strong class="command">listen-on</strong></span> statements are allowed.
-For example,</p>
+<a name="id2580942"></a>Interfaces</h4></div></div></div>
+<p>
+ The interfaces and ports that the server will answer queries
+ from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
+ an optional port, and an <code class="varname">address_match_list</code>.
+ The server will listen on all interfaces allowed by the address
+ match list. If a port is not specified, port 53 will be used.
+ </p>
+<p>
+ Multiple <span><strong class="command">listen-on</strong></span> statements are
+ allowed.
+ For example,
+ </p>
<pre class="programlisting">listen-on { 5.6.7.8; };
listen-on port 1234 { !1.2.3.4; 1.2/16; };
</pre>
-<p>will enable the name server on port 53 for the IP address
-5.6.7.8, and on port 1234 of an address on the machine in net
-1.2 that is not 1.2.3.4.</p>
-<p>If no <span><strong class="command">listen-on</strong></span> is specified, the
-server will listen on port 53 on all interfaces.</p>
-<p>The <span><strong class="command">listen-on-v6</strong></span> option is used to
-specify the interfaces and the ports on which the server will listen
-for incoming queries sent using IPv6.</p>
-<p>When </p>
+<p>
+ will enable the name server on port 53 for the IP address
+ 5.6.7.8, and on port 1234 of an address on the machine in net
+ 1.2 that is not 1.2.3.4.
+ </p>
+<p>
+ If no <span><strong class="command">listen-on</strong></span> is specified, the
+ server will listen on port 53 on all interfaces.
+ </p>
+<p>
+ The <span><strong class="command">listen-on-v6</strong></span> option is used to
+ specify the interfaces and the ports on which the server will
+ listen
+ for incoming queries sent using IPv6.
+ </p>
+<p>
+ When </p>
<pre class="programlisting">{ any; }</pre>
-<p> is specified
-as the <code class="varname">address_match_list</code> for the
-<span><strong class="command">listen-on-v6</strong></span> option,
-the server does not bind a separate socket to each IPv6 interface
-address as it does for IPv4 if the operating system has enough API
-support for IPv6 (specifically if it conforms to RFC 3493 and RFC 3542).
-Instead, it listens on the IPv6 wildcard address.
-If the system only has incomplete API support for IPv6, however,
-the behavior is the same as that for IPv4.</p>
-<p>A list of particular IPv6 addresses can also be specified, in which case
-the server listens on a separate socket for each specified address,
-regardless of whether the desired API is supported by the system.</p>
-<p>Multiple <span><strong class="command">listen-on-v6</strong></span> options can be used.
-For example,</p>
+<p> is
+ specified
+ as the <code class="varname">address_match_list</code> for the
+ <span><strong class="command">listen-on-v6</strong></span> option,
+ the server does not bind a separate socket to each IPv6 interface
+ address as it does for IPv4 if the operating system has enough API
+ support for IPv6 (specifically if it conforms to RFC 3493 and RFC
+ 3542).
+ Instead, it listens on the IPv6 wildcard address.
+ If the system only has incomplete API support for IPv6, however,
+ the behavior is the same as that for IPv4.
+ </p>
+<p>
+ A list of particular IPv6 addresses can also be specified, in
+ which case
+ the server listens on a separate socket for each specified
+ address,
+ regardless of whether the desired API is supported by the system.
+ </p>
+<p>
+ Multiple <span><strong class="command">listen-on-v6</strong></span> options can
+ be used.
+ For example,
+ </p>
<pre class="programlisting">listen-on-v6 { any; };
listen-on-v6 port 1234 { !2001:db8::/32; any; };
</pre>
-<p>will enable the name server on port 53 for any IPv6 addresses
-(with a single wildcard socket),
-and on port 1234 of IPv6 addresses that is not in the prefix
-2001:db8::/32 (with separate sockets for each matched address.)</p>
-<p>To make the server not listen on any IPv6 address, use</p>
+<p>
+ will enable the name server on port 53 for any IPv6 addresses
+ (with a single wildcard socket),
+ and on port 1234 of IPv6 addresses that is not in the prefix
+ 2001:db8::/32 (with separate sockets for each matched address.)
+ </p>
+<p>
+ To make the server not listen on any IPv6 address, use
+ </p>
<pre class="programlisting">listen-on-v6 { none; };
</pre>
-<p>If no <span><strong class="command">listen-on-v6</strong></span> option is specified,
-the server will not listen on any IPv6 address.</p>
+<p>
+ If no <span><strong class="command">listen-on-v6</strong></span> option is
+ specified,
+ the server will not listen on any IPv6 address.
+ </p>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2581834"></a>Query Address</h4></div></div></div>
-<p>If the server doesn't know the answer to a question, it will
-query other name servers. <span><strong class="command">query-source</strong></span> specifies
-the address and port used for such queries. For queries sent over
-IPv6, there is a separate <span><strong class="command">query-source-v6</strong></span> option.
-If <span><strong class="command">address</strong></span> is <span><strong class="command">*</strong></span> (asterisk) or is omitted,
-a wildcard IP address (<span><strong class="command">INADDR_ANY</strong></span>) will be used.
-If <span><strong class="command">port</strong></span> is <span><strong class="command">*</strong></span> or is omitted,
-a random unprivileged port will be used. The <span><strong class="command">avoid-v4-udp-ports</strong></span>
-and <span><strong class="command">avoid-v6-udp-ports</strong></span> options can be used to prevent named
-from selecting certain ports. The defaults are:</p>
+<a name="id2581099"></a>Query Address</h4></div></div></div>
+<p>
+ If the server doesn't know the answer to a question, it will
+ query other name servers. <span><strong class="command">query-source</strong></span> specifies
+ the address and port used for such queries. For queries sent over
+ IPv6, there is a separate <span><strong class="command">query-source-v6</strong></span> option.
+ If <span><strong class="command">address</strong></span> is <span><strong class="command">*</strong></span> (asterisk) or is omitted,
+ a wildcard IP address (<span><strong class="command">INADDR_ANY</strong></span>)
+ will be used.
+ If <span><strong class="command">port</strong></span> is <span><strong class="command">*</strong></span> or is omitted,
+ a random unprivileged port will be used. The <span><strong class="command">avoid-v4-udp-ports</strong></span>
+ and <span><strong class="command">avoid-v6-udp-ports</strong></span> options can be used
+ to prevent named
+ from selecting certain ports. The defaults are:
+ </p>
<pre class="programlisting">query-source address * port *;
query-source-v6 address * port *;
</pre>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
-<p>The address specified in the <span><strong class="command">query-source</strong></span> option
-is used for both UDP and TCP queries, but the port applies only to
-UDP queries. TCP queries always use a random
-unprivileged port.</p>
+<p>
+ The address specified in the <span><strong class="command">query-source</strong></span> option
+ is used for both UDP and TCP queries, but the port applies only
+ to
+ UDP queries. TCP queries always use a random
+ unprivileged port.
+ </p>
</div>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
-<p>See also <span><strong class="command">transfer-source</strong></span> and
-<span><strong class="command">notify-source</strong></span>.</p>
+<p>
+ Solaris 2.5.1 and earlier does not support setting the source
+ address for TCP sockets.
+ </p>
</div>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>
- Solaris 2.5.1 and earlier does not support setting the source
- address for TCP sockets.
- </p>
+ See also <span><strong class="command">transfer-source</strong></span> and
+ <span><strong class="command">notify-source</strong></span>.
+ </p>
</div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="zone_transfers"></a>Zone Transfers</h4></div></div></div>
-<p><acronym class="acronym">BIND</acronym> has mechanisms in place to facilitate zone transfers
-and set limits on the amount of load that transfers place on the
-system. The following options apply to zone transfers.</p>
+<p>
+ <acronym class="acronym">BIND</acronym> has mechanisms in place to
+ facilitate zone transfers
+ and set limits on the amount of load that transfers place on the
+ system. The following options apply to zone transfers.
+ </p>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt>
-<dd><p>Defines a global list of IP addresses of name servers
-that are also sent NOTIFY messages whenever a fresh copy of the
-zone is loaded, in addition to the servers listed in the zone's NS records.
-This helps to ensure that copies of the zones will
-quickly converge on stealth servers. If an <span><strong class="command">also-notify</strong></span> list
-is given in a <span><strong class="command">zone</strong></span> statement, it will override
-the <span><strong class="command">options also-notify</strong></span> statement. When a <span><strong class="command">zone notify</strong></span> statement
-is set to <span><strong class="command">no</strong></span>, the IP addresses in the global <span><strong class="command">also-notify</strong></span> list will
-not be sent NOTIFY messages for that zone. The default is the empty
-list (no global notification list).</p></dd>
+<dd><p>
+ Defines a global list of IP addresses of name servers
+ that are also sent NOTIFY messages whenever a fresh copy of
+ the
+ zone is loaded, in addition to the servers listed in the
+ zone's NS records.
+ This helps to ensure that copies of the zones will
+ quickly converge on stealth servers. If an <span><strong class="command">also-notify</strong></span> list
+ is given in a <span><strong class="command">zone</strong></span> statement,
+ it will override
+ the <span><strong class="command">options also-notify</strong></span>
+ statement. When a <span><strong class="command">zone notify</strong></span>
+ statement
+ is set to <span><strong class="command">no</strong></span>, the IP
+ addresses in the global <span><strong class="command">also-notify</strong></span> list will
+ not be sent NOTIFY messages for that zone. The default is
+ the empty
+ list (no global notification list).
+ </p></dd>
<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
-<dd><p>Inbound zone transfers running longer than
-this many minutes will be terminated. The default is 120 minutes
-(2 hours). The maximum value is 28 days (40320 minutes).</p></dd>
+<dd><p>
+ Inbound zone transfers running longer than
+ this many minutes will be terminated. The default is 120
+ minutes
+ (2 hours). The maximum value is 28 days (40320 minutes).
+ </p></dd>
<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
-<dd><p>Inbound zone transfers making no progress
-in this many minutes will be terminated. The default is 60 minutes
-(1 hour). The maximum value is 28 days (40320 minutes).</p></dd>
+<dd><p>
+ Inbound zone transfers making no progress
+ in this many minutes will be terminated. The default is 60
+ minutes
+ (1 hour). The maximum value is 28 days (40320 minutes).
+ </p></dd>
<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
-<dd><p>Outbound zone transfers running longer than
-this many minutes will be terminated. The default is 120 minutes
-(2 hours). The maximum value is 28 days (40320 minutes).</p></dd>
+<dd><p>
+ Outbound zone transfers running longer than
+ this many minutes will be terminated. The default is 120
+ minutes
+ (2 hours). The maximum value is 28 days (40320 minutes).
+ </p></dd>
<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
-<dd><p>Outbound zone transfers making no progress
-in this many minutes will be terminated. The default is 60 minutes (1
-hour). The maximum value is 28 days (40320 minutes).</p></dd>
+<dd><p>
+ Outbound zone transfers making no progress
+ in this many minutes will be terminated. The default is 60
+ minutes (1
+ hour). The maximum value is 28 days (40320 minutes).
+ </p></dd>
<dt><span class="term"><span><strong class="command">serial-query-rate</strong></span></span></dt>
-<dd><p>Slave servers will periodically query master servers
-to find out if zone serial numbers have changed. Each such query uses
-a minute amount of the slave server's network bandwidth. To limit the
-amount of bandwidth used, BIND 9 limits the rate at which queries are
-sent. The value of the <span><strong class="command">serial-query-rate</strong></span> option,
-an integer, is the maximum number of queries sent per second.
-The default is 20.
-</p></dd>
+<dd><p>
+ Slave servers will periodically query master servers
+ to find out if zone serial numbers have changed. Each such
+ query uses
+ a minute amount of the slave server's network bandwidth. To
+ limit the
+ amount of bandwidth used, BIND 9 limits the rate at which
+ queries are
+ sent. The value of the <span><strong class="command">serial-query-rate</strong></span> option,
+ an integer, is the maximum number of queries sent per
+ second.
+ The default is 20.
+ </p></dd>
<dt><span class="term"><span><strong class="command">serial-queries</strong></span></span></dt>
-<dd><p>In BIND 8, the <span><strong class="command">serial-queries</strong></span> option
-set the maximum number of concurrent serial number queries
-allowed to be outstanding at any given time.
-BIND 9 does not limit the number of outstanding
-serial queries and ignores the <span><strong class="command">serial-queries</strong></span> option.
-Instead, it limits the rate at which the queries are sent
-as defined using the <span><strong class="command">serial-query-rate</strong></span> option.
-</p></dd>
+<dd><p>
+ In BIND 8, the <span><strong class="command">serial-queries</strong></span>
+ option
+ set the maximum number of concurrent serial number queries
+ allowed to be outstanding at any given time.
+ BIND 9 does not limit the number of outstanding
+ serial queries and ignores the <span><strong class="command">serial-queries</strong></span> option.
+ Instead, it limits the rate at which the queries are sent
+ as defined using the <span><strong class="command">serial-query-rate</strong></span> option.
+ </p></dd>
<dt><span class="term"><span><strong class="command">transfer-format</strong></span></span></dt>
<dd><p>
-Zone transfers can be sent using two different formats,
-<span><strong class="command">one-answer</strong></span> and <span><strong class="command">many-answers</strong></span>.
-The <span><strong class="command">transfer-format</strong></span> option is used
-on the master server to determine which format it sends.
-<span><strong class="command">one-answer</strong></span> uses one DNS message per
-resource record transferred.
-<span><strong class="command">many-answers</strong></span> packs as many resource records as
-possible into a message. <span><strong class="command">many-answers</strong></span> is more
-efficient, but is only supported by relatively new slave servers,
-such as <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym> 8.x and patched
-versions of <acronym class="acronym">BIND</acronym> 4.9.5. The <span><strong class="command">many-answers</strong></span>
-format is also supported by recent Microsoft Windows nameservers. The default is
-<span><strong class="command">many-answers</strong></span>. <span><strong class="command">transfer-format</strong></span>
-may be overridden on a per-server basis by using the
-<span><strong class="command">server</strong></span> statement.
-</p></dd>
+ Zone transfers can be sent using two different formats,
+ <span><strong class="command">one-answer</strong></span> and
+ <span><strong class="command">many-answers</strong></span>.
+ The <span><strong class="command">transfer-format</strong></span> option is used
+ on the master server to determine which format it sends.
+ <span><strong class="command">one-answer</strong></span> uses one DNS message per
+ resource record transferred.
+ <span><strong class="command">many-answers</strong></span> packs as many resource
+ records as possible into a message.
+ <span><strong class="command">many-answers</strong></span> is more efficient, but is
+ only supported by relatively new slave servers,
+ such as <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
+ 8.x and <acronym class="acronym">BIND</acronym> 4.9.5 onwards.
+ The <span><strong class="command">many-answers</strong></span> format is also supported by
+ recent Microsoft Windows nameservers.
+ The default is <span><strong class="command">many-answers</strong></span>.
+ <span><strong class="command">transfer-format</strong></span> may be overridden on a
+ per-server basis by using the <span><strong class="command">server</strong></span>
+ statement.
+ </p></dd>
<dt><span class="term"><span><strong class="command">transfers-in</strong></span></span></dt>
-<dd><p>The maximum number of inbound zone transfers
-that can be running concurrently. The default value is <code class="literal">10</code>.
-Increasing <span><strong class="command">transfers-in</strong></span> may speed up the convergence
-of slave zones, but it also may increase the load on the local system.</p></dd>
+<dd><p>
+ The maximum number of inbound zone transfers
+ that can be running concurrently. The default value is <code class="literal">10</code>.
+ Increasing <span><strong class="command">transfers-in</strong></span> may
+ speed up the convergence
+ of slave zones, but it also may increase the load on the
+ local system.
+ </p></dd>
<dt><span class="term"><span><strong class="command">transfers-out</strong></span></span></dt>
-<dd><p>The maximum number of outbound zone transfers
-that can be running concurrently. Zone transfer requests in excess
-of the limit will be refused. The default value is <code class="literal">10</code>.</p></dd>
+<dd><p>
+ The maximum number of outbound zone transfers
+ that can be running concurrently. Zone transfer requests in
+ excess
+ of the limit will be refused. The default value is <code class="literal">10</code>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">transfers-per-ns</strong></span></span></dt>
-<dd><p>The maximum number of inbound zone transfers
-that can be concurrently transferring from a given remote name server.
-The default value is <code class="literal">2</code>. Increasing <span><strong class="command">transfers-per-ns</strong></span> may
-speed up the convergence of slave zones, but it also may increase
-the load on the remote name server. <span><strong class="command">transfers-per-ns</strong></span> may
-be overridden on a per-server basis by using the <span><strong class="command">transfers</strong></span> phrase
-of the <span><strong class="command">server</strong></span> statement.</p></dd>
+<dd><p>
+ The maximum number of inbound zone transfers
+ that can be concurrently transferring from a given remote
+ name server.
+ The default value is <code class="literal">2</code>.
+ Increasing <span><strong class="command">transfers-per-ns</strong></span>
+ may
+ speed up the convergence of slave zones, but it also may
+ increase
+ the load on the remote name server. <span><strong class="command">transfers-per-ns</strong></span> may
+ be overridden on a per-server basis by using the <span><strong class="command">transfers</strong></span> phrase
+ of the <span><strong class="command">server</strong></span> statement.
+ </p></dd>
<dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt>
-<dd><p><span><strong class="command">transfer-source</strong></span> determines
-which local address will be bound to IPv4 TCP connections used to
-fetch zones transferred inbound by the server. It also determines
-the source IPv4 address, and optionally the UDP port, used for the
-refresh queries and forwarded dynamic updates. If not set, it defaults
-to a system controlled value which will usually be the address of
-the interface "closest to" the remote end. This address must appear
-in the remote end's <span><strong class="command">allow-transfer</strong></span> option for
-the zone being transferred, if one is specified. This statement
-sets the <span><strong class="command">transfer-source</strong></span> for all zones, but can
-be overridden on a per-view or per-zone basis by including a
-<span><strong class="command">transfer-source</strong></span> statement within the
-<span><strong class="command">view</strong></span> or <span><strong class="command">zone</strong></span> block
-in the configuration file.</p></dd>
+<dd>
+<p><span><strong class="command">transfer-source</strong></span>
+ determines which local address will be bound to IPv4
+ TCP connections used to fetch zones transferred
+ inbound by the server. It also determines the
+ source IPv4 address, and optionally the UDP port,
+ used for the refresh queries and forwarded dynamic
+ updates. If not set, it defaults to a system
+ controlled value which will usually be the address
+ of the interface "closest to" the remote end. This
+ address must appear in the remote end's
+ <span><strong class="command">allow-transfer</strong></span> option for the
+ zone being transferred, if one is specified. This
+ statement sets the
+ <span><strong class="command">transfer-source</strong></span> for all zones,
+ but can be overridden on a per-view or per-zone
+ basis by including a
+ <span><strong class="command">transfer-source</strong></span> statement within
+ the <span><strong class="command">view</strong></span> or
+ <span><strong class="command">zone</strong></span> block in the configuration
+ file.
+ </p>
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+<p>
+ Solaris 2.5.1 and earlier does not support setting the
+ source address for TCP sockets.
+ </p>
+</div>
+</dd>
<dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt>
-<dd><p>The same as <span><strong class="command">transfer-source</strong></span>,
-except zone transfers are performed using IPv6.</p></dd>
+<dd><p>
+ The same as <span><strong class="command">transfer-source</strong></span>,
+ except zone transfers are performed using IPv6.
+ </p></dd>
<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
<dd>
<p>
- An alternate transfer source if the one listed in
- <span><strong class="command">transfer-source</strong></span> fails and
- <span><strong class="command">use-alt-transfer-source</strong></span> is
- set.
- </p>
+ An alternate transfer source if the one listed in
+ <span><strong class="command">transfer-source</strong></span> fails and
+ <span><strong class="command">use-alt-transfer-source</strong></span> is
+ set.
+ </p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
- If you do not wish the alternate transfer source
- to be used, you should set
- <span><strong class="command">use-alt-transfer-source</strong></span>
- appropriately and you should not depend upon
- getting a answer back to the first refresh
- query.
- </div>
+ If you do not wish the alternate transfer source
+ to be used, you should set
+ <span><strong class="command">use-alt-transfer-source</strong></span>
+ appropriately and you should not depend upon
+ getting a answer back to the first refresh
+ query.
+ </div>
</dd>
<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
-<dd><p>An alternate transfer source if the one listed in
-<span><strong class="command">transfer-source-v6</strong></span> fails and
-<span><strong class="command">use-alt-transfer-source</strong></span> is set.</p></dd>
+<dd><p>
+ An alternate transfer source if the one listed in
+ <span><strong class="command">transfer-source-v6</strong></span> fails and
+ <span><strong class="command">use-alt-transfer-source</strong></span> is
+ set.
+ </p></dd>
<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
-<dd><p>Use the alternate transfer sources or not. If views are
-specified this defaults to <span><strong class="command">no</strong></span> otherwise it defaults to
-<span><strong class="command">yes</strong></span> (for BIND 8 compatibility).</p></dd>
+<dd><p>
+ Use the alternate transfer sources or not. If views are
+ specified this defaults to <span><strong class="command">no</strong></span>
+ otherwise it defaults to
+ <span><strong class="command">yes</strong></span> (for BIND 8
+ compatibility).
+ </p></dd>
<dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt>
<dd>
-<p><span><strong class="command">notify-source</strong></span> determines
-which local source address, and optionally UDP port, will be used to
-send NOTIFY messages.
-This address must appear in the slave server's <span><strong class="command">masters</strong></span>
-zone clause or in an <span><strong class="command">allow-notify</strong></span> clause.
-This statement sets the <span><strong class="command">notify-source</strong></span> for all zones,
-but can be overridden on a per-zone or per-view basis by including a
-<span><strong class="command">notify-source</strong></span> statement within the <span><strong class="command">zone</strong></span>
-or <span><strong class="command">view</strong></span> block in the configuration file.</p>
+<p><span><strong class="command">notify-source</strong></span>
+ determines which local source address, and
+ optionally UDP port, will be used to send NOTIFY
+ messages. This address must appear in the slave
+ server's <span><strong class="command">masters</strong></span> zone clause or
+ in an <span><strong class="command">allow-notify</strong></span> clause. This
+ statement sets the <span><strong class="command">notify-source</strong></span>
+ for all zones, but can be overridden on a per-zone or
+ per-view basis by including a
+ <span><strong class="command">notify-source</strong></span> statement within
+ the <span><strong class="command">zone</strong></span> or
+ <span><strong class="command">view</strong></span> block in the configuration
+ file.
+ </p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>
- Solaris 2.5.1 and earlier does not support setting the
- source address for TCP sockets.
- </p>
+ Solaris 2.5.1 and earlier does not support setting the
+ source address for TCP sockets.
+ </p>
</div>
</dd>
<dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt>
-<dd><p>Like <span><strong class="command">notify-source</strong></span>,
-but applies to notify messages sent to IPv6 addresses.</p></dd>
+<dd><p>
+ Like <span><strong class="command">notify-source</strong></span>,
+ but applies to notify messages sent to IPv6 addresses.
+ </p></dd>
</dl></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2582444"></a>Bad UDP Port Lists</h4></div></div></div>
-<p>
-<span><strong class="command">avoid-v4-udp-ports</strong></span> and <span><strong class="command">avoid-v6-udp-ports</strong></span>
-specify a list of IPv4 and IPv6 UDP ports that will not be used as system
-assigned source ports for UDP sockets. These lists prevent named
-from choosing as its random source port a port that is blocked by
-your firewall. If a query went out with such a source port, the
-answer would not get by the firewall and the name server would have
-to query again.
-</p>
+<a name="id2581778"></a>Bad UDP Port Lists</h4></div></div></div>
+<p><span><strong class="command">avoid-v4-udp-ports</strong></span>
+ and <span><strong class="command">avoid-v6-udp-ports</strong></span> specify a list
+ of IPv4 and IPv6 UDP ports that will not be used as system
+ assigned source ports for UDP sockets. These lists
+ prevent named from choosing as its random source port a
+ port that is blocked by your firewall. If a query went
+ out with such a source port, the answer would not get by
+ the firewall and the name server would have to query
+ again.
+ </p>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2570036"></a>Operating System Resource Limits</h4></div></div></div>
-<p>The server's usage of many system resources can be limited.
-Scaled values are allowed when specifying resource limits. For
-example, <span><strong class="command">1G</strong></span> can be used instead of
-<span><strong class="command">1073741824</strong></span> to specify a limit of one
-gigabyte. <span><strong class="command">unlimited</strong></span> requests unlimited use, or the
-maximum available amount. <span><strong class="command">default</strong></span> uses the limit
-that was in force when the server was started. See the description
-of <span><strong class="command">size_spec</strong></span> in <a href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called &#8220;Configuration File Elements&#8221;</a>.</p>
-<p>The following options set operating system resource limits for
-the name server process. Some operating systems don't support some or
-any of the limits. On such systems, a warning will be issued if the
-unsupported limit is used.</p>
+<a name="id2581793"></a>Operating System Resource Limits</h4></div></div></div>
+<p>
+ The server's usage of many system resources can be limited.
+ Scaled values are allowed when specifying resource limits. For
+ example, <span><strong class="command">1G</strong></span> can be used instead of
+ <span><strong class="command">1073741824</strong></span> to specify a limit of
+ one
+ gigabyte. <span><strong class="command">unlimited</strong></span> requests
+ unlimited use, or the
+ maximum available amount. <span><strong class="command">default</strong></span>
+ uses the limit
+ that was in force when the server was started. See the description
+ of <span><strong class="command">size_spec</strong></span> in <a href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called &#8220;Configuration File Elements&#8221;</a>.
+ </p>
+<p>
+ The following options set operating system resource limits for
+ the name server process. Some operating systems don't support
+ some or
+ any of the limits. On such systems, a warning will be issued if
+ the
+ unsupported limit is used.
+ </p>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">coresize</strong></span></span></dt>
-<dd><p>The maximum size of a core dump. The default
-is <code class="literal">default</code>.</p></dd>
+<dd><p>
+ The maximum size of a core dump. The default
+ is <code class="literal">default</code>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">datasize</strong></span></span></dt>
-<dd><p>The maximum amount of data memory the server
-may use. The default is <code class="literal">default</code>.
-This is a hard limit on server memory usage.
-If the server attempts to allocate memory in excess of this
-limit, the allocation will fail, which may in turn leave
-the server unable to perform DNS service. Therefore,
-this option is rarely useful as a way of limiting the
-amount of memory used by the server, but it can be used
-to raise an operating system data size limit that is
-too small by default. If you wish to limit the amount
-of memory used by the server, use the
-<span><strong class="command">max-cache-size</strong></span> and
-<span><strong class="command">recursive-clients</strong></span>
-options instead.
-</p></dd>
+<dd><p>
+ The maximum amount of data memory the server
+ may use. The default is <code class="literal">default</code>.
+ This is a hard limit on server memory usage.
+ If the server attempts to allocate memory in excess of this
+ limit, the allocation will fail, which may in turn leave
+ the server unable to perform DNS service. Therefore,
+ this option is rarely useful as a way of limiting the
+ amount of memory used by the server, but it can be used
+ to raise an operating system data size limit that is
+ too small by default. If you wish to limit the amount
+ of memory used by the server, use the
+ <span><strong class="command">max-cache-size</strong></span> and
+ <span><strong class="command">recursive-clients</strong></span>
+ options instead.
+ </p></dd>
<dt><span class="term"><span><strong class="command">files</strong></span></span></dt>
-<dd><p>The maximum number of files the server
-may have open concurrently. The default is <code class="literal">unlimited</code>.
-</p></dd>
+<dd><p>
+ The maximum number of files the server
+ may have open concurrently. The default is <code class="literal">unlimited</code>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">stacksize</strong></span></span></dt>
-<dd><p>The maximum amount of stack memory the server
-may use. The default is <code class="literal">default</code>.</p></dd>
+<dd><p>
+ The maximum amount of stack memory the server
+ may use. The default is <code class="literal">default</code>.
+ </p></dd>
</dl></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2570205"></a>Server Resource Limits</h4></div></div></div>
-<p>The following options set limits on the server's
-resource consumption that are enforced internally by the
-server rather than the operating system.</p>
+<a name="id2581976"></a>Server Resource Limits</h4></div></div></div>
+<p>
+ The following options set limits on the server's
+ resource consumption that are enforced internally by the
+ server rather than the operating system.
+ </p>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">max-ixfr-log-size</strong></span></span></dt>
-<dd><p>This option is obsolete; it is accepted
-and ignored for BIND 8 compatibility. The option
-<span><strong class="command">max-journal-size</strong></span> performs a similar
-function in BIND 8.
-</p></dd>
+<dd><p>
+ This option is obsolete; it is accepted
+ and ignored for BIND 8 compatibility. The option
+ <span><strong class="command">max-journal-size</strong></span> performs a
+ similar function in BIND 9.
+ </p></dd>
<dt><span class="term"><span><strong class="command">max-journal-size</strong></span></span></dt>
-<dd><p>Sets a maximum size for each journal file
-(see <a href="Bv9ARM.ch04.html#journal" title="The journal file">the section called &#8220;The journal file&#8221;</a>). When the journal file approaches
-the specified size, some of the oldest transactions in the journal
-will be automatically removed. The default is
-<code class="literal">unlimited</code>.</p></dd>
+<dd><p>
+ Sets a maximum size for each journal file
+ (see <a href="Bv9ARM.ch04.html#journal" title="The journal file">the section called &#8220;The journal file&#8221;</a>). When the journal file
+ approaches
+ the specified size, some of the oldest transactions in the
+ journal
+ will be automatically removed. The default is
+ <code class="literal">unlimited</code>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">host-statistics-max</strong></span></span></dt>
-<dd><p>In BIND 8, specifies the maximum number of host statistics
-entries to be kept.
-Not implemented in BIND 9.
-</p></dd>
+<dd><p>
+ In BIND 8, specifies the maximum number of host statistics
+ entries to be kept.
+ Not implemented in BIND 9.
+ </p></dd>
<dt><span class="term"><span><strong class="command">recursive-clients</strong></span></span></dt>
-<dd><p>The maximum number of simultaneous recursive lookups
-the server will perform on behalf of clients. The default is
-<code class="literal">1000</code>. Because each recursing client uses a fair
-bit of memory, on the order of 20 kilobytes, the value of the
-<span><strong class="command">recursive-clients</strong></span> option may have to be decreased
-on hosts with limited memory.
-</p></dd>
+<dd><p>
+ The maximum number of simultaneous recursive lookups
+ the server will perform on behalf of clients. The default
+ is
+ <code class="literal">1000</code>. Because each recursing
+ client uses a fair
+ bit of memory, on the order of 20 kilobytes, the value of
+ the
+ <span><strong class="command">recursive-clients</strong></span> option may
+ have to be decreased
+ on hosts with limited memory.
+ </p></dd>
<dt><span class="term"><span><strong class="command">tcp-clients</strong></span></span></dt>
-<dd><p>The maximum number of simultaneous client TCP
-connections that the server will accept.
-The default is <code class="literal">100</code>.</p></dd>
+<dd><p>
+ The maximum number of simultaneous client TCP
+ connections that the server will accept.
+ The default is <code class="literal">100</code>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">max-cache-size</strong></span></span></dt>
-<dd><p>The maximum amount of memory to use for the
-server's cache, in bytes. When the amount of data in the cache
-reaches this limit, the server will cause records to expire
-prematurely so that the limit is not exceeded. In a server with
-multiple views, the limit applies separately to the cache of each
-view. The default is <code class="literal">unlimited</code>, meaning that
-records are purged from the cache only when their TTLs expire.
-</p></dd>
+<dd><p>
+ The maximum amount of memory to use for the
+ server's cache, in bytes. When the amount of data in the
+ cache
+ reaches this limit, the server will cause records to expire
+ prematurely so that the limit is not exceeded. In a server
+ with
+ multiple views, the limit applies separately to the cache of
+ each
+ view. The default is <code class="literal">unlimited</code>, meaning that
+ records are purged from the cache only when their TTLs
+ expire.
+ </p></dd>
<dt><span class="term"><span><strong class="command">tcp-listen-queue</strong></span></span></dt>
-<dd><p>The listen queue depth. The default and minimum is 3.
-If the kernel supports the accept filter "dataready" this also controls how
-many TCP connections that will be queued in kernel space waiting for
-some data before being passed to accept. Values less than 3 will be
-silently raised.
-</p></dd>
+<dd><p>
+ The listen queue depth. The default and minimum is 3.
+ If the kernel supports the accept filter "dataready" this
+ also controls how
+ many TCP connections that will be queued in kernel space
+ waiting for
+ some data before being passed to accept. Values less than 3
+ will be
+ silently raised.
+ </p></dd>
</dl></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2584723"></a>Periodic Task Intervals</h4></div></div></div>
+<a name="id2582178"></a>Periodic Task Intervals</h4></div></div></div>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">cleaning-interval</strong></span></span></dt>
-<dd><p>The server will remove expired resource records
-from the cache every <span><strong class="command">cleaning-interval</strong></span> minutes.
-The default is 60 minutes. The maximum value is 28 days (40320 minutes).
-If set to 0, no periodic cleaning will occur.</p></dd>
+<dd><p>
+ The server will remove expired resource records
+ from the cache every <span><strong class="command">cleaning-interval</strong></span> minutes.
+ The default is 60 minutes. The maximum value is 28 days
+ (40320 minutes).
+ If set to 0, no periodic cleaning will occur.
+ </p></dd>
<dt><span class="term"><span><strong class="command">heartbeat-interval</strong></span></span></dt>
-<dd><p>The server will perform zone maintenance tasks
-for all zones marked as <span><strong class="command">dialup</strong></span> whenever this
-interval expires. The default is 60 minutes. Reasonable values are up
-to 1 day (1440 minutes). The maximum value is 28 days (40320 minutes).
-If set to 0, no zone maintenance for these zones will occur.</p></dd>
+<dd><p>
+ The server will perform zone maintenance tasks
+ for all zones marked as <span><strong class="command">dialup</strong></span> whenever this
+ interval expires. The default is 60 minutes. Reasonable
+ values are up
+ to 1 day (1440 minutes). The maximum value is 28 days
+ (40320 minutes).
+ If set to 0, no zone maintenance for these zones will occur.
+ </p></dd>
<dt><span class="term"><span><strong class="command">interface-interval</strong></span></span></dt>
-<dd><p>The server will scan the network interface list
-every <span><strong class="command">interface-interval</strong></span> minutes. The default
-is 60 minutes. The maximum value is 28 days (40320 minutes).
-If set to 0, interface scanning will only occur when
-the configuration file is loaded. After the scan, the server will
-begin listening for queries on any newly discovered
-interfaces (provided they are allowed by the
-<span><strong class="command">listen-on</strong></span> configuration), and will
-stop listening on interfaces that have gone away.</p></dd>
+<dd><p>
+ The server will scan the network interface list
+ every <span><strong class="command">interface-interval</strong></span>
+ minutes. The default
+ is 60 minutes. The maximum value is 28 days (40320 minutes).
+ If set to 0, interface scanning will only occur when
+ the configuration file is loaded. After the scan, the
+ server will
+ begin listening for queries on any newly discovered
+ interfaces (provided they are allowed by the
+ <span><strong class="command">listen-on</strong></span> configuration), and
+ will
+ stop listening on interfaces that have gone away.
+ </p></dd>
<dt><span class="term"><span><strong class="command">statistics-interval</strong></span></span></dt>
<dd>
-<p>Name server statistics will be logged
-every <span><strong class="command">statistics-interval</strong></span> minutes. The default is
-60. The maximum value is 28 days (40320 minutes).
-If set to 0, no statistics will be logged.</p>
+<p>
+ Name server statistics will be logged
+ every <span><strong class="command">statistics-interval</strong></span>
+ minutes. The default is
+ 60. The maximum value is 28 days (40320 minutes).
+ If set to 0, no statistics will be logged.
+ </p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
-<p>Not yet implemented in <acronym class="acronym">BIND</acronym>9.</p>
+<p>
+ Not yet implemented in
+ <acronym class="acronym">BIND</acronym>9.
+ </p>
</div>
</dd>
</dl></div>
@@ -2206,83 +3543,115 @@ If set to 0, no statistics will be logged.</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="topology"></a>Topology</h4></div></div></div>
-<p>All other things being equal, when the server chooses a name server
-to query from a list of name servers, it prefers the one that is
-topologically closest to itself. The <span><strong class="command">topology</strong></span> statement
-takes an <span><strong class="command">address_match_list</strong></span> and interprets it
-in a special way. Each top-level list element is assigned a distance.
-Non-negated elements get a distance based on their position in the
-list, where the closer the match is to the start of the list, the
-shorter the distance is between it and the server. A negated match
-will be assigned the maximum distance from the server. If there
-is no match, the address will get a distance which is further than
-any non-negated list element, and closer than any negated element.
-For example,</p>
+<p>
+ All other things being equal, when the server chooses a name
+ server
+ to query from a list of name servers, it prefers the one that is
+ topologically closest to itself. The <span><strong class="command">topology</strong></span> statement
+ takes an <span><strong class="command">address_match_list</strong></span> and
+ interprets it
+ in a special way. Each top-level list element is assigned a
+ distance.
+ Non-negated elements get a distance based on their position in the
+ list, where the closer the match is to the start of the list, the
+ shorter the distance is between it and the server. A negated match
+ will be assigned the maximum distance from the server. If there
+ is no match, the address will get a distance which is further than
+ any non-negated list element, and closer than any negated element.
+ For example,
+ </p>
<pre class="programlisting">topology {
10/8;
!1.2.3/24;
{ 1.2/16; 3/8; };
};</pre>
-<p>will prefer servers on network 10 the most, followed by hosts
-on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the
-exception of hosts on network 1.2.3 (netmask 255.255.255.0), which
-is preferred least of all.</p>
-<p>The default topology is</p>
+<p>
+ will prefer servers on network 10 the most, followed by hosts
+ on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the
+ exception of hosts on network 1.2.3 (netmask 255.255.255.0), which
+ is preferred least of all.
+ </p>
+<p>
+ The default topology is
+ </p>
<pre class="programlisting"> topology { localhost; localnets; };
</pre>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
-<p>The <span><strong class="command">topology</strong></span> option
-is not implemented in <acronym class="acronym">BIND</acronym> 9.
-</p>
+<p>
+ The <span><strong class="command">topology</strong></span> option
+ is not implemented in <acronym class="acronym">BIND</acronym> 9.
+ </p>
</div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="the_sortlist_statement"></a>The <span><strong class="command">sortlist</strong></span> Statement</h4></div></div></div>
-<p>The response to a DNS query may consist of multiple resource
-records (RRs) forming a resource records set (RRset).
-The name server will normally return the
-RRs within the RRset in an indeterminate order
-(but see the <span><strong class="command">rrset-order</strong></span>
-statement in <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called &#8220;RRset Ordering&#8221;</a>).
-The client resolver code should rearrange the RRs as appropriate,
-that is, using any addresses on the local net in preference to other addresses.
-However, not all resolvers can do this or are correctly configured.
-When a client is using a local server, the sorting can be performed
-in the server, based on the client's address. This only requires
-configuring the name servers, not all the clients.</p>
-<p>The <span><strong class="command">sortlist</strong></span> statement (see below) takes
-an <span><strong class="command">address_match_list</strong></span> and interprets it even
-more specifically than the <span><strong class="command">topology</strong></span> statement
-does (<a href="Bv9ARM.ch06.html#topology" title="Topology">the section called &#8220;Topology&#8221;</a>).
-Each top level statement in the <span><strong class="command">sortlist</strong></span> must
-itself be an explicit <span><strong class="command">address_match_list</strong></span> with
-one or two elements. The first element (which may be an IP address,
-an IP prefix, an ACL name or a nested <span><strong class="command">address_match_list</strong></span>)
-of each top level list is checked against the source address of
-the query until a match is found.</p>
-<p>Once the source address of the query has been matched, if
-the top level statement contains only one element, the actual primitive
-element that matched the source address is used to select the address
-in the response to move to the beginning of the response. If the
-statement is a list of two elements, then the second element is
-treated the same as the <span><strong class="command">address_match_list</strong></span> in
-a <span><strong class="command">topology</strong></span> statement. Each top level element
-is assigned a distance and the address in the response with the minimum
-distance is moved to the beginning of the response.</p>
-<p>In the following example, any queries received from any of
-the addresses of the host itself will get responses preferring addresses
-on any of the locally connected networks. Next most preferred are addresses
-on the 192.168.1/24 network, and after that either the 192.168.2/24
-or
-192.168.3/24 network with no preference shown between these two
-networks. Queries received from a host on the 192.168.1/24 network
-will prefer other addresses on that network to the 192.168.2/24
-and
-192.168.3/24 networks. Queries received from a host on the 192.168.4/24
-or the 192.168.5/24 network will only prefer other addresses on
-their directly connected networks.</p>
+<p>
+ The response to a DNS query may consist of multiple resource
+ records (RRs) forming a resource records set (RRset).
+ The name server will normally return the
+ RRs within the RRset in an indeterminate order
+ (but see the <span><strong class="command">rrset-order</strong></span>
+ statement in <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called &#8220;RRset Ordering&#8221;</a>).
+ The client resolver code should rearrange the RRs as appropriate,
+ that is, using any addresses on the local net in preference to
+ other addresses.
+ However, not all resolvers can do this or are correctly
+ configured.
+ When a client is using a local server, the sorting can be performed
+ in the server, based on the client's address. This only requires
+ configuring the name servers, not all the clients.
+ </p>
+<p>
+ The <span><strong class="command">sortlist</strong></span> statement (see below)
+ takes
+ an <span><strong class="command">address_match_list</strong></span> and
+ interprets it even
+ more specifically than the <span><strong class="command">topology</strong></span>
+ statement
+ does (<a href="Bv9ARM.ch06.html#topology" title="Topology">the section called &#8220;Topology&#8221;</a>).
+ Each top level statement in the <span><strong class="command">sortlist</strong></span> must
+ itself be an explicit <span><strong class="command">address_match_list</strong></span> with
+ one or two elements. The first element (which may be an IP
+ address,
+ an IP prefix, an ACL name or a nested <span><strong class="command">address_match_list</strong></span>)
+ of each top level list is checked against the source address of
+ the query until a match is found.
+ </p>
+<p>
+ Once the source address of the query has been matched, if
+ the top level statement contains only one element, the actual
+ primitive
+ element that matched the source address is used to select the
+ address
+ in the response to move to the beginning of the response. If the
+ statement is a list of two elements, then the second element is
+ treated the same as the <span><strong class="command">address_match_list</strong></span> in
+ a <span><strong class="command">topology</strong></span> statement. Each top
+ level element
+ is assigned a distance and the address in the response with the
+ minimum
+ distance is moved to the beginning of the response.
+ </p>
+<p>
+ In the following example, any queries received from any of
+ the addresses of the host itself will get responses preferring
+ addresses
+ on any of the locally connected networks. Next most preferred are
+ addresses
+ on the 192.168.1/24 network, and after that either the
+ 192.168.2/24
+ or
+ 192.168.3/24 network with no preference shown between these two
+ networks. Queries received from a host on the 192.168.1/24 network
+ will prefer other addresses on that network to the 192.168.2/24
+ and
+ 192.168.3/24 networks. Queries received from a host on the
+ 192.168.4/24
+ or the 192.168.5/24 network will only prefer other addresses on
+ their directly connected networks.
+ </p>
<pre class="programlisting">sortlist {
{ localhost; // IF the local host
{ localnets; // THEN first fit on the
@@ -2300,13 +3669,18 @@ their directly connected networks.</p>
{ { 192.168.4/24; 192.168.5/24; }; // if .4 or .5, prefer that net
};
};</pre>
-<p>The following example will give reasonable behavior for the
-local host and hosts on directly connected networks. It is similar
-to the behavior of the address sort in <acronym class="acronym">BIND</acronym> 4.9.x. Responses sent
-to queries from the local host will favor any of the directly connected
-networks. Responses sent to queries from any other hosts on a directly
-connected network will prefer addresses on that same network. Responses
-to other queries will not be sorted.</p>
+<p>
+ The following example will give reasonable behavior for the
+ local host and hosts on directly connected networks. It is similar
+ to the behavior of the address sort in <acronym class="acronym">BIND</acronym> 4.9.x. Responses sent
+ to queries from the local host will favor any of the directly
+ connected
+ networks. Responses sent to queries from any other hosts on a
+ directly
+ connected network will prefer addresses on that same network.
+ Responses
+ to other queries will not be sorted.
+ </p>
<pre class="programlisting">sortlist {
{ localhost; localnets; };
{ localnets; };
@@ -2316,21 +3690,34 @@ to other queries will not be sorted.</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="rrset_ordering"></a>RRset Ordering</h4></div></div></div>
-<p>When multiple records are returned in an answer it may be
-useful to configure the order of the records placed into the response.
-The <span><strong class="command">rrset-order</strong></span> statement permits configuration
-of the ordering of the records in a multiple record response.
-See also the <span><strong class="command">sortlist</strong></span> statement,
-<a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called &#8220;The <span><strong class="command">sortlist</strong></span> Statement&#8221;</a>.
-</p>
-<p>An <span><strong class="command">order_spec</strong></span> is defined as follows:</p>
-<pre class="programlisting">[<span class="optional"> class <em class="replaceable"><code>class_name</code></em> </span>][<span class="optional"> type <em class="replaceable"><code>type_name</code></em> </span>][<span class="optional"> name <em class="replaceable"><code>"domain_name"</code></em></span>]
- order <em class="replaceable"><code>ordering</code></em>
-</pre>
-<p>If no class is specified, the default is <span><strong class="command">ANY</strong></span>.
-If no type is specified, the default is <span><strong class="command">ANY</strong></span>.
-If no name is specified, the default is "<span><strong class="command">*</strong></span>" (asterisk).</p>
-<p>The legal values for <span><strong class="command">ordering</strong></span> are:</p>
+<p>
+ When multiple records are returned in an answer it may be
+ useful to configure the order of the records placed into the
+ response.
+ The <span><strong class="command">rrset-order</strong></span> statement permits
+ configuration
+ of the ordering of the records in a multiple record response.
+ See also the <span><strong class="command">sortlist</strong></span> statement,
+ <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called &#8220;The <span><strong class="command">sortlist</strong></span> Statement&#8221;</a>.
+ </p>
+<p>
+ An <span><strong class="command">order_spec</strong></span> is defined as
+ follows:
+ </p>
+<p>
+ [<span class="optional">class <em class="replaceable"><code>class_name</code></em></span>]
+ [<span class="optional">type <em class="replaceable"><code>type_name</code></em></span>]
+ [<span class="optional">name <em class="replaceable"><code>"domain_name"</code></em></span>]
+ order <em class="replaceable"><code>ordering</code></em>
+ </p>
+<p>
+ If no class is specified, the default is <span><strong class="command">ANY</strong></span>.
+ If no type is specified, the default is <span><strong class="command">ANY</strong></span>.
+ If no name is specified, the default is "<span><strong class="command">*</strong></span>" (asterisk).
+ </p>
+<p>
+ The legal values for <span><strong class="command">ordering</strong></span> are:
+ </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -2338,38 +3725,65 @@ If no name is specified, the default is "<span><strong class="command">*</strong
</colgroup>
<tbody>
<tr>
-<td><p><span><strong class="command">fixed</strong></span></p></td>
-<td><p>Records are returned in the order they
-are defined in the zone file.</p></td>
+<td>
+ <p><span><strong class="command">fixed</strong></span></p>
+ </td>
+<td>
+ <p>
+ Records are returned in the order they
+ are defined in the zone file.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">random</strong></span></p></td>
-<td><p>Records are returned in some random order.</p></td>
+<td>
+ <p><span><strong class="command">random</strong></span></p>
+ </td>
+<td>
+ <p>
+ Records are returned in some random order.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">cyclic</strong></span></p></td>
-<td><p>Records are returned in a round-robin
-order.</p></td>
+<td>
+ <p><span><strong class="command">cyclic</strong></span></p>
+ </td>
+<td>
+ <p>
+ Records are returned in a round-robin
+ order.
+ </p>
+ </td>
</tr>
</tbody>
</table></div>
-<p>For example:</p>
+<p>
+ For example:
+ </p>
<pre class="programlisting">rrset-order {
class IN type A name "host.example.com" order random;
order cyclic;
};
</pre>
-<p>will cause any responses for type A records in class IN that
-have "<code class="literal">host.example.com</code>" as a suffix, to always be returned
-in random order. All other records are returned in cyclic order.</p>
-<p>If multiple <span><strong class="command">rrset-order</strong></span> statements appear,
-they are not combined &#8212; the last one applies.</p>
+<p>
+ will cause any responses for type A records in class IN that
+ have "<code class="literal">host.example.com</code>" as a
+ suffix, to always be returned
+ in random order. All other records are returned in cyclic order.
+ </p>
+<p>
+ If multiple <span><strong class="command">rrset-order</strong></span> statements
+ appear,
+ they are not combined &#8212; the last one applies.
+ </p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
-<p>The <span><strong class="command">rrset-order</strong></span> statement
-is not yet fully implemented in <acronym class="acronym">BIND</acronym> 9.
-BIND 9 currently does not support "fixed" ordering.
-</p>
+<p>
+ The <span><strong class="command">rrset-order</strong></span> statement
+ is not yet fully implemented in <acronym class="acronym">BIND</acronym> 9.
+ BIND 9 currently does not fully support "fixed" ordering.
+ </p>
</div>
</div>
<div class="sect3" lang="en">
@@ -2377,143 +3791,370 @@ BIND 9 currently does not support "fixed" ordering.
<a name="tuning"></a>Tuning</h4></div></div></div>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">lame-ttl</strong></span></span></dt>
-<dd><p>Sets the number of seconds to cache a
-lame server indication. 0 disables caching. (This is
-<span class="bold"><strong>NOT</strong></span> recommended.)
-The default is <code class="literal">600</code> (10 minutes) and the maximum value is
-<code class="literal">1800</code> (30 minutes).</p></dd>
+<dd><p>
+ Sets the number of seconds to cache a
+ lame server indication. 0 disables caching. (This is
+ <span class="bold"><strong>NOT</strong></span> recommended.)
+ The default is <code class="literal">600</code> (10 minutes) and the
+ maximum value is
+ <code class="literal">1800</code> (30 minutes).
+ </p></dd>
<dt><span class="term"><span><strong class="command">max-ncache-ttl</strong></span></span></dt>
-<dd><p>To reduce network traffic and increase performance,
-the server stores negative answers. <span><strong class="command">max-ncache-ttl</strong></span> is
-used to set a maximum retention time for these answers in the server
-in seconds. The default
-<span><strong class="command">max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours).
-<span><strong class="command">max-ncache-ttl</strong></span> cannot exceed 7 days and will
-be silently truncated to 7 days if set to a greater value.</p></dd>
+<dd><p>
+ To reduce network traffic and increase performance,
+ the server stores negative answers. <span><strong class="command">max-ncache-ttl</strong></span> is
+ used to set a maximum retention time for these answers in
+ the server
+ in seconds. The default
+ <span><strong class="command">max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours).
+ <span><strong class="command">max-ncache-ttl</strong></span> cannot exceed
+ 7 days and will
+ be silently truncated to 7 days if set to a greater value.
+ </p></dd>
<dt><span class="term"><span><strong class="command">max-cache-ttl</strong></span></span></dt>
-<dd><p>Sets
-the maximum time for which the server will cache ordinary (positive)
-answers. The default is one week (7 days).</p></dd>
+<dd><p>
+ Sets the maximum time for which the server will
+ cache ordinary (positive) answers. The default is
+ one week (7 days).
+ </p></dd>
<dt><span class="term"><span><strong class="command">min-roots</strong></span></span></dt>
<dd>
-<p>The minimum number of root servers that
-is required for a request for the root servers to be accepted. The default
-is <strong class="userinput"><code>2</code></strong>.</p>
+<p>
+ The minimum number of root servers that
+ is required for a request for the root servers to be
+ accepted. The default
+ is <strong class="userinput"><code>2</code></strong>.
+ </p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
-<p>Not implemented in <acronym class="acronym">BIND</acronym> 9.</p>
+<p>
+ Not implemented in <acronym class="acronym">BIND</acronym> 9.
+ </p>
</div>
</dd>
<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
-<dd><p>Specifies the number of days into the
-future when DNSSEC signatures automatically generated as a result
-of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called &#8220;Dynamic Update&#8221;</a>)
-will expire. The default is <code class="literal">30</code> days.
-The maximum value is 10 years (3660 days). The signature
-inception time is unconditionally set to one hour before the current time
-to allow for a limited amount of clock skew.</p></dd>
+<dd><p>
+ Specifies the number of days into the
+ future when DNSSEC signatures automatically generated as a
+ result
+ of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called &#8220;Dynamic Update&#8221;</a>)
+ will expire. The default is <code class="literal">30</code> days.
+ The maximum value is 10 years (3660 days). The signature
+ inception time is unconditionally set to one hour before the
+ current time
+ to allow for a limited amount of clock skew.
+ </p></dd>
<dt>
<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
</dt>
<dd>
<p>
-These options control the server's behavior on refreshing a zone
-(querying for SOA changes) or retrying failed transfers.
-Usually the SOA values for the zone are used, but these values
-are set by the master, giving slave server administrators little
-control over their contents.
-</p>
+ These options control the server's behavior on refreshing a
+ zone
+ (querying for SOA changes) or retrying failed transfers.
+ Usually the SOA values for the zone are used, but these
+ values
+ are set by the master, giving slave server administrators
+ little
+ control over their contents.
+ </p>
<p>
-These options allow the administrator to set a minimum and maximum
-refresh and retry time either per-zone, per-view, or globally.
-These options are valid for slave and stub zones,
-and clamp the SOA refresh and retry times to the specified values.
-</p>
+ These options allow the administrator to set a minimum and
+ maximum
+ refresh and retry time either per-zone, per-view, or
+ globally.
+ These options are valid for slave and stub zones,
+ and clamp the SOA refresh and retry times to the specified
+ values.
+ </p>
</dd>
<dt><span class="term"><span><strong class="command">edns-udp-size</strong></span></span></dt>
<dd><p>
-<span><strong class="command">edns-udp-size</strong></span> sets the advertised EDNS UDP buffer
-size in bytes. Valid values are 512 to 4096 bytes (values outside this range will be
-silently adjusted). The default value is 4096. The usual reason for
-setting edns-udp-size to a non-default value it to get UDP answers to
-pass through broken firewalls that block fragmented packets and/or
-block UDP packets that are greater than 512 bytes.
-</p></dd>
+ Sets the advertised EDNS UDP buffer size in bytes. Valid
+ values are 512 to 4096 (values outside this range
+ will be silently adjusted). The default value is
+ 4096. The usual reason for setting edns-udp-size to
+ a non-default value it to get UDP answers to pass
+ through broken firewalls that block fragmented
+ packets and/or block UDP packets that are greater
+ than 512 bytes.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">max-udp-size</strong></span></span></dt>
+<dd><p>
+ Sets the maximum EDNS UDP message size named will
+ send in bytes. Valid values are 512 to 4096 (values outside
+ this range will be silently adjusted). The default
+ value is 4096. The usual reason for setting
+ max-udp-size to a non-default value is to get UDP
+ answers to pass through broken firewalls that
+ block fragmented packets and/or block UDP packets
+ that are greater than 512 bytes.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">masterfile-format</strong></span></span></dt>
+<dd><p>Specifies
+ the file format of zone files (see
+ <a href="Bv9ARM.ch06.html#zonefile_format" title="Additional File Formats">the section called &#8220;Additional File Formats&#8221;</a>).
+ The default value is <code class="constant">text</code>, which is the
+ standard textual representation. Files in other formats
+ than <code class="constant">text</code> are typically expected
+ to be generated by the <span><strong class="command">named-compilezone</strong></span> tool.
+ Note that when a zone file in a different format than
+ <code class="constant">text</code> is loaded, <span><strong class="command">named</strong></span>
+ may omit some of the checks which would be performed for a
+ file in the <code class="constant">text</code> format. In particular,
+ <span><strong class="command">check-names</strong></span> checks do not apply
+ for the <code class="constant">raw</code> format. This means
+ a zone file in the <code class="constant">raw</code> format
+ must be generated with the same check level as that
+ specified in the <span><strong class="command">named</strong></span> configuration
+ file. This statement sets the
+ <span><strong class="command">masterfile-format</strong></span> for all zones,
+ but can be overridden on a per-zone or per-view basis
+ by including a <span><strong class="command">masterfile-format</strong></span>
+ statement within the <span><strong class="command">zone</strong></span> or
+ <span><strong class="command">view</strong></span> block in the configuration
+ file.
+ </p></dd>
+<dt>
+<span class="term"><span><strong class="command">clients-per-query</strong></span>, </span><span class="term"><span><strong class="command">max-clients-per-query</strong></span></span>
+</dt>
+<dd>
+<p>These set the
+ initial value (minimum) and maximum number of recursive
+ simultanious clients for any given query
+ (&lt;qname,qtype,qclass&gt;) that the server will accept
+ before dropping additional clients. named will attempt to
+ self tune this value and changes will be logged. The
+ default values are 10 and 100.
+ </p>
+<p>
+ This value should reflect how many queries come in for
+ a given name in the time it takes to resolve that name.
+ If the number of queries exceed this value, named will
+ assume that it is dealing with a non-responsive zone
+ and will drop additional queries. If it gets a response
+ after dropping queries, it will raise the estimate. The
+ estimate will then be lowered in 20 minutes if it has
+ remained unchanged.
+ </p>
+<p>
+ If <span><strong class="command">clients-per-query</strong></span> is set to zero,
+ then there is no limit on the number of clients per query
+ and no queries will be dropped.
+ </p>
+<p>
+ If <span><strong class="command">max-clients-per-query</strong></span> is set to zero,
+ then there is no upper bound other than imposed by
+ <span><strong class="command">recursive-clients</strong></span>.
+ </p>
+</dd>
</dl></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="builtin"></a>Built-in server information zones</h4></div></div></div>
-<p>The server provides some helpful diagnostic information
-through a number of built-in zones under the
-pseudo-top-level-domain <code class="literal">bind</code> in the
-<span><strong class="command">CHAOS</strong></span> class. These zones are part of a
-built-in view (see <a href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called &#8220;<span><strong class="command">view</strong></span> Statement Grammar&#8221;</a>) of class
-<span><strong class="command">CHAOS</strong></span> which is separate from the default view of
-class <span><strong class="command">IN</strong></span>; therefore, any global server options
-such as <span><strong class="command">allow-query</strong></span> do not apply the these zones.
-If you feel the need to disable these zones, use the options
-below, or hide the built-in <span><strong class="command">CHAOS</strong></span> view by
-defining an explicit view of class <span><strong class="command">CHAOS</strong></span>
-that matches all clients.</p>
+<p>
+ The server provides some helpful diagnostic information
+ through a number of built-in zones under the
+ pseudo-top-level-domain <code class="literal">bind</code> in the
+ <span><strong class="command">CHAOS</strong></span> class. These zones are part
+ of a
+ built-in view (see <a href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called &#8220;<span><strong class="command">view</strong></span> Statement Grammar&#8221;</a>) of
+ class
+ <span><strong class="command">CHAOS</strong></span> which is separate from the
+ default view of
+ class <span><strong class="command">IN</strong></span>; therefore, any global
+ server options
+ such as <span><strong class="command">allow-query</strong></span> do not apply
+ the these zones.
+ If you feel the need to disable these zones, use the options
+ below, or hide the built-in <span><strong class="command">CHAOS</strong></span>
+ view by
+ defining an explicit view of class <span><strong class="command">CHAOS</strong></span>
+ that matches all clients.
+ </p>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">version</strong></span></span></dt>
-<dd><p>The version the server should report
-via a query of the name <code class="literal">version.bind</code>
-with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
-The default is the real version number of this server.
-Specifying <span><strong class="command">version none</strong></span>
-disables processing of the queries.</p></dd>
+<dd><p>
+ The version the server should report
+ via a query of the name <code class="literal">version.bind</code>
+ with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
+ The default is the real version number of this server.
+ Specifying <span><strong class="command">version none</strong></span>
+ disables processing of the queries.
+ </p></dd>
<dt><span class="term"><span><strong class="command">hostname</strong></span></span></dt>
-<dd><p>The hostname the server should report via a query of
-the name <code class="filename">hostname.bind</code>
-with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
-This defaults to the hostname of the machine hosting the name server as
-found by the gethostname() function. The primary purpose of such queries is to
-identify which of a group of anycast servers is actually
-answering your queries. Specifying <span><strong class="command">hostname none;</strong></span>
-disables processing of the queries.</p></dd>
+<dd><p>
+ The hostname the server should report via a query of
+ the name <code class="filename">hostname.bind</code>
+ with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
+ This defaults to the hostname of the machine hosting the
+ name server as
+ found by the gethostname() function. The primary purpose of such queries
+ is to
+ identify which of a group of anycast servers is actually
+ answering your queries. Specifying <span><strong class="command">hostname none;</strong></span>
+ disables processing of the queries.
+ </p></dd>
<dt><span class="term"><span><strong class="command">server-id</strong></span></span></dt>
-<dd><p>The ID of the server should report via a query of
-the name <code class="filename">ID.SERVER</code>
-with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
-The primary purpose of such queries is to
-identify which of a group of anycast servers is actually
-answering your queries. Specifying <span><strong class="command">server-id none;</strong></span>
-disables processing of the queries.
-Specifying <span><strong class="command">server-id hostname;</strong></span> will cause named to
-use the hostname as found by the gethostname() function.
-The default <span><strong class="command">server-id</strong></span> is <span><strong class="command">none</strong></span>.
-</p></dd>
+<dd><p>
+ The ID of the server should report via a query of
+ the name <code class="filename">ID.SERVER</code>
+ with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
+ The primary purpose of such queries is to
+ identify which of a group of anycast servers is actually
+ answering your queries. Specifying <span><strong class="command">server-id none;</strong></span>
+ disables processing of the queries.
+ Specifying <span><strong class="command">server-id hostname;</strong></span> will cause named to
+ use the hostname as found by the gethostname() function.
+ The default <span><strong class="command">server-id</strong></span> is <span><strong class="command">none</strong></span>.
+ </p></dd>
</dl></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="statsfile"></a>The Statistics File</h4></div></div></div>
-<p>The statistics file generated by <acronym class="acronym">BIND</acronym> 9
-is similar, but not identical, to that
-generated by <acronym class="acronym">BIND</acronym> 8.
-</p>
-<p>The statistics dump begins with a line, like:</p>
-<p>
- <span><strong class="command">+++ Statistics Dump +++ (973798949)</strong></span>
- </p>
-<p>The numberr in parentheses is a standard
-Unix-style timestamp, measured as seconds since January 1, 1970. Following
-that line are a series of lines containing a counter type, the value of the
-counter, optionally a zone name, and optionally a view name.
-The lines without view and zone listed are global statistics for the entire server.
-Lines with a zone and view name for the given view and zone (the view name is
-omitted for the default view).
-</p>
+<a name="empty"></a>Built-in Empty Zones</h4></div></div></div>
<p>
-The statistics dump ends with the line where the
-number is identical to the number in the beginning line; for example:
-</p>
+ Named has some built-in empty zones (SOA and NS records only).
+ These are for zones that should normally be answered locally
+ and which queries should not be sent to the Internet's root
+ servers. The offical servers which cover these namespaces
+ return NXDOMAIN responses to these queries. In particular,
+ these cover the reverse namespace for addresses from RFC 1918 and
+ RFC 3330. They also include the reverse namespace for IPv6 local
+ address (locally assigned), IPv6 link local addresses, the IPv6
+ loopback address and the IPv6 unknown addresss.
+ </p>
+<p>
+ Named will attempt to determine if a built in zone already exists
+ or is active (covered by a forward-only forwarding declaration)
+ and will not not create a empty zone in that case.
+ </p>
+<p>
+ The current list of empty zones is:
+ </p>
+<div class="itemizedlist"><ul type="disc">
+<li>10.IN-ADDR.ARPA</li>
+<li>127.IN-ADDR.ARPA</li>
+<li>254.169.IN-ADDR.ARPA</li>
+<li>16.172.IN-ADDR.ARPA</li>
+<li>17.172.IN-ADDR.ARPA</li>
+<li>18.172.IN-ADDR.ARPA</li>
+<li>19.172.IN-ADDR.ARPA</li>
+<li>20.172.IN-ADDR.ARPA</li>
+<li>21.172.IN-ADDR.ARPA</li>
+<li>22.172.IN-ADDR.ARPA</li>
+<li>23.172.IN-ADDR.ARPA</li>
+<li>24.172.IN-ADDR.ARPA</li>
+<li>25.172.IN-ADDR.ARPA</li>
+<li>26.172.IN-ADDR.ARPA</li>
+<li>27.172.IN-ADDR.ARPA</li>
+<li>28.172.IN-ADDR.ARPA</li>
+<li>29.172.IN-ADDR.ARPA</li>
+<li>30.172.IN-ADDR.ARPA</li>
+<li>31.172.IN-ADDR.ARPA</li>
+<li>168.192.IN-ADDR.ARPA</li>
+<li>2.0.192.IN-ADDR.ARPA</li>
+<li>0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li>
+<li>1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li>
+<li>D.F.IP6.ARPA</li>
+<li>8.E.F.IP6.ARPA</li>
+<li>9.E.F.IP6.ARPA</li>
+<li>A.E.F.IP6.ARPA</li>
+<li>B.E.F.IP6.ARPA</li>
+</ul></div>
+<p>
+ </p>
<p>
-<span><strong class="command">--- Statistics Dump --- (973798949)</strong></span>
+ Empty zones are settable at the view level and only apply to
+ views of class IN. Disabled empty zones are only inherited
+ from options if there are no disabled empty zones specified
+ at the view level. To override the options list of disabled
+ zones, you can disable the root zone at the view level, for example:
</p>
-<p>The following statistics counters are maintained:</p>
+<pre class="programlisting">
+ disable-empty-zone ".";
+</pre>
+<p>
+ </p>
+<p>
+ If you are using the address ranges covered here, you should
+ already have reverse zones covering the addresses you use.
+ In practice this appears to not be the case with many queries
+ being made to the infrustructure servers for names in these
+ spaces. So many in fact that sacrificial servers were needed
+ to be deployed to channel the query load away from the
+ infrustructure servers.
+ </p>
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+ The real parent servers for these zones should disable all
+ empty zone under the parent zone they serve. For the real
+ root servers, this is all built in empty zones. This will
+ enable them to return referrals to deeper in the tree.
+ </div>
+<div class="variablelist"><dl>
+<dt><span class="term"><span><strong class="command">empty-server</strong></span></span></dt>
+<dd><p>
+ Specify what server name will appear in the returned
+ SOA record for empty zones. If none is specified, then
+ the zone's name will be used.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">empty-contact</strong></span></span></dt>
+<dd><p>
+ Specify what contact name will appear in the returned
+ SOA record for empty zones. If none is specified, then
+ "." will be used.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">empty-zones-enable</strong></span></span></dt>
+<dd><p>
+ Enable or disable all empty zones. By default they
+ are enabled.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">disable-empty-zone</strong></span></span></dt>
+<dd><p>
+ Disable individual empty zones. By default none are
+ disabled. This option can be specified multiple times.
+ </p></dd>
+</dl></div>
+</div>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="statsfile"></a>The Statistics File</h4></div></div></div>
+<p>
+ The statistics file generated by <acronym class="acronym">BIND</acronym> 9
+ is similar, but not identical, to that
+ generated by <acronym class="acronym">BIND</acronym> 8.
+ </p>
+<p>
+ The statistics dump begins with a line, like:
+ </p>
+<p>
+ <span><strong class="command">+++ Statistics Dump +++ (973798949)</strong></span>
+ </p>
+<p>
+ The number in parentheses is a standard
+ Unix-style timestamp, measured as seconds since January 1, 1970.
+ Following
+ that line are a series of lines containing a counter type, the
+ value of the
+ counter, optionally a zone name, and optionally a view name.
+ The lines without view and zone listed are global statistics for
+ the entire server.
+ Lines with a zone and view name for the given view and zone (the
+ view name is
+ omitted for the default view).
+ </p>
+<p>
+ The statistics dump ends with the line where the
+ number is identical to the number in the beginning line; for example:
+ </p>
+<p>
+ <span><strong class="command">--- Statistics Dump --- (973798949)</strong></span>
+ </p>
+<p>
+ The following statistics counters are maintained:
+ </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -2521,148 +4162,378 @@ number is identical to the number in the beginning line; for example:
</colgroup>
<tbody>
<tr>
-<td><p><span><strong class="command">success</strong></span></p></td>
-<td><p>The number of
-successful queries made to the server or zone. A successful query
-is defined as query which returns a NOERROR response with at least
-one answer RR.</p></td>
+<td>
+ <p><span><strong class="command">success</strong></span></p>
+ </td>
+<td>
+ <p>
+ The number of
+ successful queries made to the server or zone. A
+ successful query
+ is defined as query which returns a NOERROR response
+ with at least
+ one answer RR.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">referral</strong></span></p></td>
-<td><p>The number of queries which resulted
-in referral responses.</p></td>
+<td>
+ <p><span><strong class="command">referral</strong></span></p>
+ </td>
+<td>
+ <p>
+ The number of queries which resulted
+ in referral responses.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">nxrrset</strong></span></p></td>
-<td><p>The number of queries which resulted in
-NOERROR responses with no data.</p></td>
+<td>
+ <p><span><strong class="command">nxrrset</strong></span></p>
+ </td>
+<td>
+ <p>
+ The number of queries which resulted in
+ NOERROR responses with no data.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">nxdomain</strong></span></p></td>
-<td><p>The number
-of queries which resulted in NXDOMAIN responses.</p></td>
+<td>
+ <p><span><strong class="command">nxdomain</strong></span></p>
+ </td>
+<td>
+ <p>
+ The number
+ of queries which resulted in NXDOMAIN responses.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">failure</strong></span></p></td>
-<td><p>The number of queries which resulted in a
-failure response other than those above.</p></td>
+<td>
+ <p><span><strong class="command">failure</strong></span></p>
+ </td>
+<td>
+ <p>
+ The number of queries which resulted in a
+ failure response other than those above.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">recursion</strong></span></p></td>
-<td><p>The number of queries which caused the server
-to perform recursion in order to find the final answer.</p></td>
+<td>
+ <p><span><strong class="command">recursion</strong></span></p>
+ </td>
+<td>
+ <p>
+ The number of queries which caused the server
+ to perform recursion in order to find the final answer.
+ </p>
+ </td>
</tr>
</tbody>
</table></div>
<p>
-Each query received by the server will cause exactly one of
-<span><strong class="command">success</strong></span>,
-<span><strong class="command">referral</strong></span>,
-<span><strong class="command">nxrrset</strong></span>,
-<span><strong class="command">nxdomain</strong></span>, or
-<span><strong class="command">failure</strong></span>
-to be incremented, and may additionally cause the
-<span><strong class="command">recursion</strong></span> counter to be incremented.
-</p>
+ Each query received by the server will cause exactly one of
+ <span><strong class="command">success</strong></span>,
+ <span><strong class="command">referral</strong></span>,
+ <span><strong class="command">nxrrset</strong></span>,
+ <span><strong class="command">nxdomain</strong></span>, or
+ <span><strong class="command">failure</strong></span>
+ to be incremented, and may additionally cause the
+ <span><strong class="command">recursion</strong></span> counter to be
+ incremented.
+ </p>
+</div>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="acache"></a>Additional Section Caching</h4></div></div></div>
+<p>
+ The additional section cache, also called <span><strong class="command">acache</strong></span>,
+ is an internal cache to improve the response performance of BIND 9.
+ When additional section caching is enabled, BIND 9 will
+ cache an internal short-cut to the additional section content for
+ each answer RR.
+ Note that <span><strong class="command">acache</strong></span> is an internal caching
+ mechanism of BIND 9, and is not related to the DNS caching
+ server function.
+ </p>
+<p>
+ Additional section caching does not change the
+ response content (except the RRsets ordering of the additional
+ section, see below), but can improve the response performance
+ significantly.
+ It is particularly effective when BIND 9 acts as an authoritative
+ server for a zone that has many delegations with many glue RRs.
+ </p>
+<p>
+ In order to obtain the maximum performance improvement
+ from additional section caching, setting
+ <span><strong class="command">additional-from-cache</strong></span>
+ to <span><strong class="command">no</strong></span> is recommended, since the current
+ implementation of <span><strong class="command">acache</strong></span>
+ does not short-cut of additional section information from the
+ DNS cache data.
+ </p>
+<p>
+ One obvious disadvantage of <span><strong class="command">acache</strong></span> is
+ that it requires much more
+ memory for the internal cached data.
+ Thus, if the response performance does not matter and memory
+ consumption is much more critical, the
+ <span><strong class="command">acache</strong></span> mechanism can be
+ disabled by setting <span><strong class="command">acache-enable</strong></span> to
+ <span><strong class="command">no</strong></span>.
+ It is also possible to specify the upper limit of memory
+ consumption
+ for acache by using <span><strong class="command">max-acache-size</strong></span>.
+ </p>
+<p>
+ Additional section caching also has a minor effect on the
+ RRset ordering in the additional section.
+ Without <span><strong class="command">acache</strong></span>,
+ <span><strong class="command">cyclic</strong></span> order is effective for the additional
+ section as well as the answer and authority sections.
+ However, additional section caching fixes the ordering when it
+ first caches an RRset for the additional section, and the same
+ ordering will be kept in succeeding responses, regardless of the
+ setting of <span><strong class="command">rrset-order</strong></span>.
+ The effect of this should be minor, however, since an
+ RRset in the additional section
+ typically only contains a small number of RRs (and in many cases
+ it only contains a single RR), in which case the
+ ordering does not matter much.
+ </p>
+<p>
+ The following is a summary of options related to
+ <span><strong class="command">acache</strong></span>.
+ </p>
+<div class="variablelist"><dl>
+<dt><span class="term"><span><strong class="command">acache-enable</strong></span></span></dt>
+<dd><p>
+ If <span><strong class="command">yes</strong></span>, additional section caching is
+ enabled. The default value is <span><strong class="command">no</strong></span>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">acache-cleaning-interval</strong></span></span></dt>
+<dd><p>
+ The server will remove stale cache entries, based on an LRU
+ based
+ algorithm, every <span><strong class="command">acache-cleaning-interval</strong></span> minutes.
+ The default is 60 minutes.
+ If set to 0, no periodic cleaning will occur.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">max-acache-size</strong></span></span></dt>
+<dd><p>
+ The maximum amount of memory in bytes to use for the server's acache.
+ When the amount of data in the acache reaches this limit,
+ the server
+ will clean more aggressively so that the limit is not
+ exceeded.
+ In a server with multiple views, the limit applies
+ separately to the
+ acache of each view.
+ The default is <code class="literal">unlimited</code>,
+ meaning that
+ entries are purged from the acache only at the
+ periodic cleaning time.
+ </p></dd>
+</dl></div>
</div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="server_statement_grammar"></a><span><strong class="command">server</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting">server <em class="replaceable"><code>ip_addr</code></em> {
+<pre class="programlisting">server <em class="replaceable"><code>ip_addr[/prefixlen]</code></em> {
[<span class="optional"> bogus <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> edns <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
+ [<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em> ; </span>]
+ [<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> transfers <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em> ; ]</span>]
[<span class="optional"> keys <em class="replaceable"><code>{ string ; [<span class="optional"> string ; [<span class="optional">...</span>]</span>] }</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
+ [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
+ [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
+ [<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
+ [<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
};
</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="server_statement_definition_and_usage"></a><span><strong class="command">server</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">server</strong></span> statement defines characteristics
-to be associated with a remote name server.</p>
-<p>
-The <span><strong class="command">server</strong></span> statement can occur at the top level of the
-configuration file or inside a <span><strong class="command">view</strong></span> statement.
-If a <span><strong class="command">view</strong></span> statement contains
-one or more <span><strong class="command">server</strong></span> statements, only those
-apply to the view and any top-level ones are ignored.
-If a view contains no <span><strong class="command">server</strong></span> statements,
-any top-level <span><strong class="command">server</strong></span> statements are used as
-defaults.
-</p>
-<p>If you discover that a remote server is giving out bad data,
-marking it as bogus will prevent further queries to it. The default
-value of <span><strong class="command">bogus</strong></span> is <span><strong class="command">no</strong></span>.</p>
-<p>The <span><strong class="command">provide-ixfr</strong></span> clause determines whether
-the local server, acting as master, will respond with an incremental
-zone transfer when the given remote server, a slave, requests it.
-If set to <span><strong class="command">yes</strong></span>, incremental transfer will be provided
-whenever possible. If set to <span><strong class="command">no</strong></span>, all transfers
-to the remote server will be non-incremental. If not set, the value
-of the <span><strong class="command">provide-ixfr</strong></span> option in the view or
-global options block is used as a default.</p>
-<p>The <span><strong class="command">request-ixfr</strong></span> clause determines whether
-the local server, acting as a slave, will request incremental zone
-transfers from the given remote server, a master. If not set, the
-value of the <span><strong class="command">request-ixfr</strong></span> option in the view or
-global options block is used as a default.</p>
-<p>IXFR requests to servers that do not support IXFR will automatically
-fall back to AXFR. Therefore, there is no need to manually list
-which servers support IXFR and which ones do not; the global default
-of <span><strong class="command">yes</strong></span> should always work.
-The purpose of the <span><strong class="command">provide-ixfr</strong></span> and
-<span><strong class="command">request-ixfr</strong></span> clauses is
-to make it possible to disable the use of IXFR even when both master
-and slave claim to support it, for example if one of the servers
-is buggy and crashes or corrupts data when IXFR is used.</p>
-<p>The <span><strong class="command">edns</strong></span> clause determines whether the local server
-will attempt to use EDNS when communicating with the remote server. The
-default is <span><strong class="command">yes</strong></span>.</p>
-<p>The server supports two zone transfer methods. The first, <span><strong class="command">one-answer</strong></span>,
-uses one DNS message per resource record transferred. <span><strong class="command">many-answers</strong></span> packs
-as many resource records as possible into a message. <span><strong class="command">many-answers</strong></span> is
-more efficient, but is only known to be understood by <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
-8.x, and patched versions of <acronym class="acronym">BIND</acronym> 4.9.5. You can specify which method
-to use for a server with the <span><strong class="command">transfer-format</strong></span> option.
-If <span><strong class="command">transfer-format</strong></span> is not specified, the <span><strong class="command">transfer-format</strong></span> specified
-by the <span><strong class="command">options</strong></span> statement will be used.</p>
-<p><span><strong class="command">transfers</strong></span> is used to limit the number of
-concurrent inbound zone transfers from the specified server. If
-no <span><strong class="command">transfers</strong></span> clause is specified, the limit is
-set according to the <span><strong class="command">transfers-per-ns</strong></span> option.</p>
-<p>The <span><strong class="command">keys</strong></span> clause identifies a
-<span><strong class="command">key_id</strong></span> defined by the <span><strong class="command">key</strong></span> statement,
-to be used for transaction security (TSIG, <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
-when talking to the remote server.
-When a request is sent to the remote server, a request signature
-will be generated using the key specified here and appended to the
-message. A request originating from the remote server is not required
-to be signed by this key.</p>
-<p>Although the grammar of the <span><strong class="command">keys</strong></span> clause
-allows for multiple keys, only a single key per server is currently
-supported.</p>
-<p>The <span><strong class="command">transfer-source</strong></span> and
-<span><strong class="command">transfer-source-v6</strong></span> clauses specify the IPv4 and IPv6 source
-address to be used for zone transfer with the remote server, respectively.
-For an IPv4 remote server, only <span><strong class="command">transfer-source</strong></span> can
-be specified.
-Similarly, for an IPv6 remote server, only
-<span><strong class="command">transfer-source-v6</strong></span> can be specified.
-For more details, see the description of
-<span><strong class="command">transfer-source</strong></span> and
-<span><strong class="command">transfer-source-v6</strong></span> in
-<a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.</p>
+<a name="server_statement_definition_and_usage"></a><span><strong class="command">server</strong></span> Statement Definition and
+ Usage</h3></div></div></div>
+<p>
+ The <span><strong class="command">server</strong></span> statement defines
+ characteristics
+ to be associated with a remote name server. If a prefix length is
+ specified, then a range of servers is covered. Only the most
+ specific
+ server clause applies regardless of the order in
+ <code class="filename">named.conf</code>.
+ </p>
+<p>
+ The <span><strong class="command">server</strong></span> statement can occur at
+ the top level of the
+ configuration file or inside a <span><strong class="command">view</strong></span>
+ statement.
+ If a <span><strong class="command">view</strong></span> statement contains
+ one or more <span><strong class="command">server</strong></span> statements, only
+ those
+ apply to the view and any top-level ones are ignored.
+ If a view contains no <span><strong class="command">server</strong></span>
+ statements,
+ any top-level <span><strong class="command">server</strong></span> statements are
+ used as
+ defaults.
+ </p>
+<p>
+ If you discover that a remote server is giving out bad data,
+ marking it as bogus will prevent further queries to it. The
+ default
+ value of <span><strong class="command">bogus</strong></span> is <span><strong class="command">no</strong></span>.
+ </p>
+<p>
+ The <span><strong class="command">provide-ixfr</strong></span> clause determines
+ whether
+ the local server, acting as master, will respond with an
+ incremental
+ zone transfer when the given remote server, a slave, requests it.
+ If set to <span><strong class="command">yes</strong></span>, incremental transfer
+ will be provided
+ whenever possible. If set to <span><strong class="command">no</strong></span>,
+ all transfers
+ to the remote server will be non-incremental. If not set, the
+ value
+ of the <span><strong class="command">provide-ixfr</strong></span> option in the
+ view or
+ global options block is used as a default.
+ </p>
+<p>
+ The <span><strong class="command">request-ixfr</strong></span> clause determines
+ whether
+ the local server, acting as a slave, will request incremental zone
+ transfers from the given remote server, a master. If not set, the
+ value of the <span><strong class="command">request-ixfr</strong></span> option in
+ the view or
+ global options block is used as a default.
+ </p>
+<p>
+ IXFR requests to servers that do not support IXFR will
+ automatically
+ fall back to AXFR. Therefore, there is no need to manually list
+ which servers support IXFR and which ones do not; the global
+ default
+ of <span><strong class="command">yes</strong></span> should always work.
+ The purpose of the <span><strong class="command">provide-ixfr</strong></span> and
+ <span><strong class="command">request-ixfr</strong></span> clauses is
+ to make it possible to disable the use of IXFR even when both
+ master
+ and slave claim to support it, for example if one of the servers
+ is buggy and crashes or corrupts data when IXFR is used.
+ </p>
+<p>
+ The <span><strong class="command">edns</strong></span> clause determines whether
+ the local server will attempt to use EDNS when communicating
+ with the remote server. The default is <span><strong class="command">yes</strong></span>.
+ </p>
+<p>
+ The <span><strong class="command">edns-udp-size</strong></span> option sets the EDNS UDP size
+ that is advertised by named when querying the remote server.
+ Valid values are 512 to 4096 bytes (values outside this range will be
+ silently adjusted). This option is useful when you wish to
+ advertises a different value to this server than the value you
+ advertise globally, for example, when there is a firewall at the
+ remote site that is blocking large replies.
+ </p>
+<p>
+ The <span><strong class="command">max-udp-size</strong></span> option sets the
+ maximum EDNS UDP message size named will send. Valid
+ values are 512 to 4096 bytes (values outside this range will
+ be silently adjusted). This option is useful when you
+ know that there is a firewall that is blocking large
+ replies from named.
+ </p>
+<p>
+ The server supports two zone transfer methods. The first, <span><strong class="command">one-answer</strong></span>,
+ uses one DNS message per resource record transferred. <span><strong class="command">many-answers</strong></span> packs
+ as many resource records as possible into a message. <span><strong class="command">many-answers</strong></span> is
+ more efficient, but is only known to be understood by <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
+ 8.x, and patched versions of <acronym class="acronym">BIND</acronym>
+ 4.9.5. You can specify which method
+ to use for a server with the <span><strong class="command">transfer-format</strong></span> option.
+ If <span><strong class="command">transfer-format</strong></span> is not
+ specified, the <span><strong class="command">transfer-format</strong></span>
+ specified
+ by the <span><strong class="command">options</strong></span> statement will be
+ used.
+ </p>
+<p><span><strong class="command">transfers</strong></span>
+ is used to limit the number of concurrent inbound zone
+ transfers from the specified server. If no
+ <span><strong class="command">transfers</strong></span> clause is specified, the
+ limit is set according to the
+ <span><strong class="command">transfers-per-ns</strong></span> option.
+ </p>
+<p>
+ The <span><strong class="command">keys</strong></span> clause identifies a
+ <span><strong class="command">key_id</strong></span> defined by the <span><strong class="command">key</strong></span> statement,
+ to be used for transaction security (TSIG, <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
+ when talking to the remote server.
+ When a request is sent to the remote server, a request signature
+ will be generated using the key specified here and appended to the
+ message. A request originating from the remote server is not
+ required
+ to be signed by this key.
+ </p>
+<p>
+ Although the grammar of the <span><strong class="command">keys</strong></span>
+ clause
+ allows for multiple keys, only a single key per server is
+ currently
+ supported.
+ </p>
+<p>
+ The <span><strong class="command">transfer-source</strong></span> and
+ <span><strong class="command">transfer-source-v6</strong></span> clauses specify
+ the IPv4 and IPv6 source
+ address to be used for zone transfer with the remote server,
+ respectively.
+ For an IPv4 remote server, only <span><strong class="command">transfer-source</strong></span> can
+ be specified.
+ Similarly, for an IPv6 remote server, only
+ <span><strong class="command">transfer-source-v6</strong></span> can be
+ specified.
+ For more details, see the description of
+ <span><strong class="command">transfer-source</strong></span> and
+ <span><strong class="command">transfer-source-v6</strong></span> in
+ <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+ </p>
+<p>
+ The <span><strong class="command">notify-source</strong></span> and
+ <span><strong class="command">notify-source-v6</strong></span> clauses specify the
+ IPv4 and IPv6 source address to be used for notify
+ messages sent to remote servers, respectively. For an
+ IPv4 remote server, only <span><strong class="command">notify-source</strong></span>
+ can be specified. Similarly, for an IPv6 remote server,
+ only <span><strong class="command">notify-source-v6</strong></span> can be specified.
+ </p>
+<p>
+ The <span><strong class="command">query-source</strong></span> and
+ <span><strong class="command">query-source-v6</strong></span> clauses specify the
+ IPv4 and IPv6 source address to be used for queries
+ sent to remote servers, respectively. For an IPv4
+ remote server, only <span><strong class="command">query-source</strong></span> can
+ be specified. Similarly, for an IPv6 remote server,
+ only <span><strong class="command">query-source-v6</strong></span> can be specified.
+ </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2586290"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2585018"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">trusted-keys {
<em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
[<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
@@ -2671,41 +4542,41 @@ For more details, see the description of
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2586338"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
- and Usage</h3></div></div></div>
-<p>
- The <span><strong class="command">trusted-keys</strong></span> statement defines
- DNSSEC security roots. DNSSEC is described in <a href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called &#8220;DNSSEC&#8221;</a>. A security root is defined when the
- public key for a non-authoritative zone is known, but
- cannot be securely obtained through DNS, either because
- it is the DNS root zone or because its parent zone is
- unsigned. Once a key has been configured as a trusted
- key, it is treated as if it had been validated and
- proven secure. The resolver attempts DNSSEC validation
- on all DNS data in subdomains of a security root.
- </p>
-<p>
- All keys (and corresponding zones) listed in
- <span><strong class="command">trusted-keys</strong></span> are deemed to exist regardless
- of what parent zones say. Similarly for all keys listed in
- <span><strong class="command">trusted-keys</strong></span> only those keys are
- used to validate the DNSKEY RRset. The parent's DS RRset
- will not be used.
- </p>
-<p>
- The <span><strong class="command">trusted-keys</strong></span> statement can contain
- multiple key entries, each consisting of the key's
- domain name, flags, protocol, algorithm, and the Base-64
- representation of the key data.
- </p>
+<a name="id2585136"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
+ and Usage</h3></div></div></div>
+<p>
+ The <span><strong class="command">trusted-keys</strong></span> statement defines
+ DNSSEC security roots. DNSSEC is described in <a href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called &#8220;DNSSEC&#8221;</a>. A security root is defined when the
+ public key for a non-authoritative zone is known, but
+ cannot be securely obtained through DNS, either because
+ it is the DNS root zone or because its parent zone is
+ unsigned. Once a key has been configured as a trusted
+ key, it is treated as if it had been validated and
+ proven secure. The resolver attempts DNSSEC validation
+ on all DNS data in subdomains of a security root.
+ </p>
+<p>
+ All keys (and corresponding zones) listed in
+ <span><strong class="command">trusted-keys</strong></span> are deemed to exist regardless
+ of what parent zones say. Similarly for all keys listed in
+ <span><strong class="command">trusted-keys</strong></span> only those keys are
+ used to validate the DNSKEY RRset. The parent's DS RRset
+ will not be used.
+ </p>
+<p>
+ The <span><strong class="command">trusted-keys</strong></span> statement can contain
+ multiple key entries, each consisting of the key's
+ domain name, flags, protocol, algorithm, and the Base-64
+ representation of the key data.
+ </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="view_statement_grammar"></a><span><strong class="command">view</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting">view <em class="replaceable"><code>view_name</code></em>
+<pre class="programlisting">view <em class="replaceable"><code>view_name</code></em>
[<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
- match-clients { <em class="replaceable"><code>address_match_list</code></em> } ;
- match-destinations { <em class="replaceable"><code>address_match_list</code></em> } ;
+ match-clients { <em class="replaceable"><code>address_match_list</code></em> };
+ match-destinations { <em class="replaceable"><code>address_match_list</code></em> };
match-recursive-only <em class="replaceable"><code>yes_or_no</code></em> ;
[<span class="optional"> <em class="replaceable"><code>view_option</code></em>; ...</span>]
[<span class="optional"> <em class="replaceable"><code>zone_statement</code></em>; ...</span>]
@@ -2714,53 +4585,91 @@ For more details, see the description of
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2586420"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">view</strong></span> statement is a powerful new feature
-of <acronym class="acronym">BIND</acronym> 9 that lets a name server answer a DNS query differently
-depending on who is asking. It is particularly useful for implementing
-split DNS setups without having to run multiple servers.</p>
-<p>Each <span><strong class="command">view</strong></span> statement defines a view of the
-DNS namespace that will be seen by a subset of clients. A client matches
-a view if its source IP address matches the
-<code class="varname">address_match_list</code> of the view's
-<span><strong class="command">match-clients</strong></span> clause and its destination IP address matches
-the <code class="varname">address_match_list</code> of the view's
-<span><strong class="command">match-destinations</strong></span> clause. If not specified, both
-<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
-default to matching all addresses. In addition to checking IP addresses
-<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
-can also take <span><strong class="command">keys</strong></span> which provide an mechanism for the
-client to select the view. A view can also be specified
-as <span><strong class="command">match-recursive-only</strong></span>, which means that only recursive
-requests from matching clients will match that view.
-The order of the <span><strong class="command">view</strong></span> statements is significant &#8212;
-a client request will be resolved in the context of the first
-<span><strong class="command">view</strong></span> that it matches.</p>
-<p>Zones defined within a <span><strong class="command">view</strong></span> statement will
-be only be accessible to clients that match the <span><strong class="command">view</strong></span>.
- By defining a zone of the same name in multiple views, different
-zone data can be given to different clients, for example, "internal"
-and "external" clients in a split DNS setup.</p>
-<p>Many of the options given in the <span><strong class="command">options</strong></span> statement
-can also be used within a <span><strong class="command">view</strong></span> statement, and then
-apply only when resolving queries with that view. When no view-specific
-value is given, the value in the <span><strong class="command">options</strong></span> statement
-is used as a default. Also, zone options can have default values specified
-in the <span><strong class="command">view</strong></span> statement; these view-specific defaults
-take precedence over those in the <span><strong class="command">options</strong></span> statement.</p>
-<p>Views are class specific. If no class is given, class IN
-is assumed. Note that all non-IN views must contain a hint zone,
-since only the IN class has compiled-in default hints.</p>
-<p>If there are no <span><strong class="command">view</strong></span> statements in the config
-file, a default view that matches any client is automatically created
-in class IN. Any <span><strong class="command">zone</strong></span> statements specified on
-the top level of the configuration file are considered to be part of
-this default view, and the <span><strong class="command">options</strong></span> statement will
-apply to the default view. If any explicit <span><strong class="command">view</strong></span>
-statements are present, all <span><strong class="command">zone</strong></span> statements must
-occur inside <span><strong class="command">view</strong></span> statements.</p>
-<p>Here is an example of a typical split DNS setup implemented
-using <span><strong class="command">view</strong></span> statements:</p>
+<a name="id2585216"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
+<p>
+ The <span><strong class="command">view</strong></span> statement is a powerful
+ feature
+ of <acronym class="acronym">BIND</acronym> 9 that lets a name server
+ answer a DNS query differently
+ depending on who is asking. It is particularly useful for
+ implementing
+ split DNS setups without having to run multiple servers.
+ </p>
+<p>
+ Each <span><strong class="command">view</strong></span> statement defines a view
+ of the
+ DNS namespace that will be seen by a subset of clients. A client
+ matches
+ a view if its source IP address matches the
+ <code class="varname">address_match_list</code> of the view's
+ <span><strong class="command">match-clients</strong></span> clause and its
+ destination IP address matches
+ the <code class="varname">address_match_list</code> of the
+ view's
+ <span><strong class="command">match-destinations</strong></span> clause. If not
+ specified, both
+ <span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
+ default to matching all addresses. In addition to checking IP
+ addresses
+ <span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
+ can also take <span><strong class="command">keys</strong></span> which provide an
+ mechanism for the
+ client to select the view. A view can also be specified
+ as <span><strong class="command">match-recursive-only</strong></span>, which
+ means that only recursive
+ requests from matching clients will match that view.
+ The order of the <span><strong class="command">view</strong></span> statements is
+ significant &#8212;
+ a client request will be resolved in the context of the first
+ <span><strong class="command">view</strong></span> that it matches.
+ </p>
+<p>
+ Zones defined within a <span><strong class="command">view</strong></span>
+ statement will
+ be only be accessible to clients that match the <span><strong class="command">view</strong></span>.
+ By defining a zone of the same name in multiple views, different
+ zone data can be given to different clients, for example,
+ "internal"
+ and "external" clients in a split DNS setup.
+ </p>
+<p>
+ Many of the options given in the <span><strong class="command">options</strong></span> statement
+ can also be used within a <span><strong class="command">view</strong></span>
+ statement, and then
+ apply only when resolving queries with that view. When no
+ view-specific
+ value is given, the value in the <span><strong class="command">options</strong></span> statement
+ is used as a default. Also, zone options can have default values
+ specified
+ in the <span><strong class="command">view</strong></span> statement; these
+ view-specific defaults
+ take precedence over those in the <span><strong class="command">options</strong></span> statement.
+ </p>
+<p>
+ Views are class specific. If no class is given, class IN
+ is assumed. Note that all non-IN views must contain a hint zone,
+ since only the IN class has compiled-in default hints.
+ </p>
+<p>
+ If there are no <span><strong class="command">view</strong></span> statements in
+ the config
+ file, a default view that matches any client is automatically
+ created
+ in class IN. Any <span><strong class="command">zone</strong></span> statements
+ specified on
+ the top level of the configuration file are considered to be part
+ of
+ this default view, and the <span><strong class="command">options</strong></span>
+ statement will
+ apply to the default view. If any explicit <span><strong class="command">view</strong></span>
+ statements are present, all <span><strong class="command">zone</strong></span>
+ statements must
+ occur inside <span><strong class="command">view</strong></span> statements.
+ </p>
+<p>
+ Here is an example of a typical split DNS setup implemented
+ using <span><strong class="command">view</strong></span> statements:
+ </p>
<pre class="programlisting">view "internal" {
// This should match our internal networks.
match-clients { 10.0.0.0/8; };
@@ -2795,17 +4704,22 @@ view "external" {
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="zone_statement_grammar"></a><span><strong class="command">zone</strong></span>
-Statement Grammar</h3></div></div></div>
-<pre class="programlisting">zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
+ Statement Grammar</h3></div></div></div>
+<pre class="programlisting">zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
type master;
- [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
- [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
- [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
- [<span class="optional"> update-policy { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] } ; </span>]
+ [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+ [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+ [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+ [<span class="optional"> update-policy { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] }; </span>]
[<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
+ [<span class="optional"> check-mx (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
+ [<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
+ [<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
[<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
+ [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
+ [<span class="optional"> journal <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>]
@@ -2814,7 +4728,7 @@ Statement Grammar</h3></div></div></div>
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> ; </span>]
+ [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
@@ -2826,30 +4740,34 @@ Statement Grammar</h3></div></div></div>
[<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
+ [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
};
-zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
+zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
type slave;
- [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
- [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
- [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
- [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
+ [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+ [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+ [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+ [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+ [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
[<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
+ [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
+ [<span class="optional"> journal <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> ixfr-tmp-file <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] } ; </span>]
+ [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> ; </span>]
+ [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
@@ -2865,25 +4783,27 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
[<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
+ [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
};
-zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
+zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
type hint;
- [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
+ file <em class="replaceable"><code>string</code></em> ;
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; // Not Implemented. </span>]
};
-zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
+zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
type stub;
- [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
+ [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
+ [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
- [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] } ; </span>]
+ [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
@@ -2893,7 +4813,6 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
[<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
@@ -2902,24 +4821,25 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
[<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
};
-zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
+zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
type forward;
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
};
-zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
+zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
type delegation-only;
};
+
</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2587635"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2586586"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2587641"></a>Zone Types</h4></div></div></div>
+<a name="id2586594"></a>Zone Types</h4></div></div></div>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -2927,324 +4847,587 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</colgroup>
<tbody>
<tr>
-<td><p><code class="varname">master</code></p></td>
-<td><p>The server has a master copy of the data
-for the zone and will be able to provide authoritative answers for
-it.</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">slave</code></p></td>
-<td><p>A slave zone is a replica of a master
-zone. The <span><strong class="command">masters</strong></span> list specifies one or more IP addresses
-of master servers that the slave contacts to update its copy of the zone.
-Masters list elements can also be names of other masters lists.
-By default, transfers are made from port 53 on the servers; this can
-be changed for all servers by specifying a port number before the
-list of IP addresses, or on a per-server basis after the IP address.
-Authentication to the master can also be done with per-server TSIG keys.
-If a file is specified, then the
-replica will be written to this file whenever the zone is changed,
-and reloaded from this file on a server restart. Use of a file is
-recommended, since it often speeds server startup and eliminates
-a needless waste of bandwidth. Note that for large numbers (in the
-tens or hundreds of thousands) of zones per server, it is best to
-use a two-level naming scheme for zone file names. For example,
-a slave server for the zone <code class="literal">example.com</code> might place
-the zone contents into a file called
-<code class="filename">ex/example.com</code> where <code class="filename">ex/</code> is
-just the first two letters of the zone name. (Most operating systems
-behave very slowly if you put 100 000 files into
-a single directory.)</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">stub</code></p></td>
-<td>
-<p>A stub zone is similar to a slave zone,
-except that it replicates only the NS records of a master zone instead
-of the entire zone. Stub zones are not a standard part of the DNS;
-they are a feature specific to the <acronym class="acronym">BIND</acronym> implementation.
-</p>
+<td>
+ <p>
+ <code class="varname">master</code>
+ </p>
+ </td>
+<td>
+ <p>
+ The server has a master copy of the data
+ for the zone and will be able to provide authoritative
+ answers for
+ it.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p>
+ <code class="varname">slave</code>
+ </p>
+ </td>
+<td>
+ <p>
+ A slave zone is a replica of a master
+ zone. The <span><strong class="command">masters</strong></span> list
+ specifies one or more IP addresses
+ of master servers that the slave contacts to update
+ its copy of the zone.
+ Masters list elements can also be names of other
+ masters lists.
+ By default, transfers are made from port 53 on the
+ servers; this can
+ be changed for all servers by specifying a port number
+ before the
+ list of IP addresses, or on a per-server basis after
+ the IP address.
+ Authentication to the master can also be done with
+ per-server TSIG keys.
+ If a file is specified, then the
+ replica will be written to this file whenever the zone
+ is changed,
+ and reloaded from this file on a server restart. Use
+ of a file is
+ recommended, since it often speeds server startup and
+ eliminates
+ a needless waste of bandwidth. Note that for large
+ numbers (in the
+ tens or hundreds of thousands) of zones per server, it
+ is best to
+ use a two-level naming scheme for zone file names. For
+ example,
+ a slave server for the zone <code class="literal">example.com</code> might place
+ the zone contents into a file called
+ <code class="filename">ex/example.com</code> where <code class="filename">ex/</code> is
+ just the first two letters of the zone name. (Most
+ operating systems
+ behave very slowly if you put 100 000 files into
+ a single directory.)
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p>
+ <code class="varname">stub</code>
+ </p>
+ </td>
+<td>
+ <p>
+ A stub zone is similar to a slave zone,
+ except that it replicates only the NS records of a
+ master zone instead
+ of the entire zone. Stub zones are not a standard part
+ of the DNS;
+ they are a feature specific to the <acronym class="acronym">BIND</acronym> implementation.
+ </p>
-<p>Stub zones can be used to eliminate the need for glue NS record
-in a parent zone at the expense of maintaining a stub zone entry and
-a set of name server addresses in <code class="filename">named.conf</code>.
-This usage is not recommended for new configurations, and BIND 9
-supports it only in a limited way.
-In <acronym class="acronym">BIND</acronym> 4/8, zone transfers of a parent zone
-included the NS records from stub children of that zone. This meant
-that, in some cases, users could get away with configuring child stubs
-only in the master server for the parent zone. <acronym class="acronym">BIND</acronym>
-9 never mixes together zone data from different zones in this
-way. Therefore, if a <acronym class="acronym">BIND</acronym> 9 master serving a parent
-zone has child stub zones configured, all the slave servers for the
-parent zone also need to have the same child stub zones
-configured.</p>
+ <p>
+ Stub zones can be used to eliminate the need for glue
+ NS record
+ in a parent zone at the expense of maintaining a stub
+ zone entry and
+ a set of name server addresses in <code class="filename">named.conf</code>.
+ This usage is not recommended for new configurations,
+ and BIND 9
+ supports it only in a limited way.
+ In <acronym class="acronym">BIND</acronym> 4/8, zone
+ transfers of a parent zone
+ included the NS records from stub children of that
+ zone. This meant
+ that, in some cases, users could get away with
+ configuring child stubs
+ only in the master server for the parent zone. <acronym class="acronym">BIND</acronym>
+ 9 never mixes together zone data from different zones
+ in this
+ way. Therefore, if a <acronym class="acronym">BIND</acronym> 9 master serving a parent
+ zone has child stub zones configured, all the slave
+ servers for the
+ parent zone also need to have the same child stub
+ zones
+ configured.
+ </p>
-<p>Stub zones can also be used as a way of forcing the resolution
-of a given domain to use a particular set of authoritative servers.
-For example, the caching name servers on a private network using
-RFC1918 addressing may be configured with stub zones for
-<code class="literal">10.in-addr.arpa</code>
-to use a set of internal name servers as the authoritative
-servers for that domain.</p>
-</td>
+ <p>
+ Stub zones can also be used as a way of forcing the
+ resolution
+ of a given domain to use a particular set of
+ authoritative servers.
+ For example, the caching name servers on a private
+ network using
+ RFC1918 addressing may be configured with stub zones
+ for
+ <code class="literal">10.in-addr.arpa</code>
+ to use a set of internal name servers as the
+ authoritative
+ servers for that domain.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">forward</code></p></td>
-<td>
-<p>A "forward zone" is a way to configure
-forwarding on a per-domain basis. A <span><strong class="command">zone</strong></span> statement
-of type <span><strong class="command">forward</strong></span> can contain a <span><strong class="command">forward</strong></span> and/or <span><strong class="command">forwarders</strong></span> statement,
-which will apply to queries within the domain given by the zone
-name. If no <span><strong class="command">forwarders</strong></span> statement is present or
-an empty list for <span><strong class="command">forwarders</strong></span> is given, then no
-forwarding will be done for the domain, canceling the effects of
-any forwarders in the <span><strong class="command">options</strong></span> statement. Thus
-if you want to use this type of zone to change the behavior of the
-global <span><strong class="command">forward</strong></span> option (that is, "forward first"
-to, then "forward only", or vice versa, but want to use the same
-servers as set globally) you need to re-specify the global forwarders.</p>
-</td>
+<td>
+ <p>
+ <code class="varname">forward</code>
+ </p>
+ </td>
+<td>
+ <p>
+ A "forward zone" is a way to configure
+ forwarding on a per-domain basis. A <span><strong class="command">zone</strong></span> statement
+ of type <span><strong class="command">forward</strong></span> can
+ contain a <span><strong class="command">forward</strong></span>
+ and/or <span><strong class="command">forwarders</strong></span>
+ statement,
+ which will apply to queries within the domain given by
+ the zone
+ name. If no <span><strong class="command">forwarders</strong></span>
+ statement is present or
+ an empty list for <span><strong class="command">forwarders</strong></span> is given, then no
+ forwarding will be done for the domain, canceling the
+ effects of
+ any forwarders in the <span><strong class="command">options</strong></span> statement. Thus
+ if you want to use this type of zone to change the
+ behavior of the
+ global <span><strong class="command">forward</strong></span> option
+ (that is, "forward first"
+ to, then "forward only", or vice versa, but want to
+ use the same
+ servers as set globally) you need to re-specify the
+ global forwarders.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">hint</code></p></td>
-<td><p>The initial set of root name servers is
-specified using a "hint zone". When the server starts up, it uses
-the root hints to find a root name server and get the most recent
-list of root name servers. If no hint zone is specified for class
-IN, the server uses a compiled-in default set of root servers hints.
-Classes other than IN have no built-in defaults hints.</p></td>
+<td>
+ <p>
+ <code class="varname">hint</code>
+ </p>
+ </td>
+<td>
+ <p>
+ The initial set of root name servers is
+ specified using a "hint zone". When the server starts
+ up, it uses
+ the root hints to find a root name server and get the
+ most recent
+ list of root name servers. If no hint zone is
+ specified for class
+ IN, the server uses a compiled-in default set of root
+ servers hints.
+ Classes other than IN have no built-in defaults hints.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">delegation-only</code></p></td>
<td>
-<p>This is used to enforce the delegation-only
-status of infrastructure zones (e.g. COM, NET, ORG). Any answer that
-is received without an explicit or implicit delegation in the authority
-section will be treated as NXDOMAIN. This does not apply to the zone
-apex. This should not be applied to leaf zones.</p>
-<p><code class="varname">delegation-only</code> has no effect on answers received
-from forwarders.</p>
-</td>
+ <p>
+ <code class="varname">delegation-only</code>
+ </p>
+ </td>
+<td>
+ <p>
+ This is used to enforce the delegation-only
+ status of infrastructure zones (e.g. COM, NET, ORG).
+ Any answer that
+ is received without an explicit or implicit delegation
+ in the authority
+ section will be treated as NXDOMAIN. This does not
+ apply to the zone
+ apex. This should not be applied to leaf zones.
+ </p>
+ <p>
+ <code class="varname">delegation-only</code> has no
+ effect on answers received
+ from forwarders.
+ </p>
+ </td>
</tr>
</tbody>
</table></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2588084"></a>Class</h4></div></div></div>
-<p>The zone's name may optionally be followed by a class. If
-a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
-is assumed. This is correct for the vast majority of cases.</p>
-<p>The <code class="literal">hesiod</code> class is
-named for an information service from MIT's Project Athena. It is
-used to share information about various systems databases, such
-as users, groups, printers and so on. The keyword
-<code class="literal">HS</code> is
-a synonym for hesiod.</p>
-<p>Another MIT development is CHAOSnet, a LAN protocol created
-in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class.</p>
+<a name="id2587013"></a>Class</h4></div></div></div>
+<p>
+ The zone's name may optionally be followed by a class. If
+ a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
+ is assumed. This is correct for the vast majority of cases.
+ </p>
+<p>
+ The <code class="literal">hesiod</code> class is
+ named for an information service from MIT's Project Athena. It
+ is
+ used to share information about various systems databases, such
+ as users, groups, printers and so on. The keyword
+ <code class="literal">HS</code> is
+ a synonym for hesiod.
+ </p>
+<p>
+ Another MIT development is CHAOSnet, a LAN protocol created
+ in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class.
+ </p>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2588115"></a>Zone Options</h4></div></div></div>
+<a name="id2587046"></a>Zone Options</h4></div></div></div>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">allow-notify</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.</p></dd>
+<dd><p>
+ See the description of
+ <span><strong class="command">allow-notify</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">allow-query</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.</p></dd>
+<dd><p>
+ See the description of
+ <span><strong class="command">allow-query</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt>
-<dd><p>See the description of <span><strong class="command">allow-transfer</strong></span>
-in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.</p></dd>
+<dd><p>
+ See the description of <span><strong class="command">allow-transfer</strong></span>
+ in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt>
-<dd><p>Specifies which hosts are allowed to
-submit Dynamic DNS updates for master zones. The default is to deny
-updates from all hosts. Note that allowing updates based
-on the requestor's IP address is insecure; see
-<a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called &#8220;Dynamic Update Security&#8221;</a> for details.
-</p></dd>
+<dd><p>
+ See the description of <span><strong class="command">allow-update</strong></span>
+ in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">update-policy</strong></span></span></dt>
-<dd><p>Specifies a "Simple Secure Update" policy. See
-<a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>.</p></dd>
+<dd><p>
+ Specifies a "Simple Secure Update" policy. See
+ <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
-<dd><p>See the description of <span><strong class="command">allow-update-forwarding</strong></span>
-in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.</p></dd>
+<dd><p>
+ See the description of <span><strong class="command">allow-update-forwarding</strong></span>
+ in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt>
-<dd><p>Only meaningful if <span><strong class="command">notify</strong></span> is
-active for this zone. The set of machines that will receive a
-<code class="literal">DNS NOTIFY</code> message
-for this zone is made up of all the listed name servers (other than
-the primary master) for the zone plus any IP addresses specified
-with <span><strong class="command">also-notify</strong></span>. A port may be specified
-with each <span><strong class="command">also-notify</strong></span> address to send the notify
-messages to a port other than the default of 53.
-<span><strong class="command">also-notify</strong></span> is not meaningful for stub zones.
-The default is the empty list.</p></dd>
+<dd><p>
+ Only meaningful if <span><strong class="command">notify</strong></span>
+ is
+ active for this zone. The set of machines that will
+ receive a
+ <code class="literal">DNS NOTIFY</code> message
+ for this zone is made up of all the listed name servers
+ (other than
+ the primary master) for the zone plus any IP addresses
+ specified
+ with <span><strong class="command">also-notify</strong></span>. A port
+ may be specified
+ with each <span><strong class="command">also-notify</strong></span>
+ address to send the notify
+ messages to a port other than the default of 53.
+ <span><strong class="command">also-notify</strong></span> is not
+ meaningful for stub zones.
+ The default is the empty list.
+ </p></dd>
<dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt>
<dd><p>
-This option is used to restrict the character set and syntax of
-certain domain names in master files and/or DNS responses received from the
-network. The default varies according to zone type. For <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>. For <span><strong class="command">slave</strong></span>
-zones the default is <span><strong class="command">warn</strong></span>.
-</p></dd>
+ This option is used to restrict the character set and
+ syntax of
+ certain domain names in master files and/or DNS responses
+ received from the
+ network. The default varies according to zone type. For <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>. For <span><strong class="command">slave</strong></span>
+ zones the default is <span><strong class="command">warn</strong></span>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">check-mx</strong></span></span></dt>
+<dd><p>
+ See the description of
+ <span><strong class="command">check-mx</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">check-wildcard</strong></span></span></dt>
+<dd><p>
+ See the description of
+ <span><strong class="command">check-wildcard</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">check-integrity</strong></span></span></dt>
+<dd><p>
+ See the description of
+ <span><strong class="command">check-integrity</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">check-sibling</strong></span></span></dt>
+<dd><p>
+ See the description of
+ <span><strong class="command">check-sibling</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">zero-no-soa-ttl</strong></span></span></dt>
+<dd><p>
+ See the description of
+ <span><strong class="command">zero-no-soa-ttl</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">update-check-ksk</strong></span></span></dt>
+<dd><p>
+ See the description of
+ <span><strong class="command">update-check-ksk</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">database</strong></span></span></dt>
<dd>
-<p>Specify the type of database to be used for storing the
-zone data. The string following the <span><strong class="command">database</strong></span> keyword
-is interpreted as a list of whitespace-delimited words. The first word
-identifies the database type, and any subsequent words are passed
-as arguments to the database to be interpreted in a way specific
-to the database type.</p>
-<p>The default is <strong class="userinput"><code>"rbt"</code></strong>, BIND 9's native in-memory
-red-black-tree database. This database does not take arguments.</p>
-<p>Other values are possible if additional database drivers
-have been linked into the server. Some sample drivers are included
-with the distribution but none are linked in by default.</p>
+<p>
+ Specify the type of database to be used for storing the
+ zone data. The string following the <span><strong class="command">database</strong></span> keyword
+ is interpreted as a list of whitespace-delimited words.
+ The first word
+ identifies the database type, and any subsequent words are
+ passed
+ as arguments to the database to be interpreted in a way
+ specific
+ to the database type.
+ </p>
+<p>
+ The default is <strong class="userinput"><code>"rbt"</code></strong>, BIND 9's
+ native in-memory
+ red-black-tree database. This database does not take
+ arguments.
+ </p>
+<p>
+ Other values are possible if additional database drivers
+ have been linked into the server. Some sample drivers are
+ included
+ with the distribution but none are linked in by default.
+ </p>
</dd>
<dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">dialup</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.</p></dd>
+<dd><p>
+ See the description of
+ <span><strong class="command">dialup</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">delegation-only</strong></span></span></dt>
-<dd><p>The flag only applies to hint and stub zones. If set
-to <strong class="userinput"><code>yes</code></strong>, then the zone will also be treated as if it
-is also a delegation-only type zone.
-</p></dd>
+<dd><p>
+ The flag only applies to hint and stub zones. If set
+ to <strong class="userinput"><code>yes</code></strong>, then the zone will also be
+ treated as if it
+ is also a delegation-only type zone.
+ </p></dd>
<dt><span class="term"><span><strong class="command">forward</strong></span></span></dt>
-<dd><p>Only meaningful if the zone has a forwarders
-list. The <span><strong class="command">only</strong></span> value causes the lookup to fail
-after trying the forwarders and getting no answer, while <span><strong class="command">first</strong></span> would
-allow a normal lookup to be tried.</p></dd>
+<dd><p>
+ Only meaningful if the zone has a forwarders
+ list. The <span><strong class="command">only</strong></span> value causes
+ the lookup to fail
+ after trying the forwarders and getting no answer, while <span><strong class="command">first</strong></span> would
+ allow a normal lookup to be tried.
+ </p></dd>
<dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt>
-<dd><p>Used to override the list of global forwarders.
-If it is not specified in a zone of type <span><strong class="command">forward</strong></span>,
-no forwarding is done for the zone and the global options are not used.</p></dd>
+<dd><p>
+ Used to override the list of global forwarders.
+ If it is not specified in a zone of type <span><strong class="command">forward</strong></span>,
+ no forwarding is done for the zone and the global options are
+ not used.
+ </p></dd>
<dt><span class="term"><span><strong class="command">ixfr-base</strong></span></span></dt>
-<dd><p>Was used in <acronym class="acronym">BIND</acronym> 8 to specify the name
-of the transaction log (journal) file for dynamic update and IXFR.
-<acronym class="acronym">BIND</acronym> 9 ignores the option and constructs the name of the journal
-file by appending "<code class="filename">.jnl</code>" to the name of the
-zone file.</p></dd>
+<dd><p>
+ Was used in <acronym class="acronym">BIND</acronym> 8 to
+ specify the name
+ of the transaction log (journal) file for dynamic update
+ and IXFR.
+ <acronym class="acronym">BIND</acronym> 9 ignores the option
+ and constructs the name of the journal
+ file by appending "<code class="filename">.jnl</code>"
+ to the name of the
+ zone file.
+ </p></dd>
<dt><span class="term"><span><strong class="command">ixfr-tmp-file</strong></span></span></dt>
-<dd><p>Was an undocumented option in <acronym class="acronym">BIND</acronym> 8.
-Ignored in <acronym class="acronym">BIND</acronym> 9.</p></dd>
+<dd><p>
+ Was an undocumented option in <acronym class="acronym">BIND</acronym> 8.
+ Ignored in <acronym class="acronym">BIND</acronym> 9.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">journal</strong></span></span></dt>
+<dd><p>
+ Allow the default journal's file name to be overridden.
+ The default is the zone's file with "<code class="filename">.jnl</code>" appended.
+ This is applicable to <span><strong class="command">master</strong></span> and <span><strong class="command">slave</strong></span> zones.
+ </p></dd>
<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">max-transfer-time-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.</p></dd>
+<dd><p>
+ See the description of
+ <span><strong class="command">max-transfer-time-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">max-transfer-idle-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.</p></dd>
+<dd><p>
+ See the description of
+ <span><strong class="command">max-transfer-idle-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">max-transfer-time-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.</p></dd>
+<dd><p>
+ See the description of
+ <span><strong class="command">max-transfer-time-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">max-transfer-idle-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.</p></dd>
+<dd><p>
+ See the description of
+ <span><strong class="command">max-transfer-idle-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">notify</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">notify</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.</p></dd>
+<dd><p>
+ See the description of
+ <span><strong class="command">notify</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">pubkey</strong></span></span></dt>
-<dd><p>In <acronym class="acronym">BIND</acronym> 8, this option was intended for specifying
-a public zone key for verification of signatures in DNSSEC signed
-zones when they are loaded from disk. <acronym class="acronym">BIND</acronym> 9 does not verify signatures
-on load and ignores the option.</p></dd>
+<dd><p>
+ In <acronym class="acronym">BIND</acronym> 8, this option was
+ intended for specifying
+ a public zone key for verification of signatures in DNSSEC
+ signed
+ zones when they are loaded from disk. <acronym class="acronym">BIND</acronym> 9 does not verify signatures
+ on load and ignores the option.
+ </p></dd>
<dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt>
-<dd><p>If <strong class="userinput"><code>yes</code></strong>, the server will keep statistical
-information for this zone, which can be dumped to the
-<span><strong class="command">statistics-file</strong></span> defined in the server options.</p></dd>
+<dd><p>
+ If <strong class="userinput"><code>yes</code></strong>, the server will keep
+ statistical
+ information for this zone, which can be dumped to the
+ <span><strong class="command">statistics-file</strong></span> defined in
+ the server options.
+ </p></dd>
<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">sig-validity-interval</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.</p></dd>
+<dd><p>
+ See the description of
+ <span><strong class="command">sig-validity-interval</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-</p></dd>
+<dd><p>
+ See the description of
+ <span><strong class="command">transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-</p></dd>
+<dd><p>
+ See the description of
+ <span><strong class="command">transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-</p></dd>
+<dd><p>
+ See the description of
+ <span><strong class="command">alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">alt-transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-</p></dd>
+<dd><p>
+ See the description of
+ <span><strong class="command">alt-transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">use-alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-</p></dd>
+<dd><p>
+ See the description of
+ <span><strong class="command">use-alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">notify-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>
-</p></dd>
+<dd><p>
+ See the description of
+ <span><strong class="command">notify-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">notify-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-</p></dd>
+<dd><p>
+ See the description of
+ <span><strong class="command">notify-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+ </p></dd>
<dt>
<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
</dt>
<dd><p>
-See the description in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
-</p></dd>
+ See the description in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">ixfr-from-differences</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.</p></dd>
+<dd><p>
+ See the description of
+ <span><strong class="command">ixfr-from-differences</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">key-directory</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called &#8220;<span><strong class="command">options</strong></span> Statement Definition and Usage&#8221;</a>.</p></dd>
+<dd><p>
+ See the description of
+ <span><strong class="command">key-directory</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
+ Usage">the section called &#8220;<span><strong class="command">options</strong></span> Statement Definition and
+ Usage&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">multi-master</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.</p></dd>
+<dd><p>
+ See the description of <span><strong class="command">multi-master</strong></span> in
+ <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">masterfile-format</strong></span></span></dt>
+<dd><p>
+ See the description of <span><strong class="command">masterfile-format</strong></span>
+ in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
+ </p></dd>
</dl></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="dynamic_update_policies"></a>Dynamic Update Policies</h4></div></div></div>
-<p><acronym class="acronym">BIND</acronym> 9 supports two alternative methods of granting clients
-the right to perform dynamic updates to a zone,
-configured by the <span><strong class="command">allow-update</strong></span> and
-<span><strong class="command">update-policy</strong></span> option, respectively.</p>
-<p>The <span><strong class="command">allow-update</strong></span> clause works the same
-way as in previous versions of <acronym class="acronym">BIND</acronym>. It grants given clients the
-permission to update any record of any name in the zone.</p>
-<p>The <span><strong class="command">update-policy</strong></span> clause is new in <acronym class="acronym">BIND</acronym>
-9 and allows more fine-grained control over what updates are allowed.
-A set of rules is specified, where each rule either grants or denies
-permissions for one or more names to be updated by one or more identities.
- If the dynamic update request message is signed (that is, it includes
-either a TSIG or SIG(0) record), the identity of the signer can
-be determined.</p>
-<p>Rules are specified in the <span><strong class="command">update-policy</strong></span> zone
-option, and are only meaningful for master zones. When the <span><strong class="command">update-policy</strong></span> statement
-is present, it is a configuration error for the <span><strong class="command">allow-update</strong></span> statement
-to be present. The <span><strong class="command">update-policy</strong></span> statement only
-examines the signer of a message; the source address is not relevant.</p>
-<p>This is how a rule definition looks:</p>
+<p>
+ <acronym class="acronym">BIND</acronym> 9 supports two alternative
+ methods of granting clients
+ the right to perform dynamic updates to a zone,
+ configured by the <span><strong class="command">allow-update</strong></span>
+ and
+ <span><strong class="command">update-policy</strong></span> option,
+ respectively.
+ </p>
+<p>
+ The <span><strong class="command">allow-update</strong></span> clause works the
+ same
+ way as in previous versions of <acronym class="acronym">BIND</acronym>. It grants given clients the
+ permission to update any record of any name in the zone.
+ </p>
+<p>
+ The <span><strong class="command">update-policy</strong></span> clause is new
+ in <acronym class="acronym">BIND</acronym>
+ 9 and allows more fine-grained control over what updates are
+ allowed.
+ A set of rules is specified, where each rule either grants or
+ denies
+ permissions for one or more names to be updated by one or more
+ identities.
+ If the dynamic update request message is signed (that is, it
+ includes
+ either a TSIG or SIG(0) record), the identity of the signer can
+ be determined.
+ </p>
+<p>
+ Rules are specified in the <span><strong class="command">update-policy</strong></span> zone
+ option, and are only meaningful for master zones. When the <span><strong class="command">update-policy</strong></span> statement
+ is present, it is a configuration error for the <span><strong class="command">allow-update</strong></span> statement
+ to be present. The <span><strong class="command">update-policy</strong></span>
+ statement only
+ examines the signer of a message; the source address is not
+ relevant.
+ </p>
+<p>
+ This is how a rule definition looks:
+ </p>
<pre class="programlisting">
( <span><strong class="command">grant</strong></span> | <span><strong class="command">deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> <em class="replaceable"><code>name</code></em> [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>]
</pre>
-<p>Each rule grants or denies privileges. Once a message has
-successfully matched a rule, the operation is immediately granted
-or denied and no further rules are examined. A rule is matched
-when the signer matches the identity field, the name matches the
-name field in accordance with the nametype field, and the type matches
-the types specified in the type field.</p>
-<p>The identity field specifies a name or a wildcard name. Normally, this
-is the name of the TSIG or SIG(0) key used to sign the update request. When a
-TKEY exchange has been used to create a shared secret, the identity of the
-shared secret is the same as the identity of the key used to authenticate the
-TKEY exchange. When the <em class="replaceable"><code>identity</code></em> field specifies a
-wildcard name, it is subject to DNS wildcard expansion, so the rule will apply
-to multiple identities. The <em class="replaceable"><code>identity</code></em> field must
-contain a fully qualified domain name.</p>
-<p>The <em class="replaceable"><code>nametype</code></em> field has 4 values:
-<code class="varname">name</code>, <code class="varname">subdomain</code>,
-<code class="varname">wildcard</code>, and <code class="varname">self</code>.
-</p>
+<p>
+ Each rule grants or denies privileges. Once a message has
+ successfully matched a rule, the operation is immediately
+ granted
+ or denied and no further rules are examined. A rule is matched
+ when the signer matches the identity field, the name matches the
+ name field in accordance with the nametype field, and the type
+ matches
+ the types specified in the type field.
+ </p>
+<p>
+ The identity field specifies a name or a wildcard name.
+ Normally, this
+ is the name of the TSIG or SIG(0) key used to sign the update
+ request. When a
+ TKEY exchange has been used to create a shared secret, the
+ identity of the
+ shared secret is the same as the identity of the key used to
+ authenticate the
+ TKEY exchange. When the <em class="replaceable"><code>identity</code></em> field specifies a
+ wildcard name, it is subject to DNS wildcard expansion, so the
+ rule will apply
+ to multiple identities. The <em class="replaceable"><code>identity</code></em> field must
+ contain a fully qualified domain name.
+ </p>
+<p>
+ The <em class="replaceable"><code>nametype</code></em> field has 6
+ values:
+ <code class="varname">name</code>, <code class="varname">subdomain</code>,
+ <code class="varname">wildcard</code>, <code class="varname">self</code>,
+ <code class="varname">selfsub</code>, and <code class="varname">selfwild</code>.
+ </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -3252,69 +5435,151 @@ contain a fully qualified domain name.</p>
</colgroup>
<tbody>
<tr>
-<td><p><code class="varname">name</code></p></td>
-<td><p>Exact-match semantics. This rule matches when the
-name being updated is identical to the contents of the
-<em class="replaceable"><code>name</code></em> field.</p></td>
+<td>
+ <p>
+ <code class="varname">name</code>
+ </p>
+ </td>
+<td>
+ <p>
+ Exact-match semantics. This rule matches
+ when the name being updated is identical
+ to the contents of the
+ <em class="replaceable"><code>name</code></em> field.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p>
+ <code class="varname">subdomain</code>
+ </p>
+ </td>
+<td>
+ <p>
+ This rule matches when the name being updated
+ is a subdomain of, or identical to, the
+ contents of the <em class="replaceable"><code>name</code></em>
+ field.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p>
+ <code class="varname">wildcard</code>
+ </p>
+ </td>
+<td>
+ <p>
+ The <em class="replaceable"><code>name</code></em> field
+ is subject to DNS wildcard expansion, and
+ this rule matches when the name being updated
+ name is a valid expansion of the wildcard.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">subdomain</code></p></td>
-<td><p>This rule matches when the name being updated
-is a subdomain of, or identical to, the contents of the
-<em class="replaceable"><code>name</code></em> field.</p></td>
+<td>
+ <p>
+ <code class="varname">self</code>
+ </p>
+ </td>
+<td>
+ <p>
+ This rule matches when the name being updated
+ matches the contents of the
+ <em class="replaceable"><code>identity</code></em> field.
+ The <em class="replaceable"><code>name</code></em> field
+ is ignored, but should be the same as the
+ <em class="replaceable"><code>identity</code></em> field.
+ The <code class="varname">self</code> nametype is
+ most useful when allowing using one key per
+ name to update, where the key has the same
+ name as the name to be updated. The
+ <em class="replaceable"><code>identity</code></em> would
+ be specified as <code class="constant">*</code> (an asterisk) in
+ this case.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">wildcard</code></p></td>
-<td><p>The <em class="replaceable"><code>name</code></em> field is
-subject to DNS wildcard expansion, and this rule matches when the name
-being updated name is a valid expansion of the wildcard.</p></td>
+<td>
+ <p>
+ <code class="varname">selfsub</code>
+ </p>
+ </td>
+<td>
+ <p>
+ This rule is similar to <code class="varname">self</code>
+ except that subdomains of <code class="varname">self</code>
+ can also be updated.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">self</code></p></td>
-<td><p>This rule matches when the name being updated
-matches the contents of the <em class="replaceable"><code>identity</code></em> field.
-The <em class="replaceable"><code>name</code></em> field is ignored, but should be
-the same as the <em class="replaceable"><code>identity</code></em> field. The
-<code class="varname">self</code> nametype is most useful when allowing using
-one key per name to update, where the key has the same name as the name
-to be updated. The <em class="replaceable"><code>identity</code></em> would be
-specified as <code class="constant">*</code> in this case.</p></td>
+<td>
+ <p>
+ <code class="varname">selfwild</code>
+ </p>
+ </td>
+<td>
+ <p>
+ This rule is similar to <code class="varname">self</code>
+ except that only subdomains of
+ <code class="varname">self</code> can be updated.
+ </p>
+ </td>
</tr>
</tbody>
</table></div>
-<p>In all cases, the <em class="replaceable"><code>name</code></em> field must
-specify a fully qualified domain name.</p>
-<p>If no types are explicitly specified, this rule matches all types except
-SIG, NS, SOA, and NXT. Types may be specified by name, including
-"ANY" (ANY matches all types except NXT, which can never be updated).
-Note that when an attempt is made to delete all records associated with a
-name, the rules are checked for each existing record type.
-</p>
+<p>
+ In all cases, the <em class="replaceable"><code>name</code></em>
+ field must
+ specify a fully qualified domain name.
+ </p>
+<p>
+ If no types are explicitly specified, this rule matches all
+ types except
+ RRSIG, NS, SOA, and NSEC. Types may be specified by name, including
+ "ANY" (ANY matches all types except NSEC, which can never be
+ updated).
+ Note that when an attempt is made to delete all records
+ associated with a
+ name, the rules are checked for each existing record type.
+ </p>
</div>
</div>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2589173"></a>Zone File</h2></div></div></div>
+<a name="id2588846"></a>Zone File</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
-<p>This section, largely borrowed from RFC 1034, describes the
-concept of a Resource Record (RR) and explains when each is used.
-Since the publication of RFC 1034, several new RRs have been identified
-and implemented in the DNS. These are also included.</p>
+<p>
+ This section, largely borrowed from RFC 1034, describes the
+ concept of a Resource Record (RR) and explains when each is used.
+ Since the publication of RFC 1034, several new RRs have been
+ identified
+ and implemented in the DNS. These are also included.
+ </p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2589191"></a>Resource Records</h4></div></div></div>
-<p>A domain name identifies a node. Each node has a set of
- resource information, which may be empty. The set of resource
- information associated with a particular name is composed of
- separate RRs. The order of RRs in a set is not significant and
- need not be preserved by name servers, resolvers, or other
- parts of the DNS. However, sorting of multiple RRs is
- permitted for optimization purposes, for example, to specify
- that a particular nearby server be tried first. See <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called &#8220;The <span><strong class="command">sortlist</strong></span> Statement&#8221;</a> and <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called &#8220;RRset Ordering&#8221;</a>.</p>
-<p>The components of a Resource Record are:</p>
+<a name="id2588865"></a>Resource Records</h4></div></div></div>
+<p>
+ A domain name identifies a node. Each node has a set of
+ resource information, which may be empty. The set of resource
+ information associated with a particular name is composed of
+ separate RRs. The order of RRs in a set is not significant and
+ need not be preserved by name servers, resolvers, or other
+ parts of the DNS. However, sorting of multiple RRs is
+ permitted for optimization purposes, for example, to specify
+ that a particular nearby server be tried first. See <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called &#8220;The <span><strong class="command">sortlist</strong></span> Statement&#8221;</a> and <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called &#8220;RRset Ordering&#8221;</a>.
+ </p>
+<p>
+ The components of a Resource Record are:
+ </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -3322,34 +5587,78 @@ and implemented in the DNS. These are also included.</p>
</colgroup>
<tbody>
<tr>
-<td><p>owner name</p></td>
-<td><p>the domain name where the RR is found.</p></td>
+<td>
+ <p>
+ owner name
+ </p>
+ </td>
+<td>
+ <p>
+ The domain name where the RR is found.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>type</p></td>
-<td><p>an encoded 16-bit value that specifies
-the type of the resource record.</p></td>
+<td>
+ <p>
+ type
+ </p>
+ </td>
+<td>
+ <p>
+ An encoded 16-bit value that specifies
+ the type of the resource record.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>TTL</p></td>
-<td><p>the time-to-live of the RR. This field
-is a 32-bit integer in units of seconds, and is primarily used by
-resolvers when they cache RRs. The TTL describes how long a RR can
-be cached before it should be discarded.</p></td>
+<td>
+ <p>
+ TTL
+ </p>
+ </td>
+<td>
+ <p>
+ The time-to-live of the RR. This field
+ is a 32-bit integer in units of seconds, and is
+ primarily used by
+ resolvers when they cache RRs. The TTL describes how
+ long a RR can
+ be cached before it should be discarded.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>class</p></td>
-<td><p>an encoded 16-bit value that identifies
-a protocol family or instance of a protocol.</p></td>
+<td>
+ <p>
+ class
+ </p>
+ </td>
+<td>
+ <p>
+ An encoded 16-bit value that identifies
+ a protocol family or instance of a protocol.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>RDATA</p></td>
-<td><p>the resource data. The format of the
-data is type (and sometimes class) specific.</p></td>
+<td>
+ <p>
+ RDATA
+ </p>
+ </td>
+<td>
+ <p>
+ The resource data. The format of the
+ data is type (and sometimes class) specific.
+ </p>
+ </td>
</tr>
</tbody>
</table></div>
-<p>The following are <span class="emphasis"><em>types</em></span> of valid RRs:</p>
+<p>
+ The following are <span class="emphasis"><em>types</em></span> of valid RRs:
+ </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -3357,160 +5666,463 @@ data is type (and sometimes class) specific.</p></td>
</colgroup>
<tbody>
<tr>
-<td><p>A</p></td>
-<td><p>a host address. In the IN class, this is a
-32-bit IP address. Described in RFC 1035.</p></td>
+<td>
+ <p>
+ A
+ </p>
+ </td>
+<td>
+ <p>
+ A host address. In the IN class, this is a
+ 32-bit IP address. Described in RFC 1035.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>AAAA</p></td>
-<td><p>IPv6 address. Described in RFC 1886.</p></td>
+<td>
+ <p>
+ AAAA
+ </p>
+ </td>
+<td>
+ <p>
+ IPv6 address. Described in RFC 1886.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>A6</p></td>
-<td><p>IPv6 address. This can be a partial
-address (a suffix) and an indirection to the name where the rest of the
-address (the prefix) can be found. Experimental. Described in RFC 2874.</p></td>
+<td>
+ <p>
+ A6
+ </p>
+ </td>
+<td>
+ <p>
+ IPv6 address. This can be a partial
+ address (a suffix) and an indirection to the name
+ where the rest of the
+ address (the prefix) can be found. Experimental.
+ Described in RFC 2874.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>AFSDB</p></td>
-<td><p>location of AFS database servers.
-Experimental. Described in RFC 1183.</p></td>
+<td>
+ <p>
+ AFSDB
+ </p>
+ </td>
+<td>
+ <p>
+ Location of AFS database servers.
+ Experimental. Described in RFC 1183.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>APL</p></td>
-<td><p>address prefix list. Experimental.
-Described in RFC 3123.</p></td>
+<td>
+ <p>
+ APL
+ </p>
+ </td>
+<td>
+ <p>
+ Address prefix list. Experimental.
+ Described in RFC 3123.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>CERT</p></td>
-<td><p>holds a digital certificate.
-Described in RFC 2538.</p></td>
+<td>
+ <p>
+ CERT
+ </p>
+ </td>
+<td>
+ <p>
+ Holds a digital certificate.
+ Described in RFC 2538.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>CNAME</p></td>
-<td><p>identifies the canonical name of an alias.
-Described in RFC 1035.</p></td>
+<td>
+ <p>
+ CNAME
+ </p>
+ </td>
+<td>
+ <p>
+ Identifies the canonical name of an alias.
+ Described in RFC 1035.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>DNAME</p></td>
-<td><p>Replaces the domain name specified with
-another name to be looked up, effectively aliasing an entire
-subtree of the domain name space rather than a single record
-as in the case of the CNAME RR.
-Described in RFC 2672.</p></td>
+<td>
+ <p>
+ DNAME
+ </p>
+ </td>
+<td>
+ <p>
+ Replaces the domain name specified with
+ another name to be looked up, effectively aliasing an
+ entire
+ subtree of the domain name space rather than a single
+ record
+ as in the case of the CNAME RR.
+ Described in RFC 2672.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>GPOS</p></td>
-<td><p>Specifies the global position. Superseded by LOC.</p></td>
+<td>
+ <p>
+ DNSKEY
+ </p>
+ </td>
+<td>
+ <p>
+ Stores a public key associated with a signed
+ DNS zone. Described in RFC 4034.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>HINFO</p></td>
-<td><p>identifies the CPU and OS used by a host.
-Described in RFC 1035.</p></td>
+<td>
+ <p>
+ DS
+ </p>
+ </td>
+<td>
+ <p>
+ Stores the hash of a public key associated with a
+ signed DNS zone. Described in RFC 4034.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>ISDN</p></td>
-<td><p>representation of ISDN addresses.
-Experimental. Described in RFC 1183.</p></td>
+<td>
+ <p>
+ GPOS
+ </p>
+ </td>
+<td>
+ <p>
+ Specifies the global position. Superseded by LOC.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>KEY</p></td>
-<td><p>stores a public key associated with a
-DNS name. Described in RFC 2535.</p></td>
+<td>
+ <p>
+ HINFO
+ </p>
+ </td>
+<td>
+ <p>
+ Identifies the CPU and OS used by a host.
+ Described in RFC 1035.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>KX</p></td>
-<td><p>identifies a key exchanger for this
-DNS name. Described in RFC 2230.</p></td>
+<td>
+ <p>
+ ISDN
+ </p>
+ </td>
+<td>
+ <p>
+ Representation of ISDN addresses.
+ Experimental. Described in RFC 1183.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>LOC</p></td>
-<td><p>for storing GPS info. Described in RFC 1876.
-Experimental.</p></td>
+<td>
+ <p>
+ KEY
+ </p>
+ </td>
+<td>
+ <p>
+ Stores a public key associated with a
+ DNS name. Used in original DNSSEC; replaced
+ by DNSKEY in DNSSECbis, but still used with
+ SIG(0). Described in RFCs 2535 and 2931.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>MX</p></td>
-<td><p>identifies a mail exchange for the domain.
-A 16-bit preference value (lower is better)
-followed by the host name of the mail exchange.
-Described in RFC 974, RFC 1035.</p></td>
+<td>
+ <p>
+ KX
+ </p>
+ </td>
+<td>
+ <p>
+ Identifies a key exchanger for this
+ DNS name. Described in RFC 2230.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>NAPTR</p></td>
-<td><p>name authority pointer. Described in RFC 2915.</p></td>
+<td>
+ <p>
+ LOC
+ </p>
+ </td>
+<td>
+ <p>
+ For storing GPS info. Described in RFC 1876.
+ Experimental.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>NSAP</p></td>
-<td><p>a network service access point.
-Described in RFC 1706.</p></td>
+<td>
+ <p>
+ MX
+ </p>
+ </td>
+<td>
+ <p>
+ Identifies a mail exchange for the domain with
+ a 16-bit preference value (lower is better)
+ followed by the host name of the mail exchange.
+ Described in RFC 974, RFC 1035.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>NS</p></td>
-<td><p>the authoritative name server for the
-domain. Described in RFC 1035.</p></td>
+<td>
+ <p>
+ NAPTR
+ </p>
+ </td>
+<td>
+ <p>
+ Name authority pointer. Described in RFC 2915.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>NXT</p></td>
-<td><p>used in DNSSEC to securely indicate that
-RRs with an owner name in a certain name interval do not exist in
-a zone and indicate what RR types are present for an existing name.
-Described in RFC 2535.</p></td>
+<td>
+ <p>
+ NSAP
+ </p>
+ </td>
+<td>
+ <p>
+ A network service access point.
+ Described in RFC 1706.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>PTR</p></td>
-<td><p>a pointer to another part of the domain
-name space. Described in RFC 1035.</p></td>
+<td>
+ <p>
+ NS
+ </p>
+ </td>
+<td>
+ <p>
+ The authoritative name server for the
+ domain. Described in RFC 1035.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>PX</p></td>
-<td><p>provides mappings between RFC 822 and X.400
-addresses. Described in RFC 2163.</p></td>
+<td>
+ <p>
+ NSEC
+ </p>
+ </td>
+<td>
+ <p>
+ Used in DNSSECbis to securely indicate that
+ RRs with an owner name in a certain name interval do
+ not exist in
+ a zone and indicate what RR types are present for an
+ existing name.
+ Described in RFC 4034.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>RP</p></td>
-<td><p>information on persons responsible
-for the domain. Experimental. Described in RFC 1183.</p></td>
+<td>
+ <p>
+ NXT
+ </p>
+ </td>
+<td>
+ <p>
+ Used in DNSSEC to securely indicate that
+ RRs with an owner name in a certain name interval do
+ not exist in
+ a zone and indicate what RR types are present for an
+ existing name.
+ Used in original DNSSEC; replaced by NSEC in
+ DNSSECbis.
+ Described in RFC 2535.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>RT</p></td>
-<td><p>route-through binding for hosts that
-do not have their own direct wide area network addresses.
-Experimental. Described in RFC 1183.</p></td>
+<td>
+ <p>
+ PTR
+ </p>
+ </td>
+<td>
+ <p>
+ A pointer to another part of the domain
+ name space. Described in RFC 1035.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>SIG</p></td>
-<td><p>("signature") contains data authenticated
-in the secure DNS. Described in RFC 2535.</p></td>
+<td>
+ <p>
+ PX
+ </p>
+ </td>
+<td>
+ <p>
+ Provides mappings between RFC 822 and X.400
+ addresses. Described in RFC 2163.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>SOA</p></td>
-<td><p>identifies the start of a zone of authority.
-Described in RFC 1035.</p></td>
+<td>
+ <p>
+ RP
+ </p>
+ </td>
+<td>
+ <p>
+ Information on persons responsible
+ for the domain. Experimental. Described in RFC 1183.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>SRV</p></td>
-<td><p>information about well known network
-services (replaces WKS). Described in RFC 2782.</p></td>
+<td>
+ <p>
+ RRSIG
+ </p>
+ </td>
+<td>
+ <p>
+ Contains DNSSECbis signature data. Described
+ in RFC 4034.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>TXT</p></td>
-<td><p>text records. Described in RFC 1035.</p></td>
+<td>
+ <p>
+ RT
+ </p>
+ </td>
+<td>
+ <p>
+ Route-through binding for hosts that
+ do not have their own direct wide area network
+ addresses.
+ Experimental. Described in RFC 1183.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>WKS</p></td>
-<td><p>information about which well known
-network services, such as SMTP, that a domain supports. Historical.
-</p></td>
+<td>
+ <p>
+ SIG
+ </p>
+ </td>
+<td>
+ <p>
+ Contains DNSSEC signature data. Used in
+ original DNSSEC; replaced by RRSIG in
+ DNSSECbis, but still used for SIG(0).
+ Described in RFCs 2535 and 2931.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>X25</p></td>
-<td><p>representation of X.25 network addresses.
-Experimental. Described in RFC 1183.</p></td>
+<td>
+ <p>
+ SOA
+ </p>
+ </td>
+<td>
+ <p>
+ Identifies the start of a zone of authority.
+ Described in RFC 1035.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p>
+ SRV
+ </p>
+ </td>
+<td>
+ <p>
+ Information about well known network
+ services (replaces WKS). Described in RFC 2782.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p>
+ TXT
+ </p>
+ </td>
+<td>
+ <p>
+ Text records. Described in RFC 1035.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p>
+ WKS
+ </p>
+ </td>
+<td>
+ <p>
+ Information about which well known
+ network services, such as SMTP, that a domain
+ supports. Historical.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p>
+ X25
+ </p>
+ </td>
+<td>
+ <p>
+ Representation of X.25 network addresses.
+ Experimental. Described in RFC 1183.
+ </p>
+ </td>
</tr>
</tbody>
</table></div>
-<p>The following <span class="emphasis"><em>classes</em></span> of resource records
-are currently valid in the DNS:</p>
+<p>
+ The following <span class="emphasis"><em>classes</em></span> of resource records
+ are currently valid in the DNS:
+ </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -3518,72 +6130,131 @@ are currently valid in the DNS:</p>
</colgroup>
<tbody>
<tr>
-<td><p>IN</p></td>
-<td><p>The Internet.</p></td>
+<td>
+ <p>
+ IN
+ </p>
+ </td>
+<td>
+ <p>
+ The Internet.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>CH</p></td>
-<td><p>
-CHAOSnet, a LAN protocol created at MIT in the mid-1970s.
-Rarely used for its historical purpose, but reused for BIND's
-built-in server information zones, e.g.,
-<code class="literal">version.bind</code>.
-</p></td>
+<td>
+ <p>
+ CH
+ </p>
+ </td>
+<td>
+ <p>
+ CHAOSnet, a LAN protocol created at MIT in the
+ mid-1970s.
+ Rarely used for its historical purpose, but reused for
+ BIND's
+ built-in server information zones, e.g.,
+ <code class="literal">version.bind</code>.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>HS</p></td>
-<td><p>
-Hesiod, an information service
-developed by MIT's Project Athena. It is used to share information
-about various systems databases, such as users, groups, printers
-and so on.
-</p></td>
+<td>
+ <p>
+ HS
+ </p>
+ </td>
+<td>
+ <p>
+ Hesiod, an information service
+ developed by MIT's Project Athena. It is used to share
+ information
+ about various systems databases, such as users,
+ groups, printers
+ and so on.
+ </p>
+ </td>
</tr>
</tbody>
</table></div>
-<p>The owner name is often implicit, rather than forming an integral
-part of the RR. For example, many name servers internally form tree
-or hash structures for the name space, and chain RRs off nodes.
- The remaining RR parts are the fixed header (type, class, TTL)
-which is consistent for all RRs, and a variable part (RDATA) that
-fits the needs of the resource being described.</p>
-<p>The meaning of the TTL field is a time limit on how long an
-RR can be kept in a cache. This limit does not apply to authoritative
-data in zones; it is also timed out, but by the refreshing policies
-for the zone. The TTL is assigned by the administrator for the
-zone where the data originates. While short TTLs can be used to
-minimize caching, and a zero TTL prohibits caching, the realities
-of Internet performance suggest that these times should be on the
-order of days for the typical host. If a change can be anticipated,
-the TTL can be reduced prior to the change to minimize inconsistency
-during the change, and then increased back to its former value following
-the change.</p>
-<p>The data in the RDATA section of RRs is carried as a combination
-of binary strings and domain names. The domain names are frequently
-used as "pointers" to other data in the DNS.</p>
+<p>
+ The owner name is often implicit, rather than forming an
+ integral
+ part of the RR. For example, many name servers internally form
+ tree
+ or hash structures for the name space, and chain RRs off nodes.
+ The remaining RR parts are the fixed header (type, class, TTL)
+ which is consistent for all RRs, and a variable part (RDATA)
+ that
+ fits the needs of the resource being described.
+ </p>
+<p>
+ The meaning of the TTL field is a time limit on how long an
+ RR can be kept in a cache. This limit does not apply to
+ authoritative
+ data in zones; it is also timed out, but by the refreshing
+ policies
+ for the zone. The TTL is assigned by the administrator for the
+ zone where the data originates. While short TTLs can be used to
+ minimize caching, and a zero TTL prohibits caching, the
+ realities
+ of Internet performance suggest that these times should be on
+ the
+ order of days for the typical host. If a change can be
+ anticipated,
+ the TTL can be reduced prior to the change to minimize
+ inconsistency
+ during the change, and then increased back to its former value
+ following
+ the change.
+ </p>
+<p>
+ The data in the RDATA section of RRs is carried as a combination
+ of binary strings and domain names. The domain names are
+ frequently
+ used as "pointers" to other data in the DNS.
+ </p>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2590180"></a>Textual expression of RRs</h4></div></div></div>
-<p>RRs are represented in binary form in the packets of the DNS
-protocol, and are usually represented in highly encoded form when
-stored in a name server or resolver. In the examples provided in
-RFC 1034, a style similar to that used in master files was employed
-in order to show the contents of RRs. In this format, most RRs
-are shown on a single line, although continuation lines are possible
-using parentheses.</p>
-<p>The start of the line gives the owner of the RR. If a line
-begins with a blank, then the owner is assumed to be the same as
-that of the previous RR. Blank lines are often included for readability.</p>
-<p>Following the owner, we list the TTL, type, and class of the
-RR. Class and type use the mnemonics defined above, and TTL is
-an integer before the type field. In order to avoid ambiguity in
-parsing, type and class mnemonics are disjoint, TTLs are integers,
-and the type mnemonic is always last. The IN class and TTL values
-are often omitted from examples in the interests of clarity.</p>
-<p>The resource data or RDATA section of the RR are given using
-knowledge of the typical representation for the data.</p>
-<p>For example, we might show the RRs carried in a message as:</p>
+<a name="id2590279"></a>Textual expression of RRs</h4></div></div></div>
+<p>
+ RRs are represented in binary form in the packets of the DNS
+ protocol, and are usually represented in highly encoded form
+ when
+ stored in a name server or resolver. In the examples provided
+ in
+ RFC 1034, a style similar to that used in master files was
+ employed
+ in order to show the contents of RRs. In this format, most RRs
+ are shown on a single line, although continuation lines are
+ possible
+ using parentheses.
+ </p>
+<p>
+ The start of the line gives the owner of the RR. If a line
+ begins with a blank, then the owner is assumed to be the same as
+ that of the previous RR. Blank lines are often included for
+ readability.
+ </p>
+<p>
+ Following the owner, we list the TTL, type, and class of the
+ RR. Class and type use the mnemonics defined above, and TTL is
+ an integer before the type field. In order to avoid ambiguity
+ in
+ parsing, type and class mnemonics are disjoint, TTLs are
+ integers,
+ and the type mnemonic is always last. The IN class and TTL
+ values
+ are often omitted from examples in the interests of clarity.
+ </p>
+<p>
+ The resource data or RDATA section of the RR are given using
+ knowledge of the typical representation for the data.
+ </p>
+<p>
+ For example, we might show the RRs carried in a message as:
+ </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -3592,43 +6263,116 @@ knowledge of the typical representation for the data.</p>
</colgroup>
<tbody>
<tr>
-<td><p><code class="literal">ISI.EDU.</code></p></td>
-<td><p><code class="literal">MX</code></p></td>
-<td><p><code class="literal">10 VENERA.ISI.EDU.</code></p></td>
+<td>
+ <p>
+ <code class="literal">ISI.EDU.</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">MX</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">10 VENERA.ISI.EDU.</code>
+ </p>
+ </td>
</tr>
<tr>
-<td><p></p></td>
-<td><p><code class="literal">MX</code></p></td>
-<td><p><code class="literal">10 VAXA.ISI.EDU</code></p></td>
+<td>
+ <p></p>
+ </td>
+<td>
+ <p>
+ <code class="literal">MX</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">10 VAXA.ISI.EDU</code>
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="literal">VENERA.ISI.EDU</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">128.9.0.32</code></p></td>
+<td>
+ <p>
+ <code class="literal">VENERA.ISI.EDU</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">A</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">128.9.0.32</code>
+ </p>
+ </td>
</tr>
<tr>
-<td><p></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">10.1.0.52</code></p></td>
+<td>
+ <p></p>
+ </td>
+<td>
+ <p>
+ <code class="literal">A</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">10.1.0.52</code>
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="literal">VAXA.ISI.EDU</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">10.2.0.27</code></p></td>
+<td>
+ <p>
+ <code class="literal">VAXA.ISI.EDU</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">A</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">10.2.0.27</code>
+ </p>
+ </td>
</tr>
<tr>
-<td><p></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">128.9.0.33</code></p></td>
+<td>
+ <p></p>
+ </td>
+<td>
+ <p>
+ <code class="literal">A</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">128.9.0.33</code>
+ </p>
+ </td>
</tr>
</tbody>
</table></div>
-<p>The MX RRs have an RDATA section which consists of a 16-bit
-number followed by a domain name. The address RRs use a standard
-IP address format to contain a 32-bit internet address.</p>
-<p>The above example shows six RRs, with two RRs at each of three
-domain names.</p>
-<p>Similarly we might see:</p>
+<p>
+ The MX RRs have an RDATA section which consists of a 16-bit
+ number followed by a domain name. The address RRs use a
+ standard
+ IP address format to contain a 32-bit internet address.
+ </p>
+<p>
+ The above example shows six RRs, with two RRs at each of three
+ domain names.
+ </p>
+<p>
+ Similarly we might see:
+ </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -3637,45 +6381,83 @@ domain names.</p>
</colgroup>
<tbody>
<tr>
-<td><p><code class="literal">XX.LCS.MIT.EDU. IN</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">10.0.0.44</code></p></td>
+<td>
+ <p>
+ <code class="literal">XX.LCS.MIT.EDU.</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">IN A</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">10.0.0.44</code>
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="literal">CH</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">MIT.EDU. 2420</code></p></td>
+<td> </td>
+<td>
+ <p>
+ <code class="literal">CH A</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">MIT.EDU. 2420</code>
+ </p>
+ </td>
</tr>
</tbody>
</table></div>
-<p>This example shows two addresses for <code class="literal">XX.LCS.MIT.EDU</code>,
-each of a different class.</p>
+<p>
+ This example shows two addresses for
+ <code class="literal">XX.LCS.MIT.EDU</code>, each of a different class.
+ </p>
</div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2590605"></a>Discussion of MX Records</h3></div></div></div>
-<p>As described above, domain servers store information as a
-series of resource records, each of which contains a particular
-piece of information about a given domain name (which is usually,
-but not always, a host). The simplest way to think of a RR is as
-a typed pair of data, a domain name matched with a relevant datum,
-and stored with some additional type information to help systems
-determine when the RR is relevant.</p>
-<p>MX records are used to control delivery of email. The data
-specified in the record is a priority and a domain name. The priority
-controls the order in which email delivery is attempted, with the
-lowest number first. If two priorities are the same, a server is
-chosen randomly. If no servers at a given priority are responding,
-the mail transport agent will fall back to the next largest priority.
-Priority numbers do not have any absolute meaning &#8212; they are relevant
-only respective to other MX records for that domain name. The domain
-name given is the machine to which the mail will be delivered. It <span class="emphasis"><em>must</em></span> have
-an associated A record &#8212; CNAME is not sufficient.</p>
-<p>For a given domain, if there is both a CNAME record and an
-MX record, the MX record is in error, and will be ignored. Instead,
-the mail will be delivered to the server specified in the MX record
-pointed to by the CNAME.</p>
+<a name="id2590800"></a>Discussion of MX Records</h3></div></div></div>
+<p>
+ As described above, domain servers store information as a
+ series of resource records, each of which contains a particular
+ piece of information about a given domain name (which is usually,
+ but not always, a host). The simplest way to think of a RR is as
+ a typed pair of data, a domain name matched with a relevant datum,
+ and stored with some additional type information to help systems
+ determine when the RR is relevant.
+ </p>
+<p>
+ MX records are used to control delivery of email. The data
+ specified in the record is a priority and a domain name. The
+ priority
+ controls the order in which email delivery is attempted, with the
+ lowest number first. If two priorities are the same, a server is
+ chosen randomly. If no servers at a given priority are responding,
+ the mail transport agent will fall back to the next largest
+ priority.
+ Priority numbers do not have any absolute meaning &#8212; they are
+ relevant
+ only respective to other MX records for that domain name. The
+ domain
+ name given is the machine to which the mail will be delivered.
+ It <span class="emphasis"><em>must</em></span> have an associated address record
+ (A or AAAA) &#8212; CNAME is not sufficient.
+ </p>
+<p>
+ For a given domain, if there is both a CNAME record and an
+ MX record, the MX record is in error, and will be ignored.
+ Instead,
+ the mail will be delivered to the server specified in the MX
+ record
+ pointed to by the CNAME.
+ </p>
+<p>
+ For example:
+ </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -3686,56 +6468,152 @@ pointed to by the CNAME.</p>
</colgroup>
<tbody>
<tr>
-<td><p><code class="literal">example.com.</code></p></td>
-<td><p><code class="literal">IN</code></p></td>
-<td><p><code class="literal">MX</code></p></td>
-<td><p><code class="literal">10</code></p></td>
-<td><p><code class="literal">mail.example.com.</code></p></td>
+<td>
+ <p>
+ <code class="literal">example.com.</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">IN</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">MX</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">10</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">mail.example.com.</code>
+ </p>
+ </td>
</tr>
<tr>
-<td><p></p></td>
-<td><p><code class="literal">IN</code></p></td>
-<td><p><code class="literal">MX</code></p></td>
-<td><p><code class="literal">10</code></p></td>
-<td><p><code class="literal">mail2.example.com.</code></p></td>
+<td>
+ <p></p>
+ </td>
+<td>
+ <p>
+ <code class="literal">IN</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">MX</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">10</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">mail2.example.com.</code>
+ </p>
+ </td>
</tr>
<tr>
-<td><p></p></td>
-<td><p><code class="literal">IN</code></p></td>
-<td><p><code class="literal">MX</code></p></td>
-<td><p><code class="literal">20</code></p></td>
-<td><p><code class="literal">mail.backup.org.</code></p></td>
+<td>
+ <p></p>
+ </td>
+<td>
+ <p>
+ <code class="literal">IN</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">MX</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">20</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">mail.backup.org.</code>
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="literal">mail.example.com.</code></p></td>
-<td><p><code class="literal">IN</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">10.0.0.1</code></p></td>
-<td><p></p></td>
+<td>
+ <p>
+ <code class="literal">mail.example.com.</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">IN</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">A</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">10.0.0.1</code>
+ </p>
+ </td>
+<td>
+ <p></p>
+ </td>
</tr>
<tr>
-<td><p><code class="literal">mail2.example.com.</code></p></td>
-<td><p><code class="literal">IN</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">10.0.0.2</code></p></td>
-<td><p></p></td>
+<td>
+ <p>
+ <code class="literal">mail2.example.com.</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">IN</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">A</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">10.0.0.2</code>
+ </p>
+ </td>
+<td>
+ <p></p>
+ </td>
</tr>
</tbody>
</table></div>
-<p>For example:</p>
-<p>Mail delivery will be attempted to <code class="literal">mail.example.com</code> and
-<code class="literal">mail2.example.com</code> (in
-any order), and if neither of those succeed, delivery to <code class="literal">mail.backup.org</code> will
-be attempted.</p>
+<p>
+ Mail delivery will be attempted to <code class="literal">mail.example.com</code> and
+ <code class="literal">mail2.example.com</code> (in
+ any order), and if neither of those succeed, delivery to <code class="literal">mail.backup.org</code> will
+ be attempted.
+ </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="Setting_TTLs"></a>Setting TTLs</h3></div></div></div>
-<p>The time-to-live of the RR field is a 32-bit integer represented
-in units of seconds, and is primarily used by resolvers when they
-cache RRs. The TTL describes how long a RR can be cached before it
-should be discarded. The following three types of TTL are currently
-used in a zone file.</p>
+<p>
+ The time-to-live of the RR field is a 32-bit integer represented
+ in units of seconds, and is primarily used by resolvers when they
+ cache RRs. The TTL describes how long a RR can be cached before it
+ should be discarded. The following three types of TTL are
+ currently
+ used in a zone file.
+ </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -3743,46 +6621,79 @@ used in a zone file.</p>
</colgroup>
<tbody>
<tr>
-<td><p>SOA</p></td>
<td>
-<p>The last field in the SOA is the negative
-caching TTL. This controls how long other servers will cache no-such-domain
-(NXDOMAIN) responses from you.</p>
-<p>The maximum time for
-negative caching is 3 hours (3h).</p>
-</td>
+ <p>
+ SOA
+ </p>
+ </td>
+<td>
+ <p>
+ The last field in the SOA is the negative
+ caching TTL. This controls how long other servers will
+ cache no-such-domain
+ (NXDOMAIN) responses from you.
+ </p>
+ <p>
+ The maximum time for
+ negative caching is 3 hours (3h).
+ </p>
+ </td>
</tr>
<tr>
-<td><p>$TTL</p></td>
-<td><p>The $TTL directive at the top of the
-zone file (before the SOA) gives a default TTL for every RR without
-a specific TTL set.</p></td>
+<td>
+ <p>
+ $TTL
+ </p>
+ </td>
+<td>
+ <p>
+ The $TTL directive at the top of the
+ zone file (before the SOA) gives a default TTL for every
+ RR without
+ a specific TTL set.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>RR TTLs</p></td>
-<td><p>Each RR can have a TTL as the second
-field in the RR, which will control how long other servers can cache
-the it.</p></td>
+<td>
+ <p>
+ RR TTLs
+ </p>
+ </td>
+<td>
+ <p>
+ Each RR can have a TTL as the second
+ field in the RR, which will control how long other
+ servers can cache
+ the it.
+ </p>
+ </td>
</tr>
</tbody>
</table></div>
-<p>All of these TTLs default to units of seconds, though units
-can be explicitly specified, for example, <code class="literal">1h30m</code>. </p>
+<p>
+ All of these TTLs default to units of seconds, though units
+ can be explicitly specified, for example, <code class="literal">1h30m</code>.
+ </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2591102"></a>Inverse Mapping in IPv4</h3></div></div></div>
-<p>Reverse name resolution (that is, translation from IP address
-to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain
-and PTR records. Entries in the in-addr.arpa domain are made in
-least-to-most significant order, read left to right. This is the
-opposite order to the way IP addresses are usually written. Thus,
-a machine with an IP address of 10.1.2.3 would have a corresponding
-in-addr.arpa name of
-3.2.1.10.in-addr.arpa. This name should have a PTR resource record
-whose data field is the name of the machine or, optionally, multiple
-PTR records if the machine has more than one name. For example,
-in the [<span class="optional">example.com</span>] domain:</p>
+<a name="id2591419"></a>Inverse Mapping in IPv4</h3></div></div></div>
+<p>
+ Reverse name resolution (that is, translation from IP address
+ to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain
+ and PTR records. Entries in the in-addr.arpa domain are made in
+ least-to-most significant order, read left to right. This is the
+ opposite order to the way IP addresses are usually written. Thus,
+ a machine with an IP address of 10.1.2.3 would have a
+ corresponding
+ in-addr.arpa name of
+ 3.2.1.10.in-addr.arpa. This name should have a PTR resource record
+ whose data field is the name of the machine or, optionally,
+ multiple
+ PTR records if the machine has more than one name. For example,
+ in the [<span class="optional">example.com</span>] domain:
+ </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -3790,95 +6701,167 @@ in the [<span class="optional">example.com</span>] domain:</p>
</colgroup>
<tbody>
<tr>
-<td><p><code class="literal">$ORIGIN</code></p></td>
-<td><p><code class="literal">2.1.10.in-addr.arpa</code></p></td>
+<td>
+ <p>
+ <code class="literal">$ORIGIN</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">2.1.10.in-addr.arpa</code>
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="literal">3</code></p></td>
-<td><p><code class="literal">IN PTR foo.example.com.</code></p></td>
+<td>
+ <p>
+ <code class="literal">3</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">IN PTR foo.example.com.</code>
+ </p>
+ </td>
</tr>
</tbody>
</table></div>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
-<p>The <span><strong class="command">$ORIGIN</strong></span> lines in the examples
-are for providing context to the examples only-they do not necessarily
-appear in the actual usage. They are only used here to indicate
-that the example is relative to the listed origin.</p>
+<p>
+ The <span><strong class="command">$ORIGIN</strong></span> lines in the examples
+ are for providing context to the examples only-they do not
+ necessarily
+ appear in the actual usage. They are only used here to indicate
+ that the example is relative to the listed origin.
+ </p>
</div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2591208"></a>Other Zone File Directives</h3></div></div></div>
-<p>The Master File Format was initially defined in RFC 1035 and
-has subsequently been extended. While the Master File Format itself
-is class independent all records in a Master File must be of the same
-class.</p>
-<p>Master File Directives include <span><strong class="command">$ORIGIN</strong></span>, <span><strong class="command">$INCLUDE</strong></span>,
-and <span><strong class="command">$TTL.</strong></span></p>
+<a name="id2591546"></a>Other Zone File Directives</h3></div></div></div>
+<p>
+ The Master File Format was initially defined in RFC 1035 and
+ has subsequently been extended. While the Master File Format
+ itself
+ is class independent all records in a Master File must be of the
+ same
+ class.
+ </p>
+<p>
+ Master File Directives include <span><strong class="command">$ORIGIN</strong></span>, <span><strong class="command">$INCLUDE</strong></span>,
+ and <span><strong class="command">$TTL.</strong></span>
+ </p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2591227"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
-<p>Syntax: <span><strong class="command">$ORIGIN
-</strong></span><em class="replaceable"><code>domain-name</code></em> [<span class="optional"> <em class="replaceable"><code>comment</code></em></span>]</p>
-<p><span><strong class="command">$ORIGIN</strong></span> sets the domain name that will
-be appended to any unqualified records. When a zone is first read
-in there is an implicit <span><strong class="command">$ORIGIN</strong></span> &lt;<code class="varname">zone-name</code>&gt;<span><strong class="command">.</strong></span> The
-current <span><strong class="command">$ORIGIN</strong></span> is appended to the domain specified
-in the <span><strong class="command">$ORIGIN</strong></span> argument if it is not absolute.</p>
-<pre class="programlisting">$ORIGIN example.com.
-WWW CNAME MAIN-SERVER</pre>
-<p>is equivalent to</p>
-<pre class="programlisting">WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.</pre>
+<a name="id2591569"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
+<p>
+ Syntax: <span><strong class="command">$ORIGIN</strong></span>
+ <em class="replaceable"><code>domain-name</code></em>
+ [<span class="optional"><em class="replaceable"><code>comment</code></em></span>]
+ </p>
+<p><span><strong class="command">$ORIGIN</strong></span>
+ sets the domain name that will be appended to any
+ unqualified records. When a zone is first read in there
+ is an implicit <span><strong class="command">$ORIGIN</strong></span>
+ &lt;<code class="varname">zone-name</code>&gt;<span><strong class="command">.</strong></span>
+ The current <span><strong class="command">$ORIGIN</strong></span> is appended to
+ the domain specified in the <span><strong class="command">$ORIGIN</strong></span>
+ argument if it is not absolute.
+ </p>
+<pre class="programlisting">
+$ORIGIN example.com.
+WWW CNAME MAIN-SERVER
+</pre>
+<p>
+ is equivalent to
+ </p>
+<pre class="programlisting">
+WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
+</pre>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2591283"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
-<p>Syntax: <span><strong class="command">$INCLUDE</strong></span>
-<em class="replaceable"><code>filename</code></em> [<span class="optional">
-<em class="replaceable"><code>origin</code></em> </span>] [<span class="optional"> <em class="replaceable"><code>comment</code></em> </span>]</p>
-<p>Read and process the file <code class="filename">filename</code> as
-if it were included into the file at this point. If <span><strong class="command">origin</strong></span> is
-specified the file is processed with <span><strong class="command">$ORIGIN</strong></span> set
-to that value, otherwise the current <span><strong class="command">$ORIGIN</strong></span> is
-used.</p>
-<p>The origin and the current domain name
-revert to the values they had prior to the <span><strong class="command">$INCLUDE</strong></span> once
-the file has been read.</p>
+<a name="id2591629"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
+<p>
+ Syntax: <span><strong class="command">$INCLUDE</strong></span>
+ <em class="replaceable"><code>filename</code></em>
+ [<span class="optional">
+<em class="replaceable"><code>origin</code></em> </span>]
+ [<span class="optional"> <em class="replaceable"><code>comment</code></em> </span>]
+ </p>
+<p>
+ Read and process the file <code class="filename">filename</code> as
+ if it were included into the file at this point. If <span><strong class="command">origin</strong></span> is
+ specified the file is processed with <span><strong class="command">$ORIGIN</strong></span> set
+ to that value, otherwise the current <span><strong class="command">$ORIGIN</strong></span> is
+ used.
+ </p>
+<p>
+ The origin and the current domain name
+ revert to the values they had prior to the <span><strong class="command">$INCLUDE</strong></span> once
+ the file has been read.
+ </p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>
-RFC 1035 specifies that the current origin should be restored after
-an <span><strong class="command">$INCLUDE</strong></span>, but it is silent on whether the current
-domain name should also be restored. BIND 9 restores both of them.
-This could be construed as a deviation from RFC 1035, a feature, or both.
-</p>
+ RFC 1035 specifies that the current origin should be restored
+ after
+ an <span><strong class="command">$INCLUDE</strong></span>, but it is silent
+ on whether the current
+ domain name should also be restored. BIND 9 restores both of
+ them.
+ This could be construed as a deviation from RFC 1035, a
+ feature, or both.
+ </p>
</div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2591346"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
-<p>Syntax: <span><strong class="command">$TTL</strong></span>
-<em class="replaceable"><code>default-ttl</code></em> [<span class="optional">
-<em class="replaceable"><code>comment</code></em> </span>]</p>
-<p>Set the default Time To Live (TTL) for subsequent records
-with undefined TTLs. Valid TTLs are of the range 0-2147483647 seconds.</p>
-<p><span><strong class="command">$TTL</strong></span> is defined in RFC 2308.</p>
+<a name="id2591767"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
+<p>
+ Syntax: <span><strong class="command">$TTL</strong></span>
+ <em class="replaceable"><code>default-ttl</code></em>
+ [<span class="optional">
+<em class="replaceable"><code>comment</code></em> </span>]
+ </p>
+<p>
+ Set the default Time To Live (TTL) for subsequent records
+ with undefined TTLs. Valid TTLs are of the range 0-2147483647
+ seconds.
+ </p>
+<p><span><strong class="command">$TTL</strong></span>
+ is defined in RFC 2308.
+ </p>
</div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2591377"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
-<p>Syntax: <span><strong class="command">$GENERATE</strong></span> <em class="replaceable"><code>range</code></em> <em class="replaceable"><code>lhs</code></em> [<span class="optional"><em class="replaceable"><code>ttl</code></em></span>] [<span class="optional"><em class="replaceable"><code>class</code></em></span>] <em class="replaceable"><code>type</code></em> <em class="replaceable"><code>rhs</code></em> [<span class="optional"> <em class="replaceable"><code>comment</code></em> </span>]</p>
-<p><span><strong class="command">$GENERATE</strong></span> is used to create a series of
-resource records that only differ from each other by an iterator. <span><strong class="command">$GENERATE</strong></span> can
-be used to easily generate the sets of records required to support
-sub /24 reverse delegations described in RFC 2317: Classless IN-ADDR.ARPA
-delegation.</p>
+<a name="id2591803"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
+<p>
+ Syntax: <span><strong class="command">$GENERATE</strong></span>
+ <em class="replaceable"><code>range</code></em>
+ <em class="replaceable"><code>lhs</code></em>
+ [<span class="optional"><em class="replaceable"><code>ttl</code></em></span>]
+ [<span class="optional"><em class="replaceable"><code>class</code></em></span>]
+ <em class="replaceable"><code>type</code></em>
+ <em class="replaceable"><code>rhs</code></em>
+ [<span class="optional"><em class="replaceable"><code>comment</code></em></span>]
+ </p>
+<p><span><strong class="command">$GENERATE</strong></span>
+ is used to create a series of resource records that only
+ differ from each other by an
+ iterator. <span><strong class="command">$GENERATE</strong></span> can be used to
+ easily generate the sets of records required to support
+ sub /24 reverse delegations described in RFC 2317:
+ Classless IN-ADDR.ARPA delegation.
+ </p>
<pre class="programlisting">$ORIGIN 0.0.192.IN-ADDR.ARPA.
$GENERATE 1-2 0 NS SERVER$.EXAMPLE.
$GENERATE 1-127 $ CNAME $.0</pre>
-<p>is equivalent to</p>
+<p>
+ is equivalent to
+ </p>
<pre class="programlisting">0.0.0.192.IN-ADDR.ARPA NS SERVER1.EXAMPLE.
0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
@@ -3893,72 +6876,168 @@ $GENERATE 1-127 $ CNAME $.0</pre>
</colgroup>
<tbody>
<tr>
-<td><p><span><strong class="command">range</strong></span></p></td>
-<td><p>This can be one of two forms: start-stop
-or start-stop/step. If the first form is used, then step is set to
- 1. All of start, stop and step must be positive.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">lhs</strong></span></p></td>
-<td>
-<p><span><strong class="command">lhs</strong></span> describes the
-owner name of the resource records to be created. Any single
-<span><strong class="command">$</strong></span> (dollar sign) symbols
-within the <span><strong class="command">lhs</strong></span> side are replaced by the iterator
-value.
-To get a $ in the output you need to escape the <span><strong class="command">$</strong></span>
-using a backslash <span><strong class="command">\</strong></span>,
-e.g. <span><strong class="command">\$</strong></span>. The <span><strong class="command">$</strong></span> may optionally be followed
-by modifiers which change the offset from the iterator, field width and base.
-Modifiers are introduced by a <span><strong class="command">{</strong></span> immediately following the
-<span><strong class="command">$</strong></span> as <span><strong class="command">${offset[,width[,base]]}</strong></span>.
-For example, <span><strong class="command">${-20,3,d}</strong></span> which subtracts 20 from the current value,
-prints the result as a decimal in a zero-padded field of width 3. Available
-output forms are decimal (<span><strong class="command">d</strong></span>), octal (<span><strong class="command">o</strong></span>)
-and hexadecimal (<span><strong class="command">x</strong></span> or <span><strong class="command">X</strong></span> for uppercase).
-The default modifier is <span><strong class="command">${0,0,d}</strong></span>.
-If the <span><strong class="command">lhs</strong></span> is not
-absolute, the current <span><strong class="command">$ORIGIN</strong></span> is appended to
-the name.</p>
-<p>For compatibility with earlier versions, <span><strong class="command">$$</strong></span> is still
-recognized as indicating a literal $ in the output.</p>
-</td>
+<td>
+ <p><span><strong class="command">range</strong></span></p>
+ </td>
+<td>
+ <p>
+ This can be one of two forms: start-stop
+ or start-stop/step. If the first form is used, then step
+ is set to
+ 1. All of start, stop and step must be positive.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">ttl</strong></span></p></td>
<td>
-<p>Specifies the
- ttl of the generated records. If not specified this will be
- inherited using the normal ttl inheritance rules.</p>
- <p><span><strong class="command">class</strong></span> and <span><strong class="command">ttl</strong></span> can be
- entered in either order.</p>
-</td>
+ <p><span><strong class="command">lhs</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command">lhs</strong></span>
+ describes the owner name of the resource records
+ to be created. Any single <span><strong class="command">$</strong></span>
+ (dollar sign)
+ symbols within the <span><strong class="command">lhs</strong></span> side
+ are replaced by the iterator value.
+
+ To get a $ in the output you need to escape the
+ <span><strong class="command">$</strong></span> using a backslash
+ <span><strong class="command">\</strong></span>,
+ e.g. <span><strong class="command">\$</strong></span>. The
+ <span><strong class="command">$</strong></span> may optionally be followed
+ by modifiers which change the offset from the
+ iterator, field width and base.
+
+ Modifiers are introduced by a
+ <span><strong class="command">{</strong></span> immediately following the
+ <span><strong class="command">$</strong></span> as
+ <span><strong class="command">${offset[,width[,base]]}</strong></span>.
+ For example, <span><strong class="command">${-20,3,d}</strong></span>
+ subtracts 20 from the current value, prints the
+ result as a decimal in a zero-padded field of
+ width 3.
+
+ Available output forms are decimal
+ (<span><strong class="command">d</strong></span>), octal
+ (<span><strong class="command">o</strong></span>) and hexadecimal
+ (<span><strong class="command">x</strong></span> or <span><strong class="command">X</strong></span>
+ for uppercase). The default modifier is
+ <span><strong class="command">${0,0,d}</strong></span>. If the
+ <span><strong class="command">lhs</strong></span> is not absolute, the
+ current <span><strong class="command">$ORIGIN</strong></span> is appended
+ to the name.
+ </p>
+ <p>
+ For compatibility with earlier versions, <span><strong class="command">$$</strong></span> is still
+ recognized as indicating a literal $ in the output.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">class</strong></span></p></td>
<td>
-<p>Specifies the
- class of the generated records. This must match the zone class if
- it is specified.</p>
- <p><span><strong class="command">class</strong></span> and <span><strong class="command">ttl</strong></span> can be
- entered in either order.</p>
-</td>
+ <p><span><strong class="command">ttl</strong></span></p>
+ </td>
+<td>
+ <p>
+ Specifies the time-to-live of the generated records. If
+ not specified this will be inherited using the
+ normal ttl inheritance rules.
+ </p>
+ <p><span><strong class="command">class</strong></span>
+ and <span><strong class="command">ttl</strong></span> can be
+ entered in either order.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">class</strong></span></p>
+ </td>
+<td>
+ <p>
+ Specifies the class of the generated records.
+ This must match the zone class if it is
+ specified.
+ </p>
+ <p><span><strong class="command">class</strong></span>
+ and <span><strong class="command">ttl</strong></span> can be
+ entered in either order.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">type</strong></span></p></td>
-<td><p>At present the only supported types are
-PTR, CNAME, DNAME, A, AAAA and NS.</p></td>
+<td>
+ <p><span><strong class="command">type</strong></span></p>
+ </td>
+<td>
+ <p>
+ At present the only supported types are
+ PTR, CNAME, DNAME, A, AAAA and NS.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">rhs</strong></span></p></td>
-<td><p>A domain name. It is processed
-similarly to lhs.</p></td>
+<td>
+ <p><span><strong class="command">rhs</strong></span></p>
+ </td>
+<td>
+ <p>
+ A domain name. It is processed
+ similarly to lhs.
+ </p>
+ </td>
</tr>
</tbody>
</table></div>
-<p>The <span><strong class="command">$GENERATE</strong></span> directive is a <acronym class="acronym">BIND</acronym> extension
-and not part of the standard zone file format.</p>
-<p>BIND 8 does not support the optional TTL and CLASS fields.</p>
+<p>
+ The <span><strong class="command">$GENERATE</strong></span> directive is a <acronym class="acronym">BIND</acronym> extension
+ and not part of the standard zone file format.
+ </p>
+<p>
+ BIND 8 does not support the optional TTL and CLASS fields.
+ </p>
+</div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="zonefile_format"></a>Additional File Formats</h3></div></div></div>
+<p>
+ In addition to the standard textual format, BIND 9
+ supports the ability to read or dump to zone files in
+ other formats. The <code class="constant">raw</code> format is
+ currently available as an additional format. It is a
+ binary format representing BIND 9's internal data
+ structure directly, thereby remarkably improving the
+ loading time.
+ </p>
+<p>
+ For a primary server, a zone file in the
+ <code class="constant">raw</code> format is expected to be
+ generated from a textual zone file by the
+ <span><strong class="command">named-compilezone</strong></span> command. For a
+ secondary server or for a dynamic zone, it is automatically
+ generated (if this format is specified by the
+ <span><strong class="command">masterfile-format</strong></span> option) when
+ <span><strong class="command">named</strong></span> dumps the zone contents after
+ zone transfer or when applying prior updates.
+ </p>
+<p>
+ If a zone file in a binary format needs manual modification,
+ it first must be converted to a textual form by the
+ <span><strong class="command">named-compilezone</strong></span> command. All
+ necessary modification should go to the text file, which
+ should then be converted to the binary form by the
+ <span><strong class="command">named-compilezone</strong></span> command again.
+ </p>
+<p>
+ Although the <code class="constant">raw</code> format uses the
+ network byte order and avoids architecture-dependent
+ data alignment so that it is as much portable as
+ possible, it is primarily expected to be used inside
+ the same single system. In order to export a zone
+ file in the <code class="constant">raw</code> format or make a
+ portable backup of the file, it is recommended to
+ convert the file to the standard textual representation.
+ </p>
</div>
</div>
</div>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch07.html b/contrib/bind9/doc/arm/Bv9ARM.ch07.html
index f4e26f06..7286dc9 100644
--- a/contrib/bind9/doc/arm/Bv9ARM.ch07.html
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch07.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
@@ -14,12 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch07.html,v 1.50.2.9.2.33 2006/09/13 02:56:21 marka Exp $ -->
+<!-- $Id: Bv9ARM.ch07.html,v 1.75.18.54 2007/01/30 00:23:46 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter 7. BIND 9 Security Considerations</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter 6. BIND 9 Configuration Reference">
@@ -46,11 +46,10 @@
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2591971"><span><strong class="command">chroot</strong></span> and <span><strong class="command">setuid</strong></span> (for
-UNIX servers)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2592480"><span><strong class="command">chroot</strong></span> and <span><strong class="command">setuid</strong></span></a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2592046">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2592172">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2592625">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2592684">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
</dl>
@@ -58,26 +57,37 @@ UNIX servers)</a></span></dt>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
-<p>Access Control Lists (ACLs), are address match lists that
-you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
-<span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-recursion</strong></span>,
-<span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
-etc.</p>
-<p>Using ACLs allows you to have finer control over who can access
-your name server, without cluttering up your config files with huge
-lists of IP addresses.</p>
-<p>It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
-control access to your server. Limiting access to your server by
-outside parties can help prevent spoofing and denial of service (DoS)
-attacks against your server.</p>
-<p>Here is an example of how to properly apply ACLs:</p>
+<p>
+ Access Control Lists (ACLs), are address match lists that
+ you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
+ <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-recursion</strong></span>,
+ <span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
+ etc.
+ </p>
+<p>
+ Using ACLs allows you to have finer control over who can access
+ your name server, without cluttering up your config files with huge
+ lists of IP addresses.
+ </p>
+<p>
+ It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
+ control access to your server. Limiting access to your server by
+ outside parties can help prevent spoofing and denial of service (DoS) attacks against
+ your server.
+ </p>
+<p>
+ Here is an example of how to properly apply ACLs:
+ </p>
<pre class="programlisting">
-// Set up an ACL named "bogusnets" that will block RFC1918 space,
-// which is commonly used in spoofing attacks.
-acl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
+// Set up an ACL named "bogusnets" that will block RFC1918 space
+// and some reserved space, which is commonly used in spoofing attacks.
+acl bogusnets {
+ 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
+ 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
+};
// Set up an ACL called our-nets. Replace this with the real IP numbers.
-acl our-nets { x.x.x.x/24; x.x.x.x/21; };
+acl our-nets { x.x.x.x/24; x.x.x.x/21; };
options {
...
...
@@ -94,91 +104,132 @@ zone "example.com" {
allow-query { any; };
};
</pre>
-<p>This allows recursive queries of the server from the outside
-unless recursion has been previously disabled.</p>
-<p>For more information on how to use ACLs to protect your server,
-see the <span class="emphasis"><em>AUSCERT</em></span> advisory at
-<a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" target="_top">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</a></p>
+<p>
+ This allows recursive queries of the server from the outside
+ unless recursion has been previously disabled.
+ </p>
+<p>
+ For more information on how to use ACLs to protect your server,
+ see the <span class="emphasis"><em>AUSCERT</em></span> advisory at:
+ </p>
+<p>
+ <a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" target="_top">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</a>
+ </p>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2591971"></a><span><strong class="command">chroot</strong></span> and <span><strong class="command">setuid</strong></span> (for
-UNIX servers)</h2></div></div></div>
-<p>On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym> in a <span class="emphasis"><em>chrooted</em></span> environment
-(using the <span><strong class="command">chroot()</strong></span> function) by specifying the "<code class="option">-t</code>"
-option. This can help improve system security by placing <acronym class="acronym">BIND</acronym> in
-a "sandbox", which will limit the damage done if a server is compromised.</p>
-<p>Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
-ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
-We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature.</p>
-<p>Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,
-<span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
-user 202:</p>
-<p><strong class="userinput"><code>/usr/local/bin/named -u 202 -t /var/named</code></strong></p>
+<a name="id2592480"></a><span><strong class="command">chroot</strong></span> and <span><strong class="command">setuid</strong></span>
+</h2></div></div></div>
+<p>
+ On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym> in a <span class="emphasis"><em>chrooted</em></span> environment
+ (using the <span><strong class="command">chroot()</strong></span> function) by specifying the "<code class="option">-t</code>"
+ option. This can help improve system security by placing <acronym class="acronym">BIND</acronym> in
+ a "sandbox", which will limit the damage done if a server is
+ compromised.
+ </p>
+<p>
+ Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
+ ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
+ We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature.
+ </p>
+<p>
+ Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,
+ <span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
+ user 202:
+ </p>
+<p>
+ <strong class="userinput"><code>/usr/local/bin/named -u 202 -t /var/named</code></strong>
+ </p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2592046"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
-<p>In order for a <span><strong class="command">chroot</strong></span> environment to
-work properly in a particular directory
-(for example, <code class="filename">/var/named</code>),
-you will need to set up an environment that includes everything
-<acronym class="acronym">BIND</acronym> needs to run.
-From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
-the root of the filesystem. You will need to adjust the values of options like
-like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
-for this.
-</p>
-<p>
-Unlike with earlier versions of BIND, you will typically
-<span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
-statically nor install shared libraries under the new root.
-However, depending on your operating system, you may need
-to set up things like
-<code class="filename">/dev/zero</code>,
-<code class="filename">/dev/random</code>,
-<code class="filename">/dev/log</code>, and
-<code class="filename">/etc/localtime</code>.
-</p>
+<a name="id2592625"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
+<p>
+ In order for a <span><strong class="command">chroot</strong></span> environment
+ to
+ work properly in a particular directory
+ (for example, <code class="filename">/var/named</code>),
+ you will need to set up an environment that includes everything
+ <acronym class="acronym">BIND</acronym> needs to run.
+ From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
+ the root of the filesystem. You will need to adjust the values of
+ options like
+ like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
+ for this.
+ </p>
+<p>
+ Unlike with earlier versions of BIND, you will typically
+ <span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
+ statically nor install shared libraries under the new root.
+ However, depending on your operating system, you may need
+ to set up things like
+ <code class="filename">/dev/zero</code>,
+ <code class="filename">/dev/random</code>,
+ <code class="filename">/dev/log</code>, and
+ <code class="filename">/etc/localtime</code>.
+ </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2592172"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
-<p>Prior to running the <span><strong class="command">named</strong></span> daemon, use
-the <span><strong class="command">touch</strong></span> utility (to change file access and
-modification times) or the <span><strong class="command">chown</strong></span> utility (to
-set the user id and/or group id) on files
-to which you want <acronym class="acronym">BIND</acronym>
-to write. Note that if the <span><strong class="command">named</strong></span> daemon is running as an
-unprivileged user, it will not be able to bind to new restricted ports if the
-server is reloaded.</p>
+<a name="id2592684"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
+<p>
+ Prior to running the <span><strong class="command">named</strong></span> daemon,
+ use
+ the <span><strong class="command">touch</strong></span> utility (to change file
+ access and
+ modification times) or the <span><strong class="command">chown</strong></span>
+ utility (to
+ set the user id and/or group id) on files
+ to which you want <acronym class="acronym">BIND</acronym>
+ to write.
+ </p>
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+ Note that if the <span><strong class="command">named</strong></span> daemon is running as an
+ unprivileged user, it will not be able to bind to new restricted
+ ports if the server is reloaded.
+ </div>
</div>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
-<p>Access to the dynamic
-update facility should be strictly limited. In earlier versions of
-<acronym class="acronym">BIND</acronym>, the only way to do this was based on the IP
-address of the host requesting the update, by listing an IP address or
-network prefix in the <span><strong class="command">allow-update</strong></span> zone option.
-This method is insecure since the source address of the update UDP packet
-is easily forged. Also note that if the IP addresses allowed by the
-<span><strong class="command">allow-update</strong></span> option include the address of a slave
-server which performs forwarding of dynamic updates, the master can be
-trivially attacked by sending the update to the slave, which will
-forward it to the master with its own source IP address causing the
-master to approve it without question.</p>
-<p>For these reasons, we strongly recommend that updates be
-cryptographically authenticated by means of transaction signatures
-(TSIG). That is, the <span><strong class="command">allow-update</strong></span> option should
-list only TSIG key names, not IP addresses or network
-prefixes. Alternatively, the new <span><strong class="command">update-policy</strong></span>
-option can be used.</p>
-<p>Some sites choose to keep all dynamically-updated DNS data
-in a subdomain and delegate that subdomain to a separate zone. This
-way, the top-level zone containing critical data such as the IP addresses
-of public web and mail servers need not allow dynamic update at
-all.</p>
+<p>
+ Access to the dynamic
+ update facility should be strictly limited. In earlier versions of
+ <acronym class="acronym">BIND</acronym>, the only way to do this was
+ based on the IP
+ address of the host requesting the update, by listing an IP address
+ or
+ network prefix in the <span><strong class="command">allow-update</strong></span>
+ zone option.
+ This method is insecure since the source address of the update UDP
+ packet
+ is easily forged. Also note that if the IP addresses allowed by the
+ <span><strong class="command">allow-update</strong></span> option include the
+ address of a slave
+ server which performs forwarding of dynamic updates, the master can
+ be
+ trivially attacked by sending the update to the slave, which will
+ forward it to the master with its own source IP address causing the
+ master to approve it without question.
+ </p>
+<p>
+ For these reasons, we strongly recommend that updates be
+ cryptographically authenticated by means of transaction signatures
+ (TSIG). That is, the <span><strong class="command">allow-update</strong></span>
+ option should
+ list only TSIG key names, not IP addresses or network
+ prefixes. Alternatively, the new <span><strong class="command">update-policy</strong></span>
+ option can be used.
+ </p>
+<p>
+ Some sites choose to keep all dynamically-updated DNS data
+ in a subdomain and delegate that subdomain to a separate zone. This
+ way, the top-level zone containing critical data such as the IP
+ addresses
+ of public web and mail servers need not allow dynamic update at
+ all.
+ </p>
</div>
</div>
<div class="navfooter">
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch08.html b/contrib/bind9/doc/arm/Bv9ARM.ch08.html
index 98dbbed..c2a4827 100644
--- a/contrib/bind9/doc/arm/Bv9ARM.ch08.html
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch08.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
@@ -14,12 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch08.html,v 1.50.2.9.2.33 2006/09/13 02:56:22 marka Exp $ -->
+<!-- $Id: Bv9ARM.ch08.html,v 1.75.18.53 2007/01/30 00:23:46 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter 8. Troubleshooting</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch07.html" title="Chapter 7. BIND 9 Security Considerations">
@@ -45,62 +45,77 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2592243">Common Problems</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2592248">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2592260">Incrementing and Changing the Serial Number</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2592277">Where Can I Get Help?</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2592764">Common Problems</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2592838">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2592850">Incrementing and Changing the Serial Number</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2592867">Where Can I Get Help?</a></span></dt>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2592243"></a>Common Problems</h2></div></div></div>
+<a name="id2592764"></a>Common Problems</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2592248"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
-<p>The best solution to solving installation and
- configuration issues is to take preventative measures by setting
- up logging files beforehand. The log files provide a
- source of hints and information that can be used to figure out
- what went wrong and how to fix the problem.</p>
+<a name="id2592838"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
+<p>
+ The best solution to solving installation and
+ configuration issues is to take preventative measures by setting
+ up logging files beforehand. The log files provide a
+ source of hints and information that can be used to figure out
+ what went wrong and how to fix the problem.
+ </p>
</div>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2592260"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
-<p>Zone serial numbers are just numbers-they aren't date
- related. A lot of people set them to a number that represents a
- date, usually of the form YYYYMMDDRR. A number of people have been
- testing these numbers for Y2K compliance and have set the number
- to the year 2000 to see if it will work. They then try to restore
- the old serial number. This will cause problems because serial
- numbers are used to indicate that a zone has been updated. If the
- serial number on the slave server is lower than the serial number
- on the master, the slave server will attempt to update its copy of
- the zone.</p>
-<p>Setting the serial number to a lower number on the master
- server than the slave server means that the slave will not perform
- updates to its copy of the zone.</p>
-<p>The solution to this is to add 2147483647 (2^31-1) to the
- number, reload the zone and make sure all slaves have updated to
- the new zone serial number, then reset the number to what you want
- it to be, and reload the zone again.</p>
+<a name="id2592850"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
+<p>
+ Zone serial numbers are just numbers-they aren't date
+ related. A lot of people set them to a number that represents a
+ date, usually of the form YYYYMMDDRR. A number of people have been
+ testing these numbers for Y2K compliance and have set the number
+ to the year 2000 to see if it will work. They then try to restore
+ the old serial number. This will cause problems because serial
+ numbers are used to indicate that a zone has been updated. If the
+ serial number on the slave server is lower than the serial number
+ on the master, the slave server will attempt to update its copy of
+ the zone.
+ </p>
+<p>
+ Setting the serial number to a lower number on the master
+ server than the slave server means that the slave will not perform
+ updates to its copy of the zone.
+ </p>
+<p>
+ The solution to this is to add 2147483647 (2^31-1) to the
+ number, reload the zone and make sure all slaves have updated to
+ the new zone serial number, then reset the number to what you want
+ it to be, and reload the zone again.
+ </p>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2592277"></a>Where Can I Get Help?</h2></div></div></div>
-<p>The Internet Software Consortium (<acronym class="acronym">ISC</acronym>) offers a wide range
- of support and service agreements for <acronym class="acronym">BIND</acronym> and <acronym class="acronym">DHCP</acronym> servers. Four
- levels of premium support are available and each level includes
- support for all <acronym class="acronym">ISC</acronym> programs, significant discounts on products
- and training, and a recognized priority on bug fixes and
- non-funded feature requests. In addition, <acronym class="acronym">ISC</acronym> offers a standard
- support agreement package which includes services ranging from bug
- fix announcements to remote support. It also includes training in
- <acronym class="acronym">BIND</acronym> and <acronym class="acronym">DHCP</acronym>.</p>
-<p>To discuss arrangements for support, contact
- <a href="mailto:info@isc.org" target="_top">info@isc.org</a> or visit the
- <acronym class="acronym">ISC</acronym> web page at <a href="http://www.isc.org/services/support/" target="_top">http://www.isc.org/services/support/</a>
- to read more.</p>
+<a name="id2592867"></a>Where Can I Get Help?</h2></div></div></div>
+<p>
+ The Internet Systems Consortium
+ (<acronym class="acronym">ISC</acronym>) offers a wide range
+ of support and service agreements for <acronym class="acronym">BIND</acronym> and <acronym class="acronym">DHCP</acronym> servers. Four
+ levels of premium support are available and each level includes
+ support for all <acronym class="acronym">ISC</acronym> programs,
+ significant discounts on products
+ and training, and a recognized priority on bug fixes and
+ non-funded feature requests. In addition, <acronym class="acronym">ISC</acronym> offers a standard
+ support agreement package which includes services ranging from bug
+ fix announcements to remote support. It also includes training in
+ <acronym class="acronym">BIND</acronym> and <acronym class="acronym">DHCP</acronym>.
+ </p>
+<p>
+ To discuss arrangements for support, contact
+ <a href="mailto:info@isc.org" target="_top">info@isc.org</a> or visit the
+ <acronym class="acronym">ISC</acronym> web page at
+ <a href="http://www.isc.org/services/support/" target="_top">http://www.isc.org/services/support/</a>
+ to read more.
+ </p>
</div>
</div>
<div class="navfooter">
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch09.html b/contrib/bind9/doc/arm/Bv9ARM.ch09.html
index ccf9ee1..e8bbea8 100644
--- a/contrib/bind9/doc/arm/Bv9ARM.ch09.html
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch09.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
@@ -14,15 +14,16 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch09.html,v 1.50.2.9.2.35 2006/11/15 04:33:42 marka Exp $ -->
+<!-- $Id: Bv9ARM.ch09.html,v 1.75.18.56 2007/01/30 00:23:46 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Appendix A. Appendices</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter 8. Troubleshooting">
+<link rel="next" href="Bv9ARM.ch10.html" title="Manual pages">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
@@ -32,7 +33,8 @@
<td width="20%" align="left">
<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a> </td>
<th width="60%" align="center"> </th>
-<td width="20%" align="right"> </td>
+<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
+</td>
</tr>
</table>
<hr>
@@ -43,205 +45,167 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2592339">Acknowledgments</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2592344">A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#historical_dns_information">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2592997">Acknowledgments</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#historical_dns_information">A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2593159">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#rfcs">Request for Comments (RFCs)</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#internet_drafts">Internet Drafts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2594702">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2596326">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
</dl></dd>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2592339"></a>Acknowledgments</h2></div></div></div>
+<a name="id2592997"></a>Acknowledgments</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2592344"></a>A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></h3></div></div></div>
-<p>Although the "official" beginning of the Domain Name
- System occurred in 1984 with the publication of RFC 920, the
- core of the new system was described in 1983 in RFCs 882 and
- 883. From 1984 to 1987, the ARPAnet (the precursor to today's
- Internet) became a testbed of experimentation for developing the
- new naming/addressing scheme in a rapidly expanding,
- operational network environment. New RFCs were written and
- published in 1987 that modified the original documents to
- incorporate improvements based on the working model. RFC 1034,
- "Domain Names-Concepts and Facilities", and RFC 1035, "Domain
- Names-Implementation and Specification" were published and
- became the standards upon which all <acronym class="acronym">DNS</acronym> implementations are
- built.
-</p>
-<p>The first working domain name server, called "Jeeves", was
-written in 1983-84 by Paul Mockapetris for operation on DEC Tops-20
-machines located at the University of Southern California's Information
-Sciences Institute (USC-ISI) and SRI International's Network Information
-Center (SRI-NIC). A <acronym class="acronym">DNS</acronym> server for Unix machines, the Berkeley Internet
-Name Domain (<acronym class="acronym">BIND</acronym>) package, was written soon after by a group of
-graduate students at the University of California at Berkeley under
-a grant from the US Defense Advanced Research Projects Administration
-(DARPA).
-</p>
+<a name="historical_dns_information"></a>A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
+</h3></div></div></div>
<p>
-Versions of <acronym class="acronym">BIND</acronym> through 4.8.3 were maintained by the Computer
-Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
-Painter, David Riggle and Songnian Zhou made up the initial <acronym class="acronym">BIND</acronym>
-project team. After that, additional work on the software package
-was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment Corporation
-employee on loan to the CSRG, worked on <acronym class="acronym">BIND</acronym> for 2 years, from 1985
-to 1987. Many other people also contributed to <acronym class="acronym">BIND</acronym> development
-during that time: Doug Kingston, Craig Partridge, Smoot Carl-Mitchell,
-Mike Muuss, Jim Bloom and Mike Schwartz. <acronym class="acronym">BIND</acronym> maintenance was subsequently
-handled by Mike Karels and O. Kure.</p>
-<p><acronym class="acronym">BIND</acronym> versions 4.9 and 4.9.1 were released by Digital Equipment
-Corporation (now Compaq Computer Corporation). Paul Vixie, then
-a DEC employee, became <acronym class="acronym">BIND</acronym>'s primary caretaker. He was assisted
-by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan Beecher, Andrew
-Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
-Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
-Wolfhugel, and others.</p>
-<p><acronym class="acronym">BIND</acronym> version 4.9.2 was sponsored by Vixie Enterprises. Paul
-Vixie became <acronym class="acronym">BIND</acronym>'s principal architect/programmer.</p>
-<p><acronym class="acronym">BIND</acronym> versions from 4.9.3 onward have been developed and maintained
-by the Internet Software Consortium with support being provided
-by ISC's sponsors. As co-architects/programmers, Bob Halley and
-Paul Vixie released the first production-ready version of <acronym class="acronym">BIND</acronym> version
-8 in May 1997.</p>
-<p><acronym class="acronym">BIND</acronym> development work is made possible today by the sponsorship
-of several corporations, and by the tireless work efforts of numerous
-individuals.</p>
+ Although the "official" beginning of the Domain Name
+ System occurred in 1984 with the publication of RFC 920, the
+ core of the new system was described in 1983 in RFCs 882 and
+ 883. From 1984 to 1987, the ARPAnet (the precursor to today's
+ Internet) became a testbed of experimentation for developing the
+ new naming/addressing scheme in a rapidly expanding,
+ operational network environment. New RFCs were written and
+ published in 1987 that modified the original documents to
+ incorporate improvements based on the working model. RFC 1034,
+ "Domain Names-Concepts and Facilities", and RFC 1035, "Domain
+ Names-Implementation and Specification" were published and
+ became the standards upon which all <acronym class="acronym">DNS</acronym> implementations are
+ built.
+ </p>
+<p>
+ The first working domain name server, called "Jeeves", was
+ written in 1983-84 by Paul Mockapetris for operation on DEC
+ Tops-20
+ machines located at the University of Southern California's
+ Information
+ Sciences Institute (USC-ISI) and SRI International's Network
+ Information
+ Center (SRI-NIC). A <acronym class="acronym">DNS</acronym> server for
+ Unix machines, the Berkeley Internet
+ Name Domain (<acronym class="acronym">BIND</acronym>) package, was
+ written soon after by a group of
+ graduate students at the University of California at Berkeley
+ under
+ a grant from the US Defense Advanced Research Projects
+ Administration
+ (DARPA).
+ </p>
+<p>
+ Versions of <acronym class="acronym">BIND</acronym> through
+ 4.8.3 were maintained by the Computer
+ Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
+ Painter, David Riggle and Songnian Zhou made up the initial <acronym class="acronym">BIND</acronym>
+ project team. After that, additional work on the software package
+ was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment
+ Corporation
+ employee on loan to the CSRG, worked on <acronym class="acronym">BIND</acronym> for 2 years, from 1985
+ to 1987. Many other people also contributed to <acronym class="acronym">BIND</acronym> development
+ during that time: Doug Kingston, Craig Partridge, Smoot
+ Carl-Mitchell,
+ Mike Muuss, Jim Bloom and Mike Schwartz. <acronym class="acronym">BIND</acronym> maintenance was subsequently
+ handled by Mike Karels and O. Kure.
+ </p>
+<p>
+ <acronym class="acronym">BIND</acronym> versions 4.9 and 4.9.1 were
+ released by Digital Equipment
+ Corporation (now Compaq Computer Corporation). Paul Vixie, then
+ a DEC employee, became <acronym class="acronym">BIND</acronym>'s
+ primary caretaker. He was assisted
+ by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan
+ Beecher, Andrew
+ Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
+ Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
+ Wolfhugel, and others.
+ </p>
+<p>
+ <acronym class="acronym">BIND</acronym> version 4.9.2 was sponsored by
+ Vixie Enterprises. Paul
+ Vixie became <acronym class="acronym">BIND</acronym>'s principal
+ architect/programmer.
+ </p>
+<p>
+ <acronym class="acronym">BIND</acronym> versions from 4.9.3 onward
+ have been developed and maintained
+ by the Internet Systems Consortium and its predecessor,
+ the Internet Software Consortium, with support being provided
+ by ISC's sponsors. As co-architects/programmers, Bob Halley and
+ Paul Vixie released the first production-ready version of
+ <acronym class="acronym">BIND</acronym> version 8 in May 1997.
+ </p>
+<p>
+ <acronym class="acronym">BIND</acronym> development work is made
+ possible today by the sponsorship
+ of several corporations, and by the tireless work efforts of
+ numerous individuals.
+ </p>
</div>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="historical_dns_information"></a>General <acronym class="acronym">DNS</acronym> Reference Information</h2></div></div></div>
+<a name="id2593159"></a>General <acronym class="acronym">DNS</acronym> Reference Information</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="ipv6addresses"></a>IPv6 addresses (AAAA)</h3></div></div></div>
-<p>IPv6 addresses are 128-bit identifiers for interfaces and
-sets of interfaces which were introduced in the <acronym class="acronym">DNS</acronym> to facilitate
-scalable Internet routing. There are three types of addresses: <span class="emphasis"><em>Unicast</em></span>,
-an identifier for a single interface; <span class="emphasis"><em>Anycast</em></span>,
-an identifier for a set of interfaces; and <span class="emphasis"><em>Multicast</em></span>,
-an identifier for a set of interfaces. Here we describe the global
-Unicast address scheme. For more information, see RFC 2374.</p>
-<p>The aggregatable global Unicast address format is as follows:</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-<col>
-<col>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p>3</p></td>
-<td><p>13</p></td>
-<td><p>8</p></td>
-<td><p>24</p></td>
-<td><p>16</p></td>
-<td><p>64 bits</p></td>
-</tr>
-<tr>
-<td><p>FP</p></td>
-<td><p>TLA ID</p></td>
-<td><p>RES</p></td>
-<td><p>NLA ID</p></td>
-<td><p>SLA ID</p></td>
-<td><p>Interface ID</p></td>
-</tr>
-<tr>
-<td colspan="4"><p>&lt;------ Public Topology
-------&gt;</p></td>
-<td><p></p></td>
-<td><p></p></td>
-</tr>
-<tr>
-<td><p></p></td>
-<td><p></p></td>
-<td><p></p></td>
-<td><p></p></td>
-<td><p>&lt;-Site Topology-&gt;</p></td>
-<td><p></p></td>
-</tr>
-<tr>
-<td><p></p></td>
-<td><p></p></td>
-<td><p></p></td>
-<td><p></p></td>
-<td><p></p></td>
-<td><p>&lt;------ Interface Identifier ------&gt;</p></td>
-</tr>
-</tbody>
-</table></div>
-<p>Where
-</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p>FP</p></td>
-<td><p>=</p></td>
-<td><p>Format Prefix (001)</p></td>
-</tr>
-<tr>
-<td><p>TLA ID</p></td>
-<td><p>=</p></td>
-<td><p>Top-Level Aggregation Identifier</p></td>
-</tr>
-<tr>
-<td><p>RES</p></td>
-<td><p>=</p></td>
-<td><p>Reserved for future use</p></td>
-</tr>
-<tr>
-<td><p>NLA ID</p></td>
-<td><p>=</p></td>
-<td><p>Next-Level Aggregation Identifier</p></td>
-</tr>
-<tr>
-<td><p>SLA ID</p></td>
-<td><p>=</p></td>
-<td><p>Site-Level Aggregation Identifier</p></td>
-</tr>
-<tr>
-<td><p>INTERFACE ID</p></td>
-<td><p>=</p></td>
-<td><p>Interface Identifier</p></td>
-</tr>
-</tbody>
-</table></div>
-<p>The <span class="emphasis"><em>Public Topology</em></span> is provided by the
-upstream provider or ISP, and (roughly) corresponds to the IPv4 <span class="emphasis"><em>network</em></span> section
-of the address range. The <span class="emphasis"><em>Site Topology</em></span> is
-where you can subnet this space, much the same as subnetting an
-IPv4 /16 network into /24 subnets. The <span class="emphasis"><em>Interface Identifier</em></span> is
-the address of an individual interface on a given network. (With
-IPv6, addresses belong to interfaces rather than machines.)</p>
-<p>The subnetting capability of IPv6 is much more flexible than
-that of IPv4: subnetting can now be carried out on bit boundaries,
-in much the same way as Classless InterDomain Routing (CIDR).</p>
-<p>The Interface Identifier must be unique on that network. On
-ethernet networks, one way to ensure this is to set the address
-to the first three bytes of the hardware address, "FFFE", then the
-last three bytes of the hardware address. The lowest significant
-bit of the first byte should then be complemented. Addresses are
-written as 32-bit blocks separated with a colon, and leading zeros
-of a block may be omitted, for example:</p>
-<p><span><strong class="command">2001:db8:201:9:a00:20ff:fe81:2b32</strong></span></p>
-<p>IPv6 address specifications are likely to contain long strings
-of zeros, so the architects have included a shorthand for specifying
-them. The double colon (`::') indicates the longest possible string
-of zeros that can fit, and can be used only once in an address.</p>
+<p>
+ IPv6 addresses are 128-bit identifiers for interfaces and
+ sets of interfaces which were introduced in the <acronym class="acronym">DNS</acronym> to facilitate
+ scalable Internet routing. There are three types of addresses: <span class="emphasis"><em>Unicast</em></span>,
+ an identifier for a single interface;
+ <span class="emphasis"><em>Anycast</em></span>,
+ an identifier for a set of interfaces; and <span class="emphasis"><em>Multicast</em></span>,
+ an identifier for a set of interfaces. Here we describe the global
+ Unicast address scheme. For more information, see RFC 3587.
+ </p>
+<p>
+ IPv6 unicast addresses consist of a
+ <span class="emphasis"><em>global routing prefix</em></span>, a
+ <span class="emphasis"><em>subnet identifier</em></span>, and an
+ <span class="emphasis"><em>interface identifier</em></span>.
+ </p>
+<p>
+ The global routing prefix is provided by the
+ upstream provider or ISP, and (roughly) corresponds to the
+ IPv4 <span class="emphasis"><em>network</em></span> section
+ of the address range.
+
+ The subnet identifier is for local subnetting, much the
+ same as subnetting an
+ IPv4 /16 network into /24 subnets.
+
+ The interface identifier is the address of an individual
+ interface on a given network; in IPv6, addresses belong to
+ interfaces rather than to machines.
+ </p>
+<p>
+ The subnetting capability of IPv6 is much more flexible than
+ that of IPv4: subnetting can be carried out on bit boundaries,
+ in much the same way as Classless InterDomain Routing
+ (CIDR), and the DNS PTR representation ("nibble" format)
+ makes setting up reverse zones easier.
+ </p>
+<p>
+ The Interface Identifier must be unique on the local link,
+ and is usually generated automatically by the IPv6
+ implementation, although it is usually possible to
+ override the default setting if necessary. A typical IPv6
+ address might look like:
+ <span><strong class="command">2001:db8:201:9:a00:20ff:fe81:2b32</strong></span>
+ </p>
+<p>
+ IPv6 address specifications often contain long strings
+ of zeros, so the architects have included a shorthand for
+ specifying
+ them. The double colon (`::') indicates the longest possible
+ string
+ of zeros that can fit, and can be used only once in an address.
+ </p>
</div>
</div>
<div class="sect1" lang="en">
@@ -250,173 +214,355 @@ of zeros that can fit, and can be used only once in an address.</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="rfcs"></a>Request for Comments (RFCs)</h3></div></div></div>
-<p>Specification documents for the Internet protocol suite, including
-the <acronym class="acronym">DNS</acronym>, are published as part of the Request for Comments (RFCs)
-series of technical notes. The standards themselves are defined
-by the Internet Engineering Task Force (IETF) and the Internet Engineering
-Steering Group (IESG). RFCs can be obtained online via FTP at
-<a href="ftp://www.isi.edu/in-notes/" target="_top">ftp://www.isi.edu/in-notes/RFC<em class="replaceable"><code>xxx</code></em>.txt</a> (where <em class="replaceable"><code>xxx</code></em> is
-the number of the RFC). RFCs are also available via the Web at
-<a href="http://www.ietf.org/rfc/" target="_top">http://www.ietf.org/rfc/</a>.
-</p>
+<p>
+ Specification documents for the Internet protocol suite, including
+ the <acronym class="acronym">DNS</acronym>, are published as part of
+ the Request for Comments (RFCs)
+ series of technical notes. The standards themselves are defined
+ by the Internet Engineering Task Force (IETF) and the Internet
+ Engineering Steering Group (IESG). RFCs can be obtained online via FTP at:
+ </p>
+<p>
+ <a href="ftp://www.isi.edu/in-notes/" target="_top">
+ ftp://www.isi.edu/in-notes/RFC<em class="replaceable"><code>xxxx</code></em>.txt
+ </a>
+ </p>
+<p>
+ (where <em class="replaceable"><code>xxxx</code></em> is
+ the number of the RFC). RFCs are also available via the Web at:
+ </p>
+<p>
+ <a href="http://www.ietf.org/rfc/" target="_top">http://www.ietf.org/rfc/</a>.
+ </p>
<div class="bibliography">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2593259"></a>Bibliography</h4></div></div></div>
+<a name="id2593347"></a>Bibliography</h4></div></div></div>
<div class="bibliodiv">
<h3 class="title">Standards</h3>
<div class="biblioentry">
-<a name="id2593270"></a><p>[<abbr class="abbrev">RFC974</abbr>] <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span><span class="title"><i>Mail Routing and the Domain System</i>. </span><span class="pubdate">January 1986. </span></p>
+<a name="id2593357"></a><p>[<abbr class="abbrev">RFC974</abbr>] <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span><span class="title"><i>Mail Routing and the Domain System</i>. </span><span class="pubdate">January 1986. </span></p>
</div>
<div class="biblioentry">
-<a name="id2593293"></a><p>[<abbr class="abbrev">RFC1034</abbr>] <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Concepts and Facilities</i>. </span><span class="pubdate">November 1987. </span></p>
+<a name="id2593381"></a><p>[<abbr class="abbrev">RFC1034</abbr>] <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Concepts and Facilities</i>. </span><span class="pubdate">November 1987. </span></p>
</div>
<div class="biblioentry">
-<a name="id2593317"></a><p>[<abbr class="abbrev">RFC1035</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Implementation and
-Specification</i>. </span><span class="pubdate">November 1987. </span></p>
+<a name="id2593404"></a><p>[<abbr class="abbrev">RFC1035</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Implementation and
+ Specification</i>. </span><span class="pubdate">November 1987. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">
<a name="proposed_standards"></a>Proposed Standards</h3>
<div class="biblioentry">
-<a name="id2593354"></a><p>[<abbr class="abbrev">RFC2181</abbr>] <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span><span class="title"><i>Clarifications to the <acronym class="acronym">DNS</acronym> Specification</i>. </span><span class="pubdate">July 1997. </span></p>
+<a name="id2593441"></a><p>[<abbr class="abbrev">RFC2181</abbr>] <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span><span class="title"><i>Clarifications to the <acronym class="acronym">DNS</acronym>
+ Specification</i>. </span><span class="pubdate">July 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2593380"></a><p>[<abbr class="abbrev">RFC2308</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span><span class="title"><i>Negative Caching of <acronym class="acronym">DNS</acronym> Queries</i>. </span><span class="pubdate">March 1998. </span></p>
+<a name="id2593467"></a><p>[<abbr class="abbrev">RFC2308</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span><span class="title"><i>Negative Caching of <acronym class="acronym">DNS</acronym>
+ Queries</i>. </span><span class="pubdate">March 1998. </span></p>
</div>
<div class="biblioentry">
-<a name="id2593405"></a><p>[<abbr class="abbrev">RFC1995</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span><span class="title"><i>Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">August 1996. </span></p>
+<a name="id2593493"></a><p>[<abbr class="abbrev">RFC1995</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span><span class="title"><i>Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">August 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2593430"></a><p>[<abbr class="abbrev">RFC1996</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A Mechanism for Prompt Notification of Zone Changes</i>. </span><span class="pubdate">August 1996. </span></p>
+<a name="id2593517"></a><p>[<abbr class="abbrev">RFC1996</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A Mechanism for Prompt Notification of Zone Changes</i>. </span><span class="pubdate">August 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2593522"></a><p>[<abbr class="abbrev">RFC2136</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span><span class="title"><i>Dynamic Updates in the Domain Name System</i>. </span><span class="pubdate">April 1997. </span></p>
+<a name="id2593541"></a><p>[<abbr class="abbrev">RFC2136</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span><span class="title"><i>Dynamic Updates in the Domain Name System</i>. </span><span class="pubdate">April 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2593577"></a><p>[<abbr class="abbrev">RFC2845</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</i>. </span><span class="pubdate">May 2000. </span></p>
+<a name="id2593596"></a><p>[<abbr class="abbrev">RFC2671</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Extension Mechanisms for DNS (EDNS0)</i>. </span><span class="pubdate">August 1997. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2593623"></a><p>[<abbr class="abbrev">RFC2672</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Non-Terminal DNS Name Redirection</i>. </span><span class="pubdate">August 1999. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2593650"></a><p>[<abbr class="abbrev">RFC2845</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</i>. </span><span class="pubdate">May 2000. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2593712"></a><p>[<abbr class="abbrev">RFC2930</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secret Key Establishment for DNS (TKEY RR)</i>. </span><span class="pubdate">September 2000. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2593741"></a><p>[<abbr class="abbrev">RFC2931</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DNS Request and Transaction Signatures (SIG(0)s)</i>. </span><span class="pubdate">September 2000. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2593771"></a><p>[<abbr class="abbrev">RFC3007</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secure Domain Name System (DNS) Dynamic Update</i>. </span><span class="pubdate">November 2000. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2593798"></a><p>[<abbr class="abbrev">RFC3645</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Kwan</span>, <span class="firstname">P.</span> <span class="surname">Garg</span>, <span class="firstname">J.</span> <span class="surname">Gilroy</span>, <span class="firstname">L.</span> <span class="surname">Esibov</span>, <span class="firstname">J.</span> <span class="surname">Westhead</span>, and <span class="firstname">R.</span> <span class="surname">Hall</span>. </span><span class="title"><i>Generic Security Service Algorithm for Secret
+ Key Transaction Authentication for DNS
+ (GSS-TSIG)</i>. </span><span class="pubdate">October 2003. </span></p>
</div>
</div>
<div class="bibliodiv">
-<h3 class="title">Proposed Standards Still Under Development</h3>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p><span class="emphasis"><em>Note:</em></span> the following list of
-RFCs are undergoing major revision by the IETF.</p>
+<h3 class="title">
+<acronym class="acronym">DNS</acronym> Security Proposed Standards</h3>
+<div class="biblioentry">
+<a name="id2593880"></a><p>[<abbr class="abbrev">RFC3225</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Conrad</span>. </span><span class="title"><i>Indicating Resolver Support of DNSSEC</i>. </span><span class="pubdate">December 2001. </span></p>
</div>
<div class="biblioentry">
-<a name="id2593653"></a><p>[<abbr class="abbrev">RFC1886</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Extensions to support IP version 6</i>. </span><span class="pubdate">December 1995. </span></p>
+<a name="id2593907"></a><p>[<abbr class="abbrev">RFC3833</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Atkins</span> and <span class="firstname">R.</span> <span class="surname">Austein</span>. </span><span class="title"><i>Threat Analysis of the Domain Name System (DNS)</i>. </span><span class="pubdate">August 2004. </span></p>
</div>
<div class="biblioentry">
-<a name="id2593691"></a><p>[<abbr class="abbrev">RFC2065</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">January 1997. </span></p>
+<a name="id2593943"></a><p>[<abbr class="abbrev">RFC4033</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>DNS Security Introduction and Requirements</i>. </span><span class="pubdate">March 2005. </span></p>
</div>
<div class="biblioentry">
-<a name="id2593731"></a><p>[<abbr class="abbrev">RFC2137</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secure Domain Name System Dynamic Update</i>. </span><span class="pubdate">April 1997. </span></p>
+<a name="id2594008"></a><p>[<abbr class="abbrev">RFC4044</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Resource Records for the DNS Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2594073"></a><p>[<abbr class="abbrev">RFC4035</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Protocol Modifications for the DNS
+ Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
</div>
</div>
<div class="bibliodiv">
-<h3 class="title">Other Important RFCs About <acronym class="acronym">DNS</acronym> Implementation</h3>
+<h3 class="title">Other Important RFCs About <acronym class="acronym">DNS</acronym>
+ Implementation</h3>
<div class="biblioentry">
-<a name="id2593767"></a><p>[<abbr class="abbrev">RFC1535</abbr>] <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span><span class="title"><i>A Security Problem and Proposed Correction With Widely Deployed <acronym class="acronym">DNS</acronym> Software.</i>. </span><span class="pubdate">October 1993. </span></p>
+<a name="id2594147"></a><p>[<abbr class="abbrev">RFC1535</abbr>] <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span><span class="title"><i>A Security Problem and Proposed Correction With Widely
+ Deployed <acronym class="acronym">DNS</acronym> Software.</i>. </span><span class="pubdate">October 1993. </span></p>
</div>
<div class="biblioentry">
-<a name="id2593793"></a><p>[<abbr class="abbrev">RFC1536</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Implementation Errors and Suggested Fixes</i>. </span><span class="pubdate">October 1993. </span></p>
+<a name="id2594172"></a><p>[<abbr class="abbrev">RFC1536</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Implementation
+ Errors and Suggested Fixes</i>. </span><span class="pubdate">October 1993. </span></p>
</div>
<div class="biblioentry">
-<a name="id2593860"></a><p>[<abbr class="abbrev">RFC1982</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span><span class="title"><i>Serial Number Arithmetic</i>. </span><span class="pubdate">August 1996. </span></p>
+<a name="id2594241"></a><p>[<abbr class="abbrev">RFC1982</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span><span class="title"><i>Serial Number Arithmetic</i>. </span><span class="pubdate">August 1996. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2594276"></a><p>[<abbr class="abbrev">RFC4074</abbr>] <span class="authorgroup"><span class="firstname">Y.</span> <span class="surname">Morishita</span> and <span class="firstname">T.</span> <span class="surname">Jinmei</span>. </span><span class="title"><i>Common Misbehaviour Against <acronym class="acronym">DNS</acronym>
+ Queries for IPv6 Addresses</i>. </span><span class="pubdate">May 2005. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">Resource Record Types</h3>
<div class="biblioentry">
-<a name="id2593901"></a><p>[<abbr class="abbrev">RFC1183</abbr>] <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>New <acronym class="acronym">DNS</acronym> RR Definitions</i>. </span><span class="pubdate">October 1990. </span></p>
+<a name="id2594322"></a><p>[<abbr class="abbrev">RFC1183</abbr>] <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>New <acronym class="acronym">DNS</acronym> RR Definitions</i>. </span><span class="pubdate">October 1990. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2594448"></a><p>[<abbr class="abbrev">RFC1706</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> NSAP Resource Records</i>. </span><span class="pubdate">October 1994. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2594485"></a><p>[<abbr class="abbrev">RFC2168</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="title"><i>Resolution of Uniform Resource Identifiers using
+ the Domain Name System</i>. </span><span class="pubdate">June 1997. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2594520"></a><p>[<abbr class="abbrev">RFC1876</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span><span class="title"><i>A Means for Expressing Location Information in the
+ Domain
+ Name System</i>. </span><span class="pubdate">January 1996. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2594574"></a><p>[<abbr class="abbrev">RFC2052</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A <acronym class="acronym">DNS</acronym> RR for Specifying the
+ Location of
+ Services.</i>. </span><span class="pubdate">October 1996. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2594613"></a><p>[<abbr class="abbrev">RFC2163</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span><span class="title"><i>Using the Internet <acronym class="acronym">DNS</acronym> to
+ Distribute MIXER
+ Conformant Global Address Mapping</i>. </span><span class="pubdate">January 1998. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2594638"></a><p>[<abbr class="abbrev">RFC2230</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span><span class="title"><i>Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">October 1997. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2594664"></a><p>[<abbr class="abbrev">RFC2536</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DSA KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2594691"></a><p>[<abbr class="abbrev">RFC2537</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2594717"></a><p>[<abbr class="abbrev">RFC2538</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Storing Certificates in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2594757"></a><p>[<abbr class="abbrev">RFC2539</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2593959"></a><p>[<abbr class="abbrev">RFC1706</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> NSAP Resource Records</i>. </span><span class="pubdate">October 1994. </span></p>
+<a name="id2594787"></a><p>[<abbr class="abbrev">RFC2540</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Detached Domain Name System (DNS) Information</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2593996"></a><p>[<abbr class="abbrev">RFC2168</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="title"><i>Resolution of Uniform Resource Identifiers using
-the Domain Name System</i>. </span><span class="pubdate">June 1997. </span></p>
+<a name="id2594817"></a><p>[<abbr class="abbrev">RFC2782</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span>. </span><span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="author"><span class="firstname">L.</span> <span class="surname">Esibov</span>. </span><span class="title"><i>A DNS RR for specifying the location of services (DNS SRV)</i>. </span><span class="pubdate">February 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594032"></a><p>[<abbr class="abbrev">RFC1876</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span><span class="title"><i>A Means for Expressing Location Information in the Domain
-Name System</i>. </span><span class="pubdate">January 1996. </span></p>
+<a name="id2594859"></a><p>[<abbr class="abbrev">RFC2915</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="author"><span class="firstname">R.</span> <span class="surname">Daniel</span>. </span><span class="title"><i>The Naming Authority Pointer (NAPTR) DNS Resource Record</i>. </span><span class="pubdate">September 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594086"></a><p>[<abbr class="abbrev">RFC2052</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A <acronym class="acronym">DNS</acronym> RR for Specifying the Location of
-Services.</i>. </span><span class="pubdate">October 1996. </span></p>
+<a name="id2594892"></a><p>[<abbr class="abbrev">RFC3110</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</i>. </span><span class="pubdate">May 2001. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594125"></a><p>[<abbr class="abbrev">RFC2163</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span><span class="title"><i>Using the Internet <acronym class="acronym">DNS</acronym> to Distribute MIXER
-Conformant Global Address Mapping</i>. </span><span class="pubdate">January 1998. </span></p>
+<a name="id2594919"></a><p>[<abbr class="abbrev">RFC3123</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Koch</span>. </span><span class="title"><i>A DNS RR Type for Lists of Address Prefixes (APL RR)</i>. </span><span class="pubdate">June 2001. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594152"></a><p>[<abbr class="abbrev">RFC2230</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span><span class="title"><i>Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">October 1997. </span></p>
+<a name="id2594942"></a><p>[<abbr class="abbrev">RFC3596</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">C.</span> <span class="surname">Huitema</span>, <span class="firstname">V.</span> <span class="surname">Ksinant</span>, and <span class="firstname">M.</span> <span class="surname">Souissi</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Extensions to support IP
+ version 6</i>. </span><span class="pubdate">October 2003. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2595000"></a><p>[<abbr class="abbrev">RFC3597</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gustafsson</span>. </span><span class="title"><i>Handling of Unknown DNS Resource Record (RR) Types</i>. </span><span class="pubdate">September 2003. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">
<acronym class="acronym">DNS</acronym> and the Internet</h3>
<div class="biblioentry">
-<a name="id2594186"></a><p>[<abbr class="abbrev">RFC1101</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Network Names and Other Types</i>. </span><span class="pubdate">April 1989. </span></p>
+<a name="id2595032"></a><p>[<abbr class="abbrev">RFC1101</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Network Names
+ and Other Types</i>. </span><span class="pubdate">April 1989. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594212"></a><p>[<abbr class="abbrev">RFC1123</abbr>] <span class="author"><span class="surname">Braden</span>. </span><span class="title"><i>Requirements for Internet Hosts - Application and Support</i>. </span><span class="pubdate">October 1989. </span></p>
+<a name="id2595058"></a><p>[<abbr class="abbrev">RFC1123</abbr>] <span class="author"><span class="surname">Braden</span>. </span><span class="title"><i>Requirements for Internet Hosts - Application and
+ Support</i>. </span><span class="pubdate">October 1989. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594235"></a><p>[<abbr class="abbrev">RFC1591</abbr>] <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span><span class="title"><i>Domain Name System Structure and Delegation</i>. </span><span class="pubdate">March 1994. </span></p>
+<a name="id2595080"></a><p>[<abbr class="abbrev">RFC1591</abbr>] <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span><span class="title"><i>Domain Name System Structure and Delegation</i>. </span><span class="pubdate">March 1994. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594257"></a><p>[<abbr class="abbrev">RFC2317</abbr>] <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Classless IN-ADDR.ARPA Delegation</i>. </span><span class="pubdate">March 1998. </span></p>
+<a name="id2595104"></a><p>[<abbr class="abbrev">RFC2317</abbr>] <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Classless IN-ADDR.ARPA Delegation</i>. </span><span class="pubdate">March 1998. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2595149"></a><p>[<abbr class="abbrev">RFC2826</abbr>] <span class="authorgroup"><span class="surname">Internet Architecture Board</span>. </span><span class="title"><i>IAB Technical Comment on the Unique DNS Root</i>. </span><span class="pubdate">May 2000. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2595173"></a><p>[<abbr class="abbrev">RFC2929</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, <span class="firstname">E.</span> <span class="surname">Brunner-Williams</span>, and <span class="firstname">B.</span> <span class="surname">Manning</span>. </span><span class="title"><i>Domain Name System (DNS) IANA Considerations</i>. </span><span class="pubdate">September 2000. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">
<acronym class="acronym">DNS</acronym> Operations</h3>
<div class="biblioentry">
-<a name="id2594311"></a><p>[<abbr class="abbrev">RFC1537</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Data File Configuration Errors</i>. </span><span class="pubdate">October 1993. </span></p>
+<a name="id2595230"></a><p>[<abbr class="abbrev">RFC1033</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Lottor</span>. </span><span class="title"><i>Domain administrators operations guide.</i>. </span><span class="pubdate">November 1987. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2595254"></a><p>[<abbr class="abbrev">RFC1537</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Data File
+ Configuration Errors</i>. </span><span class="pubdate">October 1993. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594337"></a><p>[<abbr class="abbrev">RFC1912</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Operational and Configuration Errors</i>. </span><span class="pubdate">February 1996. </span></p>
+<a name="id2595281"></a><p>[<abbr class="abbrev">RFC1912</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Operational and
+ Configuration Errors</i>. </span><span class="pubdate">February 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594363"></a><p>[<abbr class="abbrev">RFC2010</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Operational Criteria for Root Name Servers.</i>. </span><span class="pubdate">October 1996. </span></p>
+<a name="id2595307"></a><p>[<abbr class="abbrev">RFC2010</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Operational Criteria for Root Name Servers.</i>. </span><span class="pubdate">October 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594400"></a><p>[<abbr class="abbrev">RFC2219</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span><span class="title"><i>Use of <acronym class="acronym">DNS</acronym> Aliases for Network Services.</i>. </span><span class="pubdate">October 1997. </span></p>
+<a name="id2595344"></a><p>[<abbr class="abbrev">RFC2219</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span><span class="title"><i>Use of <acronym class="acronym">DNS</acronym> Aliases for
+ Network Services.</i>. </span><span class="pubdate">October 1997. </span></p>
+</div>
+</div>
+<div class="bibliodiv">
+<h3 class="title">Internationalized Domain Names</h3>
+<div class="biblioentry">
+<a name="id2595389"></a><p>[<abbr class="abbrev">RFC2825</abbr>] <span class="authorgroup"><span class="surname">IAB</span> and <span class="firstname">R.</span> <span class="surname">Daigle</span>. </span><span class="title"><i>A Tangled Web: Issues of I18N, Domain Names,
+ and the Other Internet protocols</i>. </span><span class="pubdate">May 2000. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2595421"></a><p>[<abbr class="abbrev">RFC3490</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Faltstrom</span>, <span class="firstname">P.</span> <span class="surname">Hoffman</span>, and <span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Internationalizing Domain Names in Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2595467"></a><p>[<abbr class="abbrev">RFC3491</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Hoffman</span> and <span class="firstname">M.</span> <span class="surname">Blanchet</span>. </span><span class="title"><i>Nameprep: A Stringprep Profile for Internationalized Domain Names</i>. </span><span class="pubdate">March 2003. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2595502"></a><p>[<abbr class="abbrev">RFC3492</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Punycode: A Bootstring encoding of Unicode
+ for Internationalized Domain Names in
+ Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">Other <acronym class="acronym">DNS</acronym>-related RFCs</h3>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
-<p>Note: the following list of RFCs, although
-<acronym class="acronym">DNS</acronym>-related, are not concerned with implementing software.</p>
+<p>
+ Note: the following list of RFCs, although
+ <acronym class="acronym">DNS</acronym>-related, are not
+ concerned with implementing software.
+ </p>
+</div>
+<div class="biblioentry">
+<a name="id2595547"></a><p>[<abbr class="abbrev">RFC1464</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span><span class="title"><i>Using the Domain Name System To Store Arbitrary String
+ Attributes</i>. </span><span class="pubdate">May 1993. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2595570"></a><p>[<abbr class="abbrev">RFC1713</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span><span class="title"><i>Tools for <acronym class="acronym">DNS</acronym> Debugging</i>. </span><span class="pubdate">November 1994. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2595595"></a><p>[<abbr class="abbrev">RFC1794</abbr>] <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Support for Load
+ Balancing</i>. </span><span class="pubdate">April 1995. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594459"></a><p>[<abbr class="abbrev">RFC1464</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span><span class="title"><i>Using the Domain Name System To Store Arbitrary String Attributes</i>. </span><span class="pubdate">May 1993. </span></p>
+<a name="id2595621"></a><p>[<abbr class="abbrev">RFC2240</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Legal Basis for Domain Name Allocation</i>. </span><span class="pubdate">November 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594482"></a><p>[<abbr class="abbrev">RFC1713</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span><span class="title"><i>Tools for <acronym class="acronym">DNS</acronym> Debugging</i>. </span><span class="pubdate">November 1994. </span></p>
+<a name="id2595644"></a><p>[<abbr class="abbrev">RFC2345</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span><span class="title"><i>Domain Names and Company Name Retrieval</i>. </span><span class="pubdate">May 1998. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594506"></a><p>[<abbr class="abbrev">RFC1794</abbr>] <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Support for Load Balancing</i>. </span><span class="pubdate">April 1995. </span></p>
+<a name="id2595690"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594531"></a><p>[<abbr class="abbrev">RFC2240</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Legal Basis for Domain Name Allocation</i>. </span><span class="pubdate">November 1997. </span></p>
+<a name="id2595714"></a><p>[<abbr class="abbrev">RFC3071</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>. </span><span class="title"><i>Reflections on the DNS, RFC 1591, and Categories of Domains</i>. </span><span class="pubdate">February 2001. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594553"></a><p>[<abbr class="abbrev">RFC2345</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span><span class="title"><i>Domain Names and Company Name Retrieval</i>. </span><span class="pubdate">May 1998. </span></p>
+<a name="id2595740"></a><p>[<abbr class="abbrev">RFC3258</abbr>] <span class="authorgroup"><span class="firstname">T.</span> <span class="surname">Hardie</span>. </span><span class="title"><i>Distributing Authoritative Name Servers via
+ Shared Unicast Addresses</i>. </span><span class="pubdate">April 2002. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594599"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p>
+<a name="id2595766"></a><p>[<abbr class="abbrev">RFC3901</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Durand</span> and <span class="firstname">J.</span> <span class="surname">Ihren</span>. </span><span class="title"><i>DNS IPv6 Transport Operational Guidelines</i>. </span><span class="pubdate">September 2004. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2595802"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p>
+</div>
+</div>
+<div class="bibliodiv">
+<h3 class="title">Obsolete and Unimplemented Experimental RFC</h3>
+<div class="biblioentry">
+<a name="id2595833"></a><p>[<abbr class="abbrev">RFC1712</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Geographical
+ Location</i>. </span><span class="pubdate">November 1994. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2595891"></a><p>[<abbr class="abbrev">RFC2673</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Binary Labels in the Domain Name System</i>. </span><span class="pubdate">August 1999. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2595917"></a><p>[<abbr class="abbrev">RFC2874</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span><span class="title"><i>DNS Extensions to Support IPv6 Address Aggregation
+ and Renumbering</i>. </span><span class="pubdate">July 2000. </span></p>
</div>
</div>
<div class="bibliodiv">
-<h3 class="title">Obsolete and Unimplemented Experimental RRs</h3>
+<h3 class="title">Obsoleted DNS Security RFCs</h3>
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+<p>
+ Most of these have been consolidated into RFC4033,
+ RFC4034 and RFC4035 which collectively describe DNSSECbis.
+ </p>
+</div>
+<div class="biblioentry">
+<a name="id2595965"></a><p>[<abbr class="abbrev">RFC2065</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">January 1997. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2596005"></a><p>[<abbr class="abbrev">RFC2137</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secure Domain Name System Dynamic Update</i>. </span><span class="pubdate">April 1997. </span></p>
+</div>
<div class="biblioentry">
-<a name="id2594630"></a><p>[<abbr class="abbrev">RFC1712</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Geographical
-Location</i>. </span><span class="pubdate">November 1994. </span></p>
+<a name="id2596032"></a><p>[<abbr class="abbrev">RFC2535</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">March 1999. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2596061"></a><p>[<abbr class="abbrev">RFC3008</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Domain Name System Security (DNSSEC)
+ Signing Authority</i>. </span><span class="pubdate">November 2000. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2596087"></a><p>[<abbr class="abbrev">RFC3090</abbr>] <span class="authorgroup"><span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>DNS Security Extension Clarification on Zone Status</i>. </span><span class="pubdate">March 2001. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2596114"></a><p>[<abbr class="abbrev">RFC3445</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Massey</span> and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Limiting the Scope of the KEY Resource Record (RR)</i>. </span><span class="pubdate">December 2002. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2596150"></a><p>[<abbr class="abbrev">RFC3655</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Redefinition of DNS Authenticated Data (AD) bit</i>. </span><span class="pubdate">November 2003. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2596186"></a><p>[<abbr class="abbrev">RFC3658</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Delegation Signer (DS) Resource Record (RR)</i>. </span><span class="pubdate">December 2003. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2596213"></a><p>[<abbr class="abbrev">RFC3755</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Weiler</span>. </span><span class="title"><i>Legacy Resolver Compatibility for Delegation Signer (DS)</i>. </span><span class="pubdate">May 2004. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2596240"></a><p>[<abbr class="abbrev">RFC3757</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Kolkman</span>, <span class="firstname">J.</span> <span class="surname">Schlyter</span>, and <span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>Domain Name System KEY (DNSKEY) Resource Record
+ (RR) Secure Entry Point (SEP) Flag</i>. </span><span class="pubdate">April 2004. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2596284"></a><p>[<abbr class="abbrev">RFC3845</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Schlyter</span>. </span><span class="title"><i>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</i>. </span><span class="pubdate">August 2004. </span></p>
</div>
</div>
</div>
@@ -424,24 +570,27 @@ Location</i>. </span><span class="pubdate">November 1994. </span></p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="internet_drafts"></a>Internet Drafts</h3></div></div></div>
-<p>Internet Drafts (IDs) are rough-draft working documents of
-the Internet Engineering Task Force. They are, in essence, RFCs
-in the preliminary stages of development. Implementors are cautioned not
-to regard IDs as archival, and they should not be quoted or cited
-in any formal documents unless accompanied by the disclaimer that
-they are "works in progress." IDs have a lifespan of six months
-after which they are deleted unless updated by their authors.
-</p>
+<p>
+ Internet Drafts (IDs) are rough-draft working documents of
+ the Internet Engineering Task Force. They are, in essence, RFCs
+ in the preliminary stages of development. Implementors are
+ cautioned not
+ to regard IDs as archival, and they should not be quoted or cited
+ in any formal documents unless accompanied by the disclaimer that
+ they are "works in progress." IDs have a lifespan of six months
+ after which they are deleted unless updated by their authors.
+ </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2594702"></a>Other Documents About <acronym class="acronym">BIND</acronym></h3></div></div></div>
+<a name="id2596326"></a>Other Documents About <acronym class="acronym">BIND</acronym>
+</h3></div></div></div>
<p></p>
<div class="bibliography">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2594712"></a>Bibliography</h4></div></div></div>
+<a name="id2596336"></a>Bibliography</h4></div></div></div>
<div class="biblioentry">
-<a name="id2594714"></a><p><span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></i>. </span><span class="copyright">Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. </span></p>
+<a name="id2596338"></a><p><span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></i>. </span><span class="copyright">Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. </span></p>
</div>
</div>
</div>
@@ -454,12 +603,13 @@ after which they are deleted unless updated by their authors.
<td width="40%" align="left">
<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a> </td>
<td width="20%" align="center"> </td>
-<td width="40%" align="right"> </td>
+<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
+</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">Chapter 8. Troubleshooting </td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> </td>
+<td width="40%" align="right" valign="top"> Manual pages</td>
</tr>
</table>
</div>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch10.html b/contrib/bind9/doc/arm/Bv9ARM.ch10.html
new file mode 100644
index 0000000..03cce5a
--- /dev/null
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch10.html
@@ -0,0 +1,102 @@
+<!--
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: Bv9ARM.ch10.html,v 1.2.2.6 2007/01/30 00:23:46 marka Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Manual pages</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="prev" href="Bv9ARM.ch09.html" title="Appendix A. Appendices">
+<link rel="next" href="man.dig.html" title="dig">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center">Manual pages</th></tr>
+<tr>
+<td width="20%" align="left">
+<a accesskey="p" href="Bv9ARM.ch09.html">Prev</a> </td>
+<th width="60%" align="center"> </th>
+<td width="20%" align="right"> <a accesskey="n" href="man.dig.html">Next</a>
+</td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="reference" lang="en">
+<div class="titlepage">
+<div><div><h1 class="title">
+<a name="Bv9ARM.ch10"></a>Manual pages</h1></div></div>
+<hr>
+</div>
+<div class="toc">
+<p><b>Table of Contents</b></p>
+<dl>
+<dt>
+<span class="refentrytitle"><a href="man.dig.html">dig</a></span><span class="refpurpose"> &#8212; DNS lookup utility</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.host.html">host</a></span><span class="refpurpose"> &#8212; DNS lookup utility</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnssec-keygen.html"><span class="application">dnssec-keygen</span></a></span><span class="refpurpose"> &#8212; DNSSEC key generation tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnssec-signzone.html"><span class="application">dnssec-signzone</span></a></span><span class="refpurpose"> &#8212; DNSSEC zone signing tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.named-checkconf.html"><span class="application">named-checkconf</span></a></span><span class="refpurpose"> &#8212; named configuration file syntax checking tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.named-checkzone.html"><span class="application">named-checkzone</span></a></span><span class="refpurpose"> &#8212; zone file validity checking or converting tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.named.html"><span class="application">named</span></a></span><span class="refpurpose"> &#8212; Internet domain name server</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.rndc.html"><span class="application">rndc</span></a></span><span class="refpurpose"> &#8212; name server control utility</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.rndc.conf.html"><code class="filename">rndc.conf</code></a></span><span class="refpurpose"> &#8212; rndc configuration file</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.rndc-confgen.html"><span class="application">rndc-confgen</span></a></span><span class="refpurpose"> &#8212; rndc key generation tool</span>
+</dt>
+</dl>
+</div>
+</div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">
+<a accesskey="p" href="Bv9ARM.ch09.html">Prev</a> </td>
+<td width="20%" align="center"> </td>
+<td width="40%" align="right"> <a accesskey="n" href="man.dig.html">Next</a>
+</td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">Appendix A. Appendices </td>
+<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
+<td width="40%" align="right" valign="top"> dig</td>
+</tr>
+</table>
+</div>
+</body>
+</html>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.html b/contrib/bind9/doc/arm/Bv9ARM.html
index 6c62d12..bf70423 100644
--- a/contrib/bind9/doc/arm/Bv9ARM.html
+++ b/contrib/bind9/doc/arm/Bv9ARM.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
@@ -14,14 +14,14 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.html,v 1.60.2.9.2.38 2006/11/15 04:33:42 marka Exp $ -->
+<!-- $Id: Bv9ARM.html,v 1.85.18.57 2007/01/30 00:23:46 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>BIND 9 Administrator Reference Manual</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="next" href="Bv9ARM.ch01.html" title="Chapter 1. Introduction ">
+<link rel="next" href="Bv9ARM.ch01.html" title="Chapter 1. Introduction">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
@@ -40,8 +40,8 @@
<div class="titlepage">
<div>
<div><h1 class="title">
-<a name="id2482844"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="copyright">Copyright © 2004-2006 Internet Systems Consortium, Inc. ("ISC")</p></div>
+<a name="id2563153"></a>BIND 9 Administrator Reference Manual</h1></div>
+<div><p class="copyright">Copyright © 2004-2007 Internet Systems Consortium, Inc. ("ISC")</p></div>
<div><p class="copyright">Copyright © 2000-2003 Internet Software Consortium.</p></div>
</div>
<hr>
@@ -49,41 +49,41 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
-<dt><span class="chapter"><a href="Bv9ARM.ch01.html">1. Introduction </a></span></dt>
+<dt><span class="chapter"><a href="Bv9ARM.ch01.html">1. Introduction</a></span></dt>
<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2569434">Scope of Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2569460">Organization of This Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2569736">Conventions Used in This Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2569994">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564115">Scope of Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564138">Organization of This Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563473">Conventions Used in This Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564746">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2570014">DNS Fundamentals</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2570323">Domains and Domain Names</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2570407">Zones</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2570550">Authoritative Name Servers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2570642">Caching Name Servers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2570699">Name Servers in Multiple Roles</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564768">DNS Fundamentals</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564802">Domains and Domain Names</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564886">Zones</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567284">Authoritative Name Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567525">Caching Name Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567587">Name Servers in Multiple Roles</a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch02.html">2. <acronym class="acronym">BIND</acronym> Resource Requirements</a></span></dt>
<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2570868">Hardware requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2570892">CPU Requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2570903">Memory Requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2570918">Name Server Intensive Environment Issues</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2570995">Supported Operating Systems</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567621">Hardware requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567648">CPU Requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567660">Memory Requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567687">Name Server Intensive Environment Issues</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567698">Supported Operating Systems</a></span></dt>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch03.html">3. Name Server Configuration</a></span></dt>
<dd><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2571026">A Caching-only Name Server</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2571042">An Authoritative-only Name Server</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568003">A Caching-only Name Server</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568019">An Authoritative-only Name Server</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2571064">Load Balancing</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2571484">Name Server Operations</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568041">Load Balancing</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568465">Name Server Operations</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2571490">Tools for Use With the Name Server Daemon</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2572723">Signals</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568470">Tools for Use With the Name Server Daemon</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2569972">Signals</a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch04.html">4. Advanced DNS Features</a></span></dt>
@@ -92,33 +92,33 @@
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2573147">Split DNS</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570429">Split DNS</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573709">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573776">Copying the Shared Secret to Both Machines</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573784">Informing the Servers of the Key's Existence</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573824">Instructing the Server to Use the Key</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573876">TSIG Key Based Access Control</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573920">Errors</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570949">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571022">Copying the Shared Secret to Both Machines</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571033">Informing the Servers of the Key's Existence</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571141">Instructing the Server to Use the Key</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571198">TSIG Key Based Access Control</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571243">Errors</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2573933">TKEY</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2573982">SIG(0)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571257">TKEY</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571306">SIG(0)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574049">Generating Keys</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574116">Signing the Zone</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574259">Configuring Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571579">Generating Keys</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571649">Signing the Zone</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571728">Configuring Servers</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2574396">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571802">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574455">Address Lookups Using AAAA Records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574475">Address to Name Lookups Using Nibble Format</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572001">Address Lookups Using AAAA Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572022">Address to Name Lookups Using Nibble Format</a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch05.html">5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</a></span></dt>
<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2574507">The Lightweight Resolver Library</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572055">The Lightweight Resolver Library</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch06.html">6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</a></span></dt>
@@ -126,79 +126,118 @@
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575672">Comment Syntax</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573470">Comment Syntax</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576157"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574151"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
-Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576326"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576672"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576686"><span><strong class="command">include</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576709"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576730"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576870"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577064"><span><strong class="command">logging</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578270"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578343"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578406"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578518"><span><strong class="command">masters</strong></span> Statement Definition and Usage </a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578533"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and Usage</a></span></dt>
+ Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574341"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
+ Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574770"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574785"><span><strong class="command">include</strong></span> Statement Definition and
+ Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574808"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574829"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574920"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575046"><span><strong class="command">logging</strong></span> Statement Definition and
+ Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576396"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576470"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576534"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576578"><span><strong class="command">masters</strong></span> Statement Definition and
+ Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576593"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
+ Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586290"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586338"><span><strong class="command">trusted-keys</strong></span> Statement Definition
- and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
+ Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585018"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585136"><span><strong class="command">trusted-keys</strong></span> Statement Definition
+ and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586420"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585216"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
-Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587635"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
+ Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586586"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2589173">Zone File</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2588846">Zone File</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590605">Discussion of MX Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590800">Discussion of MX Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591102">Inverse Mapping in IPv4</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591208">Other Zone File Directives</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591377"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591419">Inverse Mapping in IPv4</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591546">Other Zone File Directives</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591803"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch07.html">7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</a></span></dt>
<dd><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2591971"><span><strong class="command">chroot</strong></span> and <span><strong class="command">setuid</strong></span> (for
-UNIX servers)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2592480"><span><strong class="command">chroot</strong></span> and <span><strong class="command">setuid</strong></span></a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2592046">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2592172">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2592625">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2592684">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch08.html">8. Troubleshooting</a></span></dt>
<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2592243">Common Problems</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2592248">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2592260">Incrementing and Changing the Serial Number</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2592277">Where Can I Get Help?</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2592764">Common Problems</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2592838">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2592850">Incrementing and Changing the Serial Number</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2592867">Where Can I Get Help?</a></span></dt>
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Appendices</a></span></dt>
<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2592339">Acknowledgments</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2592344">A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#historical_dns_information">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2592997">Acknowledgments</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#historical_dns_information">A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2593159">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#rfcs">Request for Comments (RFCs)</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#internet_drafts">Internet Drafts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2594702">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2596326">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
</dl></dd>
</dl></dd>
+<dt><span class="reference"><a href="Bv9ARM.ch10.html">I. Manual pages</a></span></dt>
+<dd><dl>
+<dt>
+<span class="refentrytitle"><a href="man.dig.html">dig</a></span><span class="refpurpose"> &#8212; DNS lookup utility</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.host.html">host</a></span><span class="refpurpose"> &#8212; DNS lookup utility</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnssec-keygen.html"><span class="application">dnssec-keygen</span></a></span><span class="refpurpose"> &#8212; DNSSEC key generation tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnssec-signzone.html"><span class="application">dnssec-signzone</span></a></span><span class="refpurpose"> &#8212; DNSSEC zone signing tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.named-checkconf.html"><span class="application">named-checkconf</span></a></span><span class="refpurpose"> &#8212; named configuration file syntax checking tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.named-checkzone.html"><span class="application">named-checkzone</span></a></span><span class="refpurpose"> &#8212; zone file validity checking or converting tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.named.html"><span class="application">named</span></a></span><span class="refpurpose"> &#8212; Internet domain name server</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.rndc.html"><span class="application">rndc</span></a></span><span class="refpurpose"> &#8212; name server control utility</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.rndc.conf.html"><code class="filename">rndc.conf</code></a></span><span class="refpurpose"> &#8212; rndc configuration file</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.rndc-confgen.html"><span class="application">rndc-confgen</span></a></span><span class="refpurpose"> &#8212; rndc key generation tool</span>
+</dt>
+</dl></dd>
</dl>
</div>
</div>
@@ -214,7 +253,7 @@ UNIX servers)</a></span></dt>
<tr>
<td width="40%" align="left" valign="top"> </td>
<td width="20%" align="center"> </td>
-<td width="40%" align="right" valign="top"> Chapter 1. Introduction </td>
+<td width="40%" align="right" valign="top"> Chapter 1. Introduction</td>
</tr>
</table>
</div>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.pdf b/contrib/bind9/doc/arm/Bv9ARM.pdf
index cf61e9c..ea25edd 100755
--- a/contrib/bind9/doc/arm/Bv9ARM.pdf
+++ b/contrib/bind9/doc/arm/Bv9ARM.pdf
@@ -609,1719 +609,3231 @@ endobj
<< /S /GoTo /D (subsubsection.6.2.16.17) >>
endobj
412 0 obj
-(6.2.16.17 The Statistics File)
+(6.2.16.17 Built-in Empty Zones)
endobj
413 0 obj
-<< /S /GoTo /D (subsection.6.2.17) >>
+<< /S /GoTo /D (subsubsection.6.2.16.18) >>
endobj
416 0 obj
-(6.2.17 server Statement Grammar)
+(6.2.16.18 The Statistics File)
endobj
417 0 obj
-<< /S /GoTo /D (subsection.6.2.18) >>
+<< /S /GoTo /D (subsubsection.6.2.16.19) >>
endobj
420 0 obj
-(6.2.18 server Statement Definition and Usage)
+(6.2.16.19 Additional Section Caching)
endobj
421 0 obj
-<< /S /GoTo /D (subsection.6.2.19) >>
+<< /S /GoTo /D (subsection.6.2.17) >>
endobj
424 0 obj
-(6.2.19 trusted-keys Statement Grammar)
+(6.2.17 server Statement Grammar)
endobj
425 0 obj
-<< /S /GoTo /D (subsection.6.2.20) >>
+<< /S /GoTo /D (subsection.6.2.18) >>
endobj
428 0 obj
-(6.2.20 trusted-keys Statement Definition and Usage)
+(6.2.18 server Statement Definition and Usage)
endobj
429 0 obj
-<< /S /GoTo /D (subsection.6.2.21) >>
+<< /S /GoTo /D (subsection.6.2.19) >>
endobj
432 0 obj
-(6.2.21 view Statement Grammar)
+(6.2.19 trusted-keys Statement Grammar)
endobj
433 0 obj
-<< /S /GoTo /D (subsection.6.2.22) >>
+<< /S /GoTo /D (subsection.6.2.20) >>
endobj
436 0 obj
-(6.2.22 view Statement Definition and Usage)
+(6.2.20 trusted-keys Statement Definition and Usage)
endobj
437 0 obj
-<< /S /GoTo /D (subsection.6.2.23) >>
+<< /S /GoTo /D (subsection.6.2.21) >>
endobj
440 0 obj
-(6.2.23 zone Statement Grammar)
+(6.2.21 view Statement Grammar)
endobj
441 0 obj
-<< /S /GoTo /D (subsection.6.2.24) >>
+<< /S /GoTo /D (subsection.6.2.22) >>
endobj
444 0 obj
-(6.2.24 zone Statement Definition and Usage)
+(6.2.22 view Statement Definition and Usage)
endobj
445 0 obj
-<< /S /GoTo /D (subsubsection.6.2.24.1) >>
+<< /S /GoTo /D (subsection.6.2.23) >>
endobj
448 0 obj
-(6.2.24.1 Zone Types)
+(6.2.23 zone Statement Grammar)
endobj
449 0 obj
-<< /S /GoTo /D (subsubsection.6.2.24.2) >>
+<< /S /GoTo /D (subsection.6.2.24) >>
endobj
452 0 obj
-(6.2.24.2 Class)
+(6.2.24 zone Statement Definition and Usage)
endobj
453 0 obj
-<< /S /GoTo /D (subsubsection.6.2.24.3) >>
+<< /S /GoTo /D (subsubsection.6.2.24.1) >>
endobj
456 0 obj
-(6.2.24.3 Zone Options)
+(6.2.24.1 Zone Types)
endobj
457 0 obj
-<< /S /GoTo /D (subsubsection.6.2.24.4) >>
+<< /S /GoTo /D (subsubsection.6.2.24.2) >>
endobj
460 0 obj
-(6.2.24.4 Dynamic Update Policies)
+(6.2.24.2 Class)
endobj
461 0 obj
-<< /S /GoTo /D (section.6.3) >>
+<< /S /GoTo /D (subsubsection.6.2.24.3) >>
endobj
464 0 obj
-(6.3 Zone File)
+(6.2.24.3 Zone Options)
endobj
465 0 obj
-<< /S /GoTo /D (subsection.6.3.1) >>
+<< /S /GoTo /D (subsubsection.6.2.24.4) >>
endobj
468 0 obj
-(6.3.1 Types of Resource Records and When to Use Them)
+(6.2.24.4 Dynamic Update Policies)
endobj
469 0 obj
-<< /S /GoTo /D (subsubsection.6.3.1.1) >>
+<< /S /GoTo /D (section.6.3) >>
endobj
472 0 obj
-(6.3.1.1 Resource Records)
+(6.3 Zone File)
endobj
473 0 obj
-<< /S /GoTo /D (subsubsection.6.3.1.2) >>
+<< /S /GoTo /D (subsection.6.3.1) >>
endobj
476 0 obj
-(6.3.1.2 Textual expression of RRs)
+(6.3.1 Types of Resource Records and When to Use Them)
endobj
477 0 obj
-<< /S /GoTo /D (subsection.6.3.2) >>
+<< /S /GoTo /D (subsubsection.6.3.1.1) >>
endobj
480 0 obj
-(6.3.2 Discussion of MX Records)
+(6.3.1.1 Resource Records)
endobj
481 0 obj
-<< /S /GoTo /D (subsection.6.3.3) >>
+<< /S /GoTo /D (subsubsection.6.3.1.2) >>
endobj
484 0 obj
-(6.3.3 Setting TTLs)
+(6.3.1.2 Textual expression of RRs)
endobj
485 0 obj
-<< /S /GoTo /D (subsection.6.3.4) >>
+<< /S /GoTo /D (subsection.6.3.2) >>
endobj
488 0 obj
-(6.3.4 Inverse Mapping in IPv4)
+(6.3.2 Discussion of MX Records)
endobj
489 0 obj
-<< /S /GoTo /D (subsection.6.3.5) >>
+<< /S /GoTo /D (subsection.6.3.3) >>
endobj
492 0 obj
-(6.3.5 Other Zone File Directives)
+(6.3.3 Setting TTLs)
endobj
493 0 obj
-<< /S /GoTo /D (subsubsection.6.3.5.1) >>
+<< /S /GoTo /D (subsection.6.3.4) >>
endobj
496 0 obj
-(6.3.5.1 The \044ORIGIN Directive)
+(6.3.4 Inverse Mapping in IPv4)
endobj
497 0 obj
-<< /S /GoTo /D (subsubsection.6.3.5.2) >>
+<< /S /GoTo /D (subsection.6.3.5) >>
endobj
500 0 obj
-(6.3.5.2 The \044INCLUDE Directive)
+(6.3.5 Other Zone File Directives)
endobj
501 0 obj
-<< /S /GoTo /D (subsubsection.6.3.5.3) >>
+<< /S /GoTo /D (subsubsection.6.3.5.1) >>
endobj
504 0 obj
-(6.3.5.3 The \044TTL Directive)
+(6.3.5.1 The \044ORIGIN Directive)
endobj
505 0 obj
-<< /S /GoTo /D (subsection.6.3.6) >>
+<< /S /GoTo /D (subsubsection.6.3.5.2) >>
endobj
508 0 obj
-(6.3.6 BIND Master File Extension: the \044GENERATE Directive)
+(6.3.5.2 The \044INCLUDE Directive)
endobj
509 0 obj
-<< /S /GoTo /D (chapter.7) >>
+<< /S /GoTo /D (subsubsection.6.3.5.3) >>
endobj
512 0 obj
-(7 BIND 9 Security Considerations)
+(6.3.5.3 The \044TTL Directive)
endobj
513 0 obj
-<< /S /GoTo /D (section.7.1) >>
+<< /S /GoTo /D (subsection.6.3.6) >>
endobj
516 0 obj
-(7.1 Access Control Lists)
+(6.3.6 BIND Master File Extension: the \044GENERATE Directive)
endobj
517 0 obj
-<< /S /GoTo /D (section.7.2) >>
+<< /S /GoTo /D (subsection.6.3.7) >>
endobj
520 0 obj
-(7.2 chroot and setuid \(for UNIX servers\))
+(6.3.7 Additional File Formats)
endobj
521 0 obj
-<< /S /GoTo /D (subsection.7.2.1) >>
+<< /S /GoTo /D (chapter.7) >>
endobj
524 0 obj
-(7.2.1 The chroot Environment)
+(7 BIND 9 Security Considerations)
endobj
525 0 obj
-<< /S /GoTo /D (subsection.7.2.2) >>
+<< /S /GoTo /D (section.7.1) >>
endobj
528 0 obj
-(7.2.2 Using the setuid Function)
+(7.1 Access Control Lists)
endobj
529 0 obj
-<< /S /GoTo /D (section.7.3) >>
+<< /S /GoTo /D (section.7.2) >>
endobj
532 0 obj
-(7.3 Dynamic Update Security)
+(7.2 chroot and setuid)
endobj
533 0 obj
-<< /S /GoTo /D (chapter.8) >>
+<< /S /GoTo /D (subsection.7.2.1) >>
endobj
536 0 obj
-(8 Troubleshooting)
+(7.2.1 The chroot Environment)
endobj
537 0 obj
-<< /S /GoTo /D (section.8.1) >>
+<< /S /GoTo /D (subsection.7.2.2) >>
endobj
540 0 obj
-(8.1 Common Problems)
+(7.2.2 Using the setuid Function)
endobj
541 0 obj
-<< /S /GoTo /D (subsection.8.1.1) >>
+<< /S /GoTo /D (section.7.3) >>
endobj
544 0 obj
-(8.1.1 It's not working; how can I figure out what's wrong?)
+(7.3 Dynamic Update Security)
endobj
545 0 obj
-<< /S /GoTo /D (section.8.2) >>
+<< /S /GoTo /D (chapter.8) >>
endobj
548 0 obj
-(8.2 Incrementing and Changing the Serial Number)
+(8 Troubleshooting)
endobj
549 0 obj
-<< /S /GoTo /D (section.8.3) >>
+<< /S /GoTo /D (section.8.1) >>
endobj
552 0 obj
-(8.3 Where Can I Get Help?)
+(8.1 Common Problems)
endobj
553 0 obj
-<< /S /GoTo /D (appendix.A) >>
+<< /S /GoTo /D (subsection.8.1.1) >>
endobj
556 0 obj
-(A Appendices)
+(8.1.1 It's not working; how can I figure out what's wrong?)
endobj
557 0 obj
-<< /S /GoTo /D (section.A.1) >>
+<< /S /GoTo /D (section.8.2) >>
endobj
560 0 obj
-(A.1 Acknowledgments)
+(8.2 Incrementing and Changing the Serial Number)
endobj
561 0 obj
-<< /S /GoTo /D (subsection.A.1.1) >>
+<< /S /GoTo /D (section.8.3) >>
endobj
564 0 obj
-(A.1.1 A Brief History of the DNS and BIND)
+(8.3 Where Can I Get Help?)
endobj
565 0 obj
-<< /S /GoTo /D (section.A.2) >>
+<< /S /GoTo /D (appendix.A) >>
endobj
568 0 obj
-(A.2 General DNS Reference Information)
+(A Appendices)
endobj
569 0 obj
-<< /S /GoTo /D (subsection.A.2.1) >>
+<< /S /GoTo /D (section.A.1) >>
endobj
572 0 obj
-(A.2.1 IPv6 addresses \(AAAA\))
+(A.1 Acknowledgments)
endobj
573 0 obj
-<< /S /GoTo /D (section.A.3) >>
+<< /S /GoTo /D (subsection.A.1.1) >>
endobj
576 0 obj
-(A.3 Bibliography \(and Suggested Reading\))
+(A.1.1 A Brief History of the DNS and BIND)
endobj
577 0 obj
-<< /S /GoTo /D (subsection.A.3.1) >>
+<< /S /GoTo /D (section.A.2) >>
endobj
580 0 obj
-(A.3.1 Request for Comments \(RFCs\))
+(A.2 General DNS Reference Information)
endobj
581 0 obj
-<< /S /GoTo /D (subsection.A.3.2) >>
+<< /S /GoTo /D (subsection.A.2.1) >>
endobj
584 0 obj
-(A.3.2 Internet Drafts)
+(A.2.1 IPv6 addresses \(AAAA\))
endobj
585 0 obj
-<< /S /GoTo /D (subsection.A.3.3) >>
+<< /S /GoTo /D (section.A.3) >>
endobj
588 0 obj
-(A.3.3 Other Documents About BIND)
+(A.3 Bibliography \(and Suggested Reading\))
endobj
589 0 obj
-<< /S /GoTo /D [590 0 R /FitH ] >>
+<< /S /GoTo /D (subsection.A.3.1) >>
+endobj
+592 0 obj
+(A.3.1 Request for Comments \(RFCs\))
+endobj
+593 0 obj
+<< /S /GoTo /D (subsection.A.3.2) >>
+endobj
+596 0 obj
+(A.3.2 Internet Drafts)
+endobj
+597 0 obj
+<< /S /GoTo /D (subsection.A.3.3) >>
+endobj
+600 0 obj
+(A.3.3 Other Documents About BIND)
+endobj
+601 0 obj
+<< /S /GoTo /D (appendix.B) >>
+endobj
+604 0 obj
+(B Manual pages)
+endobj
+605 0 obj
+<< /S /GoTo /D (section.B.1) >>
+endobj
+608 0 obj
+(B.1 dig)
+endobj
+609 0 obj
+<< /S /GoTo /D (section.B.2) >>
+endobj
+612 0 obj
+(B.2 host)
+endobj
+613 0 obj
+<< /S /GoTo /D (section.B.3) >>
+endobj
+616 0 obj
+(B.3 dnssec-keygen)
+endobj
+617 0 obj
+<< /S /GoTo /D (section.B.4) >>
+endobj
+620 0 obj
+(B.4 dnssec-signzone)
+endobj
+621 0 obj
+<< /S /GoTo /D (section.B.5) >>
+endobj
+624 0 obj
+(B.5 named-checkconf)
+endobj
+625 0 obj
+<< /S /GoTo /D (section.B.6) >>
+endobj
+628 0 obj
+(B.6 named-checkzone)
+endobj
+629 0 obj
+<< /S /GoTo /D (section.B.7) >>
+endobj
+632 0 obj
+(B.7 named)
endobj
-592 0 obj <<
-/Length 223
+633 0 obj
+<< /S /GoTo /D (section.B.8) >>
+endobj
+636 0 obj
+(B.8 rndc)
+endobj
+637 0 obj
+<< /S /GoTo /D (section.B.9) >>
+endobj
+640 0 obj
+(B.9 rndc.conf)
+endobj
+641 0 obj
+<< /S /GoTo /D (section.B.10) >>
+endobj
+644 0 obj
+(B.10 rndc-confgen)
+endobj
+645 0 obj
+<< /S /GoTo /D [646 0 R /FitH ] >>
+endobj
+649 0 obj <<
+/Length 236
/Filter /FlateDecode
>>
stream
-xÚÍjÃ0„ï~Š=&PmµÚ][:6$--4‡¢[ÉÁM”ˆp~ž¿rì†B{(:hVû1ƒ†ÀæCà-*ª%…uSXøÌ»§‚FF”Q…9l F/ìÁ8ïQµt?±_8‰`Å>€Q«²yÏbqÿ(¨BG*·@°r–áÆÅÍûdö¼œOS; Ãõ°ivíîxêêÓ¡žÞÒ6u©]§a|­Ûs½Ÿ®âKŽ`  ê®YsÈÚxÁÒ;½F,—Ô|¤ÑÌù»QX[ö&Å"Þ~ó]+öý»¼/g—RÇendstream
+xÚÁJA †ïó9¶‡M'™d2s´T¥‚Beoâai·Rp·t­ïïÔÕ*êArÉÿ‘ü /A}È–ՓºsžŠvíèƒ ¨B)þP+!ÃlQ¡bJÕÂwìNì1úÈP©)&>áóÚÍ®˜€-A½bEM¦pæêÍÃd¾¼[L+V?ÉcºØt»~÷ršã~[÷í¶Ú~ÝNë a¤(±ø˘’å÷9·MÿÚ<Ÿ
endobj
-590 0 obj <<
+646 0 obj <<
/Type /Page
-/Contents 592 0 R
-/Resources 591 0 R
+/Contents 649 0 R
+/Resources 648 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 601 0 R
+/Parent 655 0 R
>> endobj
-593 0 obj <<
-/D [590 0 R /XYZ 85.0394 794.5015 null]
+647 0 obj <<
+/Type /XObject
+/Subtype /Form
+/FormType 1
+/PTEX.FileName (./isc-logo.pdf)
+/PTEX.PageNumber 1
+/PTEX.InfoDict 656 0 R
+/Matrix [1.00000000 0.00000000 0.00000000 1.00000000 0.00000000 0.00000000]
+/BBox [0.00000000 0.00000000 255.00000000 149.00000000]
+/Resources <<
+/ProcSet [ /PDF /Text ]
+/ColorSpace <<
+/R15 657 0 R
+/R9 658 0 R
+/R11 659 0 R
+/R13 660 0 R
+>>/ExtGState <<
+/R17 661 0 R
+/R8 662 0 R
+>>/Font << /R19 663 0 R >>
+>>
+/Length 664 0 R
+/Filter /FlateDecode
+>>
+stream
+xœu˜;“d9…ýû+®Ùe´R©— lG`XËkz#†10gwÙ~6ßÉ[53}+ˆ}tI%åóäÉT½ßs*{Ö?·¿××í'¿ûŸ?lï·¼Ÿ#5Û_7}÷n³æ3õùæóýÌ»íwû7\^ûõÃVö×oøÿ_·ÒvþmÕSéœmqöÚ¾æh)ŸÏŽ™,ײ—Zjj•ÅVÊ•ëµÍÔÆn¹§±†Ö5͵[+i6}Ÿk’¨Í–§ºØ±ÖRöÝVIƒ e´Ä¶yKfZWTp¾ÜÏç9ùÀ–ÆŒõÒý>R_­êÂJsJƒ¥.ŸËÊiôÝ×\
+û”_g'®Û_6´§ÖØËÍ“[8føƒ”œKj“È4­¹¯5Ã#6ÆJ²4·œª+ÚøاkÇä~¤ž19wR7ñm¦U%s˜,ÃT|
+Û2Æ‚ŒjUçq¥K"ηbøR<™¬¨™ãŸ¹×²RU| Ñ$ÞÕZ*Š–ŒCõu«|ˆhL$,I˜–¼`¥Y|ÃNżŠLó’#pÕ‹BÖŽj9-- 9@‘ €DÌ©….¶áJ{N]Á©¥Z*zÃ3…?´T®²$À“%ÁXF°Zê%.ä’@ŽO­—€!$t\'<Ž¶*W
+èj˵ãB;Žþ"%«ê;¥+ßÚ)Éú¾Œ¤IJ5yÝGN>³ʧ*=5Dt'ŸtˇÀùiQ{
+ ˜‚ÚIq%˜3vH­wÁKAįr‹þq n[Uz¯!*â)ôàKG°€ÝgG-dL#¹X0¹Â“@ñ´×£^ëµ½æHÕÊ_7S41Ã,ëÀO%ê*\ç/1v¢\¨Î¡¨êG´P:‘Sœ¸1ÀÞ£q‹uc¤,¯J¶”e— '‚; F/É&N(AWÖšNfãÀŠq‚ì’htËØ“ªØOàÙ‰GÎ4óHD'ª:SÙ#Oœ™äD4Ltæª3—=Ý™pÂSè¬F$_)^"åÛ•.ªd­Ôd´ÁJŒÓ¤¨,à}‹F:IòP<Á:‚é¡û½¶H­JŒŒÀvÎ9±”8G
+%S}8\Ž»Ä{!•pŸj yî8NíÖL-»Ä¼1_yk¦“ˆÔøèus‘#¸W™˜ÁAŹ{0º¤Œ4±à8pª0ŠÚž]#H ªiÓºhS”28Ú*7»Å'¤«ÎwMpíD¦9d=‹rêÀ Öd ðlÎmF1Û\ÓjÍ J$¾›ƒlHO†¯,x!Fàqê*i!ߪ ‰ ž£‘\·î"o6,âM(¨$‡^êP^Å>˜³ ÔV¬ˆ¦#Z†ª¼§?Áj¹“LÃ¥R»š¨¦VÅo€Ž –eõT¥ Ø€ùU¢ÙÜ* „2ÊNvÊ@ÈËY#E?°+êEn£±¦h“ÊFØläƒbY3Âc0CEW'ñÖÆ4€»Öm"ŒÙ©˜94A¬#—ª Áõ¢ÙëN)ÅZþÅÖ…µˆ‘ç#µxì‡Ð:Å ÑqYŠ¢ŽÞ\U¢ÜÆÕ²hb \´ÑP£’šð¢>Ô9Ž¨Ñ¸ˆùUm!‰§¢Zh!ú‹~(Ât~¿ÙA,«×>*"œD0QEuÑ|Îóî`‰ö™%„U™&2WjDó5EŠ)€®ä
+«SÕ0Ý4jÆ0çU6Ñœ5Õ”ê0*ÊBóî" gܲ¥–ÃÄHgæ:2®xļô¨ ¤èCúð¨˜*#{ëÖâsôÎ
+¯Éæ’×M¼ 1ÖQQ ½»î0@yP,£§"cf6‹ÃH%aDšjÑ÷ÄPjëš(²f§ Ø®ì·q,fÙLhgÌŒ#Çd±0xDÉYWíû¾0yš’*á_àºFî®.˜tƨj²ùKÐõàº5£7¬bi«¸3׽Ŕ
+óÔPĮ́Yu¢e¢a5エ0kÓ,¤×äþ¤V¡Ò(*Gãë0[;=‚Ãát çX3pD¦iÜ'ÃëÑ+ aqz JC "Ê1ô(Œ
+FÑÞIca­Ç0Ú) ¹A¿+ÇÀº ¸|-Tuùa>‚s:½¯•~K“ÒÞV׋„OÒAŠI… ɪÁr2Q“°Ø¨Á>.z
+ÏÆ狼eÇNdæÌdï"gK2cëÉ—GoOá8GëÏϦ:B Àht[
+endobj
+656 0 obj
+<<
+/Producer (AFPL Ghostscript 8.51)
+/CreationDate (D:20050606145621)
+/ModDate (D:20050606145621)
+/Title (Alternate-ISC-logo-v2.ai)
+/Creator (Adobe Illustrator\(R\) 11)
+/Author (Douglas E. Appelt)
+>>
+endobj
+657 0 obj
+[/Separation/PANTONE#201805#20C/DeviceCMYK 665 0 R]
+endobj
+658 0 obj
+[/Separation/PANTONE#207506#20C/DeviceCMYK 666 0 R]
+endobj
+659 0 obj
+[/Separation/PANTONE#20301#20C/DeviceCMYK 667 0 R]
+endobj
+660 0 obj
+[/Separation/PANTONE#20871#20C/DeviceCMYK 668 0 R]
+endobj
+661 0 obj
+<<
+/Type /ExtGState
+/SA true
+>>
+endobj
+662 0 obj
+<<
+/Type /ExtGState
+/OPM 1
+>>
+endobj
+663 0 obj
+<<
+/BaseFont /NVXWCK#2BTrajanPro-Bold
+/FontDescriptor 669 0 R
+/Type /Font
+/FirstChar 67
+/LastChar 136
+/Widths [ 800 0 0 0 0 0 452 0 0 0 0 0 0 0 0 0 582 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 841 633 576 686 590 540 923 827 407 760]
+/Encoding 670 0 R
+/Subtype /Type1
+>>
+endobj
+664 0 obj
+2362
+endobj
+665 0 obj
+<<
+/Filter /FlateDecode
+/FunctionType 4
+/Domain [ 0 1]
+/Range [ 0 1 0 1 0 1 0 1]
+/Length 39
+>>
+stream
+xœ«N)-P0PÈ-ÍQH­HÎP
+endobj
+666 0 obj
+<<
+/Filter /FlateDecode
+/FunctionType 4
+/Domain [ 0 1]
+/Range [ 0 1 0 1 0 1 0 1]
+/Length 36
+>>
+stream
+xœ«N)-P0PÈ-ÍQH­HÎP
+endobj
+667 0 obj
+<<
+/Filter /FlateDecode
+/FunctionType 4
+/Domain [ 0 1]
+/Range [ 0 1 0 1 0 1 0 1]
+/Length 40
+>>
+stream
+xœ«N)-P0TÈ-ÍQH­HÎP
+endobj
+668 0 obj
+<<
+/Filter /FlateDecode
+/FunctionType 4
+/Domain [ 0 1]
+/Range [ 0 1 0 1 0 1 0 1]
+/Length 50
+>>
+stream
+xœ«N)-P0Ð365³TÈ-ÍQH­HÎP€Š™X ‹™›#Ä ô -,ŒÀüZ
+endobj
+669 0 obj
+<<
+/Type /FontDescriptor
+/FontName /NVXWCK#2BTrajanPro-Bold
+/FontBBox [ -45 -17 923 767]
+/Flags 4
+/Ascent 767
+/CapHeight 767
+/Descent -17
+/ItalicAngle 0
+/StemV 138
+/MissingWidth 500
+/CharSet (/Msmall/C/Ysmall/Nsmall/Osmall/Esmall/Rsmall/S/Ssmall/I/Tsmall/Ismall/Usmall)
+/FontFile3 671 0 R
+>>
+endobj
+670 0 obj
+<<
+/Type /Encoding
+/BaseEncoding /WinAnsiEncoding
+/Differences [ 127/Nsmall/Tsmall/Esmall/Rsmall/Ysmall/Ssmall/Msmall/Osmall/Ismall/Usmall]
+>>
+endobj
+671 0 obj
+<<
+/Filter /FlateDecode
+/Subtype /Type1C
+/Length 2657
+>>
+stream
+xœ}VkpUž!!i0dHÈ:=«°î"ŠÏ*QpYWÊD@p• ‘$$ç$!a2ïžé×éîéǼ’ÌäÍC Ãû)Á]^º+–B-®k)ZˆËµîÄf‹½´J«¬ýÓÕ÷ÜÛçÜïœï|§Í¦Ì1&³Ù<q™£d]IM‘£ö¾§j«J ÓŒty•óûÙ#ÚØ;M¦7Õ “9™§~•cŒ†oGÛ&¢ŽIÆÁã jë6:*×V4ÚzàìóKk_+³/ÝØÐXVÝ`/¬YS먫u”4–•ÞoŸ_Ue_bm°/)k(slÀÆ[¡í• ö²ÊÆŠ2‡½Äî([[‰?w”•Ú%¥eÕ%ŽõöZcç'ËòÿÉ^YcǾì/ÖT«¥ØØ`/©)½ÔŽFYSÛTÓè¨,k¸ßd2MX°´0Dyi ècX“iºéÓL³Í<ÓLšíæ)æ»ÍÓÍ3ÌÓÌ¿1åâ|™^0!óæ1 3ò2­™h쬞ì=ÄêqóÇ}>þdš…Ãhëôõa3NO?œ™iv¤è›…$}ت?‰´±èË,Ý®³"cqC;‘µjô=©ãuVú¨ÕxÓUîÈçðÈœCæè×éÎþŒt§Óz>Tww$Õ°,'£ÛãŸBœÐ85HqL+kc6zjœ-kŠ_ô?„>M/DãQàZçÕ çɽ»Oö|
+_ÀźŠþúD…PE¸EJ‹ˆZ»`»øâ€8(ÅA…‘}Bµ´>R&+åáE ÿf­YPxïÃôñð Ìܤg~ý(qe.Ê®Fw‘›¾ä<8ò§ý“?ßúzñÛW»§Z>CšÓjùè¼9üÆûzÞƒa¸ºú=}•Úî¼ÇN7Â~â}CØ,ÎÂÖêö–îz¹
+„W
+©š¤õ\ o…„ TZ
+ˆõjIt!†CΞ«y|×ÓhÌ£¤åËýk?^Ø^ /ç/õùmþ ÉF'™nH P¬ÏÅÛøVf1,ƒ&‰î–ÏZ†ö‡ rÓ/±©‘Ò”=†&eàÇn+Ì„¹t [r63Î˹€ð2,TÙ¹NK½°N³çàpÎÝ1MReZò¹šDÑMV‡ƒ)v33—àþ˜ hlßµäf9.jBˆ¨"j
+%zÈ2(bPÏIe†§VŠ Q
+'x6FöÐQ§X)®‡ZÐg¹ßÏÆwÌk6'¾¿+ãóËV¦–ªl`Ý\‚@h†¡T.Bn·¤$tÀnv§á0¡‰Z8¦(J\¤Kò*x¯Mˆ‰ío¡Oò¤¬­EGíjk´áïú”îÒ¶ú¨3Qµ®Ýè…ô$¼èF¦ÔÀùi.?Ä1,0@ËL7?È¡Û™ Q <$Q>· :È:ꥎ=‘îÉcSþH( ‚A·î»Ñ˜§ûÒ5ÞÞP8
+n¨`×rŽ`ëF†â|¼?C3A•‹“pJê>8Åž0`ÅUI Ó²ßÛ"à$Ö‡©®ŸÛƒÐF¼› [¸M‰m;Ðd´jëöÎ^MëŒ$”Žpç] +rHô“Nxkz¨k `(¨ñG¶³a|oð1®@‹§Þ®/ô5»úôlôJë¦`œ‰‚
+ªVŶ° 
+-R¶5ðöU…¢Ëðå q¡Âª±v:#“TsOÕ¶U(G_¬xâm#¹#—ÙTpÃȤd{ód4åÌMóqŸé¦ižÏ4Õ2€3¿Ú*e%]_Nÿj6a©úâ!4æ®/Eñ@;ªªu’Ñô€pPmïSóc’
+.9,«”à%WÃ:Î-°R,6îâ ðAZbbñn d7¥¹„‘¹yL–'®C9‹O–¤~º]ÏC¾˜«Ý›ða2…¼N’º!ðóÙÆÆP¾—m5jA…šÒø8¹SLÃ4ÚÞ­…&bö‡ýn§ »H§âëâÎa„ïº÷§ßßg>ˆ¦¤+ÐÔŒô,·5£»Ð}hZ¡ÛÐDÝ¡wÍЋôú½ßè Q„ܱߪ?~²¡¨eý«ø­Ûk‘¹é ô¡•)eúÇ~Ô|À•Tqî¦c1[Ö5ÕÒæï¬Õ2ÇóàYf-ë 1‹Ë_|åç=>–fH|
+&–ê„n>ÚÝ)D 6Á
+x¸ \3§gA34–ITž-‹R8õ-ǵÛö2ªWuÉ~Á!"(0Š*FÂ͢ùĨ¸SˆˆoÊQPˆ0¦šåiFäݸVN^_!Ô‚–bž "-Qy$ÑÎsªm ¥Ä¡@·âJ=Ŧ¿íÝëL ÍDËQÆTË?GúÓlRÎ$F*4’ƒð6–š\`Œª Ñ“Œôöd]˜é`û™ü9¸DijeI Û.q
+ȼLçÇ<;— *X³«¥×ÛGâ_Y1ETïƒ4ˆÒ-U…_>´üØ¢æ}õï÷v¼ §ádù#¹rÛŸå¥@ÔÁ\5l…hð<8Ús·
+»O·Øèv61Bá5*È<6ÞÍ,‡bh‘˜¶ž\Î]Çé#¹#ØÔÍ1Oúñ°Ï¤5oÂ]цÆß4}h˜î0$å,6ü¼”A,¯?/å;Rôcy6Ò½UJ¿§Y½X^é¶ÙÉŸ‡‹º–2¸K|o½Ø”/Ȩ/ƒ( Â2Ð#žNMKðrˆ rœÛf9ËyZ¸Ú}$«Ö õ–©)  h`iÎGàAç÷´€H+Šˆ…Õ&*áX$žèìVŽhª”—›¾÷‡A1Ý£¤œÏ0‰÷—Hi éƒw~I(Áö2;à]¸L ™x4[¡OÜ,¾®ÆûÂQQ°”FdQ“ƒ¢¬„%\î¢Åâ:Ó;ÈÑ”ÌEb1ž’¡ˆÿ§=$¸¥?Iš¿CÐõ3¾C=VÐ'>·¯ôÌÒ+Ü~8 ç#;úÁ_£×á*qň+ô 8®‚ãÆpêŒ_YR”¾d%a ç¡H\eÄõãDf£Ñ¨­ŽR[kφG¸ù/WT®ò•A5”H¥ÛVoo8hnû)¼ÞÃDn…ñëqÌzfåhý&þcQbµXÇß‚çLŽúõ;{²Ðñðué¿ÊÛÙ†-©[SÄ-Û¼ÔyubÜñhüm´œ4^Ë™ ääšLÿQ‹¡endstream
+endobj
+650 0 obj <<
+/D [646 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-594 0 obj <<
-/D [590 0 R /XYZ 85.0394 769.5949 null]
+651 0 obj <<
+/D [646 0 R /XYZ 85.0394 769.5949 null]
>> endobj
-591 0 obj <<
-/Font << /F42 597 0 R /F43 600 0 R >>
+648 0 obj <<
+/Font << /F21 654 0 R >>
+/XObject << /Im1 647 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-604 0 obj <<
-/Length 308
+674 0 obj <<
+/Length 994
/Filter /FlateDecode
>>
stream
-xÚµ’ÁnÂ0 †ï}Š©DŒÄIs»ÒÛØab…q€N¥ÓÄÛÏQ­›vA9ä·üɱÿ˜Ê!Å|4Q…耑X­vªä2úf[`g­W²ÚFÏ\ˆrPHµ!õƒ&ŠÀ:¥GðÖØ„ß•Ùd權½ñª\+2Ò§ ÎXùú4šÖïÇf»ykóçòQ1BÀ(}Eì€UJLf䥴àcPzÀ-eÖ½xdÚ4i‚ ¢çÚ0&ɽôšïÛªÙWm-Ž‡¶Úº`ZïuÓn?v㻂\[ByšqiŒ›/¦é’R'Ù}yv‰¬‘á½WÁ‘üOä¿-=Ñzˆ_±ÔùÇûª¿Yjni)ö>R/M/íUwëuûùÒäTŒªK‹áÒ¿ÓV[†´·ÿÞé/6¯žendstream
+xÚµVË’¢JÝû,5¢­©¯Z҈ʂ83³°»‰hÅ+8ý÷7¡ªDÐÛ›‰.*«ò˜yòd@4 ?¢&29åšÅud`bh›ý
+Qm]»ÀÒíÏ¡[?NùËk5ú~Õ Œ,Ìr À¦v|™ý*Ô˜"ËäV£ŠÂýí´›•"("6 Š±þ0SצњfkZÂòUv:d•Ø%e•íK±q‹CYœªü¼PØ ÁÀÂÀ¿(ÕýÄ­Ø’šÔÀK/‚F‘aš¦féZÏÏÕUèñ5üŽºÌ‚¾Z¼ú_êÒÿS]ÜêHZ“¶&»«n±«Þק±‡Y_bÔ×ÏĈSÓÖ,Ê€'ŸÉ§Àãkô­z¦8¶I³.g™öyYæÅApª
+±žËLÖ³yG„¡Üï‹m¾ëœ¬[aló²:åÏçJX½æršÊ›âwÅIýûCÇóéX”ÒýžW¯ÂR¸ú¤8K1w™ÄA‚ºëpßAÜ0hSÚk&ò=Ëø/§54d+Igñ'ßf[Åv])KF_?²V1eÍöPTù&ëÕßÖ{ìÉÚÙZ•Kÿúí­©ƒpšTß„ëJ wž•ÍÀàbŽ˜Îêb-ĵH:÷ä˜EÓôiÄéЉ剟ˆuGßý‰7»úæ:‰BÔ;a;áDºÂ˜€8þB‚ †Ì;aê{Òùä§saÅÞ̉'âJÂó•‘nIi­~$ é\Q¼C>tƒÕÄg½äþbøª–{L¢©X^ìÎÁ1²ô¡óè~ú£-´fg"®Û–bGvS? ½$AŠƒXCÉ×ûîA<AxÞ2Rz=Jêï<ÒžF±Ê*Ó'KÏõàAi{nÃQ=mÛ#Ñ
+½YàϼÐõº™¢&ró°Ðµ é¶\ d<b­’ëœ2²ûÉE‹h•v©D=Ú@-ô®(·WãrWA NkëË—^ ópÚz¦ŸÝš›7‰úôbª¿ˆî~x©|ýá5VÙƺ…˜mÓûo"jÃËbRÍ{õ†8Ì9e&½Ãü_®…dµendstream
endobj
-603 0 obj <<
+673 0 obj <<
/Type /Page
-/Contents 604 0 R
-/Resources 602 0 R
+/Contents 674 0 R
+/Resources 672 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 601 0 R
+/Parent 655 0 R
>> endobj
-605 0 obj <<
-/D [603 0 R /XYZ 56.6929 794.5015 null]
+675 0 obj <<
+/D [673 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-602 0 obj <<
-/Font << /F43 600 0 R /F14 608 0 R >>
+672 0 obj <<
+/Font << /F23 678 0 R /F14 681 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-611 0 obj <<
-/Length 2200
+684 0 obj <<
+/Length 2884
/Filter /FlateDecode
>>
stream
-xÚÝYKã6¾ûWø¨ÆZ>ÄWn;3›Å‹Yìv9$9¨%¶-Œ,)ztÇùõ[d‘¶lË3ƒ6X4ЦJUd±ê«E›® üѵ)á&[+“¥‚P±.ö+²Þ»¿¯hÐÉOEÆ9<,¼Ý®S¡™Zo擼}XýåûŒ­I¥dbýðt\K*ž™õCùsòn—w£íï6L„Þýúðše©ÒŠ:3KˆT¢½Á‡fìÛr*ƪm‚:_›ÔH&£¶[p×i?ì,L­¥3³}cG|zßîóªÁñÇ|tîÃh÷8þ…òþã=|P'PIÑ6C5Œ¾nŸðsŒó‡fÌÂ6È:[TO‡ ÍÖ»˜Å6c5V(UIuG“‡ÎöèvEij„`1a3œ‘Äm„3šäø¸«lŸ÷wT'Å®*ò¥û¼i Ì*KÞ€€kôǽéït2Õnq7É4ØåOmƒÒÖv›U³ ëLã®í«Ü< ¤}¶A×o.¬7a¦°… ù
-v¶yÆÉÚÆÏ¥ž1¹šW-_Ç3™f\_ÅÁðå80atÌÒ°0%%)!1c>|ÚÀQŽÛ_Ï'²TnŽY®ŽÆ0ã4Fdç1ìBÀg‡¡foàøò¸AëÕ<þmxõ45~ƒþ¨¤”º£ž™Pvð>¯J´EO"K 0$€qÀ7HÄ,_ÈÖÌ"¦{îÁœ{\’ˆöçÍÂY5’ažÜ¡ÈÔuûUKÙz=A—œ-$„«”+«Ö‡Ç$/;èdªb‡fPW®ðÛ·G6…§¼|ΡêÊ£¦¯@ô6t+ 12óvgCN©k„ϲ9ùºr“@¢4ÖwbPêOñÝñÌÅ^ $…íGÞº‡¶s»_f 5—ôšd"n0‚á|‰d¤*9c#ƒ‚ºÚîÆëþš "åÌdK41´õ3¶¤îüV2ô'Šùز⃠lµ.“Sf<»â`g —’Cª"œŽIu]L ÊÃÒU˜Ñw+4¸þ„í‰
-ÇݘšrÁèyÅ49.ÄÂG#ȹ¨»ë(\S ˜ª¥ ÉTj‚³þ9¬g‹ šÿºáoE%4¸y® ˜ô\µ.˜¢š/y¢—<Ñ©V:z2+Kw£ø#Ü[vmëëñ–ÁÀ~Ž·­;‡1IƤNB›*UòØ–ùàJ‚ ƒY Ož˜ä19ó`<X@3``©ø Üuê_»Î6eåNþ…ÂÓ@hÇ]¿ì—¤ŠÀ¸¥=M5Ž¯‰‘ ¸NÊóH̺Ý7Ž¤·'·ˆçÊÝ#—Ž=à£DðëmõXWí¶Ï»Ýaé܃¢ZFù怾
-hÎ77°ÌYãí^ã É¶Aß’Ó 4£Øi*¤ x/)Nè¯.XFp.P!/Êï÷_×bòÐbBGþì·mB?ùã/vUóm½&öÎÑöÔkúÇ—ÐSC¦/ºlD_¸‘dk;T:t˜¼Ý¸6üèþwΫÕߎßÜ M¢¦k*tJ$´rÅ~õÛêç_ɺ\‘õ+’r£Åú šHa¿Ê8 ‰ÐQR¯îWÿú/­¢³öà¦hG`®0Œ >Ÿj÷´¡™„%5=~ugžRî!`Ri²pÏñMS¸£Ä3ï*lœ‰ôôz¾Ä·y}œò nsh3­Ì¹Û?Ý#Þ„Ë0êëM×K!^qƒKæjlÿwpbNzèÒ¿~OÑâ&œþ3üôÕ&_„“k03d›Üñk7ðqç¾qt›q¸ÑVÛ£€%?þûoPs×ãLx­ŽçÚÅ5)f7èû«o¸Ü7ö%@ÀöûóW¡c½èÙ.¿-p3D_FN¨EDÏ"÷}õ»ãX ôûR•ãî6x_Íß?xc¢_‘ ‰˜ä à¥<%œEˆ§cX¥g^7}?³…^/‡Ð-ágîü @?y
+xÚí]wÛ¸†ïó+tWûB(¾ ^:Ž“u·ÉæÄÎé×ö‚GflõX¤KQÞº¿¾ €# œÍ&»±tra9Òp&ó>ÀPa3jÿ°™Q„Š\β\E™š-V/èìÚ¾÷æsŸ‘J%…°¿DÞ+aˆ2<›ÍáE^^¾øãkÎf\’Ìdlvùiô¥8á\ä³Ë«ÖU[VíúøŸ—ê r’k®»ÏÓÙ\s"0ý'ÙñœQJΫ¶©¯6‹vYWÕ‹³ËŒ‚hÊäL›œd’².”áÍæz6¼ø°»ûüøØÇPv¯ÛE”íºw©€WC¶ëT
+ËLƒ uÎ8'&Ϭsž.¯Yd_µp›+þ@ÂëMuUtCDqÛFì]òDL|&“1†&P)“H&¨ó–¦¨˜pI?’¸É¤¨®âã‹}_hù,©˜ÄÁg,`ˆá
+P £
+jŠ×uóKÑï°_õ¬Èïdó &” Ï^2ÀccK„H¨÷qøà”-ÇJC»á#¶Þ
+9>¹Éä
+€°'u^-Æ6N÷(eXRУ¦¨ÖŸBûi÷xþù__žÏ×yöœÁ™DÅg3`ˆ¡ÕâÓM¨±80TPï;Þ¨ÜøŠÈw©\ÜÝ.[X*}¨…¾æpäeHf bŒA™1Æ"q`Œ¡ÞcŒ›½Ü1æû_./ÎßÏí‡Åö7[÷)’9†gPj>}®‹ã õj&–")ó5“
+5Ó›²ê^üþøëw‹áˇǛígÅÂí¯¿/–Íö—`ýP¯ÛþY?ý}õØ…ì¤j í·²h‹Ñ÷öO™ÑDP¡FíÃŽúɦ­WEØPw0 _n¦÷äÆéIbâÃôcâGâÀÄG½âgv…DâûÍó·Eµñµ.T>3j¯Fþ¢d
+ad7‚DÂ4ç91±¯$ï†C×”8v±.&º^Í­7*gîCÃÐÓdø+yoÿ)X¯öendstream
endobj
-610 0 obj <<
+683 0 obj <<
+/Type /Page
+/Contents 684 0 R
+/Resources 682 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 655 0 R
+/Annots [ 687 0 R 688 0 R 689 0 R 690 0 R 691 0 R 692 0 R 693 0 R 694 0 R 695 0 R 696 0 R 697 0 R 698 0 R 699 0 R 700 0 R 701 0 R 702 0 R 703 0 R 704 0 R 705 0 R 706 0 R 707 0 R 708 0 R 709 0 R 710 0 R 711 0 R 712 0 R 713 0 R 714 0 R 715 0 R 716 0 R 717 0 R 718 0 R 719 0 R 720 0 R 721 0 R 722 0 R 723 0 R 724 0 R 725 0 R 726 0 R 727 0 R 728 0 R 729 0 R 730 0 R 731 0 R 732 0 R 733 0 R 734 0 R 735 0 R 736 0 R ]
+>> endobj
+687 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 688.709 539.579 697.2967]
+/Subtype /Link
+/A << /S /GoTo /D (chapter.1) >>
+>> endobj
+688 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 676.5858 539.579 685.4425]
+/Subtype /Link
+/A << /S /GoTo /D (section.1.1) >>
+>> endobj
+689 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 664.4876 539.579 673.3442]
+/Subtype /Link
+/A << /S /GoTo /D (section.1.2) >>
+>> endobj
+690 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 652.3894 539.579 661.246]
+/Subtype /Link
+/A << /S /GoTo /D (section.1.3) >>
+>> endobj
+691 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 640.1914 539.579 649.1477]
+/Subtype /Link
+/A << /S /GoTo /D (section.1.4) >>
+>> endobj
+692 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 628.0932 539.579 637.0495]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.1.4.1) >>
+>> endobj
+693 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 615.995 539.579 624.9512]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.1.4.2) >>
+>> endobj
+694 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 603.8967 539.579 612.853]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.1.4.3) >>
+>> endobj
+695 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 591.7985 539.579 600.7547]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.1.4.4) >>
+>> endobj
+696 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 579.7002 539.579 588.6565]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.1.4.4.1) >>
+>> endobj
+697 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 567.6019 539.579 576.5582]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.1.4.4.2) >>
+>> endobj
+698 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 555.5037 539.579 564.46]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.1.4.4.3) >>
+>> endobj
+699 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 543.4055 539.579 552.5112]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.1.4.5) >>
+>> endobj
+700 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 531.3072 539.579 540.413]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.1.4.5.1) >>
+>> endobj
+701 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 519.209 539.579 528.3147]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.1.4.6) >>
+>> endobj
+702 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 496.7003 539.579 505.4125]
+/Subtype /Link
+/A << /S /GoTo /D (chapter.2) >>
+>> endobj
+703 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 484.5772 539.579 493.5832]
+/Subtype /Link
+/A << /S /GoTo /D (section.2.1) >>
+>> endobj
+704 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 472.4789 539.579 481.485]
+/Subtype /Link
+/A << /S /GoTo /D (section.2.2) >>
+>> endobj
+705 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 460.3806 539.579 469.3867]
+/Subtype /Link
+/A << /S /GoTo /D (section.2.3) >>
+>> endobj
+706 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 448.2824 539.579 457.2885]
+/Subtype /Link
+/A << /S /GoTo /D (section.2.4) >>
+>> endobj
+707 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 436.1841 539.579 445.1902]
+/Subtype /Link
+/A << /S /GoTo /D (section.2.5) >>
+>> endobj
+708 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 413.4314 539.579 422.288]
+/Subtype /Link
+/A << /S /GoTo /D (chapter.3) >>
+>> endobj
+709 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 401.353 539.579 410.4588]
+/Subtype /Link
+/A << /S /GoTo /D (section.3.1) >>
+>> endobj
+710 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 389.2548 539.579 398.3605]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.3.1.1) >>
+>> endobj
+711 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 377.1565 539.579 386.2623]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.3.1.2) >>
+>> endobj
+712 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 365.1579 539.579 374.164]
+/Subtype /Link
+/A << /S /GoTo /D (section.3.2) >>
+>> endobj
+713 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 353.0597 539.579 362.0658]
+/Subtype /Link
+/A << /S /GoTo /D (section.3.3) >>
+>> endobj
+714 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 340.9614 539.579 349.9675]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.3.3.1) >>
+>> endobj
+715 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 328.7635 539.579 337.8693]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.3.3.1.1) >>
+>> endobj
+716 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 316.6653 539.579 325.771]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.3.3.1.2) >>
+>> endobj
+717 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 304.567 539.579 313.6728]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.3.3.2) >>
+>> endobj
+718 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 281.9139 539.579 290.7706]
+/Subtype /Link
+/A << /S /GoTo /D (chapter.4) >>
+>> endobj
+719 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 269.8356 539.579 278.9413]
+/Subtype /Link
+/A << /S /GoTo /D (section.4.1) >>
+>> endobj
+720 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 257.7373 539.579 266.8431]
+/Subtype /Link
+/A << /S /GoTo /D (section.4.2) >>
+>> endobj
+721 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 245.6391 539.579 254.7448]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.2.1) >>
+>> endobj
+722 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 233.5408 539.579 242.4971]
+/Subtype /Link
+/A << /S /GoTo /D (section.4.3) >>
+>> endobj
+723 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 221.4426 539.579 230.3988]
+/Subtype /Link
+/A << /S /GoTo /D (section.4.4) >>
+>> endobj
+724 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 209.3443 539.579 218.3006]
+/Subtype /Link
+/A << /S /GoTo /D (section.4.5) >>
+>> endobj
+725 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 197.2461 539.579 206.2023]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.5.1) >>
+>> endobj
+726 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 185.1478 539.579 194.1041]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.4.5.1.1) >>
+>> endobj
+727 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 173.1492 539.579 182.1553]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.4.5.1.2) >>
+>> endobj
+728 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 161.051 539.579 170.0571]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.5.2) >>
+>> endobj
+729 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 148.9527 539.579 157.9588]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.5.3) >>
+>> endobj
+730 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 136.8545 539.579 145.8606]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.5.4) >>
+>> endobj
+731 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 124.7562 539.579 133.7623]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.5.5) >>
+>> endobj
+732 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 112.5583 539.579 121.5146]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.5.6) >>
+>> endobj
+733 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 100.4601 539.579 109.4163]
+/Subtype /Link
+/A << /S /GoTo /D (section.4.6) >>
+>> endobj
+734 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 88.3618 539.579 97.3181]
+/Subtype /Link
+/A << /S /GoTo /D (section.4.7) >>
+>> endobj
+735 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 76.2636 539.579 85.2199]
+/Subtype /Link
+/A << /S /GoTo /D (section.4.8) >>
+>> endobj
+736 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 64.1653 539.579 73.1216]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.8.1) >>
+>> endobj
+685 0 obj <<
+/D [683 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+686 0 obj <<
+/D [683 0 R /XYZ 85.0394 711.9273 null]
+>> endobj
+682 0 obj <<
+/Font << /F21 654 0 R /F23 678 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+739 0 obj <<
+/Length 3160
+/Filter /FlateDecode
+>>
+stream
+xÚí[wÛ¸Çßý)ôh?Åýò˜ëžìi“lâ¾t»ŒÌØ:‘DW’“z?}A‘
+0ÄHba¤$âÀHÙñžls%'V²SÝ·¹;MíPÁUëi³ä|®—õbRç3N~ïö`í- Z°|ÆÀé°LíxM~§%–ºN&ÛÛdj^OÃØâÕ¬ž×‹µ€(fµ^ÉòRZü͆Ø7 J†q’ˆãõÞZ5³Ä˜~"Ðã’/TþV­'W¡S^µ¨hÃ5íTB:‹Q†*P.Áó¨$âÀPA½3®‰LŽ4ÕÄH­X6¸ˆv>äv±®þ}6N§VïJHe1(ÀJ…’ˆõAQ¾u1LZ
+ïAyY·ýÐb:ôBÕâ"Ô½Õe;;ÿ3ŒôÄ,{ÌR)Ða`K„T¸÷¾_Q–mÅЯð8Ë>oGý,jßj(kŽ­ŠJHg1*ÀCÊ%D•D*¨÷¡¹0”håßDXŽýÊ JHe1(ÀJ…’ˆõ>€¢,ÑÌ
+ý¢Ý`׶ͬí4Ž×=‰+ÆbX@a0,q`X Þ,´#V¹­¾CuX¼YøösåÙ8kÊŽ—/¦ñ ,Æbx@T¾IÅázðP†Xn¶ºÝáñÛMÝÞ¼hsC7xCaÌ‘Š˜·b*€!FÔEå¯SKÅQz¨Š§¤ÂtTtw¡m¡8?sôtY-VŸ7ƒ
+eØ‹˜¸b,€!†Ã"†ê}ÀBbôvbû¢´
+“ /ßwoÞÇ[Œö·\±\ ![Å,
+endobj
+738 0 obj <<
/Type /Page
-/Contents 611 0 R
-/Resources 609 0 R
+/Contents 739 0 R
+/Resources 737 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 601 0 R
+/Parent 655 0 R
+/Annots [ 744 0 R 745 0 R 746 0 R 747 0 R 748 0 R 749 0 R 750 0 R 751 0 R 752 0 R 753 0 R 754 0 R 755 0 R 756 0 R 757 0 R 758 0 R 759 0 R 760 0 R 761 0 R 762 0 R 763 0 R 764 0 R 765 0 R 766 0 R 767 0 R 768 0 R 769 0 R 770 0 R 771 0 R 772 0 R 773 0 R 774 0 R 775 0 R 776 0 R 777 0 R 778 0 R 779 0 R 780 0 R 781 0 R 782 0 R 783 0 R 784 0 R 785 0 R 786 0 R 787 0 R 788 0 R 789 0 R 790 0 R 791 0 R 792 0 R 793 0 R 794 0 R 795 0 R 796 0 R 797 0 R 798 0 R 799 0 R 800 0 R ]
+>> endobj
+744 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 758.4766 511.2325 767.4329]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.8.2) >>
+>> endobj
+745 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 746.5446 511.2325 755.4012]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.8.3) >>
+>> endobj
+746 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 734.4133 511.2325 743.3696]
+/Subtype /Link
+/A << /S /GoTo /D (section.4.9) >>
+>> endobj
+747 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 722.3816 511.2325 731.3379]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.9.1) >>
+>> endobj
+748 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 710.3499 511.2325 719.3062]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.9.2) >>
>> endobj
-612 0 obj <<
-/D [610 0 R /XYZ 85.0394 794.5015 null]
+749 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 688.0297 511.2325 696.7618]
+/Subtype /Link
+/A << /S /GoTo /D (chapter.5) >>
+>> endobj
+750 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 676.0179 511.2325 684.9742]
+/Subtype /Link
+/A << /S /GoTo /D (section.5.1) >>
+>> endobj
+751 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 663.9862 511.2325 672.9425]
+/Subtype /Link
+/A << /S /GoTo /D (section.5.2) >>
+>> endobj
+752 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 641.666 511.2325 650.5226]
+/Subtype /Link
+/A << /S /GoTo /D (chapter.6) >>
+>> endobj
+753 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 629.6542 511.2325 638.7599]
+/Subtype /Link
+/A << /S /GoTo /D (section.6.1) >>
+>> endobj
+754 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 617.6225 511.2325 626.5788]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.1.1) >>
+>> endobj
+755 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 605.5908 511.2325 614.5471]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.1.1.1) >>
+>> endobj
+756 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 593.5591 511.2325 602.5154]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.1.1.2) >>
+>> endobj
+757 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 581.5275 511.2325 590.4837]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.1.2) >>
+>> endobj
+758 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 569.4958 511.2325 578.4521]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.1.2.1) >>
+>> endobj
+759 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 557.4641 511.2325 566.4204]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.1.2.2) >>
+>> endobj
+760 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 545.4324 511.2325 554.5382]
+/Subtype /Link
+/A << /S /GoTo /D (section.6.2) >>
+>> endobj
+761 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 533.4007 511.2325 542.357]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.1) >>
+>> endobj
+762 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 521.3691 511.2325 530.3254]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.2) >>
+>> endobj
+763 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 509.3374 511.2325 518.2937]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.3) >>
+>> endobj
+764 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 497.3057 511.2325 506.262]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.4) >>
+>> endobj
+765 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 485.274 511.2325 494.2303]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.5) >>
+>> endobj
+766 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 473.2424 511.2325 482.1986]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.6) >>
+>> endobj
+767 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 461.2107 511.2325 470.167]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.7) >>
+>> endobj
+768 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 449.179 511.2325 458.1353]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.8) >>
+>> endobj
+769 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 437.1473 511.2325 446.1036]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.9) >>
+>> endobj
+770 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 425.1157 511.2325 434.0719]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.10) >>
+>> endobj
+771 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 413.084 511.2325 422.0403]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.10.1) >>
+>> endobj
+772 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 401.0523 511.2325 410.158]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.10.2) >>
+>> endobj
+773 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 389.1203 511.2325 398.1264]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.11) >>
+>> endobj
+774 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 377.0886 511.2325 386.0947]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.12) >>
+>> endobj
+775 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 365.0569 511.2325 374.063]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.13) >>
+>> endobj
+776 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 353.0252 511.2325 362.0313]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.14) >>
+>> endobj
+777 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 340.9936 511.2325 349.9997]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.15) >>
+>> endobj
+778 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 328.9619 511.2325 337.968]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.16) >>
+>> endobj
+779 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 316.8305 511.2325 325.9363]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.1) >>
+>> endobj
+780 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 304.7989 511.2325 313.7552]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.2) >>
+>> endobj
+781 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 292.7672 511.2325 301.873]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.3) >>
+>> endobj
+782 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 280.7355 511.2325 289.8413]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.4) >>
+>> endobj
+783 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 268.7038 511.2325 277.6601]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.5) >>
+>> endobj
+784 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 256.6722 511.2325 265.6285]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.6) >>
+>> endobj
+785 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 244.6405 511.2325 253.5968]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.7) >>
+>> endobj
+786 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 232.6088 511.2325 241.5651]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.8) >>
+>> endobj
+787 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 220.5771 511.2325 229.5334]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.9) >>
+>> endobj
+788 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 208.5455 511.2325 217.5017]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.10) >>
+>> endobj
+789 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 196.5138 511.2325 205.4701]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.11) >>
+>> endobj
+790 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 184.4821 511.2325 193.4384]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.12) >>
+>> endobj
+791 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 172.4504 511.2325 181.4067]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.13) >>
+>> endobj
+792 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 160.4187 511.2325 169.375]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.14) >>
+>> endobj
+793 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 148.3871 511.2325 157.3433]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.15) >>
+>> endobj
+794 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 136.3554 511.2325 145.4611]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.16) >>
+>> endobj
+795 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 124.3237 511.2325 133.4295]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.17) >>
+>> endobj
+796 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 112.292 511.2325 121.2483]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.18) >>
+>> endobj
+797 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 100.2604 511.2325 109.3661]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.19) >>
+>> endobj
+798 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 88.2287 511.2325 97.3344]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.17) >>
+>> endobj
+799 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 76.197 511.2325 85.1533]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.18) >>
+>> endobj
+800 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 64.1653 511.2325 73.1216]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.19) >>
+>> endobj
+740 0 obj <<
+/D [738 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+737 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F21 654 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+803 0 obj <<
+/Length 3296
+/Filter /FlateDecode
+>>
+stream
+xÚíYs7€ßõ+øª•„Å}ì>lé²£”-{%¹²µIhrL±,>ö×/†3À4ELKHbÙ–èTJ”4=ÝìþÐè0ëQÿëYE¨p²gœ$Š2ÕLvhoä÷|‡5×쇋öáU‡—;&Lϧ¹î]¾÷²„ZËz—Ã_v^]žœ]^ìývùÓÎÉe¼)T̨¨îøûÎ/¿ÑÞÐëÿi‡á¬ê}ôßPÂœã½ÉŽT‚()DøÉõÎÅοã ÁoW¢©7¢„%Êr“x'\€wÂ8'ÖorD ÿ»ê­h §Õñ—3p¹`ÄZ*½Žê²Ål9_Ãý÷Åçys1¼·²Äq«›‹/ýE1)ÊÅÞ>Wt÷¸ø•R^ŽãiYÿ¤_ëoæýQQ½»do_Qú…¿Hç²nÅWqK4§¬uáF@f£^ýâ†(ÈíCÁÍmÞ"½aGyÊ T{ ˆ4DÃZ@Ø€|`péßQi0žÏú“Iæ-(þÅMLÁÝÙ0A ¦µp"0%ìÀ`Bµ·0 E g®…‰˜îÎ2ÚéïNh‚[³¡‚4kaC IØAƒjo¡á‚­m ¸šÿMË" 5ÎÜ•¬}Ì©ç.˜‚»³a‚Lká4Ý0%ìÀ`Bµ·01Ï cº…I~˜îÎ@F±G4m·fC1h`Ø í†&a ª)IŒ1®§#Vi  !lÏw t÷¿«°^î9ºûù¦˜{_Éo¼„yø¬]˜ D
+`L÷âWÊŒT{; Pß–2Å"¼™ŽÇóÁ2î—ÿI$ùUÃÿµ×Ú£³ ‚!0FÆv’°#Õ QÎ7ʹHˆh¹(‹q9jfõË+䶾Ìæ'z8—(ˆð³A„Ÿ”?¸ö–K‰ 2ö2Uûºâç´üPÌBUø²sa79çôõ1·bÛŠD/f31F`”Œëf$aƪ½eD["¤k[Õ0òjqUÌjn7¿«-•q]– ãU»"${ÂóPôb6#@cF c$aƪ=Ö«Jy0œlÛÛßR&vì´ïŠ˜ ›q?¼:?}~z–Ø´“†ObsÝR{ûN±ïšN\‚C³q‚.0`. ;0\Pí-.R)¸ð\NÏŽ^¼9>IfS„jÑÅ /¯Wfƒ1P`¨0Pv`  Ú[P'ÒJ@9 øÊ7u@+]$æë,˽â%¸8 ˆCh»wzSv`
+ÇÚ~x~rvr~P­Ð\¦²“„R!ÓàéêÓ;A®Êb ÀP` $ìÀ@@µ· P/`„‰ ˜„ƒápuê',§µ<›Î&ý…¯\µÑÛ&':0 ˆád»·rSv`xlhg‰'¤ÕD+ÕtáÕŽÞZŠpõ—‹b°œŸë>? ‹Y¿Þ÷ïò[¼µ7à^þ‚›oÞwå/Ñé/x;ÄO›ZS{ŸÒø‰™Ò¦]ÕøÕÞçÁ`PÌçÑ-‹U^›6êÅx¾XýNn÷<³G]tx‚Ȩ[ (FQÂŒ&T{¤Isb¤jzV’:[îÓ·c’53æàj6.«`„&Öj§31W;"|&h®™‹åx˜º•/2Ã<ñü?nˆm6¸@²c»€¤ìÀÀEµÇjB*JŒ£2ÛnÏ'ËDÅ•VäQ|R~¨ ÄiYŸSZ<¼ØÉUð|6W@ã
+Fã*aƪ½åÊ X¡Dä*ìø½™Çøt'âë»3»y3hìŸ-ËA}â]š§0çvBÜž Ä ‚aÅ JØA…j³lµÜai³CÏ«užPl«\£ôß#ì&ø4 ˆc†“°fC{²¢²úYCkÓ ]î1ÆvgÓåÛëb~åç¯*uº'ÜáÞ=Àzž5˺cÀÛaîØК?ÂU«6Í#˜6ö<GÓÉ$œ¿x]ÏÓÞ5“j¹@Êm‹“=¤¢›s‡D†Ôz»ÙIÙ0„k»°¾T<0ëÅÓÅßš¾¹œ6¢}œÎÞûÁõÏú»«éÇúÅ 6Þë/Õój£ú\`“¸§Ëp‡«~¼íǦ„ýËçsf¿¡I7¸$;Þ­nèp$Ú›F`ÁÆTÇ|¡¡®y`Ò®*¸*_œ–ƒ:XU1‹¹x(÷èª_ŽÖj¼f2žÃÊäÙrò¶Z¨ö
+A!Ý” ˆ°„€„¨öÈ€2„ÉæùGk®Ÿ«í€=º5¤ŸÍ
+"`¬ÅÆuŸ HÙ€k9‚[C$,rÄéëºôÃaxÆ&<y÷«/èü?ÿÕ_®…Ùˆ~̦b”À8a”$ìÀ(AµÇôa‘Í샪¢¯²Çáøíõx:šõo®>·XÄ)âb9Õgï…¬Òú¯&FpþDrGã¸l(Z9Œ  ‰M#0"0ÕmÚЂHÇ#!mœ¿/}Ôë˜ûI#œ‹˜4ejÀäüÙѼfÁ
+þ4jÍè²l€ F †CÂŒT{ „bD £#¼™GÊE1+Cs<ë¿«0pŽo“û0¼šÍ ĘQsÝ{-);0fPí-3ÂU*2#jfÀÃ5ÇÓÁ¤Žƒ·q¡·nA{*Ù#ø*› ˆ‘
+Œ!LwDHbý¿†!U3Tö'ÅppU ަ廽ês˶ðüax‚³é‚>0†ŒvïP§ Á
+endobj
+802 0 obj <<
+/Type /Page
+/Contents 803 0 R
+/Resources 801 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 655 0 R
+/Annots [ 805 0 R 806 0 R 807 0 R 808 0 R 809 0 R 810 0 R 811 0 R 812 0 R 813 0 R 814 0 R 815 0 R 816 0 R 817 0 R 818 0 R 819 0 R 820 0 R 821 0 R 822 0 R 823 0 R 824 0 R 825 0 R 826 0 R 827 0 R 828 0 R 829 0 R 830 0 R 831 0 R 832 0 R 833 0 R 834 0 R 835 0 R 836 0 R 837 0 R 838 0 R 839 0 R 840 0 R 841 0 R 842 0 R 843 0 R 844 0 R 845 0 R 846 0 R 847 0 R 848 0 R 849 0 R 850 0 R 851 0 R 852 0 R 853 0 R 854 0 R 855 0 R 859 0 R 860 0 R ]
+>> endobj
+805 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 758.4766 539.579 767.4329]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.20) >>
+>> endobj
+806 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 746.5215 539.579 755.4777]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.21) >>
+>> endobj
+807 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 734.5663 539.579 743.5226]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.22) >>
+>> endobj
+808 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 722.6111 539.579 731.5674]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.23) >>
+>> endobj
+809 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 710.656 539.579 719.6122]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.24) >>
+>> endobj
+810 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 698.7008 539.579 707.6571]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.24.1) >>
+>> endobj
+811 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 686.8453 539.579 695.8514]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.24.2) >>
+>> endobj
+812 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 674.8901 539.579 683.8962]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.24.3) >>
+>> endobj
+813 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 662.935 539.579 671.941]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.24.4) >>
+>> endobj
+814 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 650.8801 539.579 659.8364]
+/Subtype /Link
+/A << /S /GoTo /D (section.6.3) >>
+>> endobj
+815 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 638.925 539.579 647.8812]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.3.1) >>
+>> endobj
+816 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 626.9698 539.579 635.9261]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.3.1.1) >>
+>> endobj
+817 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 615.1143 539.579 623.9709]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.3.1.2) >>
+>> endobj
+818 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 603.0594 539.579 612.0157]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.3.2) >>
+>> endobj
+819 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 591.1043 539.579 600.0606]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.3.3) >>
+>> endobj
+820 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 579.1491 539.579 588.1054]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.3.4) >>
+>> endobj
+821 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 567.1939 539.579 576.1502]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.3.5) >>
+>> endobj
+822 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 555.2388 539.579 564.1951]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.3.5.1) >>
+>> endobj
+823 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 543.2836 539.579 552.2399]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.3.5.2) >>
+>> endobj
+824 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 531.3284 539.579 540.2847]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.3.5.3) >>
+>> endobj
+825 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 519.3733 539.579 528.3296]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.3.6) >>
+>> endobj
+826 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 507.4181 539.579 516.5239]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.3.7) >>
+>> endobj
+827 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 485.4804 539.579 494.2126]
+/Subtype /Link
+/A << /S /GoTo /D (chapter.7) >>
+>> endobj
+828 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 473.5451 539.579 482.5014]
+/Subtype /Link
+/A << /S /GoTo /D (section.7.1) >>
+>> endobj
+829 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 461.59 539.579 470.6957]
+/Subtype /Link
+/A << /S /GoTo /D (section.7.2) >>
+>> endobj
+830 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 449.6348 539.579 458.7405]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.7.2.1) >>
+>> endobj
+831 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 437.6796 539.579 446.7854]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.7.2.2) >>
+>> endobj
+832 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 425.7245 539.579 434.8302]
+/Subtype /Link
+/A << /S /GoTo /D (section.7.3) >>
+>> endobj
+833 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 403.7868 539.579 412.5189]
+/Subtype /Link
+/A << /S /GoTo /D (chapter.8) >>
+>> endobj
+834 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 391.8515 539.579 400.8078]
+/Subtype /Link
+/A << /S /GoTo /D (section.8.1) >>
+>> endobj
+835 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 379.8963 539.579 388.8526]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.8.1.1) >>
+>> endobj
+836 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 367.9411 539.579 376.8974]
+/Subtype /Link
+/A << /S /GoTo /D (section.8.2) >>
+>> endobj
+837 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 355.986 539.579 364.9423]
+/Subtype /Link
+/A << /S /GoTo /D (section.8.3) >>
+>> endobj
+838 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 334.0483 539.579 342.7804]
+/Subtype /Link
+/A << /S /GoTo /D (appendix.A) >>
+>> endobj
+839 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 322.113 539.579 331.0693]
+/Subtype /Link
+/A << /S /GoTo /D (section.A.1) >>
+>> endobj
+840 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 310.1578 539.579 319.1141]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.A.1.1) >>
+>> endobj
+841 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 298.2027 539.579 307.1589]
+/Subtype /Link
+/A << /S /GoTo /D (section.A.2) >>
+>> endobj
+842 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 286.2475 539.579 295.2038]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.A.2.1) >>
+>> endobj
+843 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 274.2923 539.579 283.2486]
+/Subtype /Link
+/A << /S /GoTo /D (section.A.3) >>
+>> endobj
+844 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 262.3372 539.579 271.2934]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.A.3.1) >>
+>> endobj
+845 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 250.382 539.579 259.4877]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.A.3.2) >>
+>> endobj
+846 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 238.4268 539.579 247.5326]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.A.3.3) >>
+>> endobj
+847 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 216.4891 539.579 225.2213]
+/Subtype /Link
+/A << /S /GoTo /D (appendix.B) >>
+>> endobj
+848 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 204.5538 539.579 213.5101]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.1) >>
+>> endobj
+849 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 192.5987 539.579 201.7044]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.2) >>
+>> endobj
+850 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 180.6435 539.579 189.7493]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.3) >>
+>> endobj
+851 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 168.6883 539.579 177.7941]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.4) >>
+>> endobj
+852 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 156.7332 539.579 165.8389]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.5) >>
+>> endobj
+853 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 144.778 539.579 153.8838]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.6) >>
+>> endobj
+854 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 132.8228 539.579 141.9286]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.7) >>
+>> endobj
+855 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 120.8677 539.579 129.9734]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.8) >>
+>> endobj
+859 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 109.0122 539.579 118.0182]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.9) >>
+>> endobj
+860 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 96.9573 539.579 106.0631]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.10) >>
+>> endobj
+804 0 obj <<
+/D [802 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+801 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F21 654 0 R /F39 858 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+863 0 obj <<
+/Length 69
+/Filter /FlateDecode
+>>
+stream
+xÚ3T0
+endobj
+862 0 obj <<
+/Type /Page
+/Contents 863 0 R
+/Resources 861 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 655 0 R
+>> endobj
+864 0 obj <<
+/D [862 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+861 0 obj <<
+/ProcSet [ /PDF ]
+>> endobj
+867 0 obj <<
+/Length 2199
+/Filter /FlateDecode
+>>
+stream
+xÚÝYÝã¶÷_áG-pVù-2o½»¦¸ ¸¢Ý òäA+qmádIÑÇnœ¿¾Ci˶|wè-РX`M†äpæ7¿ÚtMவL 7b‘JBåºØ¯Èz ïþ¾¢AGHžJÁ9<,¼ÝH®S©Y¶ÞÌyû°úË÷Œ®I•brýðtÜKe:5\˜õCùsòn—w£íï6L’„ÞýúðNi¦3ê¦ØB¦™!ÚOøÐŒ}[NÅXµMPçk“ÅTÔÎ`.˜ë´v–ÖÊM³}cG|zßîóªÁñÇ|tîÃh÷8þ…Hòþã=|P'È’¢m†j|Ý>áç×͘ÿ„mu¶¨žš ìw±ŠmÆj¬Pš%ÕMºIpFw*JS#%‹>‡áŒ$î œÑ$ÇÇ]eû¼¿£:)vU‘×(ÝçMnÎDò\£=îM§“©v›»E¦Á–(j{”¶¶Û|¬šmØgwm_`æ%í³ ºþpa‡¼ +…­(8É;øìDÔŸ¨ÚwµÝƒr× CÇ]î•É$/Æ)¯ëÊ÷y7à(ºT¼ÏA4‹³›X–Þvì‚š'UT-ó1Gµjˆ+W`AÕ8¸g· >nýZíÔ¡¢·›@ÒWÓè‘KñpR·ùcî­Š˜§"åB±€bAR¦8bž¦
+ôœA)*l7Fê8³“fD Ö±›Ö±  R
++úF…ÓŸ°3±
+šD n:%
+Z¹b¿úmõó¯d]®Èú‡I¹оÀxÓ¶Þ¯‡!‘:JêÕýê_ÿå¬hǬ=¸iÎ#°VFPŸ/µ‰gÚP¡`KM_C]À™§” XF˜Tî9¾i
+w”Xó®ÜÆ™LAO¯ç[|›ÕÇ%¿`6‡†QèÌœ›ýÓ#ÉM¸ 㡾>„t±’ò!\:”ŽM˜û¿ƒãPé¡Kÿú3Å7áÄ(ðŸá§o5ù"œ\ƒ)mrǯnàãÎ}âèVp¸ÑVÛ£€%?þûoPs×ãLx­Žuíâ;ƒˆ£ôýÕ7\îû `ûýù«Ð±ÞFôì”ß渢/=÷¡%DÏ<÷}õ»ãXôûR•ãî6x_ÍÞ?xc _‘ ‰I…êKà¥<%œEˆ§²¬ÒÇš×MŸÁÏl£WcÄKã…^ÄÏÜø€~ò
+B·€ójæþYpÃÜW\Uî
+7&æ?ø]ýðÇ<¡nÀ|­õ⯃ñG¿ —©û q=23"ÖAÉE!»r{üñ´RÜí?q7{endstream
+endobj
+866 0 obj <<
+/Type /Page
+/Contents 867 0 R
+/Resources 865 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 881 0 R
+>> endobj
+868 0 obj <<
+/D [866 0 R /XYZ 85.0394 794.5015 null]
>> endobj
6 0 obj <<
-/D [610 0 R /XYZ 85.0394 769.5949 null]
+/D [866 0 R /XYZ 85.0394 769.5949 null]
>> endobj
-613 0 obj <<
-/D [610 0 R /XYZ 85.0394 582.8476 null]
+869 0 obj <<
+/D [866 0 R /XYZ 85.0394 582.8476 null]
>> endobj
10 0 obj <<
-/D [610 0 R /XYZ 85.0394 512.9824 null]
+/D [866 0 R /XYZ 85.0394 512.9824 null]
>> endobj
-614 0 obj <<
-/D [610 0 R /XYZ 85.0394 474.7837 null]
+870 0 obj <<
+/D [866 0 R /XYZ 85.0394 474.7837 null]
>> endobj
14 0 obj <<
-/D [610 0 R /XYZ 85.0394 399.5462 null]
+/D [866 0 R /XYZ 85.0394 399.5462 null]
>> endobj
-615 0 obj <<
-/D [610 0 R /XYZ 85.0394 363.8828 null]
+871 0 obj <<
+/D [866 0 R /XYZ 85.0394 363.8828 null]
>> endobj
18 0 obj <<
-/D [610 0 R /XYZ 85.0394 223.0066 null]
+/D [866 0 R /XYZ 85.0394 223.0066 null]
>> endobj
-619 0 obj <<
-/D [610 0 R /XYZ 85.0394 190.9009 null]
+875 0 obj <<
+/D [866 0 R /XYZ 85.0394 190.9009 null]
>> endobj
-620 0 obj <<
-/D [610 0 R /XYZ 85.0394 170.4169 null]
+876 0 obj <<
+/D [866 0 R /XYZ 85.0394 170.4169 null]
>> endobj
-621 0 obj <<
-/D [610 0 R /XYZ 85.0394 158.4617 null]
+877 0 obj <<
+/D [866 0 R /XYZ 85.0394 158.4617 null]
>> endobj
-609 0 obj <<
-/Font << /F42 597 0 R /F43 600 0 R /F56 618 0 R /F57 624 0 R /F58 627 0 R >>
+865 0 obj <<
+/Font << /F21 654 0 R /F23 678 0 R /F47 874 0 R /F39 858 0 R /F48 880 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-630 0 obj <<
-/Length 3297
+884 0 obj <<
+/Length 3270
/Filter /FlateDecode
>>
stream
-xÚÍZÝsÛÆ×_ÁGhÆDï8àúæÄv£ÌÄN-u2m’
-·ú]ù=ÛüTæýÃóÚ"FìŸ\]FB'_W—T°› xð˜ÊlS¨®F\üyue,ÄÇ(¿®+±6¦4óÁ…»¬ò‘°=öpqðóݵUAñ¥ç9Ž‰E½­šYìì>'ÑusȶŸŠ¾ûõYŽyý£4zÎ0ÿ𪄠Ó’ÒLk=Nu³”§’4ŒR )Ï€ý4$ë³Õ@Ô(ÔäÃQÎ3°«° 9†`'~;d¿7Í>óæxŸí™zûÔõÅ~ÜÕ˜¸dOØÄŽ²jª‚öxh‰SIˆýƒó äÍö¸‡4Kt¢Â|C³Å—¶"®ÜK¼KYw}VU>sÂTVç48¶ŸŠ¢½<Œßãô ¤®Ùõ§³Ç!›àpÙ}ñ
-%g:”…vQpÂÅàÛ›âÞ1¤Í‘h¯Ç²`
-ßV%˜ÞÅî8¨šæŽ-='*%=rÅÞL°¹–Á Á”ÃlpcN³f’f!$§&â4ËÚl*ÐÙ‚ j )AK^\•<O%¾¢óNà=tZWÔ9KóùXJg ˜mĦf¾›=÷ìC \®•Ñ¡²6ö:§œX“·»Ãhå–!(§ŠÅ9¼h§<°MKç¡ÎµW$X -XªèÐÓUÌ·-Ž9²áÈòÑ“
-^ ±c$<‹0q7|9_²­Õ†å}žW³kö'Fó;;
-¬´Ä‚T*L’T _Å’º#H¸Âª‘¾v—‹17ûÍ6e½( ¤V!ý^‹au­¢$Œ5:ÆexU>¼ºðØ]hâ2%àšQ¸•
-
-^OaÝÇ…¥ºðˆ¢©+Æßp©KHª4>•€ñ9”•=º–o~Íðƒox¼Ã{©¥… Û·^&­
- v}¬ÏX0Ú¹w”ð«­á(ã'A…ý·}›ÕKaNÅ
-®ˆðNóvrüM½ —J”¿šÛæXåtÞ¦Xh"D°’Œ6Ë*d!C`ka{GR7Ÿ<3–¡ˆaÁÄ3O Gx%™ªdàré(È‚V¤^ôniSR”¬àZ-Qªâ=‡ÞnaCëqÍY‰¡²õ±®9ÐF/ˆ/eÆ‘õ™\±©ï="˜l¯1’
-/!ﺄt˜Ê!âz)3â½;nÎ1Bfš„IES=Ãå\Ü J^P0Öö*C¡{Ò
-B†Oƒ³qù°à®ié ŽÁtáK4¼ Ý «&÷cT¤Á à±þÂ…㊠Ûýç›e8 ÀµÓÈxV‡eí¦o¶MµT«AôUƒ€¡
-2”6¾¸/d€$e8Ž£¬ëšmÉ)~c^¤›#9GP³aäŒω1Î+{£  Qir_T©ÑPýø"ëHÞƒ¨€¬óE Ÿ
-nÏ´ 1Ì)*¡q<u´îض͡÷þµÀÓ@õhŸ-ûÔKŸãü‡ ³Ã^4ŽU1‚©‚úÍJ)±[Js‡û >NÚ«´|=^?ï‰ÏvEán‹íù›ÔL¡¼d!¿”JN¸™µx‡U/01ßmä¨*´!­ZDWæÜÞp•V^¸¸QVT‰%-3¬¾è
-N
-JÐ}y_s5·[®6¹æʹÙÔø: 5
-ê<eX¿¿0·Ò|ß™¯¼^òñÒ)'üÌ?øU/p1ßíù.rlMªæ] Í]Œ=“{§=
-ü„6ÓC¨m‹ÖHÁ±kXkenׂÐbÒƒ‚âK špxÞ(÷G²šÉ=Ÿe;¤ž|NsºÀA^îƒgÖzË'oŠþT`y†‹–Ò\$L˜¥G¨c tH@ª‰œ4öžÙЕ–PœG‹µøKå¿¿ÝLäËM
-º±±ûZÑô@­r µþ;Esì*בå>i¤`À5”RñÍ’wÊègÛ”NÑ@q÷HyQ÷>>Xêÿ"n¹ÿë(Ü”pêLGõg¹nd³#:ííOüv´pͱyYÞA jà¶x$F‹ g"^sîF™‰C[ g%MšÅQ<¦ñ ]¢>d|ȶ±ÐpŸ]bsÙ÷Ýl*oÒ ‚õ„Úx{ê:8”=YÊ!½Ø}âÀUç®[êZ-ˆÿ1¹¡8‘Áà¹i
-endobj
-629 0 obj <<
+xÚÍZK“Ûƾï¯à‘[%NægnkKŠå*­l-S®ÄÖ$†$J
+“&áì?¤Piªgû› 4" Œñ3åÍÃÍÏý†ƒU÷ꤦ”ÚDzBUÚL©*LEd` UµÜYoS—e}*ª-ý\×Õ£­º¢®ZšÈ·*™3ñ±µ9ŠŠž¹mׇ¢¼PoèÙù¾{sÿ²ßü7)õöxÈð¯©Kû×K•F‰ˆ”®ƒ@ÀÿïÒ©NE,ã þgoy>ä œB¤aøè= {ñп1ÞjáeZÄF‹P½½‚¡kÇH“x›|IFd®[¥Ô¼ê|:[¨D3ÿåVˉ.ôßvOú ÒX¤*Åsz^þ;éPîâÿDaZŠ0„½'=ÜkLÃí ÂÀiì£}:ÕÎwóe‡ø‘^Ñ:¦¥£~]|FÏŽ¤œÿRäÝîym#éŸ\]FæWÕ¥4ì&)<f‡"[•öÕÕ€‹?¯®¢âc„_וÄXRšyçÂ]VúHØ;¸‰‘‘áü×åmªçösÇkmµ.ë«ØÙ~:Ž¢ëê­?Ú®ýð¬F‡¼þQ=g˜ÿGxÕ2I *_ “c†©î*åé8Ab åE`?Éúl55S0äÃA΋`W™‚æ€$ømŸý^ÖûÌ›ã>ÛóìÃSÛÙý5<pWcä@<™Æé «&zÞMí"q¢(#Âd·sþ
+`{<gV‘¼z†ÕH‰( ¼ªº]ÖýÙ/ âv›UÅ|ÆŒ±D‘3ûÙzÍ !N´šž4O””©% /§;'ë‘kbè¢Ã3Ë÷E…wV-Í­jÌ€èpá™Î_e.ÀRUçLDXÃx¬az~ÑÏSå¢KXxÈ„^NDŒUÝH±×Ú„˜˜$q8¸D°9¡&3ßÏ•?Ã=ÊleKfÝÄ)Å€R¢ 2ãkëm©•æû¯Ë¥<†R½ÈŠ±Úp B d[ùL
+âNœªa©ënB·
+`wù
+!A=]Ĺ%aØ€ <Éä»!ÉDA‚Šž§CÑu–`Ò¤QÆïgôÀícÀ@ž¥×ŽÁAýÎå Åv×ÑÐ)‰í†g(Ààþ¶ÉÀÁýÀ3¯;ôp(…æwcð@·Æ±@a©²¾€««’1ÅÊw]ª’*O
+Ý€+ë}“USaNC²0&ò×ñÕèø7ÕZL¥óX$‘ñ¡q]ËœŽYÙ‰N‚I…†¼ÅÔõñ€|
+–S
+L.ß»Çeð¨ï³gLÉ©s"gÀÒ&ñÂØk
+€
+ŠÆáîW}ÞžêL\ï6pTCÙ©R=ÔÐôí WiåÖÅ¢¤J,÷w\õEWpTP‚î‹mÅÕÜfºÚŒ¸Ë¡â‰¥áÄ m €`Ù2q¸±‡aµ÷.và bÍÆß¼fR£¹õM…¶{ÞQT
+U+”­3-›Ä|ÃSzúÅð…k+]ï{å+wS¾¢!^F‘R#~®¿ xªopq½Ûó] ä8}ÝÅ0ÜÅøç3ywÜ£ÀAh3Ó‡ÚÆ°vÀ»®µÑ©+øMŒõ  xÅR‚–€7Š=Æ‘¬âéŽÏ²RHG>g8]à /6ÈÁ†3kµæ“W¶;Y,Ïh*Í2Œ¯Í
+endobj
+883 0 obj <<
/Type /Page
-/Contents 630 0 R
-/Resources 628 0 R
+/Contents 884 0 R
+/Resources 882 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 601 0 R
-/Annots [ 640 0 R 641 0 R ]
+/Parent 881 0 R
+/Annots [ 891 0 R 892 0 R ]
>> endobj
-640 0 obj <<
+891 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [272.8897 231.1055 329.1084 243.1651]
/Subtype /Link
/A << /S /GoTo /D (types_of_resource_records_and_when_to_use_them) >>
>> endobj
-641 0 obj <<
+892 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [190.6691 203.5826 249.6573 212.9922]
/Subtype /Link
/A << /S /GoTo /D (rfcs) >>
>> endobj
-631 0 obj <<
-/D [629 0 R /XYZ 56.6929 794.5015 null]
+885 0 obj <<
+/D [883 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-635 0 obj <<
-/D [629 0 R /XYZ 56.6929 756.8229 null]
+886 0 obj <<
+/D [883 0 R /XYZ 56.6929 756.8229 null]
>> endobj
-636 0 obj <<
-/D [629 0 R /XYZ 56.6929 744.8677 null]
+887 0 obj <<
+/D [883 0 R /XYZ 56.6929 744.8677 null]
>> endobj
22 0 obj <<
-/D [629 0 R /XYZ 56.6929 651.295 null]
+/D [883 0 R /XYZ 56.6929 651.295 null]
>> endobj
-637 0 obj <<
-/D [629 0 R /XYZ 56.6929 612.4036 null]
+888 0 obj <<
+/D [883 0 R /XYZ 56.6929 612.4036 null]
>> endobj
26 0 obj <<
-/D [629 0 R /XYZ 56.6929 567.3837 null]
+/D [883 0 R /XYZ 56.6929 567.3837 null]
>> endobj
-638 0 obj <<
-/D [629 0 R /XYZ 56.6929 542.6255 null]
+889 0 obj <<
+/D [883 0 R /XYZ 56.6929 542.6255 null]
>> endobj
30 0 obj <<
-/D [629 0 R /XYZ 56.6929 441.1968 null]
+/D [883 0 R /XYZ 56.6929 441.1968 null]
>> endobj
-639 0 obj <<
-/D [629 0 R /XYZ 56.6929 415.1634 null]
+890 0 obj <<
+/D [883 0 R /XYZ 56.6929 415.1634 null]
>> endobj
34 0 obj <<
-/D [629 0 R /XYZ 56.6929 188.7253 null]
+/D [883 0 R /XYZ 56.6929 188.7253 null]
>> endobj
-642 0 obj <<
-/D [629 0 R /XYZ 56.6929 161.3171 null]
+893 0 obj <<
+/D [883 0 R /XYZ 56.6929 161.3171 null]
>> endobj
-628 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F56 618 0 R /F57 624 0 R /F42 597 0 R >>
+882 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F47 874 0 R /F39 858 0 R /F21 654 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-647 0 obj <<
-/Length 3284
+898 0 obj <<
+/Length 3430
/Filter /FlateDecode
>>
stream
-xÚ¥ZKsÛF¾ëWð¶TÕ™f
->悺¾­ßó=ñä-„¸Éüò~T”¡Òå6¯™tÈ<€­·é¦»†‰9ÿ´eýPÉ›ì¾*:YnúŽUe@Vk¼ ªÒâ_}µ»]Y­—yÕ6<;àƒ3 ù˜Ÿ:5÷ò
-ÿ aR>½xºÕé²h/^‘xÂá„÷FÞKBîD 6=ñÃŽGmqz*N-‡:÷€·0CŠrò‚Q~I!­Øi
-ì(ÏÀ¸kŽåv?¬I6IiùZª…UjùýûoxÄü zçUE®8ƒ
-t6ƒôÎ.žEÛœ˜®ý"´†)ÐPÖ'Y >sú®Ø@1çLä 8
-N]6öÌšbóg&r™¦Öž'O |žöäaýjúÂuO~½/Jð¥Ø²êW±…–êÂù†¼g#éèêB[zOqª Ñ÷zöÖ`Xµš.»–ðz7Ñ‘ŽfÔ ¥12Ô-Æp0“Ú1ß‚ œq‚ü?¨xᇠ¾™iS$ÉU*œ¤ œ~ÆÂ+u)d¤PÆÛæøÂÓ„^’$,ó!IÒ^€ç°Jbº¤¤>¡¨K6ºÎæ1š;<í(
-`S‡¹3k^S Ôd gh&øäIL½Il9©A’oKHá¨âؼ"8žÎŒ»é²2‘.":ï;æR5ù®™MúìXSuÀ—“,ˆòTâ=@< ¸ —»’šU¤o^øwßòZ¶ ÷ÚAJô…úŽìûü(IE õ…w„àPl÷y]n²à‚i’Žƒx@$‡Ã )Ì’y¸Çb솤Ax“ð0Ç“¤ÐËÂëâP3hyÞ”ÚGÐwøó[º±¤½glê"'á…f#ê(õ.´È!z¾ºk¬#§­\e&M "I-FòD<ÉFòÄƉ ‡qv@4%ÀPÌ f’BK@H½ªL)FÒÌÄ!ä`
- ‰\ù€uó\ ú›»‹ÐÊE&KÆ lvó¡ÛbÜœóäzO ²¡®×˜€äFTŠ˜®–Úb1¢ÓËëP‰T ù
-–Úñ S;É´v¬Ç@Ι‰÷XA\u·zI éGÞp[´Â!è·oÃת1ø©KÝ™cãâ b{?›ØÅÇzÌWÎgˆBÕòåâ݆û ÜKò<Š"…ƒµ£{Ážçñ'Œy%R¨%?Êbr†ø’€¶’dH²ô !%©;é>‘Öl“ú‚¿rׂ4m[n(]$rQ‰5'hƒßêæd¬ˆSäÓ˜‰
-f²}¿¾ewÅk<A{syFÍáòKWäU·ÿ‹æ—6ô·´YU8H?811ÐGÿÖʪ‹ä&HŸæ âǶ|9 tí¿„‡]ˆ«m0ÄtQpd‡È×aD#{k1=¶Å°çŒ½¯8`s€ß‚º²ë;iæB4M
->ðű„€q™°? BBGÏ$3)ɶN.Žq
-,õ@ž/$½ñŸI:,ºHˆ>\)H÷R§oó…, È8šÊ/>R"<ã7$a RÚ…ÛɧaÝ”µé¹ÛÂN‰ _º‘o}K ¦è Hz,Š#£áãH:t6ôžH¤(? „µRבõ±(äƒMä©|Ë Š>¬4²<|i\ÃΔ âxš½ÕjB5~ ŵÃM |á„RæCEÊË*ß„ò= €%ól¼¸jÆï#e^ÉUÖx»Æ¬ÚyþùTR€
-¤„H¯DÃÊhuy¿ÄÄÉÅ>2/­& MO‹žÀ=A;ZT¢Éà²Á›.ß‘uÍ}Wˆ ,À¾Ô´ 'þ6Œ¨­}¹Ûõ\§(b‹J!.éÞÅËO\Ïbôd°¶½“ÏX3¯2‘'\ç
-À‚I£Ê€:¨lòΦؗtË$dÀ§~FWùÚ—².Xê¾™Z¿¯Gÿ >½m‡ûü
+xÚ¥ZÝsÛ6÷_¡·È35@>ºMrMg’ôwn:m(‰²8¦HHÅõýõ·‹]€” 'íÜøAà\,»¿ý åBÀŸ\&ºÌ®Ì3#¤Y¬÷Wbqsÿ¼’¼æ&,º™¯úþîêoµ[”Yi•]Ümg¼ŠL…\Üm~[þðãíÏwo>]ß(#–2»¾1V,ß}¸ûôñõ/?ܽûøáúFJëp.çÙ»ßÐò×ßß¾û@ã·ï™úù×ÏwoÞÓøwaÄëŸáG^ÿq÷ÓÕ›»(õüdRhù?W¿ý!8àOW"Óeað 2Y–j±¿ÊÎL®u ´WŸ¯þÎfý«)M]d¦P.¡*¥Sª2ef5L¡ªÞöG8•Ê—M7ŒU·®¿ƒG-–뾚Mí'ÍrÜÕxTÐ}9c(¥ÎÊ6žUýgµ?´u¶î÷´ølwë²²’×nú}Õt´óã®YïhŸ¦[·§M=ÐDWíih–É–äËjHIba\JËÜwý0fUUeA$|eq£ÌJ•ƒMI£üâ´¸JdÊšVÝ&µk™)¡Ô|ÓÕj•}]Rɬ(\x«þR£t:îO÷xHý’¾Î¬2QÝè%/ýoßÕ´ÉLÁ°MßµODßÔm}_ Ü:MmÁ.HiBg© ¥½`&+Jk‚Òf²”™ËÕ7”\€™ ®oë÷œ'ž|
+ýÄ ¿W¾ñx-‹e=\¼Âþ„ÃÙÞ+~‡oºfòÈõÀôHCt; õñK}È}Ĺ¼¯(Ã/(a—Þ¥Ù¯
+Ææï"î„¢ly«1nù|/@We]Î<Æú¸oºªMl¦s¸YaÏ7wÕÈ› LÚU|²®Olgm&TpÊá´¢³ ‰ýr—¹°Ð›¯™+<¾Ê.ê :X)Ï/ÈëX;o¾ÚNˆ‹$ð4?¨™' §y n°®#Ñé*aà/°ïGZ¹{“Žû¸I6[ƒ¬wá}Ònßö÷¼#±° *ÞªéÆS36_êIÊ3Ã#zDãN÷÷dûàœtH~êOD"ƒ«6Dþôö‡F—µw¤‡9½FxÖ0Ëž(÷^-š€
+ÔXCõ@ÏMÛ’ia’ÐÑ£9<Wô”ºM"c÷Dñ˜‚ZÈ
+¸{|*./ðÎ4ÏçR!`Ã
+ÖëÓè‚9„ó÷?ÄTvODp„'¦õDò³ ’úHx ôM½‚ÐO¸Þtp
+üÈ4vÕ'îëbq„Ç}½ÞU]<PfâÁ‹‡)Äa†QR‡^˜¡ô£ð†Òü%13JP=°&¢ÔÄW0³©0ðÅEò‚¡–´6?où¦§g–¸h“ÉÜËê“i¦›1gp©¯rÍef¤6Ñ~øÊJ@^(€Î*¡wˆoÒ5C¾®J …ÙõõÌÖ•dã’f^‰ºòô'"Ra*)ÛöÝ…pHãEÑb€æÛ@%óöØ:gŠ}V_•ÎG™8²¾P#öÛ´vUîbÿù`³&õž
+L8éí”_éü%›•VfBä¡
+¥BÒ=ó8°k„Óâ²sÍ€¨µ!Žö“ S= szJ†€\… îÐ|€Å>[@ú®ëw:AöC`ñ\5ª<0…9\<BV?l“ÁÉÀ½Ø\NÁÂØò2XèЊB^dQŽÚ¤¥û¯Àó\K¼1­ôµ„醹ÛëÎÒmR]çb„óŒŒ%EÎî ë}ÎÌÁ¹-† úahV[÷”1àmÐ[cJ†x‹8åmʨw]
+îcpËGªd6¡*©¸T™¼4TF04a‡ºåZêx g<æèí3cZñ¾M‡°óž ½̈¾è€/
+#qÙÜ#â¬kƒ\E‰YÒ&g‹œ¥=r–íHV‰¤L—Ekº|‡×õÛ±fH€³üRrj$9{¢ÏøøˆÚÚ5›MÌàXlV)8ÂÅ¡îM¾üHñ,GK¦iÛþâ˜x•ˆ4i¸—ªl(<4© ¨Qe³wVõ®ñwr|$átêG4•¯}ÔÃMmûùퟺÉþ‚M¯ûýþ„í”B^äê˜ß6!ŒæÕŸFü¥˜ÿ¶›ì¥ÎÒ&Ãÿ¨J´9EüfôÿãÖôÿk¹Ã¬V¥û¥Z”øQ(TZù¬þÁë¹äÿ2/I¾endstream
endobj
-646 0 obj <<
+897 0 obj <<
/Type /Page
-/Contents 647 0 R
-/Resources 645 0 R
+/Contents 898 0 R
+/Resources 896 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 601 0 R
-/Annots [ 650 0 R 651 0 R ]
+/Parent 881 0 R
+/Annots [ 901 0 R 902 0 R ]
>> endobj
-650 0 obj <<
+901 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [519.8432 488.7856 539.579 500.8452]
+/Rect [519.8432 497.8292 539.579 509.8889]
/Subtype /Link
/A << /S /GoTo /D (diagnostic_tools) >>
>> endobj
-651 0 obj <<
+902 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [84.0431 477.498 133.308 488.8901]
+/Rect [84.0431 486.5416 133.308 497.9337]
/Subtype /Link
/A << /S /GoTo /D (diagnostic_tools) >>
>> endobj
-648 0 obj <<
-/D [646 0 R /XYZ 85.0394 794.5015 null]
+899 0 obj <<
+/D [897 0 R /XYZ 85.0394 794.5015 null]
>> endobj
38 0 obj <<
-/D [646 0 R /XYZ 85.0394 599.0929 null]
+/D [897 0 R /XYZ 85.0394 603.5324 null]
>> endobj
-649 0 obj <<
-/D [646 0 R /XYZ 85.0394 568.7172 null]
+900 0 obj <<
+/D [897 0 R /XYZ 85.0394 575.1064 null]
>> endobj
42 0 obj <<
-/D [646 0 R /XYZ 85.0394 457.9037 null]
+/D [897 0 R /XYZ 85.0394 470.0596 null]
>> endobj
-652 0 obj <<
-/D [646 0 R /XYZ 85.0394 429.0681 null]
+903 0 obj <<
+/D [897 0 R /XYZ 85.0394 443.1738 null]
>> endobj
46 0 obj <<
-/D [646 0 R /XYZ 85.0394 352.2747 null]
+/D [897 0 R /XYZ 85.0394 339.8943 null]
>> endobj
-653 0 obj <<
-/D [646 0 R /XYZ 85.0394 326.5176 null]
+904 0 obj <<
+/D [897 0 R /XYZ 85.0394 316.1468 null]
>> endobj
50 0 obj <<
-/D [646 0 R /XYZ 85.0394 247.1936 null]
+/D [897 0 R /XYZ 85.0394 241.2623 null]
>> endobj
-654 0 obj <<
-/D [646 0 R /XYZ 85.0394 221.4964 null]
+905 0 obj <<
+/D [897 0 R /XYZ 85.0394 217.5147 null]
>> endobj
-645 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F57 624 0 R /F56 618 0 R /F42 597 0 R >>
+896 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F39 858 0 R /F47 874 0 R /F21 654 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-658 0 obj <<
-/Length 2399
+909 0 obj <<
+/Length 2282
/Filter /FlateDecode
>>
stream
-xڥ˒ã¶ñ>_¡[4UM|VNkï8;.ïl¼#RŽXK‚²HÎDùút£ )q*©Jé@ t7úÝX…ð«$ Ò"*VYI(’UÙÜ…«XûÛà=·i3ÝõÃöîûŸÒhUE¥«ía‚+Â<«íþ÷µâà0„ëí§‡ûM”„ë_>x|¢ñÓ‡Ï }þÇóöá3ÿ&áǧgøˆûi®üôáïÛ‡¯´.åãÓöë—¿ý¸}üòtÿÇö织­çzz3JdùÏ»ßÿW{¸àÏwa ‹<Y½Á$ DQD«æ.NdÄR:H}÷|÷«G8YµG%% ’ •[QÅÑJˆ H’h&«¤RI/«.†p_U+óÂRRf)éó«>wxY@)'ÒW›(ŠXÄ×öˆ'òx}¾ùZwm çRW»³:Wº£éÉîh_«½Þdw¡oÓv=Ú“>«žøiwézÝØóÉZb)I',EYˆ<Š€7d©ë‡Ý-OKwI’ Ž"Á羃C…\7ZÏAT½if×1b'¦íñj#¥ ÒÐo¼øg©NjWãÞnw /\òО"’ZÔ48 uM#°Jø+ }Õ>O’,u×À
-’5†Û^ÃUýÍSÛW„³ìk·Ü^ñ¡†þØž«½YènDŽÖƒ~^q_–¬;´’{±>wà(¤ñh@aj’Ì…YænaéÁ1{ø*Z¬ÛRÕ1d€
-ò4—lK,âáÜ¡°n-OA(Á/i·ñ~G”ÿʤ{úò½»ªAÉb‘¬=\·í·á´dý^Ün?i¯\WÚô [2ð0â<†è#² QNþ_DkÐLóuÕ8×(ãÊ”L¢Ù5ƒxªãPcO”ŽÞ +x¨ûŽVÐp¡w[Ýݹˌ<è<M“õslŒL{âWÖƒdA.‡S¾­mÁ’2{Z+}E¨0©L_5ª'ÃÇ­1àwÚ:H,؆a¡×Ëê•À^˜Éw´ ØRo•›&¤3§]äuÁxŠ J„Û3»Æ»xA‹IPI~å8þÚ`7í¡×††Cç|¦»˜Ö\švè@BˆuàU`Í)›¤‘­km^ú#­
-U†u1
-Ž&lY9ḃ¬Ý.49I6„¶‹uGc~_ËäÇQŸJVN¬’ljH# Y:¦¬9ÈÂßq:i›¦5õejk}¦Ûjß:~?ÓŠ¸„,ä\²‹Ñ
-ÒlTøljLäyK]%2¼$Å0 F`Cv h$¤ÜÑN÷Öo ™a¶Ë#J’ ‘Ñ©é!R ïÁd÷g >j"J:GC­°V¶û;úêÕÐõclò¦À1Ý›UfL• *ýÐfNV° »kо‘e4¾Ë©ÂRèBkßqá툰K;h߀¬0ÆHÔi‰Œ:1“2
-Ä,ÜøŃVýà}Up„°§¬?‰ÔO ãCaB¬b¬Ã¨®—4¶×¯ºnO>ÛO3¸2bŒà}– }e BnhŒm¸O³UâÇ„Y!Ä݇CæN¨o¼®ö¯ÊôêÅÓë•É,P¡ˆ0õKÊåÊík3IßÏÐpT§š·|mký??‡dáú‡Ç§4r=í¤­ÌÜ…X5@HM•1ôßö0~á¢Mƒ >‚8ϨF­ÃÿoÈQ˜z|o ‹µzÕW8Ÿßœ0‹ªšë¾œ¾a:+¦ÆŠtÚBûÞÒ·×ýÜ.Þë9¯šƒOí›KŠ8'ãž®à^J@m0%ZXGSëE°Îoîù—H38Bn«’'Máßõûë¦õ½£búFu-Ǻ}ñ‰3Çc'u†/""ªÙrÎÉYáZ(y;!ˆÐ6Æ9Dn†uC£ÖÌ)Ð^§\a·I¬(lËÃÙë—KIɸ7œÉkžµÑôZÀÓçœt”‚Ñl–KæP"’îAn†qci/¼b$A–™+Ÿí%Ø »Yêe…@nˆ²ô¦­‡Å}Õa.äŠwAyåW¡Þ¿tPôSä'®Jíªºê/$SBCE"¦Îw“@¾D¹GãKnãH #kð¥Ú Q]Ù/€¬_¦gýùŠ4é G3-h÷º/*â‰Þ
-I)ºì
-4¸ÒÔÈhÛ=LÜ1÷t! Ço°°eì}p%
+xÚ¥Ërã¸ñî¯Ð-tÕŠK
+¾÷\*TÐÝŽ؃¶~eX\/ˆÛ´E«µR*L£X­Ö£úf©_õ¶FÜ^·§_xä¾;6Ä$u¤i±êšVà•´Ÿ0تkù>i²4}O
+â’°Û1îˆóŸ™µ¥_~w¿ÀU@"H¥*ÙºËu×}^—¼?Çû›ÀÀã“5ðÉueZ ¶%â0ÎcÈ>" %sŠÿûB`•æAÕø7(¼àº- ¸d³kñVÏ©ÆÝ(!1ܘ
+x¨mO'Gx`=ª£¿w¾`6OÓ$x®@Œéâ‚kÏâÊE*(dãh.·ó-8ÒíŽÎÊ1…"tL°©Z[5Ú’ã#f׶wÆH,؇áÀšeó*/ÊÔ;Öì©·ÆM“Ê™·.ʺà<E(áq.žñ.]°bE’_Îølð›noMKË¡÷1ÓŸÛ®=7ÝЃ6„A8šÀ¹S6+'" jӾح€<(“OÉ[aq:T%ciúa%uîwG°FŸ‰ÂÖÌ‘¬®ZÃ(UK¿Ö Àžˆ·ˆÿÈaRl8ta5& ¤ÖÓM0¸%§rÉc!㸠ê!¾°ØÜ'IP5ãŽÂ ׿Œ1}Ëfó õ-ˆ¤©}vêû®¬Àíxªœ"aetÉ+Ÿ4·(Íêu²ùÅeõ‡:'ĬëJBÁ½ÄOÝñ¤;ÔÍíÞÈERʹéL«°ñ 1¥â,Øu.,ñ¼³¼0­Ðe¸ÀT#`ÃJâ]óZË»›,™r¡ue¡†ºJ!‹©¢-Øó³R >Ý.u%Øfñ”_Q7K¥
+s­;Þ1~e1½¨”û1¤4"ÏIŒ¼¥ »ó·Ic¦ñk¢'(u~ê½öq²Ô|†€ü÷'Nf~ñeu6§c]…B*¢l¬«)WÕÛ¡œ†î°>C_\½ÖŒòµ«Íÿ<µgQðÃãÓGZùÑk6ýd«UŒtk¨ƒ1¢à ]¶Æ_úi4¤#&@è<ýA*Å 9Ž€pXë7suËÎÍv·¤ü©`ð´6û¬íÒEÍŸ§ù¤7Ž@ãh}?ûŸG£è²’|êNfª|±„9™G‚[~U
+¿õûëÙ꽫bþ)åZu÷2æ÷¯½ê#´’ø!©µÈ¹td…ïô¤woºµú„ .‘d8¿å`v0 ­ºö’áz{àIãÞe\®-
+—kóèÃEúRîlý§†ÙG'ç£éµ‚ç_ÒIKF·Yîì"
+©üw£ ŠkÇ{aØNÂ,/2ßå¹G°+³tÔ¹oÏÒ›éwU)›SÄ‚.R^MeÓ@NM¸"‰©ô¶ª+{& ¹:*2A0 hëÒ:ê]Nd{MX9G€_*ñHêÊäâŠØ0?ÏW¬Éf¸º°Ù‚‹^·ïE<³[¡¨’Ów%
+ejѪ€Ç*EF ½ÍRqÕâqÖª)Ê_¸2PyL|Jwåˆ?/ÕºôýwÕö ö‹4xÝ=¼óýÊ~´^øZ…îÿþ6>ý‹ ÎB•çrúì­®>Ç9a¡\In$÷ÑoEÿ7>“endstream
endobj
-657 0 obj <<
+908 0 obj <<
/Type /Page
-/Contents 658 0 R
-/Resources 656 0 R
+/Contents 909 0 R
+/Resources 907 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 601 0 R
+/Parent 881 0 R
>> endobj
-659 0 obj <<
-/D [657 0 R /XYZ 56.6929 794.5015 null]
+910 0 obj <<
+/D [908 0 R /XYZ 56.6929 794.5015 null]
>> endobj
54 0 obj <<
-/D [657 0 R /XYZ 56.6929 769.5949 null]
+/D [908 0 R /XYZ 56.6929 769.5949 null]
>> endobj
-660 0 obj <<
-/D [657 0 R /XYZ 56.6929 749.4437 null]
+911 0 obj <<
+/D [908 0 R /XYZ 56.6929 749.4437 null]
>> endobj
58 0 obj <<
-/D [657 0 R /XYZ 56.6929 609.0996 null]
+/D [908 0 R /XYZ 56.6929 609.0996 null]
>> endobj
-661 0 obj <<
-/D [657 0 R /XYZ 56.6929 584.3177 null]
+912 0 obj <<
+/D [908 0 R /XYZ 56.6929 584.3177 null]
>> endobj
62 0 obj <<
-/D [657 0 R /XYZ 56.6929 437.466 null]
+/D [908 0 R /XYZ 56.6929 452.0712 null]
>> endobj
-662 0 obj <<
-/D [657 0 R /XYZ 56.6929 410.2571 null]
+913 0 obj <<
+/D [908 0 R /XYZ 56.6929 422.2123 null]
>> endobj
-656 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R >>
+907 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F47 874 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-665 0 obj <<
-/Length 1888
+916 0 obj <<
+/Length 2095
/Filter /FlateDecode
>>
stream
-xÚ•XK“Û6 ¾çWø¨‰UIÔÃ:6iÚ¦3Ítší©ékÑgõpEÊŽóë  -oÔN:>
-Œì„SxóþÃ$ý»2ã<í•ý=ëIõj°&˜IóXäeÆfÊ".ÅŽÖÍâôa›&Iý,§æ"'63}mFlê¸.³’­ˆ4Îïþ‡A­Ì¢VNé.BCøEc¥ˆˆFƒŽ@£idh²•gEÊv’¶zd×]‰õ¤Ô@h[6×26~ØŠ¼Š~'èåÀJz0LH4e^#¯ˆŒšÎjâ%m+-:…n¤i\EæÜà­€û¼.P'5°£Žtá@ƒƒógìi$÷V{ýf¶W¢n6Oj:ŒSï-ɦד|êXNúR(àÇa£u¼KÚèc‹6«J|÷–h94D¼ÿí\uPÒÎtCœñ@_N júôòJĉœ:ó
-v¤ïý9
-Íž3_·F^¢vß2Ëm @=¦Â­FÍ4F€!g,©£ïÖ‹HúÔ…ˆ‹Rφ´‚ñ¥É{ìÅI@Á®!šë8ìnåè$÷ØNý;+ß‚ÇO7Œî®:êÒª‚0è»áª¼›ù|ÒS
-½z÷þËòÿP‰"Æÿ»Öþíò"Û› ýÕµDg(°±È’`Ý«^.þ7ûzµ
+xÚ•XK“Û8¾çWø¨®jkõ~g2™ÝlÕ¦¶&½§ÉØm±ZHÙq~ý
+´
+}ˆM“­¸HÚl&Ñ(£ÆAtÝXÏRDÁnÃâú±‘Ú„û4+ƒ_ljôbàMjÐD¥‘—ZN9ñ‘¦B3â8¬ó<±f°*`>Ÿ ÔYäȆ†ãM8Òàhí{‰ƒQn3›Q‹Ì³œŽãÔ;I¢éÕ$ž;^'4ýÓUÁ‡^Ñ:L¢š¼öÔ‚Ì4Jqõçï‰>JafºaMPÖþS¨ UÓ_/nDœÉ‚ ‹3#ý?ó˜/É÷ÿýj0x%nK;^%èùPf\u—f!£•}ƒúF®à3¾sù½x±U­—‘³fÞx¤ÓBäHÇÝšŒkW¥[Þ2ÒÿTP ¥Xt¡'7Ö7mdo¥äÁqœÜqþ,q>wê@–`ì%•OÁïÿ”ÞZ[ËŽsç¼ÜÏQ¦%•E#›Gö~×W5œ8®`Q³Q_Ÿ¿E{ï µ9VfDÎŒh›IJn°Ô ]H*~12
+€—%
+4±NãØó<aÿi÷<0ÏÝ'p<ªEK¾â
+ZYX¸"J8áfÌ¢ÊRú4A0>Žß)0_’¤$ÏÍÔb3œK*QcÈ
+w ÑÜ9’®^6qѾ‹´­&LÅ/,Ãßr¯­ô˜WÛ†…+9 Ü›íŽû
+ Ñižü+
+×Ûöçé-Ä3‹B¼ ï9‘Z¦’
+Ûdƒºkú_GF ™Þ)jÇqŽòß7"¨ÙÛwðöëXÎ`ççNI¡o¶‰eaóÈBýõB ÷vùWeRå ž‚ ¿ûh×ÔWY„Ãvâu_èÚ8@–YuÜ’1Nlz?îélsÁu)– O?r'çà» |“zÓoÂpSWÕÖ¡¿fèG%¿ò-ÝÁŽ-æn_泶XR»V·æK§%›8ÁI¥i‚ÞðØš˜ÏŽ±vr#½×±h°|/ N$=Ñ‘r/€;þPC#¡k zßÑŒ8…\$O2hC|ÚtE•_MsWj3”­.ª™m”ÁÄêe³øÕ¼c$×?à^ÔÏÖ‡¸ù»ÅÊ&ûòÍ# ÎãÕ¦:B»Ï 46îSŒO*€‚ïÎAöÃ4ijq•Žœ•Pðúâ‡xˆæ"#Nrý?p½XŒ¤8ù¾‡Eþß…ûìq‹Ç|Û«×ÇóÁCê 8h7È ËÕ´*
endobj
-664 0 obj <<
+915 0 obj <<
/Type /Page
-/Contents 665 0 R
-/Resources 663 0 R
+/Contents 916 0 R
+/Resources 914 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 672 0 R
+/Parent 881 0 R
+/Annots [ 922 0 R 923 0 R ]
>> endobj
-666 0 obj <<
-/D [664 0 R /XYZ 85.0394 794.5015 null]
+922 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [519.8432 268.1131 539.579 280.1727]
+/Subtype /Link
+/A << /S /GoTo /D (acache) >>
+>> endobj
+923 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [84.0431 256.1579 143.605 268.2175]
+/Subtype /Link
+/A << /S /GoTo /D (acache) >>
+>> endobj
+917 0 obj <<
+/D [915 0 R /XYZ 85.0394 794.5015 null]
>> endobj
66 0 obj <<
-/D [664 0 R /XYZ 85.0394 769.5949 null]
+/D [915 0 R /XYZ 85.0394 769.5949 null]
>> endobj
-667 0 obj <<
-/D [664 0 R /XYZ 85.0394 573.1436 null]
+918 0 obj <<
+/D [915 0 R /XYZ 85.0394 574.3444 null]
>> endobj
70 0 obj <<
-/D [664 0 R /XYZ 85.0394 573.1436 null]
+/D [915 0 R /XYZ 85.0394 574.3444 null]
>> endobj
-668 0 obj <<
-/D [664 0 R /XYZ 85.0394 538.4223 null]
+919 0 obj <<
+/D [915 0 R /XYZ 85.0394 540.5052 null]
>> endobj
74 0 obj <<
-/D [664 0 R /XYZ 85.0394 433.7668 null]
+/D [915 0 R /XYZ 85.0394 447.7637 null]
>> endobj
-669 0 obj <<
-/D [664 0 R /XYZ 85.0394 392.81 null]
+920 0 obj <<
+/D [915 0 R /XYZ 85.0394 410.3389 null]
>> endobj
78 0 obj <<
-/D [664 0 R /XYZ 85.0394 329.225 null]
+/D [915 0 R /XYZ 85.0394 348.7624 null]
>> endobj
-670 0 obj <<
-/D [664 0 R /XYZ 85.0394 290.8035 null]
+921 0 obj <<
+/D [915 0 R /XYZ 85.0394 311.223 null]
>> endobj
82 0 obj <<
-/D [664 0 R /XYZ 85.0394 191.4678 null]
+/D [915 0 R /XYZ 85.0394 189.9853 null]
>> endobj
-671 0 obj <<
-/D [664 0 R /XYZ 85.0394 156.6041 null]
+924 0 obj <<
+/D [915 0 R /XYZ 85.0394 156.0037 null]
>> endobj
-663 0 obj <<
-/Font << /F42 597 0 R /F43 600 0 R >>
+914 0 obj <<
+/Font << /F21 654 0 R /F23 678 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-675 0 obj <<
-/Length 561
+928 0 obj <<
+/Length 611
/Filter /FlateDecode
>>
stream
-xÚ¥T]o›0}çWø¤áúƒý˜¦´K¥¤)MSׇ4¸ÆÇÚþûl¢tOŠÌ=çúúÜÃu0@êÁ€ùÐD€@x!ÌÀî`!°WÜ…MŽ;&¹Ó¬ëĺºõ PøÄÉ뤇ˆs ’ôÉ&AGU@v¼Y¯"‡vÞ8.aÈ~X‡ÑÌ <;Y¬î4“p;.¶ç_gë$Œ4EL¡ëÅÊìÂøaÍÃ1zÜ,¢p®’ØyNî­09ö0í#Ú7ðÛzzF UíÞ[RÁxS‚X–Ç(d¥#’[±õx,8a‡­Ÿú†$TytiœG
-.â¹ÚáñÑ@/°…vå¡ÊrÙèh[¤ú¥v¸ÝN- Ãê%ßÖæö^j¶è/²ÖTùª×M‘½»yöˤ”ÙŠmÙg'žùæ0fgEZ¾M«D¯W}›}cCÁ˜qJ™¤fƒ*þ¶ìEøD•ìWjw•Û–nºm¥Æó¬i53ÈTH3qWÁZWó¥˜ÝH©áö§)…³›e¨Á‘ÜàYq–¨^ÊÊ)ÿÈ\ci6¸&wmYhVËÐûÎzÓ÷ç4ìB/MÙ 5vRÇ©j¨Î^º6+ ø¯±§ ö³úɪŸqò¿¯Äé 圜¦}:•„#(zÕwÉ/„WçRù_`éendstream
+xÚ¥TMs›0½ó+t3EÕtÌI;ŽÁÓvÒ£$šbp$Í¿¯@Â&Mzêx<ˆ÷vŸvßzM
+ˆ,}Q7c‚}vû ­ƒbÓJP*ݾ-Wfü¦=»DÖ+ýÉ\Kií“ù'çs·?0¦¥ÃUõW`[ïí¡”Ï²´ÇB >Ém[7¯ŠšæWN¸ênÈÚÊQD·ºïZ3ô¯åcõóÁª˜¯›æ/æñß*ŒKzܹénÐ8AabD\Q½Í„¾«|Üà÷¥ÿ¦œ@šendstream
endobj
-674 0 obj <<
+927 0 obj <<
/Type /Page
-/Contents 675 0 R
-/Resources 673 0 R
+/Contents 928 0 R
+/Resources 926 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 672 0 R
+/Parent 881 0 R
>> endobj
-676 0 obj <<
-/D [674 0 R /XYZ 56.6929 794.5015 null]
+929 0 obj <<
+/D [927 0 R /XYZ 56.6929 794.5015 null]
>> endobj
86 0 obj <<
-/D [674 0 R /XYZ 56.6929 769.5949 null]
+/D [927 0 R /XYZ 56.6929 769.5949 null]
>> endobj
-677 0 obj <<
-/D [674 0 R /XYZ 56.6929 744.7247 null]
+930 0 obj <<
+/D [927 0 R /XYZ 56.6929 744.7247 null]
>> endobj
-673 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R >>
+926 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-680 0 obj <<
-/Length 1190
+933 0 obj <<
+/Length 1222
/Filter /FlateDecode
>>
stream
-xÚÍW;ã6î÷W[É@D‹¤ž¸j³y )‚
-.AŠ.D‡óøfæ“EW üèªÌH«tUT)Éš­êÓC²:ÀÙ·Ôë¤'YÊ9lN㌗$+Y±Šo|¹}Ø|“²KHž³lµmf_y8\Øb0r\Ç,K"¾þeû=^KIQÔ^KÀENhÅþâ$Qù'9žÃÅgÕHv˜FaZÕ{3|U‘*g¹·’S’EêÌ|×ÃÅ*̱ÕvÅ#-kwÕ‰/ŸÃ¸¦e¤Îkµ{/ÓêVÓá µ‘{´Pß¡QItª?x«­9¢êas]ÛK¯Ô¨ÌQ¶#Ê&-É:NS½_W,’ÁœV6=›¥¤Ê2æû½‹Uj€%¿PC[ãR5øDM¡U/vWSƒOÖZÓö2—ƒ¦„§9ó@¦”äIE_Nè:¦Iõ§!{~ Ål(„ì qJXî ͦž¼Q!ŒXõÝ JÞT±Ð,³ý…¸l- <Ï
-¡Ä¸ØyýºkeoôRÛƤ(fÕ>Sç9³áƒÂСgr–FO×üu’ckûÌnÌã„;5íÚÚZ
-®Ý‰ÀÁ ®vª“Fm
-ó:ó= |ïß;O“9ª¦ÎÎö¿¤}GÞ´rDïXF÷-˃*–ž•A üXˆÆ*ÎT:æ( Jƒ?W{»@àß^™ý|`,] Ž4ÉHÁà­ˆ„(s F ‡w€×Àèo!¡©8+½ç ¯÷\'<ÏuâìáÅÿ!wT:íöê$Z_¡¿ˆ™Be“„ç!føïâ^Ž­¬ào!¿m‰CÁe5€B=—Òÿ1ëˆþåJ8q™ÞÇn´«ðœb/1ufi<!†iÔ®OÃÌÅ”³»_©pdp1Üò•¿oèÁ¶–‹ 'MøÌ…ìŸráÃ×Ûù»$|mðŒØo—¥/— _uð³å¶SyR
+xÚÍWIãD¾÷¯ˆúäH¸âZ¼©OÍ°‰Hs`8TìrbSeìrBƒæ¿ójs6sà
+©Ç¥·†EòS€Š2Of=§&ü¡W.tÀLFXôÚyÉß'1´¦÷fÓ¸<Žn§&=Z|KÁµ½áDnãÖ [;ÑiteL-dçÞ^z@3Š Ñr0¡sSùØò¶Ð°´@EžQ/ëph‘@#†I¨„ƒÜkg+¡Û“€:cŒ£¯&L0À3LDc‚o`Â=æÕÔÕn¹ó"¦iâ$ü©ÏÍZ™Z}!W‰37µu£VDS' Ðò‡4A¤L\û6è @{{VnZ&ÜvœvR˜ò›ÍÙžÛñàVÚkÙRºåÜX³iuD·°qÅâUwñwñð—{à’ œˆ¡dCØËía~}øée ”®[³M#AJTyy+W·´@Aÿ­äóFèjc†£Þ=æ0Tè½>Ú˜ÍEq)·+\]gR½ =^Œl9¯ËσØÚ»Ç
+ÿ¨2ûù@[ –¤('ðVt„(þ° F —7¯€ÑK‚sTRRx;Ö›#<鹎{žëøIÜý7¸Pé´«Õqþ›ð™˜1t6Ihb–{â^Ž­(áÏ!½Žm‰CÁe
+5€B=—âÿëÄæ/n¸GÂä^xÞ`W>¾QAF?°9¯ª™Ù;ë ƒû9âãòíÊwÁ®|»0«ðœIª Ÿ:½äÊ0 £•0ö1¦ÿ˜SM™^ÿ^r0m%©ßÑ1¡¨Ä ûOèøéÛíü•¾]hŠÌ—ÐÒwP‰/2î#èñ4ÉPAÊ<2yazïmþ¤zt÷7¯Ì™øendstream
endobj
-679 0 obj <<
+932 0 obj <<
/Type /Page
-/Contents 680 0 R
-/Resources 678 0 R
+/Contents 933 0 R
+/Resources 931 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 672 0 R
+/Parent 939 0 R
>> endobj
-681 0 obj <<
-/D [679 0 R /XYZ 85.0394 794.5015 null]
+934 0 obj <<
+/D [932 0 R /XYZ 85.0394 794.5015 null]
>> endobj
90 0 obj <<
-/D [679 0 R /XYZ 85.0394 769.5949 null]
+/D [932 0 R /XYZ 85.0394 769.5949 null]
>> endobj
-682 0 obj <<
-/D [679 0 R /XYZ 85.0394 575.896 null]
+935 0 obj <<
+/D [932 0 R /XYZ 85.0394 575.896 null]
>> endobj
94 0 obj <<
-/D [679 0 R /XYZ 85.0394 529.2011 null]
+/D [932 0 R /XYZ 85.0394 529.2011 null]
>> endobj
-683 0 obj <<
-/D [679 0 R /XYZ 85.0394 492.9468 null]
+936 0 obj <<
+/D [932 0 R /XYZ 85.0394 492.9468 null]
>> endobj
98 0 obj <<
-/D [679 0 R /XYZ 85.0394 492.9468 null]
+/D [932 0 R /XYZ 85.0394 492.9468 null]
>> endobj
-684 0 obj <<
-/D [679 0 R /XYZ 85.0394 466.0581 null]
+937 0 obj <<
+/D [932 0 R /XYZ 85.0394 466.0581 null]
>> endobj
102 0 obj <<
-/D [679 0 R /XYZ 85.0394 237.1121 null]
+/D [932 0 R /XYZ 85.0394 237.1121 null]
>> endobj
-685 0 obj <<
-/D [679 0 R /XYZ 85.0394 206.4074 null]
+938 0 obj <<
+/D [932 0 R /XYZ 85.0394 206.4074 null]
>> endobj
-678 0 obj <<
-/Font << /F42 597 0 R /F43 600 0 R /F57 624 0 R >>
+931 0 obj <<
+/Font << /F21 654 0 R /F23 678 0 R /F39 858 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-688 0 obj <<
-/Length 1948
+942 0 obj <<
+/Length 1842
/Filter /FlateDecode
>>
stream
-xÚÍXëÛ6ÿî¿BØO23|I¢.Ÿ6¯v‹d“sÜ.Š^?h-îZˆ®$ïvïÐÿ½C)Ë^9›Þ¸Â€5$‡ÃáÃy~,ˆb§< ’T’ˆ²(XW3ÜÂØw3æxži1æz¹š=ó %iÌã`u3’¥UŠ«ü—PAæ †—çïßÌ<¢á§7Ëy…?ÁǶ?||³<Ÿ'2\]|¸ü4_$4•á«ïÏ?®<ÇÓ2^}¸|{ñÝ{9ó_W?ÌÞ¬†]Œwʨ0[ømö˯4ÈaÃ?Ì(©Š‚{hPÂÒ”ÕLF‚DRßSÎ>Íþ9Ú©“È1J¸
-:ýÀ²¦ÜeVi2 $$\Ù·f"WÂ_àgÐJyXܘ^>4sîÞX»7¼ý•Ð8puu…ýƒÓ0û¢ßàx­ûû¦ýŒÝÆ°ìdt?f¼¹Á!1æÇœ®Éݼ:Gn×-žMú@JP¤GÂÍpíÖ¤2Û¹S¡Oã°ð  Yip\Hö›ÌÉ^—…®{×}_”¥ënêZ¯q–æ«3¿Teì¡vË4žè7ª†zxµ>§Ù•þÇqZ@ZPˆ2–~]^À ò+¥ó‚ÿn–×c¤ëI pYŽô3E-üž"fDÄ’ IÇÁV‚P‹
-&Ã¥îš=€µF—±ŒÛÿ¢].áŸaûuÖgÇ' x­˜FÁXÛÿ
-<¯ŠºèzÀ—hƒ NÑ7xn¦Ýã^-Ç߸ïÆ+òÐ-&Ë3ú¸âã…±Ìæ?  Lì1h–eÎÈÚ™ƒu®1šëÝímáûX j(ÿüd¹-°`ÿÊÇ«9”ÏÚ‹AÛóSv¦aMÝŠ.º©(ÓA[àiM9¹™˜¼Ã4x2õüÚ·é½S’ Üŧ½Á)9¥ì!}¤¹Ä~¬úŸ<SÝendstream
+xÚÍXYoÛF~ׯ üDÑf/^Í“s8u8®¢Ô(Ò<ÐäÚ"ÂC!)«nÑÿÞÙ%EÉ”í¶Z÷˜ùvvŽe…s<Ÿøœ ’Ä£Ìs’bBk˜{;a–fÖ͆T/“ç'"p"ùÜwW^!¡aÈœEúÅD)p îÙñ‡7Ó÷¨ûéÍ|êyîÏð1ýçoæÇÓ@º‹ÓgŸ¦³€FÒ}õãñù¢£x˜Ç«g'§o?oùL¿.ÞMÞ,z-†š2*´
+ß'_¾R'…ßM(Qè9èP¢ˆ;ÅDz‚xRˆn$Ÿ|šüÔ3Ìš¥£È1J¸ðùtÑt^D|Á…î÷ªTÓ™O©{D ˆÀ’•³8Mk׫øçþЊ:<"aÀ1F"Ïã†A{»² Š¸iUýÂÒ]¢«,ïvÉ«$ΗUÓ’ZÝíQãq–U›]Ý"}Y!Éltó?Gw{þ×^Ø=ãÚ6Ú厨ØnT}Óµ¯*ÛP¿ÅÅ*W$©Š1 ¨ (Ÿ¬s’^Ž£Õi{znµ…³SM£ìVWVÍ<¾QCí|œçÕF¥ Ê~ë¸l®ÔC` ¼†ÃlwÉ=°ˆæ‡nˆU¨#ðˆ'qø³ v¿eÄ@Ú7‹òš<€ÆÐ4v©ÿŽyAFUZÇ.rùíèÞû°g!»ö±¯Ú¡{2©šN=óœ2C΋ Îëù g“DHpgà²`#Î"ëæùtÆ(°z_Å)ºä—q—IV^Ûåbàð`5‰Dèꎧ3!¥»ª³"k3}κ g[è–gÐ#¹a®[—=sÓMâÒŽ+\'ËLÝ(KÙYãet㵎3†þé×MÏ«Xçm¶Ê-¥­ž²ÐUIe¾iÓ håÃA¿Œ Eú‰€D‚fâD/ä¡èîï3èEÜÍ®ô¨to«)s×Ø^³×´í…P8qqqã½ÏÐMÖ.q¾Tí¦ª¿á°¶+³½ž¯®pŠéàáÅÊ`»Ü®+S¤¶ÃâÙ¨›¨AZl˜ã¢c iªu²ÄVlF<{*Tã©ýt ~ ›í2¶¼“<Sek‡7YžÛáª,Ubi´¯Ô_w[ÚJ»MÕ5Úe†¢¡ØZž-Û¬P?ì§Dî€rGøŒ_²Gå 2‡0 w󊶪“càŠJ€ë(ð²ÍN»]V³N'0íˆHõ9ËΡҎ
+y ÌêŠC—­N! Å5
+r›ZWéPÓÃ9º§v±G7lNdY^V7&=
+ƒmè׈nAu“VE~k{( 2Yä``\â~ÓN¸ee£yfŸ#^à·ïÛ/³ã˜5 'ì—ku?@‘#[ cu‚Öº±!4±òº[µ«Óp¬]×¥J÷ÄH³&‰‡´=WkmŸ¥rHcd²T°…7RØKUg9¶+£ä[øLòÆwÌ2N­>¤ÉÉR~ò )¬…™Âb{©8óÀ 1„1öVCV9«êë›ýH‰ç‡ÂÒ6ëËF_…M¶0Ç|p«*Ê¥]]­Ú „ÙEø$´“¨ßÂ(¥³^uè­‰E’ø&àL}í`c>öº¶¥>ìj,–c>7ù¶y@¢¿' ƒ'< „¹ãðzš{eØ礅 c¥á ŠKßg¡~ÿ"~ðî%Жˆ˜$šW<[É%VªŽ‡GÀú¨‚£ð€Yè÷ϊ̲[LcnUåöªŸ»Kt1‹…ÑÐøÇåx«Ìz¼f…žg_6ËÌT!X@¢åÆNªš¤Î.{§!Ìã8ǹ¬„›¸Re_šòR“gñu Þ K´—çºR+²2kZÅ%B_ ,k«ÚVHà¾PkCs—Òð+]ª=՛ۦՑ¸‰íŽr=„PVµcò¯öŽ_Q—ëëë~¼ç^öÀ6`S,9tYàx¥£J“ªÇ¾Ún¯› ˆÃ¡½O:©Ìë—¼#{÷¾;"ü_Gƒž†endstream
endobj
-687 0 obj <<
+941 0 obj <<
/Type /Page
-/Contents 688 0 R
-/Resources 686 0 R
+/Contents 942 0 R
+/Resources 940 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 672 0 R
-/Annots [ 693 0 R ]
+/Parent 939 0 R
+/Annots [ 947 0 R ]
>> endobj
-693 0 obj <<
+947 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [55.6967 208.0574 126.0739 220.117]
+/Rect [55.6967 190.8043 126.3509 202.8639]
/Subtype /Link
/A << /S /GoTo /D (rrset_ordering) >>
>> endobj
-689 0 obj <<
-/D [687 0 R /XYZ 56.6929 794.5015 null]
+943 0 obj <<
+/D [941 0 R /XYZ 56.6929 794.5015 null]
>> endobj
106 0 obj <<
-/D [687 0 R /XYZ 56.6929 492.2203 null]
+/D [941 0 R /XYZ 56.6929 480.2651 null]
>> endobj
-690 0 obj <<
-/D [687 0 R /XYZ 56.6929 453.7474 null]
+944 0 obj <<
+/D [941 0 R /XYZ 56.6929 441.7923 null]
>> endobj
-691 0 obj <<
-/D [687 0 R /XYZ 56.6929 385.673 null]
+945 0 obj <<
+/D [941 0 R /XYZ 56.6929 373.7178 null]
>> endobj
-692 0 obj <<
-/D [687 0 R /XYZ 56.6929 373.7178 null]
+946 0 obj <<
+/D [941 0 R /XYZ 56.6929 361.7627 null]
>> endobj
110 0 obj <<
-/D [687 0 R /XYZ 56.6929 177.8714 null]
+/D [941 0 R /XYZ 56.6929 167.4388 null]
>> endobj
-694 0 obj <<
-/D [687 0 R /XYZ 56.6929 136.2124 null]
+948 0 obj <<
+/D [941 0 R /XYZ 56.6929 126.8733 null]
>> endobj
114 0 obj <<
-/D [687 0 R /XYZ 56.6929 136.2124 null]
+/D [941 0 R /XYZ 56.6929 126.8733 null]
>> endobj
-695 0 obj <<
-/D [687 0 R /XYZ 56.6929 109.3045 null]
+949 0 obj <<
+/D [941 0 R /XYZ 56.6929 98.4089 null]
>> endobj
-686 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F42 597 0 R /F43 600 0 R >>
+940 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F21 654 0 R /F23 678 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-699 0 obj <<
-/Length 2677
+953 0 obj <<
+/Length 2679
/Filter /FlateDecode
>>
stream
xÚÕZÝsÛ¸÷_¡—N¥éÅA°O—Ë%×ÜÌ%×ÄiÒÌ”– ‹w©);Îôï À$EJÎø©ãàò·ËÅ~f3
-l¦SBE.gY.IJY:[î®èìžýtÅ<Mˆ’.Õ×W}­ø,'¹âjv½î`iBµf³ëÕ§ùË¿¿øõúÕûEÂS:d‘¤ŠÎß¾øå®|€Gi:ÿg xùîíë7?}|ÿb‘Éùõ›woIFs o^~÷ݯ¯ßû°ø|ýóÕ«ëøÝ/eTØOøãêÓg:[Áÿ|E‰Èu:»‡ %,Ïùlw%SAR)DXÙ^}¸úGì<u¯Ži.š¤šg#ª“£ªKs¢Nuö›a‹„QJç?–ÅmU7m¹Ä¯½^0Ææu½mì—žèàÑYÂÉy–;¤ëñD]¦,'4eVVK³*oG€˜$¹ÚÓ|7‚"‰ÖÀ 6 àJN„ÊxDI¸dó¢ZÀqØ®¥'­šm]ÿ~Ü`Ê´Ï2O¸?,˜ž×·‡b×
-;ÏÉÓ”õ?ভʵ•jm8/+ümÚ‡­Á!JƒúØî-ŽA¨]Ñ’›¦°ƒàhJç`\9÷^O”t©¦M0RuŒ¢Ë3‡W´àçy¢ž=» `^J¦}¦ÖZN³ùªÞNCTƒ¦Pe]áÃ[Üñ½S%ÌÿMS:fäR°6ñ VH 1Ë™·A¢µo7²›Ò¸]
-Ü5XÛoMëéëuhü’7h7vfqçjþÆoŠÆÛR
-’S¡ú¶ÔÞ׋DP¢¬Ló·E"Ÿ7¥eŠëeÕšC±lË;óHˆ#gÚbIóì9¼æìÛ…pOÁ$~‘}rS´ËÍê~S†EóÅ,­ipVtáìwоüè^`Ò¦°
-¿rL6È‚ëær[4ͨJI–
-9
-˜ê UM—jºª‰TÝ*µËÔ†<I•:Ï5R°ƒÀ(lYÜã;]†3ÉÏWÐÜ™Æxx„£l]ešÎÍn5C¹`ó¯¦Á%gõå2’øŠWBÒu>
-\ñN
-‰S=ë4¡‹1à#UÏE}6ÂpHüÄøT¯+‘ª›K’¶NÖe8Ýíw¥š0ý¿È'ñìÐu>&a4Uy/9ô=[çÁ(aäŒ~%qVµÂ…û+Zs
-ÑWðXèöh{Ѧ»ä¡n¾Â¡=aDû…‰¯’qâY‡ã`Ï »J¹ò4wÕçÊ.Ž.škQÅ¢Õ2¦ü€fÝéÐsç½0Ý<ì"E‘ÿ“üÙŸhZçl]ðÆ@i¿º„佂ÎQtÕ©êGBL§Ædfü h4¨0“sÜ®#ÐI<< “0²Û_ŒGv„
-µ#÷‚+ÏÌ.¹Qø}lHì¬'¬#[÷BÏã–jü½ñO¬ ÖÖ•,¿r4êÓ’À°Á_T3 ·Ü>íl‹kÖ´?ë€gè£î¸fq3où§{³,-²²ó»
-#¿UÃ¥ìœô­£e0fÆOØGG÷ãÑê‹aº°¿®Ï³”Z;Gà32’ØMZKÿ&žPÃ`3GÕÚû¤M4Ý×Û•³)îÊÚIdϸ¹žß{¤•—¡ª=-âÕ
-ÅðEàð{» åÈm–&™Œ%â¹J&•…S4¦ý±1ã7dh¿á¸Š†Ö+2–0‘Û®SÙ$F”d²sõÈýÕã‹Õ®¬@•‡"T
-ñPà·æ6žøï‹CÛ¿)ˆí<ÔÓF½…Ÿ• ŽÕÚLf„ju¡ÖîRM×Ú‘*8Â*YnÌòw°ÄõIÉ­R5Y~^€H5"A¿)HÌû"Lž71;’1Øš“Œçüô¢Õ·RöÕf°/ÍCÕ_†{rZ8ë“ñfØ C&äPœp¥ÒxIGùvú>Æ^ÄjÊÄs*¨.ÆtU©.VuŒAŸcK¥çÈÔÁ˜®ê"ÕØûâî·»¯gOF˜bŒZÇ8s0˶ÆK½á)$Š§ì[ïEÖåÖLœ;€kNU÷¼`Ìy50¦ê¼ë>ÒL;®§hëk]™S·…’LŸciNx÷]²¼ËüœÃêS‡ VÂƉ'9lÂhÓ†; t¬xõqêÏñ´$&Ø%^O_Ž¦Dpö¬kȈpæbi¦ÝÐo¶H‰ý¯†4Œ=ûŸƒÿg
-LYhÍÇ@P†žgA(+<cCÉãŠþ?H·endstream
+l¦SBE.gY.IJY:[î®èìžýtÅ<Mˆ’.Õ×W}-²YNrÅÕìzÝÁÒ„jÍf׫Oó—ñëõ«÷‹„§t.È"I¿}ñË+\ù
+›öakpˆÒÁ >¶ûc‹cjW´äĦ)ì 8šÒ9WÎƽ×%]ªiŒT£èòÌá-øyžh„gÏ.(˜—’iŸ©µÖ„Ól¾ªw…ÓÕ )ÔAYWøðw|ïT óÓ”Ž¹”¬M|ƒ•C̲AæmhgíÛ즃4n×€w ÖÁÀö[Ózúz¿ä ÚÙA\㹚¿ñÀ›¢ñ¶”‚äT¨¾-µ÷õ"”(+Óüm‘HÆçMi™âzYµæP,ÛòÎ<âÈ™¶€XRà¼{¯9ûv!ÜS0‰_dŸÜír3„ºß”aÑ|1Ëckœ]8û´/?º˜´),@×
+üÙ–·z§=ë´]lq‚Èž²2V}‚Ñù‹íéózoÍ¥ñè1ØÉriš¦¼ N·FcÚá ·ÑÂs;õ@Hu\ƒ7HEƒt8â "±P)ŒÇ\Åû
+c©9Ym~lŠ[3)“D¤Z=K¦fü|L¦@\,Q`eŸ¾GWK»®&R¢UšzWÃè‰d=d¡·õdŸG€‚Qy¿ÆPq
+$ÑR O#@)ɳLyg=Iû°7#Xœ³,ÕQ(üÊ1Ù ®{˜ËmÑ4# *%Y*ä
+²u•i:7»=Ô å‚Í¿š—œÕ—ËHâ+^ I×ù
+›Ai:ÿÁ¯Ìº8n[»ùJ W—ufÝ6øÖiï©ðÑ‹"X¶e±¯^$ôLŠòkPÑÀÞØ"¥2Þ8‹Õ
+ͺiL0º›Pú–­·Îõ±ZZ³,ü§[ó vtã-Ô|iMµ2«àÖífàÌ'1À›údbO)'TÁN>#‰v1¦{¤º˜ØeÊ….é92u1¦{¤Š¦‰á=)^®¶‡ëû»ï“åXáУñ<Fü‰ Èón ß^¬ªUÝ~`{p"ïcâ¦èä_—ñÊ6î 9ÎC¾LC™ÈD?oL{(MóÔüy&½Û}u íHr$Ë5jõômåÜ ¥ÛŠ…©ÿÛ¼7¸umñi‰OòÌžÉó‰¯K5ø"Õð8¥—ü¸†V3ãç9Gª ¬ä<¦a 'yŸåh‡£Û
+î7®hÍ)D \Ác¡Û£íE›î’‡ºø
+‡ö„í&¾JƉ7fŽƒ=3ì*aäÊÓÜUŸ+wº8b¸h®QD‹V˘òšu_`¤CÌ÷Âtó°GˆEþOòg¢iiœ³uÁ¥ýê6’[ô:<8GÑU§ª 1™ñ' Ñ ÂLÎIr»Ž@'ñHð4LÂÈ
+l1Ù*ÔŽÜG®<3»äNDá÷±!±³ž°ŽlÝC=[ªñ÷Æ?±.X[W²üÊѨLKÃQÍ0xÜrû´³-®YÓþ¬ž¡ºã˜ÅͼåŸîͲ´ÈfÈÎï*Œü>HT —j°sÒ·Ž–Á˜?aÝG«/†éÂþº>ÏPnhíÏÈHb7i],ý›xB ƒuÌUkïk4Ñ@
+t_oWn̦¸+k'‘=ãæz~ï‘V^†ªö´ˆGT+ÃÃïí6”#·Yšd2–ˆçJ (™TNÑü™öÇÆŒßi ý†ã(ZS¬ÈXÂDn»Ne“Q’ÉÎÕ#÷W/V»²UŠP<õúDZ÷Û­…·ÅC(ÄCßšÛxâ¿/mÿ¦ ¶óPOCõ~T&8Vk3™ªÕ…Z»K5]kGªà«d¹1ËßÁ×'%·J Ôdùy"Õˆýý¦"1ï‹0yÞÄTìHFÄ`kN2žóÓ‹VßJÙW›Á¾4U[|îÉi=à¬OÆ›a' ™Cq•Jã%åÛéû{«)Ï© ºÓU]¤ºXÕ1}Ž-•ž#Scºª‹Tc;ì‹»ß=aŠ0jãÌÁ,Û/õ†§’(ž²o½Y—[3qî
+ =Ï‚PVx–%ÿEt*úÿ
endobj
-698 0 obj <<
+952 0 obj <<
/Type /Page
-/Contents 699 0 R
-/Resources 697 0 R
+/Contents 953 0 R
+/Resources 951 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 672 0 R
+/Parent 939 0 R
>> endobj
-700 0 obj <<
-/D [698 0 R /XYZ 85.0394 794.5015 null]
+954 0 obj <<
+/D [952 0 R /XYZ 85.0394 794.5015 null]
>> endobj
118 0 obj <<
-/D [698 0 R /XYZ 85.0394 769.5949 null]
+/D [952 0 R /XYZ 85.0394 769.5949 null]
>> endobj
-655 0 obj <<
-/D [698 0 R /XYZ 85.0394 749.3395 null]
+906 0 obj <<
+/D [952 0 R /XYZ 85.0394 749.3395 null]
>> endobj
122 0 obj <<
-/D [698 0 R /XYZ 85.0394 221.8894 null]
+/D [952 0 R /XYZ 85.0394 221.8894 null]
>> endobj
-704 0 obj <<
-/D [698 0 R /XYZ 85.0394 197.4323 null]
+958 0 obj <<
+/D [952 0 R /XYZ 85.0394 197.4323 null]
>> endobj
-697 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R /F77 703 0 R >>
+951 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F39 858 0 R /F53 957 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-707 0 obj <<
+961 0 obj <<
/Length 3210
/Filter /FlateDecode
>>
stream
-xÚÝZK“Û6¾Ï¯Ð-œªÁƒàcoÞÄÎ:U›‡=ÙÝ*ÇŽÈ‘K¤"R3W~üv£”H)v+¥ƒ@°Ùh4º¿~bÁá':aI.óEšÇLs¡«Ý _¬áÞ·7ÂÒ,Ñ2¤úûÝÍW¯¹ÈYžÈdq÷ðÊÏ2±¸+ßEŠ)v xôý‹¾¼]JÍ£·/ßÜjý þÌõ?¾|óâ6£»×?|ÿöv™ò<Ž¾þÇ‹ïÅu_ÿðý«×ßþ<ð¹}÷ÝÍË;¿‹p§‚+ÜÂo7ïÞóE þî†3•gzñœ‰<—‹ÝM¬Ó±Rnf{óöæ'Ï0¸kÒ\¬9Ó:Ö‹¥ŠYëOQ‰„å*Ñ0žb‘‚Ü"“0Ð9K”T^ù: ”Ÿ ¦ó\/<*¿)vU¹\mªÕ‡OmSÝ.ΣwËò×ß¿yï®V¨©¯^¥!7‘¹¡DÈeµ-ºŽˆFKÊœeYš[*ϯà§4ì^;†í±ßû Žc2ϱ¿Ê±¬ÕªoÏLuÌ©Å)Ó§ ¦pJx¦"],…`¹ÖòÏrÿpUä_¸æõºi‘Š8 Ëbå¸þ:ÁL²4IcKðTš .R±Mýry(ê-H%æŽ:;ÝdóÜd`Ïna‚(ŒK³#â,IT26¢wü4ËÓ4q’ÕÛ
-v‚eœ²Lò4”lm‚¥B$‹”k¦Ò8qK´ © ŽÄ“ î¨pÅCS®NMS&_^ÔM,ªBð’LÄ©/z·À’™Œ·"‹ª]ÛÛk£$‰¨,`º¡ÙUÛô†²ÝÒÚér´A;ä±?D·µ‰$g(·bA<÷´ÂúPìh¢ØnÛ§Ž¤éÀÝs×WŽ ÜÕMÝõ‡
-¥úÙˆ?'¸¢éçä!‹ù\ÀSù³¼ò!›ÄÍ<ØæC½ž
-Ñ ƒœG†‚îj(°V9ÉQÊXžrÜ_å¸oSIÄ8 x~ÏWù}¨¦¼ÈäTÉŽ
-«v·+šr
-Å3&EîâÝÕxp‘ œ–Œ1ö~ÂG—*‹ðS°ØÊ¥ÇÔ ¯Ï¥}à­;â aHIé6Zw”y›ÄÒ èŸpä›u³>óNgÈ —
-¨l²>cqRfÓ½£Á&Bªy›ðT&w>TÕ'×úK¢ÄLdÀFä—•ê©Îµ:¶ Hšs­äX­oݾÂð®T÷eÑW]`å‡ÿý•ÏP´Õ+º XXêDšz §šv¸E£Ú2‚VõÒÖEjU5‹ÒÖ¬\Vå—`d¹Bk3U²Æzij³sT`ÓEGÂW%È‹2F“çÁC©«Áj›ca9UeÝÛiªlut_Ñ­]QVá³s¼´n£¦=쀳ɼAù£‚—t‡Š½ÆJ»…¢ô×D„Ò&"zÝq±íZ­ŠcgÔãMѬéŠÒ†&'âà×öxhpSxáR5¤ì-«{KØ=Ð[©
- ˜¶,—$B“A\
-©æýËS™ön_ôÝyËM
-r YÑÚANÝ Æ5c)‹óÄeˆN<S¦’|xg²€
+xÚåZY“Û6~Ÿ_¡·PU‚ƒà±ûäMì¬S;ñL6»åø#RÆ)‹ÔLäÊßn\ÅC®d«v+[z
+?¶‰Rž.â4$’2¹Xïoèb Ͼ¹a†fe‰V>Õßîn¾|)âEJÒˆG‹»Ç+!4IØâ."È8Ðàõóï^,W\ÒàöÅÛ¥”Á?àOõß|ÿâíóew¯Þ¼¾]®bš†ÁWþý¥¸Îã«7¯_¾úæÇŽÏòýÝ·7/îÜ*ü•2*p oÞ½§‹üí %"Mäâ :”°4å‹ýM(‘¡vdws{óƒcè=U¯Ži.””HÊÅJ„$ùǨXDRIh±ˆAn–phÈ”D‚‹Nù©§ü„™¦rá¨PùU¶/òÕú¡XøTWÅrQ¼[å¿||üú½í­QS_¾”ÂãÆbØ7”¹¬wYÓh¢Þ”<%I§†Êñ«Gø «—–a}j§v„cŸÌql¯rÌËc±nëãy„© IÄ%»dú4Âv ÷”Å‹c$•’ÿ^ü3•´ÜVõ±Ð¤,ôHCF’PX®¿Œ0ã$ŽâÐ<eÇj„ $ESÿL.›¬ÜTlj«“ËEVÂEíù§QCá ‰iö å?½ÜÏtäü¡4…:û×ؼa#IÇ‘Õ\¹+PF8…1I8}zÐËHÌX´ˆ©$”§É¸“1D+ŸJágcNÆRy8Wï £]­/ S˜ŒçEpT#2ô´ ‡ž¦1ë q[îË]vw$dÐìÉ5eVáàü̼àO”D`N¯÷€™Šy©þà Û=eçFå§ý¡ÑÃíC¡Ç4æãк®Ú¢jlúuÝmźü™R^ä(ÂbÅiHxD™µmfl›ò]¡-Úy{>”ël·;롲Òÿ™þËËÍ’%Á¦8⟞†7õqŸµhÖdÊH¢ˆ‘Àúgħš6G… 8VùúrÒ8&,’éü¤–hdÒÞfqÂÂXô'½S{‘ð@ëa_·¦¯N´Xg0\éQÜ'EYïô
+ÚèNiž>•»nåesØeçÞNM¶U+ Á¾hl7F))%‰
+€S„¾{r¸­"€.@=«Æ ™T ¸ƒkjò¨fÔd©újK”“w÷XöR›w#\”=äÂ=.ýC8ÉƋDzx“¥ê4àRÁÊçu騆Êì{@ÐOš&¬¯MëÝ!Ø–EÕmòä‡)@?Ì<»ÅÑô["½Á›cÑ<Œíp/ñ˜ÛáAž3¹7ÿå-9l
+
+"ð†q˜^1jÆ,•6A«fc]pOû‘çŠV
+[ˆ(I9x¿Y…:ª¡FûÖ
+J±dÑSéÛN¥³›mlB‡úû Ú}¹‚ Ö§lT&ž\± jÆ&,•ŠEñÉ–6ÿ”1‚ °aé¼RÕP«}»€ 9•‚÷Õz{j:v!Âàtȳ¶ht3?¡Ëø—Ÿ!i+׺£aa%#®ò5ªêî‘n•†‘*<¬L^$!W—É¢®J<#KZ›Ê’%æ«ØÐ<3¦lÝi´ðE²„,„ˆQÅyI襺¬¶:e†S‘—­Ö™­ î ýhŸå…ÿDNW^V…e ,…àZh Zw¨H0Ðû3þ3TÚ’B­7èk"”6bÁ«Vg»¦Ö­uvj”ú±ýU[Ýaªê‚ƒê$bã—út¬pQرAR¶†Õ½!lÎ
+^ÿW`ËÆ¥3ºìb× eŽG®ž6_TÙ½2¼(éðŠG©¶BÌt·Ûk=ÜY<4ø%¢H×›àyUwôHi#~Yø zñݨôð+vø[üŠû²@ßáYìãÖOqm
+ÍÀÂ-š%ðS¸‹mBÖšP33½Ol1,ö];¼—͇gcP Ž?$ІåJ‹†pÄ™ç € sÐÉ6
+@„Å Óâ`ë!3 °„¿+ZµTÉeðܾƕ»?ãF€¶4¬ñ)%‹qd5vöíKêÙ†tx-µÍð¿«]M,to`ÂØI|à)%’ñp!|ªiŒpTJôº-7çÿ«ìvV—B ”9Ž=m¾-šÂ–+^¿¹{õò_&‚ÕÅÚf*õ™Íw¸L1ÆWöÞ£šÙ{K¥ó®„Ù+Á¶†œ^™ÙQ §î—€DHB¼ÕÑ›ÛÕDd¿(E#µ t.Ú::€F÷rÆ 
+Ý Ej¿eEA^ªÚ ô 
+úůeÓ–Õ¶ãáÏjÊê‚‚™‡¼U…N`Ò4(ËÓ×qÖ#Ùc¡Çt<¥°UF[ñF?ßØØÆ
+±LËû(hÝ‹‚6å;Ld¾Îeu™7–_…­ˆ,~4µ!T—Ö¹òwk¯JØ–{;á ®ê c¶rú|Q «‰¯Ô|ª™óe©T9¿ÍÚfX_eàËc9?­£ÎÛ?\,S
+ö½ú_bj“z¿Ÿ¶z ËÅiâ*jØ®{@¹}|õÏ—x¡šù¦ƒícÓê' ÄιWVÈl=\¥m„®¨øϧtuQ5_ŽU<«lVýLYNk-tfßSø…!0÷šÖEÓL]þ†ÅÛ#»MÝ ˆ?|1¼»/w ’„O$¨1ÖŒ€‰
+ÕÏ¢áµ8
+§?â#¢ÿÐü#endstream
endobj
-706 0 obj <<
+960 0 obj <<
/Type /Page
-/Contents 707 0 R
-/Resources 705 0 R
+/Contents 961 0 R
+/Resources 959 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 672 0 R
+/Parent 939 0 R
>> endobj
-708 0 obj <<
-/D [706 0 R /XYZ 56.6929 794.5015 null]
+962 0 obj <<
+/D [960 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-705 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F77 703 0 R /F14 608 0 R /F42 597 0 R /F43 600 0 R /F58 627 0 R /F79 711 0 R >>
+959 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F53 957 0 R /F14 681 0 R /F21 654 0 R /F23 678 0 R /F48 880 0 R /F55 965 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-714 0 obj <<
-/Length 3636
+968 0 obj <<
+/Length 3905
/Filter /FlateDecode
>>
stream
-xÚ­ZmÛ6þ¾¿Âè—óµÂwQ—OI›æ¶‡K{É6EßpÐÚZ[ˆ,m-9Û½Ãý÷›áz±i{ Qäˆ3gžšÏüñ™Õ “™š¥™J4ãz¶Ü^±ÙÆÞ^qO³D‹1ÕëÛ«ß1Ë’Ì3»½Íef-ŸÝ®~™õ·Wßß¾y½šÍer½Ð†Íß½úÇêù
-¾¼üíwß¿¾ûpýÛí·WonûUŒWÊ™Ä%ü~õËol¶‚{Å™Y={„–ð,³í•Ò2ÑJÊÐS]}¸úg?áhÔ}Ó '†ÛÙh…á2JÄ™ªô«x"½~µé—3h+3ë©P¿Ý._‡kå2K¬”Ùl<á1ß@uÌWÉ1_¥˵˜2¾©—»knçŶ¨;Ú€nSP£-vŸ‹]K/«ân¿^—õš^«âsQQóM]$GKJI9KlvQsÕÅy¢‰Þ^|“f#Z©k´†ù‘Š„=-Õ‰ÉДΉˆŽD›êÖ²ÄXf'²}(º6ªQ8 jþ—‹zízæ5=‹?ªrYú]úœWû3úiÀ¬Aç>&;­ñž
-—U7qcÕ<ImÆ/pTÇœ§
-Õ&IS¦¦¬ÿ_egô¦ÑKXsIo#²3z T(ü}µo7'øy¾ý?â?âÆß ãâŠ[æËÍ9“â …æê’jFdgT¨zÕÔù6v’Á„µ™?Éh"`‹7~AÀ@u,àT‡™N¸0Æu¸.?þp:Á\ëÞùÓfû§õ­maZ‰ ú“ÖwO…«i»¼Û·GŒ8M°à<ã@uÌøà³$Í„rþºlªA ×nîñ)½¾pôêÄ
-šJÌÿ ÉÏ^ÖËj¿
-oýWeÝ»:¯ÈìÔI•¢ÞîîÊzõâ«¿yÂñ:Ò TÓLkLÈ<¸ïÕ)¬Šû|_u®™€X[É‹›wŽ ™)å‰6eˆÛËò¾çHÁÝw{»~.²ý6G³.›úWÆÄzOs®ÎX.(O0ž]²ÜÙË T¸Ú]±ÜïZô퇼LRz:Ï;P󞯱I*ôó¯÷Û‡ƒ­¬ÊÖë©ñ:ÿ}_ìÊà)Ð+¬¦ÊùIuW=Þ/Ìc)§]<d`†™Ñ-àÓ€Ù€ÈÚùë›w_S+KÄ—s‚…’ÁwîêÕ2fN
-@Ç}³¯W±‚Ú‡\šú¼“ÁD¥"ùXºÓ͸wmتšæµ‚3›h"U‰6Ümé§â)¶£€1Yj=õ¯L3´LœüŽM®â˜ .U°šö©EsY•»ÈüF€ÿÖ<,'oiòUº¬·q¼0 Àù)h¸8èì Þ£!Læݾ¬Ð6ÐWå.˜ã+X‡ V
-$p¡žm¹-«|ç?oˆ"ö4÷1_¦á+ÎGûê”GÖž/;à#X9_œ¾îÒGÜ›c2-q¿óÖ¾Qr“MϦ—®¬ÙbP6é‰hP?c|âVÛˆ¨Yðqì8ÛFÒ
-Àó““ì356Eŵ4â>‰4•£¡×GTly8mÝ?Qç ¼l‹¼öÓ‡IïûÈ¡§å™‡?@Ù¸þ•CX@H™Ž™*È—âÌ¿ÆtH
-ÈxrzlW.€–¯r1wXIV+ŸŠ„oÜëzïw{\V "|ðôÞy¨ža†åó$dà3è%<†­;O~¹Ë—öáÕŽPº&âØau/»hO`ՌىýâPxêqž³¢¢ÐĪPj Þªô·KG%¼’KÅó, Ü+³â`{´
-<u_ÆÕ¾žC‰¼~ržßýÊÎ;Þ&ŸS0ekŒ˜Zû2Õcôˆ¯jÁ3Y&V!ú€q"¨d‰T鑈)KALàÒ>óܤ‰2ðR¿
-R4ÜçÔÕГ<rd¯PT¼Ô¹T«íùnš}å5ÆZ£gªð$S…“*-W}ÈyáFõ·QÍ> ¹QÚÔ[sçév}õ…’Á¨ªB»yFèæ¦÷ìÓÝÂ` àX  î|ˆP™¹d
-xBÄp©@{H–*´}ÆÖf<Ø¥MŽùPÁ¡
-¨•} çȆ҄‰þHP5ªæ,ë×eQÙü¦ó‹mŸÀëý2 T¤:H4ÿ¢·Z‘X˜Åj2p©O•=,ORœàÜ–`í^V2l‰ãV›2ƒàFHê&}ôÀÄ;èIÅÜB°†Ÿ—€'ÊôÇ+,ô¾©ªæÑamM.I’ïó\Á¾ i­N2Ë‚AÀbÂη{ꄯŠ@ONÏyU®¨¹j¶¹;T@Esû’W³_o¨Û]J
-)’2‡Qù,
-G‚rð¨ôè
-H(³žÌç™E*ËÏ9›m¾\lW:¾Vô‰ƒ7=Øö~ÿi½x+ÉÈ0²:>ÊGá=÷¿IÊÛbaü¤E½lVá
-…–n×°-ŽK(±øŽ—–öRxØ”:bÜ’ ™qK^'§nŠ¹ð>†Ð¿÷×’8î§
-iUvâ¸ÙÄfZÆ%òYô ËäÖR¬pÀ.„ÌüñX–`N p¦¯»($ø8
- ªAâ£`>wÂéØrÕ^$r'ü}¡™1Y,F¤Ï@i60è(L3g£Øp>
-g3jÀ<¬O…NºDËÔùzÎBbÓ4oã{γ‘‹2–ŸÐ¬ ùIÐ"E?-FⲂkºþC«Æ>ª2BÃoSê Ç™®§¡Ž;ÿ ÁLìñEõToñ<¸AºtSú
- ¬mã™:~ù5F$áJáDõÉÔ õ„’,Ëô1Ü¡ÿñ6~{æTvÿtyŒ8Ma5«/Þ¤Ï9J˜èÈ'L#Ž²žñ™§,$…ÔOºâûäö×çۇʸ-ër›W§®œ ³¿i{hÿ¤ÃͤÒÀ_bV+z«\ÆœþÕ¿ýÇI lmzpQ0@GùEˆD_¼ŒÅ2ê‰t)ß?Ý ]ß¼ý¸¿“ëü«×Û;y³þéÃëî§Õú§ú#»yË7?¿ýaýó6{ºyûf½ŽýÝO¿ˆÊôß—1„j{§WÄc¥8GŽÕ:üå©_IKàO›#wðï¥øÓ¿ ~XŽ(ËÚ?“ÌïõB᪸<”\C¯­H#¢ÿþ;¶Æendstream
+xÚ­Ùrã¸ñÝ_á·ÈU# qLžfÙLª2›Ì8GÕî>Ð$m1C‘Z‘¯óõéF<$Hr%)—‹ Ð@7}ƒâ· üñ[«Y"3u›fŠé„ëÛb{“Ü>ÁØ7ÜìÐzõÍýÍÛ÷2½ÍXf„¹½œ­eYb-¿½/Z}ûÇw¹ÿþÓÝZèd%ÙÝZ›dõñÝŸ¿§žÏ0¤õêïâÛ?¾ÿðÃß>½»KÕêþÃïÖi’)˜y}îù~š÷ùî—û?Ý|?îb¾SžHܯ7?ý’Ü–°á?Ý$LfVß>ÃKÂx–‰ÛíÒ’i%eèin>ßüu\p6ê¦Æ8§¥eÚŠ4Â:!g¬ã’3k¤½MuÆŒ„1ä]]Þ­¥±«º§çþŽÛU5ömU7ŒÑ«ûMÌ›¦{í–žÕoCµoóß²ÕÎÍ÷`CGϲ°mÝVôú¼©üü6ßVž†M^Ò*E·Ý50¡DÃ.ל³Lká(î‡n·«Û'vÌ}ž(جJoSž2)²,Ê®j=sìRvήÚÊL‹!îMÞ À”$Yý´ÞýrB€‘,UJ^! @°</cY*ôŸa÷ ŠB®†M… ±ê«ý×jOõ¸YçCÕ¼ÜqÎWp„2á«OUQµ›¼}ªîøª§÷m^VaE:½ÃÓ†:Ê8º 4‡] ëÒ@çÑ}øçûOîŒàØ@¸¸]UNÒ4p½j»}þÕ84tpE{ÁŽmÞ¸lÿœ$¢©ú7ð&ùêáà§?×MC­?‰¨nš°êc·&Ô%-ÿH[4 ûWwð’;aó8H<=ðBÉäŒ<ÏŒS‘y2ª~È÷ƒÓ¥ÒÕ‡G[ï–°ý®*jD‰4ã€Sƒßõô²Ð"¯ËªQKi)æwk¾jà€IYq*+>GeèÕ)Ø:<|ÎT_‰7Øòª‹M§ºØ˜T×÷7ÃE]5š3ÎSqEWç`çuu„Âý û¼¨NðÊŒY)³+xÔ)Þ¥Š*Å,þ-h :Ÿ-é²rã™GrÓÆ>žž€=ôÚT_«†š/ôìÚêëDÂÒôãF  l#˜ÓÞ¾×z*5¨7ô$Š(=¦+ÕÌdàý.Ñ`ŽéZ²Õ&ÌØÄÎ û\ }”—à¼ÕêwW9„9÷²[ý¶kê¢öçó5o8­³„)!ì^ÏÁÎs{„ÂmQŒŠ)ÈSj3~s€:żä§6ÀÆD-Qÿ¿8š\à›IX’‚ »Â·Ø¾($þ±9ô›³Ê}ï¨Ü'xãʽ@üW¯`\‘›K"%2ðîV]cÍ ìkÔÈ4Í5AÖf^Ђ@açÔ)KfšqaŽ(Œóð©þ:w,Ôš<÷ÿÈo•eLZ~ÍÏÌÁÎó{„¢x4ý b“C,~q€:E|¤Á`3PÜæïê~×äè*Èpí£Ž$„ˆÉ"»jõ±üаɇÐò]íaûà‚X‚–«ƒ+ò«×mÑÊð6ΪÛ)¶
+$½¨‰NAÉ:´u1.
+쩇 µ(¨àG±3 É0Ü8Õ%Ô
+J¿Tå3¨YoöÝ‚Ó ³ðl;~vÞ:ßá“Ú¯uégŠä tní@vK‘‰ƒB*"\ž¡’à*/
+ÒòŠzƒŸróš®'(¬WPÃŽ$ˆc೯ØÁlb‚qŠÐ¥<]Ô®{Z”oV\M™Ôctø¶Š·ˆÁj”VB–fĨŽ¤ÒÂ@dh–|sµ¡²ÑGæ‹\ Ý3v¸H®¥î‡í-Š%0àÏZ#Çóœ$ؤuT…S* &©Û!~<3žPÑÆ/~䬙0:²ÚË`
+ZH›G–öž~ðôµL%˄Ζ\#‰Y~‚ÃaW¤„8<±.5¦ÁýÓ-5>ÍCÀ
+B
+=<}](S&äxÈ#mX1‘«3­ÙxKVUôZ4ù¡¯úßG z
+ šÒà#ÀõYA4è’Ë ®­wÆG ¦!랈Fã ~gÚvX¥Ø²Š¥VXÌ@x3†a5oY2ÁLz|Kx–X3ÌL^†ü‹K+ áÉé±é\½
+hàÎÃ{iä¡|† V¸íãc½ŽaëÁÃ]ò‚¼>¼ºÊR×E û:ìnÁ‹u&TÍ»_TåãN=OsJ!bXJ ÔÛÔþb餤 Øvñ: óšXqt<Zœz¬ãj_С¼ ^¿8Ë‚ï~õàçÎɧDÙ#–6ÏÍLõ<xÄWi¥x ‘L¬BŒãŒSɘTé‰ ˆ1KOàÒ¾RoR¦… ¸§ŒÆï‚X 7º:z’EŽœ’Š·:×êQ µ#ÞMwh<§@X[Àèʼnjª½¨b eÁ¹ê#éôÄÍ
+p³¢}äfYÓ(q‰“8·«/” FåP1píæ®››Ñ²/O %ÄÆ*Óñïæšd@r«"ÞÁÊQ
+{zÍéAb r”ÞPÀ<†Ë Êk„T¡í+Ž6ãAþüµ<"Ÿ
+8Tµr¬àœÈPÊ1ªUX£lβQx]•­> ~³ý X½ßB¢ŒTGyÆ¿h­J" “Xí?þÐ窖³¸t$X¼—“”LGâ°µ„f
+™ñ{&!}T°è³LhñeÉÜ‚³†_¦€3eFõ
+}ìðC)kk2I’lŸÇ:ö&dµše–›¥‰ ±˜°«íÁ¹:á‹"ГÓãkÞ¸C YvÛÜ)@ÑÚ¾â>èÉVîV@Ûªò“(¶ÂõŠá7®@7ò©!u,*6xr bÖ°9¸4@Ê@G?ìIØ`rS©bqÜÏB¨£n]Éúñ½®Ö^pfm’½æÃ:«Zÿ¬n=®¸ž/¹6Q”
+È®G° ö!e™ƒ=·×Em(§×p`ŠÉ—œâV)C#|Õ*%XQ>µJ€€bV´ÉÏõ\ŠVa)£Fž7OݬÆ6VñO!{ͳ“ÔcŠ‡‰I­é†SL¦¹ñM*káû+,M“ý]ˆT¤2gV»|ß»pM™¤A+/ÜuµÛjŒb«4E*¤HʇŒÊgQ8˜ƒJ Ò“{(
+qJú
endobj
-713 0 obj <<
+967 0 obj <<
/Type /Page
-/Contents 714 0 R
-/Resources 712 0 R
+/Contents 968 0 R
+/Resources 966 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 717 0 R
-/Annots [ 716 0 R ]
+/Parent 939 0 R
+/Annots [ 970 0 R ]
>> endobj
-716 0 obj <<
+970 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [120.1376 425.576 176.3563 434.7914]
+/Rect [120.1376 335.453 176.3563 344.6684]
/Subtype /Link
/A << /S /GoTo /D (controls_statement_definition_and_usage) >>
>> endobj
-715 0 obj <<
-/D [713 0 R /XYZ 85.0394 794.5015 null]
+969 0 obj <<
+/D [967 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-712 0 obj <<
-/Font << /F62 634 0 R /F58 627 0 R /F43 600 0 R /F79 711 0 R /F42 597 0 R /F57 624 0 R >>
+966 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F48 880 0 R /F55 965 0 R /F21 654 0 R /F39 858 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-721 0 obj <<
-/Length 1521
+974 0 obj <<
+/Length 1632
/Filter /FlateDecode
>>
stream
-xÚÝXKoÛF¾ëWðЃ„ë}?š“k8‰ÄIc¥(#ÒŠtEÊ®Qä¿wöEQ]©Q…ÚåÎÎÎ~ó̓$ †I„DÒP“(ÑÀD$‹Õ'W°örB‚L…Ò¡ÔOóÉÑ IƒŒ¤2™_ti„µ&É<ÿ8eˆ¡hÀÓóã7§³”
-<½8}?bú ü¹ùÛw§ïgŠOçgoÏ/f©Â†OO^¿›G‰‡uœ¼=qöòÃVÏìÓüõätÞßbxS‚™½Â“Ÿp’Ã…_O0bF‹ä&ch²špÁàŒÅ'Õäbòs¯p°ê¶Ž"G0¢ P:„N¨t„ĵ‰IF™Ã./.³MÕ¥_Š;¸$Çxº®óÅï0}no—¤Ô ­8¶!¨ÛõÕ-½àlp
-[™ù²l=n¿aL«â™Ÿ”—á¿n»¬ªŠÜO³ÖkÜ5cd0
-vv^h
-øc¯žÅ+¥œC0¦ûr¶¢¡Hi¥É:]O¾‹³—¯>¼Û‰(HBR°d¨ñßÙ«±r׋;fžXþ·{íô–ö¸OB¡ åcI˜0È\}C6ˆgۻgY[ÐCƒCˆyB ™aHa@n_Ôþ? fйIL`0ô ‚K ïÕoî§ð@å“QøÀÌq
-í|4…USe_I#‹?Ëî~Ž=ÙM¿;Ž‘§äÅоHñ
+xÚÝX[oÛ6~÷¯Š=ØÀÄð"ÞÖ§4HSwhÚ%N¶¶+Ebl¡²”Yr³`èß‘Hʲ­´A Åà‹ä¹ñœï\$`ø‘€ $4ÕÔâ˜ð YŽp0‡³“q4¡'
+ûTÏf£ƒçLiAE0»îÉR+E‚Yú~ÌC€Ç§‡¯Ž'!åx|~|6á|| íúõ›ã³Ã‰ŒÆ³éëÓóI(±ŽÆG/ßÌ<Å×e½>}>=¹ØÈ™|˜½Ϻ[ôoJ0k®ðçèý¤pá—#Œ˜V<¸…FDk,GgˆGŒù|t>ú¥Ø;mY=G0¢LÐ!×éžëA\kÈH"!¥uÝGs7 ÆãU‘&t«¿››T#¥T‚4ç´eˆóy¹ÊêÅÒ>Y,ã$\¦üÉÓ–{j+¾2ÉÊÔŽ4agwW”Ó“Ëõ»,â£gË+6¿=V¿ý5š¿-.ñô„,Þ\Ìß-õÝôäxžRÝœýìćC&}ÞQmwË›:+‹êþûX Ss¯ó:¬Ìê“YYjB%Âð#ƒ‚=Gë,õ|÷UžSÖ‹v´R·4³EVY ýŽ1ÍÍv‘]»ÿ¢ªã<7©]Æ••¸c‚1Ò‡[‰¦NëPR×(†„èXr§ð¶\ç^Iž—·ö±^û”Ëe\¤? ¨‰*ÁáI"ͨjåþ`I#ÕOd¤¥Nqc¢ƒ¡ÉË8°4t N°lùêL’L*
+“Ôvá7»(ÚåM¹rš3û
+eX‡ôŠtsƒÁÎvþÈý²O•FŒ(±Ñìëþ¾×|nÙ{ WÎ(G‚¹zgµlñl¥‘~Š+ð
+‹z^ ›247Å€jÁ•ÊßXÜÎWñÒj¸Íò&4Z4°üdŠ B’ßÙ³ÄfÊRÄC!cˆ}cÐÄ%ï̶¥Ø*j¢ßj¸+×ö k‡¬Fi^•Ö_Œ Q²“$iVÝäqc1¡.ÿ ƒË¬¬ñÕMY¤?÷ÝHˆ
+™ÏR[ú† Æ!èÒZ¾00QBïÃ]œ[4 o\ª¯o\…ðDS‡„Ö}0 '‡´&„íb©-<®¥S¸,Óìún@›‚¢ª)ˆÛETO×]GÓ:CO0AL‚ãBÆ!Xtã4„0KÀœÍ‹xmM…ŽHÔ2™Ug­¿Éøâtú›}ª?,h×faßMÄ7ʆÔ7Ê渴uüÑŸÞ˜$k˜Øuœ´ãÝ–.®ìnjªd•]Ù šr±£m«C6â¯rƒ†úïla*©ÞzP¼ò§]oXW]箇Pu‰ü±©h%X!ÎpÔe{;k¡Ývµ?"Pb€˜+³ÐMXûRÂwúÉ·qy;z^»×ˇA–{ô; Íß ªA‚¬çûÙ–5ERI0Á%‘ ×ùôäÅÅ›]/ UHpô%þ;#;‘Vn‡Q ÒäÆ–™GMT;óô÷¸«B®£¥CU˜0(‘ü†ràKÎfxÝ1%!#âÊìá-‚ ‡ýˆŽdš!‰%8rójûÿAp¤aš°}ÁœBÁÜ#xv|öê~÷D>„÷̆pßÎC8ɯ•]+õ
endobj
-720 0 obj <<
+973 0 obj <<
/Type /Page
-/Contents 721 0 R
-/Resources 719 0 R
+/Contents 974 0 R
+/Resources 972 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 717 0 R
+/Parent 939 0 R
>> endobj
-722 0 obj <<
-/D [720 0 R /XYZ 56.6929 794.5015 null]
+975 0 obj <<
+/D [973 0 R /XYZ 56.6929 794.5015 null]
>> endobj
126 0 obj <<
-/D [720 0 R /XYZ 56.6929 526.4445 null]
+/D [973 0 R /XYZ 56.6929 442.7583 null]
>> endobj
-723 0 obj <<
-/D [720 0 R /XYZ 56.6929 499.14 null]
+976 0 obj <<
+/D [973 0 R /XYZ 56.6929 415.4538 null]
>> endobj
-724 0 obj <<
-/D [720 0 R /XYZ 56.6929 469.6226 null]
+977 0 obj <<
+/D [973 0 R /XYZ 56.6929 385.9365 null]
>> endobj
-725 0 obj <<
-/D [720 0 R /XYZ 56.6929 457.6675 null]
+978 0 obj <<
+/D [973 0 R /XYZ 56.6929 373.9813 null]
>> endobj
-719 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R /F58 627 0 R /F42 597 0 R >>
+972 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F23 678 0 R /F48 880 0 R /F21 654 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-728 0 obj <<
-/Length 2282
+982 0 obj <<
+/Length 2297
/Filter /FlateDecode
>>
stream
-xÚXK“Ü6¾ûWô-š*·V"%JÚ[Öɤ¼o•=[[©x‰=­X-õêáÉä× @êÑ{Kñ‚ @Ƈ¾ø§a$‹äI˜Fqz(/o¢ÃÌýò&fš$•ašH Ùc*ó0ÍEv8.™üãáÍßîqQ¨”H'¿—Ê`A&³ÃCõ[ð£éïŽ"‚äî¿ÿ¤eI˜åYŒË"ØB…q*,ýÕWÝ–¦¢?}øD{£Ç©7ƒg'¡L”`* c!bËšwÇ8Š¢àC7Ö§^"EX(¡x…(B¦·{H©‚ÿzxÿ+µëÿY ©{1åY·õp¡îxÖ#Ï7M÷<0‘ìI±=˜þ«éyb숸%y˜…©m£¿š›eYÐh·~2^…‰ã°HYyv­ù…LƒJ:Ú( Þ·4ÔßÅy`†k׆Fþµ×묤X¨PÆY› oÖέ2“8T X›ÈNv“îâøÚŸÓ ¶éˆwY¼Å5Á3¤l>×MC­òlÊ/ka㤷fÀV=ò©Q{uÇ碒Ž±Ê@Zð[VÙößB­Q ­Ž?UN=)­i`æÝVoyá‰þ`a7ÒÖc­G棷;½n‡é!ô¦ÌCñ3;e”÷]OKG’P¯nO]Ñ£•ôc7{VLáÈ"ɾgEY„2‚ÉÞS«ilX…`£2CÙ××y_ë¤L±çCQ˜Å±Û½}- %IïCÝ‚Ý"ù›Ÿf¸Êâ"¹
-ó<•G4Ù?¨ñq_žþ¸\@øµòã¾(Ë'SΨP„1`ÕV$‘˾¤ßÄáh’%a!#òVð5ðœ$eß„šâ.¼5p ­±"bK§Ô©"Ì“$aåëf莯
-¼Iҹɭq
-M¿‹Ïºr'Ä6;WUuû„È pH0wmt c4ïè*Ó˜ÑaI¸Xñ6öð‹í\æ6gÛ~|! ÆA[Oè×ã:¯rð‘&¬þuCÄ_ju§M±r1à!c£oÄ‘õ ¿D>w8b(,ìö V¿ƒY3[g¨¥+p¾Ù]ÄRífg()E0±¡°M%€\§d‹‹|ð×ôC89>¾ VpäQõ€é"•V©–S[6éÔ®ÝC n§jF¨£ŽÓk®¦d¨à@.?ô»©&T¹pADœŽ×®©Ë=;Ê"
-Éu蔞œâF÷3[š¡FøV·»@üGYádF饙å˜C¾p ãÈÂÒØÈao”äƒB„³?öívq0Pïs”F8ÂÝiðëÁ#?ýüæcš:u\®â$y
-ŒÊ(ÊþŽÌ‚?½ÿ…¦ÉAaú° ¡Û€ƒi}ÂÞ ˜QiS“ÚHKr¶È@íOƒiì°”)Á ˜˜¦ŸLkz=Z‡Alj“[>4²çS#¿–þ]ÛÔ-“º<˜_ÌË]ǧ‡*äÜõõŸÚeÊíY\ôÓ»¸sµ -è´KG¡õS‹wª¹7A¯™Èüq­üy ÍžK’zèv²Xð•XŸç…Ãníñxó{7õ­Ã+‹æ5O}ø oHt‹[t.º2Ô²÷økú1äÞí°YyˆÉå 1¸È—°ÐF®h+êc¼ÙÎfæý à‚:
-*8m=,‡™Ù°g¿O+I†­—û^ö|6íÆ q×~i‘?ùìñL®¿8ßÇÌfV©a·¨„óþè;yÉØg Ç$ãœÓE_¯Æ%¹åõÆü1švðeaš-ñÊP™{€o›=„,2Ìö†æ7€ùX.³yµâÕªëçûè,› Ôb¶ò*‡.µq Œ,‡{ÃÊÊ7ZY€9gòǺÕýË7²òpò—:^åÔVÕ£SñE·“õ&©›|K’«lQ~dî~«2[nS«+K¶`ßDª¾y1büg!’jº\ñϘ®øj†²»\¡<ò½lk¯ÅŠni+bòÍŠ:¬s•“a¤v ]bÛF’7N÷l
-AQP R4*bSpK¼ÛÓ1$ªÌ`ÎèòÌô>€
-WØ»(¦äÜ 3|ó‡Ö3Û >ºÉ®£Æ
-H2! U‚ÑÖü Õ/ŽŸR» ý­à§ô¿Ôí™Ór•T)Q¸ªœGë4{Všs.¥ N€"Î1„DKŸå2ä?¤/A/8BÍÎ+ø:"üsÒ¨{V²6Å;)÷ˆn8OcÕ=3ÃŽ'Ë^g{&[uÛ9 ˜õ—€ša]¦‹œéB±ÖR,>»þÚõ½v€¦”«äö^Í\ø3&¬wvð
-‹ðâÅ©¥ƒt<M”3b'Ñ‹vðÁT[}Š\à‹œ5rá¼µ¤WBè/P,› )œìÎhJMB3µ :Pµ¾Å͆³ï#'À+Iç«ÕÏ6t
- €Lï.;A°pòÛwÑeFuWTv‹jùTpû’j1m>•­7°ÔßAÅ´wSif*vïÐ}[ñnP@^÷^SD(eT¸ºeûä^×$Ô¼rÿ¡Î‘gšÇ H…9èÕ1ÂÍ
+xڥ˒۸ñ>_¡[¨* K<ÉiãÇ–÷0®x&‡Ôz’šáš"µ"egüõéF7(JâØ©ÚR•Ø
+ë2‡‰+>ÎBØ„¿™o vfÈWt‘—»º<1c…âÕ%KS”œŸðXú}Fb(59J“R`cÓ1'
+c ß·C¿yQQ`MÖéh&×ʈ
+GID濯œ 3ßp-“kºgÊÁ«²rò+–
+Ìg ]©†q~ÄÄ%d!ÄØ"¹_4Èt6ÏÍÿBže´=…б/û–nâ¨pØ×eó)MdÈÙ´Í@*28²É¨•d>¾{M€tΊK±LV¦¥tã?o~û=]U ž_oR¡]‘­¾Â @@­v7F*á\fâL{swó¯‰ D°B Ë%Â2-Ú—-ãŽsR›ÈÜF›ªŽ,›+dŠâÛ•ÃðR€Ë‚y9×
+ln¯·Ö&MN¾q& ÈK&s’·«‡Ás1d’p^H”0¨q@܆ԙ„JKÏÄ‚XÍH߶÷U¸øo&er‡®µ}nºÇ~UjPY,Ða!‚6}×"Áç,ÜÂia
+1PÞ몧LŸ—&¥?†
+-/HØÁÎy&å»À®”N¤Vº)ì|O¼…p©ŽEÞ$P¤>ÙG~²­Y¡Ê  †¿3y^¦kWÔÀàÜ•ÿZtÀ8”9ëVÞû—c×yÀ‘ópÖmD4( ×p×b„âžãÍ3è«))êþ{_aøãdÚd]Üàöáë鳫ǧ>ØBšlƒ’p­ªÀf±è„J’*Å}ëK´ã°ñªº­Çi–K*-+>&¤ÙqQý
+oQÈ"ú5QÚìû¶)—ª:kE¦òXÕ•-Åä…£¹ ¼>Å‚3eSojÍkâ
+}FÇ>ŒÈ E?ngʛ̺­Eñß`{Ó¤p0ú¡†.[$.d2ÐèSš¥ßbà2Éq˜öƒÍݽ} ë’–¶=÷ò¸H¶
+–ýG[¨R¹b»ðŽàK¦`ý 4ðÓmpp{ì÷J0 F¦åǺ«~ F “‘þÅÉe‘<ßéuô…$ÒtŒ{„"ù\?¯%dCv¿)#Oý¡ùæcq™Å£=ø!zVl”C·ëc©Ž>Ø<vø¤Cní©þï̵a¯Ÿî0Û1q:½ ªÂ+ca´)b|ž^…¦ˆòG<t1"a8h_
+Õø†¢fðçð,‘ÍÞdT†ÏUMÓ!EÃ×Ó'öûÙ¤˜¬N9âD¦Iï°a¹ï¯h‘‚”OöôÖȳ»X¾ jPåp]RKœfb<‡ÆµYÒåÜâ¤NJb…­ &x¸‘ú¤€¿>ÕÝÅ2~F
+f2€ïFt-˜¢~¶åônwâ-ú¬;]àc×BλÈs¤Hz ƒúÅå©9Eª;4UUw—iwÉIÎ’iÌœæšÎž¿“²‡§þØVÓcïb¢uÕŒ1tì|w |ON~™ ˆI›ÏŠ“<>Ú<¶=
+ö
endobj
-727 0 obj <<
+981 0 obj <<
/Type /Page
-/Contents 728 0 R
-/Resources 726 0 R
+/Contents 982 0 R
+/Resources 980 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 717 0 R
-/Annots [ 732 0 R 733 0 R ]
+/Parent 996 0 R
+/Annots [ 986 0 R 987 0 R ]
>> endobj
-732 0 obj <<
+979 0 obj <<
+/Type /XObject
+/Subtype /Form
+/FormType 1
+/PTEX.FileName (/usr/local/share/db2latex/xsl/figures/note.pdf)
+/PTEX.PageNumber 1
+/PTEX.InfoDict 997 0 R
+/Matrix [1.00000000 0.00000000 0.00000000 1.00000000 0.00000000 0.00000000]
+/BBox [0.00000000 0.00000000 27.00000000 27.00000000]
+/Resources <<
+/ProcSet [ /PDF ]
+/ExtGState <<
+/R4 998 0 R
+>>>>
+/Length 999 0 R
+/Filter /FlateDecode
+>>
+stream
+xœeU9²,GôûeË@@Q ‡!é¡%bd(dèúʤ—÷ÿ(žÑ¯
+’$¡T¬)ÿ®ïë¯ãïãÇ_¢ýþÏaíÏc‹®½Ú¿G—=ûÌöÓ1ÄF¬lÖ]töö×ãqu‰Ý¦‹÷5š”<8Ç—ý:\;âúãñ‰ü<q¸Í;.\ži2c¶û~ð¶e¸í×qc¸=7Ä+Àg ¯ãã×ctéa³ÙL1ca·cu™šm QOƒ½¥ì-¡{wñ¨¼&kñÄÞ
+¨9xcH
+¤Ï’ÃigÙ¥—ÇáC6uéíÛ&”\Ê GTœ„Méêö–KòlÜ’Fyu|?é%åiÈ¥K”êNÊq{vˆ*êèJE¢]8hÍò¤p0R±ˆ$Á(+Á nÖN¬
+qª„Ñ«ò^ÿï>‹«>÷— .13×…Óƒ!¶3¢SËAÕ”ih¥Å¨Š^…(€<Îm䦽ªšÛÆlLÊâ³ò7Ù
+г2"ïE9~ 
+n*Œ1½÷¨¾x¥Æˆpîâ‹&XîÃœ§³±è\íD¤ßä0}#XŒûž˜‹¸À>#^V°¡|2Îi‰9ÊÎr)`˜¢Xh¡Ò& „hb—H°Œe"Ãê
+þrÓGçX5¾ûû8‡´ÕªOª«t–Ô³$Ây°‰—BÒ›ÀÄ5©/¨vp÷o`kA“ôr ±ñœÓ4N.4Žæ
+endobj
+997 0 obj
+<<
+/Producer (AFPL Ghostscript 6.50)
+>>
+endobj
+998 0 obj
+<<
+/Type /ExtGState
+/Name /R4
+/TR /Identity
+/OPM 1
+/SM 0.02
+/SA true
+>>
+endobj
+999 0 obj
+1049
+endobj
+986 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [470.3398 483.0796 539.579 495.1392]
+/Rect [470.3398 482.8902 539.579 494.9499]
/Subtype /Link
/A << /S /GoTo /D (boolean_options) >>
>> endobj
-733 0 obj <<
+987 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [316.7164 471.1244 385.3363 483.1841]
+/Rect [316.7164 470.9351 385.3363 482.9947]
/Subtype /Link
/A << /S /GoTo /D (zone_transfers) >>
>> endobj
-729 0 obj <<
-/D [727 0 R /XYZ 85.0394 794.5015 null]
+983 0 obj <<
+/D [981 0 R /XYZ 85.0394 794.5015 null]
>> endobj
130 0 obj <<
-/D [727 0 R /XYZ 85.0394 769.5949 null]
+/D [981 0 R /XYZ 85.0394 769.5949 null]
>> endobj
-730 0 obj <<
-/D [727 0 R /XYZ 85.0394 582.1251 null]
+984 0 obj <<
+/D [981 0 R /XYZ 85.0394 582.0558 null]
>> endobj
134 0 obj <<
-/D [727 0 R /XYZ 85.0394 582.1251 null]
+/D [981 0 R /XYZ 85.0394 582.0558 null]
>> endobj
-731 0 obj <<
-/D [727 0 R /XYZ 85.0394 543.5676 null]
+985 0 obj <<
+/D [981 0 R /XYZ 85.0394 543.4475 null]
>> endobj
138 0 obj <<
-/D [727 0 R /XYZ 85.0394 445.615 null]
+/D [981 0 R /XYZ 85.0394 324.8439 null]
>> endobj
-734 0 obj <<
-/D [727 0 R /XYZ 85.0394 406.7709 null]
+994 0 obj <<
+/D [981 0 R /XYZ 85.0394 292.4184 null]
>> endobj
142 0 obj <<
-/D [727 0 R /XYZ 85.0394 289.0425 null]
+/D [981 0 R /XYZ 85.0394 174.5048 null]
>> endobj
-735 0 obj <<
-/D [727 0 R /XYZ 85.0394 261.2074 null]
+995 0 obj <<
+/D [981 0 R /XYZ 85.0394 146.6189 null]
>> endobj
-726 0 obj <<
-/Font << /F42 597 0 R /F43 600 0 R /F57 624 0 R >>
+980 0 obj <<
+/Font << /F21 654 0 R /F23 678 0 R /F62 990 0 R /F63 993 0 R /F39 858 0 R >>
+/XObject << /Im2 979 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-740 0 obj <<
-/Length 3597
-/Filter /FlateDecode
->>
-stream
-xÚ¥ZYsÛF~ׯÐ[¨*‹¹päM±åR‰ã•´»©™Xƒ
-iÉØH À¯»ö-.¤ÒÆðS(7I˜eïê•~ØÅ—‚߈ӱšœÊ(yf`±ã³Ð&H <PgAwë²eá¼e\WVµ²hVɦy,Æ›€!8ÅW-OââñÚq)©Šý,ÿ««¹¥DàÎÊ _ÃPW2CV¯H¿K«Ò I#3Õ3«NFk9R(l²¶+v\fY
- W«²;+(™ŽT‹›}=s:„ƒHãhr,.;̃—„ñ ÇJ+¸„hÈš®šlu´`Æÿêxõ¨§Ñ‹Ë¢î¡¹Ô± Â0T^uj
-Q$hÐoZÁ±Y°gX @Û†Xsž÷.–
-ä-®ë|WlŠºË*á<^rÙÚ.«Û‡b×Îß©`±rMsÇ.J˜…açgJÂÞ¸Õ¢“I¸}J®Ø"Ý5y#ï–-¿™qõ=qá¡!m%üÅb÷ÈÀ©nœNÙÔ•Žƒ>³WsÔPÖ€N:Vç RŸ‹ñ˜‚ ¦¶Ñ4ØJú€fÐBÙSt *µ:Aª€KGÛ‡÷iûÐÓn‹¼DÐÓŠ±£æŽ›·¯¹|#ÉÑâ¶(Žý ༜VduÛ”Ÿ;wιp3rýøåø…Sq*µöË{Þȶi ÏažFÇSõÞv`
- ^µ¿/Z…6°¡‰Ï#àªÌ¬7ëG-ÇÃN—z*™”—˜Ã¤Å°ºØRß×hÙX»ÈòŽNœÊ­<ù!üœ•‰’Å7×ïÞpWÊv¿Ý6»N^ãÓÆA ÝôÄEć <¬ $…ºÈ‹¶ÍvOXu‚cîwÐ5Ð1 d˜n“ueƒ[R–e”[dYY!ý`$„%-‡Ôyµ_IÅó4–ý*áõMV‚¡—5â»îŸø9øTä‰;ˆû° †‹ý,ofÕÖŒÖ!™(—xZ«EsïgÆfœŸ¨à€‹o‰$ ÐRÖŒrÄ\ÕbØv$4íÉFdã­c²&nZ•±‹m±Ã`Þ0Žø šöªëIºFTíH’—B’¯¸IÃð!â+1Ú4 ËထIdƒ][‚À©»4ø<´>Â(??ú–»f³\¨À¢Š:/Ú‡¢¹Ô¿ÝŠYÙ(°:ÔÓSm‹Ž '!ÉØÅ:ˆt´IO³³¡•‡öÑOf‚Ä:ímØm8Õƒ §ŠmÛøAÇ
-ʵ@Ëb¾ÐšòX ­pt×›mÇ
- á¹'kqbØØTW`¡\.;î-¥^|ÞVe^vx@X_qXºÄÆpN„Xlß4bü/Ù²Èî›}ÇE–Ç0¶yÅ=mQp±€c‹6ß•ÛA981PׇIêOfW|Úm·$¤œ‘ss©?¢¼ÊHQ/Ïââ
-Z®4
-Óx
-ª"ûØr‘ȘñÂ'.ÁÁÈ ôëeÆ•B™a × 0Uä„ÔLj8âs¶ÙV…ä¡ M…7­L×fOÏ8¯,ÿ’å°«9Y
-]öBM±úäµÜ
-§àž'.ÕE!£9 BņõÅMÌ‘°;¾¬ý0pv½˜hjÐÇV
-æ隆HT©J×Bê±&,Q£¿[‰y¼ Äè$Ô=ìWM¾GçÇÎÎã“–ƒ•Œ¼70žqÁ#ã|Ö
-ÈT1ƒtä0§hâ –î —®ñcøEã’‘è)†ñ´ïZf+”Øõ°œJáµ?N‚(ç,¿<‹“ .I‹¥É"¤“í̾Éi}=7Ï÷E÷…}€ÊŒâ½˜#Ρ¿”2/@.K|8r§ÊÀ!Ä©Ob]ñÚ Æ`J'˜ñ©‘ œÒs.œÉô™À¨ØGr²ã gv?ç‚Ø7ÈS¼äuæ÷æ½1Vòf7¦iÔ–œKM½Iñ›¿ãIzÁ$.µÑt£{åÊ¡ìÖ\šÚ ¶x¬b-Z¼ŸæTbfÞë÷’tŠ7D,ò
-üô^k«bƒQ[¶+¿øÉäÚ¡Ø7?üÌ÷´†h„‘Û·E>íèdã¯<Þ³î¸þÿŒal÷p!ðH™ ë¯ºà2ø,ºTÅÖÃC(
-'S•ŒN&¡i:Š ÂÑkJÄ€CyÕãž)CÁá°{ ÎmEäIÜë_ÇÑ}>Z‰Z`~ÕÓìÈD1ÜÎ2y,³C%LÁ>,ŒR"Íi;lF¿û¬;”¼F Xö…Q q’GüiŸb(0Ïù%}o^ì0Ñ0ÇÏ~†¥\ýÝ ˜`&3…G3êWÕ {tþâ½®Ù}pd¾¢p-”ÃÃO9ê´*Ûµÿ`QR¤ÝðfÐ:¼ Wsh¦À>Ëlå݃…ùFB÷+hAüø·(aL_SRŽÎ'†¯*÷ÒÕÈNÜdŸ.f=%ᘯR"ò\‰WŽ©+%—O™l¤¤!-.´”¯ú(Š²ÞwúÏ^âw)ÛÍ=÷Y+ìhB”áÂïcë2_ËÃ4æ(IF~"–šÁ :XtYõqJH÷ q6²(©¢©ô¢¦lWÖG`†…›¥›ØÔúOÆ%þ8¡ù^çMÛ‡}ÏÅVÂ#<!=HršdþýOûbWRžÐ$I§ ´ÐÐÓ ˜ó½Q˜(òŠ.Rý²O71A”DþJýjFâÒ:„î8»Ž’õß“*Vf²ÒßTL«’´—¹´qè?  ×I
-¬U/éÂ+?á=Nø‚²]Y5ʉ¨à¹_âàÏçf~i
+1004 0 obj <<
+/Length 3372
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ksÛ6ò»…¾•ž‰x$Ad¿¹‰su§uS[÷˜&ù@“ņ"U²¢üúÛÅ.øèëÍÜx<x-‹}c©pÀ_¸‰ŸdQ¶PYìË ”‹b{,žaíïW!Ã,Ðr õÃêêoï…Zd~–DÉbµáJý MÃŪüèžð¯CàÝÝ¿}¸ýåö~u­bïæçëe$ï÷_ïo©·z¸¹|ûðHÃO îþýþÚðz)Tyo¼ù°º} õ˜±Þ¼ûçu†ÞÍýÛÛw´ôîžq¼¿½Á³Vÿx¸}¼þ¼úéêvÕ_j|ñ0x£?¯>~%Üÿ§«ÀY*G~˜eÑb{KáËX7S_=^ýÖ#­Ú­³Œ ?I4ÃÉHÌqRf~"` 9Yçûë0õž5\.ʼomýÊP{Ø•y§K¬-°þó ›®>YÇDywét^¾8{ÝÆbI½ò°ÝMñ•ºÎOßÓÉBm×RJj·Usè´±X…—×u{¬šgZË˲ꪶÉk”°b†~&edïEd™E‹mþESoWç…öû™†Ib7þk£<@z96‰gôþEïiŠ.!=bƒéò=³&ñòuç rjÌæЕ푱µ{‚+ö¹ÙØ ^ÕÑÚ±ªkZ%Ä@݉V˜‘Òû£=ìñªvð)¢ZÓbÖí~×îáÖn‚–‹d†E,kàFÞœ¨3åÚ&ïÿÚ/#¾ñ&¾°…ä¹:7¼e@Ž*0Ëé·›¼y¾<Œy{¨yL:×ni„×Ü’ЈÀ· –;“£»}Þ˜µÞó¤êŽüÚ°V0kk+I‹”!¨1Õ¶B+±ƒcî´~æB+bƒè)ˆXR†¦Û5M–§&ßVÅ
+~'Ž3æùd÷ÑOƦº1>hÆ FjîÔxРÞÒ Oâëõb$ÅñŽÊ8Sšúž’ sáVöשwh4pØáÈaG2öUf@1ºoJ>ÍtíŽáÇ>Ž|!‚”ÁIE‘~Ejªªwx—Ty§ö@Mþ‚ä¥)‘3[r–éXŽ0pË9A\€9æ‚Ýܬú¢±¼Kö¬ÛÁ‘ìŽ ¼Ðå¡W˜f§ˆ½vÿå{3©ôÞU&ªgåØS"‚lpd"$Fã¤%
+\†K§¾
+bÖ«¯ôzZ®÷ívY
+ßµ8ýRé#:ôÕV¸vÎTOœÙ¿róEpÑÅvlá;fgk'‚‹6Ø‚Óô°ÎSaR¡¿vסׯ(WikÊŒìVn†|âL´ ]pêX7sº+<ò¿ÉzÇE×2ŠX.Ž±
+wƒ¡%’M2‘gùLÔ:ÿb¨k1Q»µeRì`ãúK•Ó@CJÂ'l๦Š>!s9"B|Í·»Zóç˜ “G䶤†=“¿¼œ^“¯¼ø˜Y@2ê!n¤Z•E']•
+øbz
+g‹Å¦Ïse9éõ…
+>…²G
+UZJÆðz¦åY~
+‚Ê\Uó–hCek|þL’•Ä¾Œã¾^+ƒ™Ò¯ðE¨\jÏ7ö
+÷ç褯¤¾HÞäîn.=ÃÁèÛ"™ŠŠë™3)ÚiÕ?ë4\…Cd'çŸ^¢ª7P«nC½©ÝàŒÓU%Þ‡i‘MQ(¾ûÀUH%!’G.Ç®YŽÃŠÂÔÓø|_}s‡ñ;^%í»_~§‡ûŒ µüe2ë6'bV‰\X¹T:¾ø›ó⺒Î+†±;À ÑiÊD»ÎôuÐ.§¯jWè'*vê€9µ}_d”;‹(¼U²QZÈŸí±}ÒJTW¦
+@ àò²´ÆÇ!·¡ûþ*
endobj
-739 0 obj <<
+1003 0 obj <<
/Type /Page
-/Contents 740 0 R
-/Resources 738 0 R
+/Contents 1004 0 R
+/Resources 1002 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 717 0 R
-/Annots [ 743 0 R 744 0 R ]
+/Parent 996 0 R
+/Annots [ 1007 0 R 1008 0 R ]
>> endobj
-743 0 obj <<
+1007 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [464.1993 638.9439 511.2325 651.0035]
+/Rect [464.1993 509.0768 511.2325 521.1365]
/Subtype /Link
/A << /S /GoTo /D (proposed_standards) >>
>> endobj
-744 0 obj <<
+1008 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [55.6967 628.0049 105.4 639.0483]
+/Rect [55.6967 498.1379 105.4 509.1813]
/Subtype /Link
/A << /S /GoTo /D (proposed_standards) >>
>> endobj
-741 0 obj <<
-/D [739 0 R /XYZ 56.6929 794.5015 null]
+1005 0 obj <<
+/D [1003 0 R /XYZ 56.6929 794.5015 null]
>> endobj
146 0 obj <<
-/D [739 0 R /XYZ 56.6929 704.5459 null]
+/D [1003 0 R /XYZ 56.6929 577.5408 null]
>> endobj
-742 0 obj <<
-/D [739 0 R /XYZ 56.6929 671.1703 null]
+1006 0 obj <<
+/D [1003 0 R /XYZ 56.6929 542.4624 null]
>> endobj
150 0 obj <<
-/D [739 0 R /XYZ 56.6929 515.8828 null]
+/D [1003 0 R /XYZ 56.6929 380.9794 null]
>> endobj
-745 0 obj <<
-/D [739 0 R /XYZ 56.6929 480.2977 null]
+1009 0 obj <<
+/D [1003 0 R /XYZ 56.6929 343.6916 null]
>> endobj
-738 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F79 711 0 R /F57 624 0 R /F58 627 0 R /F56 618 0 R >>
+1002 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F21 654 0 R /F55 965 0 R /F39 858 0 R /F48 880 0 R /F47 874 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-749 0 obj <<
-/Length 2237
+1013 0 obj <<
+/Length 2880
/Filter /FlateDecode
>>
stream
-xÚå]oã6ò=¿ÂØ—ÊEÅ¢>¨æ)ífoS´A»›kè8EfbÝ*’kÉñ¦Eÿû 9¤LÉ´öpOE€h4Î÷ ‡4›Qøc3‘Êóx–å1I(Kfåã=À·œ1CZ¢Ð¥úêöìüMÍr’§Q:»½wx B…`³ÛÅÏÁ×o/¿¿½z7£„1™‡IJƒË×?ÎcÁåÍ×W¯ñÓë›÷¼¹ºœgqpûÏwW€a"N¬³+ßÿíõínÅ/·ßœ]ÝšºÖ0Ê•š¿žýü -À¨oÎ(á¹Hf[x¡„åy4{<‹N’˜s‹©ÏÞŸý00t¾ê¥>ï$\DD™Ç=1÷¹'ÉIÊ#®ÝsÝÌC± X,ª¾j›/à•‹ _J…§ÁjsWW¥²óüM’9ÜÀ<ÊrÐAñéª^2$ åBE†ªhV%4e£ˆÈOÅ㪖¤l=L‰`Ürý­md‡ftËvS/Põeñ$ v%˪¨ýÝ¿¹ž3ȲÕÏ…Yß/‹^ œ…QÊx–ÏBÆHž$‘U¶M_TೈÇÁ¶ªeë†hBÿýùgð`H²'D!WmÕôUó€kú±Úå
-¸+: üºl»¾ƒÜã4 n—U‡ØÊpj¤\È…Y&ËbÓI$Ÿz¹n”ÉêÓcQ¨“ë'¹î´‰tlÚBé‘DAÓö ÿT4Ï´ äÁmaq÷êɃºm?¢Q€Ü¬ v‹@o¸/d]=YF/çsö¡à#k‚fdüÀÒà§y’U¿D¹è7¥‘Ž‘Ø &±ø«Ø,§ƒ2T12ÐùfµV f];Y¿ ¼(u€í²*—–E3,2Ð}»ÞîRUOËÉÊqÝA­;¬•ÉE.´•ošŸuHiEšŠ2ÌïÍÇÁ`7‘,õûìKOñ*ñ9É8Ç,ú\ëq’«þÇHóÍÍ<L)rVOFñi3•¹5O<EZ¦ÆÜL³½Q Æy‚•k ùŒPQ–re°^)Ïr]0Ë¢¾78ó„Lï—:‹Õ[Õ -ÂA½5²ß¶ëªe&éŽhHõ¢… ¦.” _ ªXsšm@K à'±«…46 ŸsWA½‹&)6zÀ™PZ†ƒn../eB+½¦]Éu=gÁ³Þ:•Õ‘éZŠ3¥kkÝ_PTcYK_=îL7-?í§QØ‚„>üÒèaã­IÝ`”鸎šâÑàmg´U9™
-ó6Jgoåý°‘ëJmD‘à†ƒµ1í\Éìð£1>hÄjµÝÖi4êË3>Ñ‚=ŽFoÕlrª7Xþu§Ld•m F™Ð«¡·:Ëúý®(?šÆ²9ä÷Á“#G·Í©.êïr*›#Ø
-œlV¯h(ƒ:ÖZ³Ô¤µ†Z|bZ+h5×S@´
-+®–e_=Jå›Ô5ƒ'Lwõ‡ßì_,° ['LÑY…ìÛI“‘N³qÞ÷?K2ÂãÌNµW¸%™üº)}S’?ì0j÷ÝqŸÙ¥Ï¸Ááx´s`qg·è¾ýòÐé"I``fâøQÉ!ÒG;*ç
-¾ã¤ÿ@Y6•¨í<³£"¢=™“¡à8ÉüfF4FjGM:ê”Ú»ôðFxBàtÆOF"Â3‘=Œ@mñ$‹ÿäiŒKÝÓ9;ÐBó=<‡êHô,Õéð“êÄo*Ö@Wìÿ3‚ÄmhÓÃlJX–Š„’By’¥-ýE ÓUs$,@¤'éP ¤¥:ÈcR@NÅúéŠ}y ÷:õµö©ìú*ÎSBcq¢c¹T‡}5PôÕQ©;_í‰õúj$öêS¹,šÏÁ±7'½»ÖBã}àòæµ=Ž¹è•lU17 MÓñ9çín>>èÿCÛ‹6•8U·0
-yQ“ˆÀl—½(ŠéŸÞUþbg!‰9ÍóI±› X”ÅxÙO}“ÏÝM¼ Ç u–)ÌÑ ð8ÐgöZ1SW½®
-öñP?¡4­u“Ô?¥x܉KñÅ•=dØÅ$%…xêè³–]¿®Ê߆êò¸ëË^Ër³ît ‘¯äeâ ¼‹O$X8ÉÊi´ÜÁ6¨$¾Â£•³c½Ú¥DêRÆFHóR2¬Øñöój´ÆŸæ•eüêñ|_¡‹#ä–ÆaÂ袵i;ˆm< I¡oŸtUdj,b,À‰¹æÝeäŽg?ªÃ!=CÃ3÷UÉ_JÓƒ‰ç­9OÞažU?({¶:DôþÝÚ™73Â…ˆü§)ì9F)eäþ¬9üÀ½¯ú9Èúendstream
+xÚå]sÛÆñ]¿‚o¡2æù¾qˆŸÜDi”‰ÇVÛLãÌ"!‘5E($Yéô¿w÷ö8€ )5Ó§NÆÁÝa±·ß_”˜pøOLœa\åz’åš.Ìd~sÂ'×ðîÏ'"ÀÌ"Ð,…úÓÅÉËoU6ÉYn¥\\%¸ãΉÉÅâ—é×ß½~wqöþt& Ÿjv:3–O_ó×S!ÄôõۯϾ¡Wß¼ý@‹oÏ^Ÿfzzñ—÷gp"œ6¾‹_~x÷ÃùE÷ůߟœ]´”¦Ü®ÌßN~ù•OÀÔ÷'œ©Ü™Él8y.'7'Ú(f´Rñd}òáä§aòÖ:&£3Nf#â‘jL<&gVÁ+Ïùæt¦ŸVÛSᦋr [žO›ŠŽ‹ù¼º¹]¯êe8_®ê°”–%!D±y¤Vë5×eCGw·áÛ‡€ÞÔtT]Ñɦ¸)ãWÛûr[ƒ´µË§?nʲ€V—áU8@z@ “™,7FzW›zµ
+BÌòaΘȄìQZ~.ÀIKž8‚RpÁ¬È[”3‘ýîâ–Ž­¥bOBîØQ]ZZ² Á¢U:ž¢%omgAX$S™qQj"ZR  "ç‰-á®E‹²%\-‹û
+¸ K{ñƒ©CºäÜé 0u›)ñE›)qã x6I{)n"•e  #Ù1UÉýä>/ß]®WsŸ”ý‰ŽdhŸ\Øc¼…kCµ7Þ S’Ù¼õä½6k3.žÉÁs€…ðÉïÕ¦ôe‡Zª>$[‚|îÖ â€T\Fv@צ¾£FL‹ºcÖ¿BáÓÉwÊÎðe¾¬º.3°s3Rë(¸ÁRn,@ª”<zâÃÃà äx—ÍÉU˜Ü˜«æöNz°*Âcýè=D‡ˆ7[Ó
+Š–e±¹ö®"<So~§â#ÛϹ0†eÐ7DVØÍçgµ„èkŒî'ØÃ<X¨
+´ÇäåU¼ð/<"lìnÙdQ÷
+®“®|Ÿ"Á¤‹:3z°jÝGÛ!ŒCõŸRÐ2JyGÉ·Ïu)'”L]ŠØ¨—äHH:U+þô¶œ¯(Øñ雟épGïxè«{J V0è
+_©ƒ©A˜[ÌÛªÃ3šÍ?¾ü"—3.=½­ MQ ‡o(GèËuËámˆå­L ˜¦MY.|^ÂÏÊyqç³
+-Âm¹]ŸŠé£ñùÊ[wÓª0á©Ö±Î$žï› í8L=t?/§þ`%ðHiž@ù
+ªºìIú³ÏÎ$ÿ¥þ08Kpó<ŸÞà3hóešf8™Nf8°i ìbÂ/­xN¥|Šýï°|Gÿô?ájQÖóíê’þ,®º¬îK,ú˜¾­š2¢*š¸ŠDŧïQúÍFÇoE×Ø%?¿4 ½_ŽÓp·Œµrl->VwÑï­ø^£Œ¿º,‡ö¬…cN+7‘ P…ÿCz¹½žÐâ}bÚ-ü,ý`׶wñ¢ >`¹RLìPc!âä}bv¼+£`ˆ+ùiXA¸4Æ Íy/_ ºö¾à÷Œµ`Î9* ‹ùšÆ|1 Ö´ýWfàœ–ÁÿùK©_…Ãéá¿_E›¢1 î£é´> f«Ûzv]Í–å¶ÜƒŽrFu‹à-Žt’Ùk¢cc¾sLÐ40YVô–W |GX
+Ã?1>øÿÇ×%& ·srÜŒ·ÌÉ<‹D!/rÇqÚ?ØÛ%ý?mwendstream
endobj
-748 0 obj <<
+1012 0 obj <<
/Type /Page
-/Contents 749 0 R
-/Resources 747 0 R
+/Contents 1013 0 R
+/Resources 1011 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 717 0 R
-/Annots [ 751 0 R ]
+/Parent 996 0 R
+/Annots [ 1015 0 R ]
>> endobj
-751 0 obj <<
+1015 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [417.8476 408.3291 466.5943 420.3887]
+/Rect [417.8476 228.9788 466.5943 241.0384]
/Subtype /Link
/A << /S /GoTo /D (sample_configuration) >>
>> endobj
-750 0 obj <<
-/D [748 0 R /XYZ 85.0394 794.5015 null]
+1014 0 obj <<
+/D [1012 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-747 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F57 624 0 R /F56 618 0 R /F14 608 0 R >>
+1011 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F39 858 0 R /F47 874 0 R /F14 681 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-754 0 obj <<
-/Length 767
+1018 0 obj <<
+/Length 837
/Filter /FlateDecode
>>
stream
-xÚ½W[OÛ0~ϯˆxJâø–Ûxê lCb4Û ‚ •r)q¸”‰ÿ>;ICÚ:¥P˜*µÎÉñwŽ¿Ï>ÇE:¤;.pè^@‘£Ç©õkñkîdu½¾†š}àb=
-Š&yVnr^
-#Zªôœ÷219Žóì B|ý¥¶PX—‚Eq¢daEhcÚ,ÒèÔ5ª7[ ß–”øfaÖdÊ­ëܺaë«‹B>•îüÕ
-
+xÚÅWKSÛ0¾ûWx8%+zÙ–Ë)…Жé0”¸½
+g­Vé…³ Œ´QXK`ZyÊÈ
endobj
-753 0 obj <<
+1017 0 obj <<
/Type /Page
-/Contents 754 0 R
-/Resources 752 0 R
+/Contents 1018 0 R
+/Resources 1016 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 717 0 R
+/Parent 996 0 R
>> endobj
-755 0 obj <<
-/D [753 0 R /XYZ 56.6929 794.5015 null]
+1019 0 obj <<
+/D [1017 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-752 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R >>
+1016 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F23 678 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-758 0 obj <<
-/Length 2220
+1022 0 obj <<
+/Length 2146
/Filter /FlateDecode
>>
stream
-xÚ¥X[—Û6~Ÿ_áGù$VDQ*=}pg&É´MšÍx÷¥é-ɶ]]fêýõ ,y4Ív7sNB .´X8ð'Ê·y‹0òlßþ".®œÅ¾½½,³ê…Vc©Ÿ6W¯Þî"²£À ›Ýh/e;J‰Å&ùݺ~·þ¸¹ý´\¹¾cyör厵¾ù×Ra­?\ßÞЧ›÷D¼¹]/CÏÚüóÓ-r„á:ŸWnîïÞ.ÿØü|u»ôßA8•ûvõûÎ"«ü|åØ2Rþâ&Ž-¢È]Wž/mß“²çäW÷Wÿ6}5KçlâKeûÊ gŒâÉ9£ÈÈö}72F¹+é®í!Å˼z㇣%nhG¾§à”­Ó¦Êì¸*w$;Ù>P¶ëy‚e?;¾SÕ´wú­Ëtž–-pñªÑ¹†Øê¦Ízî¡jPÖipÁëÅVQ
-Dzm×:+!à¾kDJ]¤MZ?¤5‰‰ÐµE`Ãÿîß—Sqñq-æ.„gKÐ
-·€Õ~Ž¤Y Î[®„㜱uab—ÂV|ò›CÖ€½‚ÀêGMCs¨êIßÚwY’·­økÚ¶Y¹§Iw¤q³p׺ltÌn
-‚±á[Ž¤ ÃÀð
-Xµ‚KÉÔSÕ2MºÍ7ƒ¢)·]}9Š!4=!‹`@Îì¤34«Ów·ÁÂ[- d#Û…Îjjù<+9ÙVGL3}®Ï½˜©·æ¢/϶àý6-Óiö¸?è:ålûË€w}ÿs«cN¨uVOSú;ˆÂf¾Ô»Ð»F•zˆ9)=ˆ}.A8O¹$`É‘ àïY=3õF }»Üf›¶iZ²íƒqèB"—-‹}™˜ÑÖû;Ñ/NvÂþ6P£Ü¹„퇪ßÉtÚÒZ—¤¦®·¤yÌ98…RGv]ÓûÇ°Z¾&¸Ð+:»@Àg×õÌuVFç˜à„ÃÑMÅ”:©¢3YÖô¢l7ƒP_]·U_IñŒÆ&~ö
-“cÊÖ][PcÚ„A‡Åû»€¡; 0Ï«Gî÷¢!6Ìä1Ãn©ýÏ0Ó4W­Àâ4Á¾ODoOmÚ7‘õîýúzõþƧÙ 7ihì9>So«SI‚Ðúµ‚†«žËŒÜÆ„ê܈á€ÚŽJ¼ÏÙ¾˜–—:õÜêT7Y/B½‡âүԪŇªeáÖô…D1«ÐfEW gïš½q3ÐÔ¤D–/\V8k›°¹¤ÔÌUs2cIï"Ýöí˜qÒqIÝHÛ'œs»F>ÀÅÕ¤‘Lº˜WjÎŽec‹ÄèôÕ¨L?A”¤l ã¬`à…^8+Mã¡ÐñªH|ænùýã*f°ø»ßî7¼`{ÏÀyÜÉD}HaL zPD}ÁmÿÓ:I(Cùe¬À á‡/ügC[ó0_%< ¡ì‰srò¤@Ä(º"ô ·’mÎjBgÓô
-ö*“†/±v:Œàhx/7¶/"w
-ì]VÇ/ê2®’
-˜<è<KæÒõ9¥š®Ç
-©›¦+&²¯ði¨’kDO(*]ÞfÇ|r7eñþ'È/É<Š3̬‹qgž¢RM/€HÁÍjª‰Jjìš™[N5ÄÂ@#çþhè7/ž¡†ë¼©PPPgZ_Ëê±$r+ é Ì)0ÖKeuÌk”Wºýaî±£\[Qß_Ab«¤^8©éу°W €˜åšy“‡Q¡¢qÜ-…#DÀ¤G"eréÙ
-ŠÄÅ/[ºÕös¿KßÆŸ{g~çu†—Éÿý«òùgt/´¥RîüÆÒ låFa¯*/¢K͇ŸŸŸªþU)endstream
+xÚ¥ÛrÛ¶òÝ_¡É“4 a¼">¸‰“¸—4'Ö9/M'‘ÄT$^ì¨gοŸ],@‰2ݤSkÆ
+ƒÀAv·ÿžìš£S:‰‚”E©H¦”"§”I"0Jùßw(òDÀ$÷Cý³®ô‹}þ¤-:Í™þ¢ÊýN³¬.ŸÐÆL./ Ð ;ß©;;5¤ð
+ΙŒ"1óhB6é{‹Wª¶ÓÍÀÃF¤uáè>)/‰Ÿu]^&ñÕnWß{]£ªv­›]Š
+.©Ô®ýŽÖúËxmÕáM2ûMº“ºú}Mþö’îøKùI•íHpUÕÝV7W°WÔÕÇmÝvKuXé±äþ˜½¢ÊIMŠM^¾'<ú'\@ðXœ›Š¢Ø&ä‘3‹¨…!n£Ûzw©Ö„㔉0ä÷ƒùuC´õ羸S;]u
+´ ²gíW€Ùtn¯8§Ðê¬oŠî`Ù´ÐnÞ¾d4½é¦Ô˜ë6kŠÞðhžmUµq ÃŒè6f·®>ø¾Øô¢‹ˆEPöä½ÞíÎ [ÕM\¡HbZÐü—&9A×èÙ8É‹5Â1hq»²ôÖú¨¸gS"U¶ës²ÃiìÍ¡:ÓmkÃdMcFÔTw<3Ò6
+‚!æò&tÏ
+™XDËU7ÚгvW(šL7ÈJ™
+KÖûcâf±$îf ˉ&Ägqdd<h< ;‡'ȨÜc>’ᮨl–­÷L\Ø&¥¨ŽhÊŸzœ†»IEC#Â÷#Ë!$â)IcûIlqر!pRPGÊQŠ
+ðeÏ¢™˜…¢“Yéî^ëŠØOŸ– XøÎèØò nEȤ/ϽgL _|qzBHL÷IR9XÞžð*bS5«Š æ<\¢}Íû½±üÐ×ÕsêÉô¨>‡îy”>q<à Ã5&XHUKטpB7à¬ìÛÎ:§>kÚÉÕöUíê8ÞѲ ŸÅg@ÀÒ4G¼ìªïêŠpFD¬ÓaëðU‡!b¬ø¨±­¦< EXÜØ‹álsôgX)¸H=Ð8-°åä1ÍW‡N»ÖSÎßürõÂûåeD+Òiitm¤½S­ê;SÉâdþs íÞdAµM×âµ;i0"ª*¸cºmê_ÒÇNkÕ…:ŸÔ6*GŽd8[w¹3]©p•'¥úR”}9ÜAxOmŒ™mÁˆ#.,ÃE‡/D!15ñÚ‘¬/©á=¦:× #x\^@/Ô¹„slÉx¸µ±yŸÙ“Š†£a­“cƒf½3LÇNEÝ 9U^µq<8þBo+OѸ-Uæ•yd¡+ûò©Xô7¿Þ.í“Ø›vçӛɥ I˜UKNÏéÂ&öÑñ°~É
endobj
-757 0 obj <<
+1021 0 obj <<
/Type /Page
-/Contents 758 0 R
-/Resources 756 0 R
+/Contents 1022 0 R
+/Resources 1020 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 764 0 R
+/Parent 996 0 R
>> endobj
-759 0 obj <<
-/D [757 0 R /XYZ 85.0394 794.5015 null]
+1023 0 obj <<
+/D [1021 0 R /XYZ 85.0394 794.5015 null]
>> endobj
154 0 obj <<
-/D [757 0 R /XYZ 85.0394 638.3105 null]
+/D [1021 0 R /XYZ 85.0394 479.27 null]
>> endobj
-760 0 obj <<
-/D [757 0 R /XYZ 85.0394 600.2421 null]
+1024 0 obj <<
+/D [1021 0 R /XYZ 85.0394 444.0186 null]
>> endobj
158 0 obj <<
-/D [757 0 R /XYZ 85.0394 433.5475 null]
+/D [1021 0 R /XYZ 85.0394 287.5734 null]
>> endobj
-761 0 obj <<
-/D [757 0 R /XYZ 85.0394 403.0897 null]
+1025 0 obj <<
+/D [1021 0 R /XYZ 85.0394 259.9325 null]
>> endobj
162 0 obj <<
-/D [757 0 R /XYZ 85.0394 351.2066 null]
->> endobj
-762 0 obj <<
-/D [757 0 R /XYZ 85.0394 325.7421 null]
+/D [1021 0 R /XYZ 85.0394 214.4637 null]
>> endobj
-166 0 obj <<
-/D [757 0 R /XYZ 85.0394 166.6305 null]
->> endobj
-763 0 obj <<
-/D [757 0 R /XYZ 85.0394 141.1659 null]
+1026 0 obj <<
+/D [1021 0 R /XYZ 85.0394 191.8161 null]
>> endobj
-756 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F57 624 0 R /F42 597 0 R /F56 618 0 R /F58 627 0 R >>
+1020 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F23 678 0 R /F21 654 0 R /F47 874 0 R /F48 880 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-767 0 obj <<
-/Length 2286
+1029 0 obj <<
+/Length 2336
/Filter /FlateDecode
>>
stream
-xÚ¥YY“Û¸~Ÿ_¡ÚK‹ƒà×>ŒÇcg6»ŽãѦ*µÙJ„$:)“”e%µÿ= 4@‘æp¶¦j„£Ñht7úëل›ȈD)O'qI™œ,·Wt²†¹wWÌÒŽ(R½ž_}ÿ6â“”¤&óÕ€WBh’°É<ÿu
- È 8ÐéüþîÝ,àŒ§tzó—ëóÛЕHàúÍ?fŒ±éõû›Û78õæý=6ÞÞ^Ïâp:ÿåãíýì·ùW·ó^¾áZ¸ÏW¿þF'9åÇ+JDšÈÉ:”°4å“íU(‘¡n¤¼º¿ú{Ïp0k–zuÂ(áΩ”O#©”|¤™’HpÑk…ÏF)è¢Þ‹jçì6
-÷›¬Q¹m«e£:KPãïëºÛ`ëçl¹)*ÕjµÀæb`: xD$èÜì:ß-¬I¢)þÊéBë*Ç1ÜÛe½S8V¯ðì@pòZµÜ73–L-a7cÓ&«Ú]Ýt8²UËMVíÖ.ØÔû2w»âؾU9° YÜ‹&§KGõtƒÍàŒúT¨_ô°·ó3pªéKTGÛnl«S¥ÚmêJÙ¾ê–Ä*id!à'Ó8ém#¬mîªUÝl=ÖQÍÕ´Ø1JÎþU_Ì$(»·_‹¶SÕR=m¡»m¶["¡Œ„ a$ÂhºMÝvÌÃŽ‡„F©´T˜ö’K‰±pB1¹ÈQîøõòEï€-*,)\s§…U]–õ¡×]aµ‘å¹ókçË
-<xÈjÀUaZÆCy$#”J§†*Û‚-ëjå‘=â„G‘ÓÅ¿(å¥ú³‡grF’4„K-(Œ
-¼¢ÿVÇY]ú?'8ò_ã†Îƒ‚Þ•´ŠÊuÝÝfk×n³e°Íå+Ÿã¶öZkÂï~ʾ¿•7ŸÞ¥ûSݲOŸiÆ?å×?üð. ¼»ýþÊïRÃs{ÊO¢½Ô†
-{ÙlWÛG“uŽ¾®Ê£n1hÙ¡v¿Ó\ÛO/Ž8üúîý‚CýnúpÆ[:œð°W8³V•j2ËÄ\Ô_ë O{_è;ˆ(.†_dņßLÿÈÁ¶úX)ŸÝNNqvYo·ª2Žˆì2K¦@Aà€Ï’0–ˆgyž !©%]X™«º
-uSÚ=Q,Ï¥2²ŠiÝ8qìíƒÆú UrÎÇ”ö4]ñÅÝJõà-Ëðg †îÅÀ¼).¤eÝøú‚ Ê}Ï{qô©*
-P )ÝaaíÊX®..é¶e¨@çvaæXµm¶v+Šu…ZŠÍ=‹®¥Ô©ÎKŸŸ—¥át™UØ€­‹ÕÛöþ„fƒ¬³¸¨Q4fÓ»ÕcD8„¦öË%¼Ú—åñ´6¾ÊMHˆOlp=€{Õžs±ÇÔíÅ…ˆ`z_às§.‡=·]³o
-®ËŠ
-G³ÊnwJÚ—¶‚¨
-´Úrx¨zŽ'È4p<„”§\Å ^¯;Ÿw¥$‰x:…!w)7è57‡F”ÑèQ&î! ZNovQØÏ{ÕZM™Û<Z1¸FKáÉL£=EYbka§{l3³¦ ˆÃP»SK $Љ*/Üx#Eq(¼¡¸þ¦bÇŠ©Ë‰¯ €5-úDŸç „µã
-û mÚ’šÓ{6f°±ü¶Èíöø#ìÀpБÔÁ”=¦CÖocliô½®¬U¸ Rã‘_ŽoŽÏ%<›X|Ó±½ÉH8eÐe$mdŸÑl:ƒoAYë¼òÚ$uؾàØÔåc)z¢®ß´rÔˆ{pDN=v²‹Q‚Â7#ó䃚zT0³®ÊFaÀ˜¨
-×7?a#Wzº*´›Y&ý“E8|YÔèIAwîBK  ‡‡•‡S ‘(´ó`ãæèã’BúÑ'Ÿ<\À®¼éô«×Ê•Œ#>`AÎÒð>A(©.€Ò± îw9„ǰ؅ŵǰ1‰X/ÚBÍóŒa¡Þd¦y»I^uK}ílU¬ ŒAui­ÕCÖù°4mÝt[æ¡}ûÑcºˆÇ%XÁØÁ>ì™q.W€ä*÷j†‘8eñ%f×¥<^ÿEÚÊC¶Ý9ðv¯v™ÃzãTVõfÄS^»3Lð%zgiÔ˜é g{äuéÕó^uúŒÝ]Y-ñòðb‰ÜõëtÕç‚…MÐ|ióE<dí%.Ž£<©7©lŽÄyè»Ñ©¾ÑýåxžR¿°K—i–=°ÂUŒÂhüTðÏYʧõþ,¹;dÕÙºËèì!õ¾;Sö>yîêƒj `öœ‡k7í«!T}°«Ëbé+9#@ú’!ècòyöC
+xÚ¥]sÛ6òÝ¿BÓ—HsŠ‚—éƒâ8©{M.W«÷Òö!‰)E*"G×éï» H›¶“ëxÆ‹Åb¿b¢C&2™DIÀ4z²Þ_ðÉÖÞ\™{¤yëåòâÛ×*š$, e8Ynz´bÆãXL–Ù/SØÀf@O—7×ofs)d§—ß/Þ/¯~‚©æ€‚‹Wÿ !¦‹w—W¯péÕ»¼¾ZÌ¢`ºüù§«›ÙoË.®–ý;®,s/~ùO2¸Êœ©$Ö“[˜p&’DNöVLJyHqqsñŸŽ`oÕm•‰àLªPŽEŠ1¡è„…JªN(‚ÉÙ\pΧoÓ²M ¼çSšcÚäUio ´TŸ
+‹UæÉKÄ[¥µ™‡V‡ŠëéÛª¦C7—××D¸9æ嶦ƒ‘5œ|J‹<³7µw‚%Zã݈ªÅŠ‡û嚧uÝî„Ë—CaÊm³C`^÷îO÷mÑä‡bp·xJôA/Q<11æ€knºṉ&ìþÚÚdÀ‘ ÕÕ€¥¸¯šÁ-Ñ9Ší¯Ó+ƒß½3 Ç̶h&c±˜)ŽØ¢¨+ËF$Ü¥Ãhú{YÝ–8DâO;¾ÇY<m ÖìGU»Ý‘ö­YÄ’©0‰ál{ä~&1b«Z² ².ä«#R'ÆÀó"%ØÜÓ=±Pá×_—˜í,&Þ­@΋%†²ÍÒ&eÝ:Ûr^¤B¸?û¢÷ÄËêpB1´Q‡0¸:«·cИזã¾/+gtÚzòz——¦~Ìwù®3Ð8DC5(ãT9; Àz] ÂœÍÂB"ÃÅÀˆÚÎ$íæ™°n]ªcƒ½.ózOvU[dþT„Y;²ˆ:Öôtíñ¯w؈׾^¾ŸA|Ÿ>GqÔõŽF)ÌaW•†æ¦Y?®ÙéF‘n®ËMuÜhÇ?¡oÂÄ ©¿ú/sz6Ó Hœ^}ÎëÆŸ'£ëõ>Ý‚.1èç9C$¼ì â‰r2`<L4aÙsŸ’H˜Ò‘êQB6å½i+¢×iÜF‹Î
+êÓ(êܵ>WP s!ã;•†c$$ÕK 9¼ÊËÆÅv_ûÀ²s[;ðX^áÛ2ÿŸK7
+r¥mÓd-Äô—…½!ª>.Ù14 sÚ˜zRunýŽ|[¢”"ç'CÖ-—¶ëx>œÉò
+%Øõæ1$¡#ÂR»^Û¶(Nçc¬òMæBBt&ƒû!¹—õ]*tM;^ÝcT?æÈþö_šƒ.CEÙ‚µ?‡öþsmîçå§S°2<¶|Ö8JÏL]\™æÖ˜'Ím…›0h·‹¤¨n°>åwfeÇû¶nþŠV›ª nwžü,5•g¿¾²‚zÊFä|yvnvfÄÉ…P„êÿÍľF8ŽÕ:‚©H$OÕ:‚é(öXTãåwk±ë÷ÝÅÈŠÏUÛý“cˆGJö«,ùd•åE½9´×LÖ*,Ô:æf¯[øí”Â{Oí‘(P^üùw«†·çÖ5JèH•¦'­hé@R5Šmuß6¸D-ŒP°ÝêþXÓº|ÉXUú¸ ˜wsàe•¡eÕ \“ºG€¦%w.Ü#‚í ª1Èßðž†Ù3/)Ó¥ËùC™òN_Œ Þõ˜u%,P±zº„Wô%7È5s—Æ,c5Ðe™¨KY=·ÀrŠSdöckj’”óæÁŽžG8)g5 θ͋G+Zîr›[um@äS0€êƒYS"¡„®XsýhJrq2üªf‡Ø´íÄg`€T‹6ÑÕ9˜Âêa€;§jîo~ÃÛE“.Þ5.ß¹ÑàrÐa€N÷VÐ3‘uÛݳ„4PCeÚàs¹eÖ}wC@^Žµx«aðdDÐg]^Zåm[ztÀ.h»±æîö# 8X]äöçöìÑ>n!p<A„ÚSñt˜DwŒÓ¥“÷¶$­HÅ´ÖáÐ.‡ž3f#ŽÍp¬¾êÚ£ÅpyÚ ûE¦"ˆ^´©œÁ· ´öV¹pEŽ/!8«âé’ÇöoV8zD(
+œ>$fN ;ëÅ Á‚ðÍÈ=ù d
endobj
-766 0 obj <<
+1028 0 obj <<
/Type /Page
-/Contents 767 0 R
-/Resources 765 0 R
+/Contents 1029 0 R
+/Resources 1027 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 764 0 R
-/Annots [ 773 0 R ]
+/Parent 996 0 R
>> endobj
-773 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [389.9997 61.5153 458.6717 73.5749]
-/Subtype /Link
-/A << /S /GoTo /D (dynamic_update_policies) >>
+1030 0 obj <<
+/D [1028 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-768 0 obj <<
-/D [766 0 R /XYZ 56.6929 794.5015 null]
+166 0 obj <<
+/D [1028 0 R /XYZ 56.6929 769.5949 null]
+>> endobj
+1031 0 obj <<
+/D [1028 0 R /XYZ 56.6929 752.2692 null]
>> endobj
170 0 obj <<
-/D [766 0 R /XYZ 56.6929 769.5949 null]
+/D [1028 0 R /XYZ 56.6929 663.7495 null]
>> endobj
-769 0 obj <<
-/D [766 0 R /XYZ 56.6929 748.9393 null]
+1032 0 obj <<
+/D [1028 0 R /XYZ 56.6929 633.2462 null]
>> endobj
174 0 obj <<
-/D [766 0 R /XYZ 56.6929 700.6394 null]
+/D [1028 0 R /XYZ 56.6929 587.2939 null]
>> endobj
-770 0 obj <<
-/D [766 0 R /XYZ 56.6929 671.7552 null]
+1033 0 obj <<
+/D [1028 0 R /XYZ 56.6929 559.4406 null]
>> endobj
178 0 obj <<
-/D [766 0 R /XYZ 56.6929 470.7895 null]
+/D [1028 0 R /XYZ 56.6929 362.928 null]
>> endobj
-771 0 obj <<
-/D [766 0 R /XYZ 56.6929 441.9053 null]
+1034 0 obj <<
+/D [1028 0 R /XYZ 56.6929 335.0747 null]
>> endobj
182 0 obj <<
-/D [766 0 R /XYZ 56.6929 233.8866 null]
+/D [1028 0 R /XYZ 56.6929 132.2109 null]
>> endobj
-772 0 obj <<
-/D [766 0 R /XYZ 56.6929 205.0024 null]
+1035 0 obj <<
+/D [1028 0 R /XYZ 56.6929 104.3577 null]
>> endobj
-765 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R /F57 624 0 R /F14 608 0 R >>
+1027 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F47 874 0 R /F39 858 0 R /F14 681 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-777 0 obj <<
-/Length 3192
+1038 0 obj <<
+/Length 2907
/Filter /FlateDecode
>>
stream
-xÚ¥ZÝsÛ6÷_¡·“g"–$~LŸœÄiÒ›¦½D½››¦´Y¸R¤JPv|ýíøe&éÌ,€Åb±ØýíÊÑ*„¿h•ë TE²ÊŠ$Ða¤W»ÓU¸º‡±®"™³ñ“6ãY/·Wß½IãUiœ®¶‡¯<ó<Zm÷¿­_½½ùe{ûázëp׆ë›×ÿ¼Ž¢h}óþÕíkzýþ#7ÞÜÞ\gÉzûë‡[¤„ÌK‚TVnÿ~ûïëß·?^Ýn{ùÆgˆB…ÂýyõÛïájGùñ* T‘ëÕ#t *ŠxuºJ´
-t¢”§TW¯þÑ3ÒÒ%h•:³¥$ñ*Š‚Bëx¢]©ŠiVéõ&
-Ãp}Û¶MëðP°Tô®6qÄ…NiÍöh@Q¶>·×Q¾nvÆ9[ß3­9à7]o?¾û)ÎÞ×fÏíL-ïãÞ®¬y2ñ1îRu<`kYjL[VÜ1-o×:¸‚¸È×ï<P~qáæxgjáß5“•uSoðØxÐ^axP>Cœ¬ËÇ’eä®3-†Öñ 1ú›Ÿ?ütûáw>…:<4í©ì¸ßË“mUqëN8ó.Ý¥…£oÐíNF»ãT€“º‘­.õÞ´®+ëý°ná|¼Ù®¡ï´ªÂn—ôëµÿ–cÑä’€L7 ß“u»¦þ†ñý¥-;ÛÔ(¸
-Áµ\‡…'¬îdÔ|>Wvg»ê‰û_Ú{/ÌÏ«Þ$Ô|_“sòÓï-^õ`Ð!Nð-ùãÎfgqÃôûkz¶yë$#¶h*Îq5~ØZTœ­ü™±-*7öA¿zd±´BÆöÝ“Ì«ù{©ÿ¨›ÇšWýažÈÆU’³š‘.wunj',ÙJˆ¡ñŒd›Ëx´Ýf©HXBCŽ÷j>w y’è½Ysw×ì Os¦ _Þ¼F§‰òL! ·ä~‹h¢Aèö„öLƒ*äÕÑHƒÐP~É"ÊîÒï¦pP|¨*ÌÖû†8’ÊÊîËΠžãP”>Ó3,=ÃØPz=U£ …‰H#͆ÙD³0(š 3ÒìÂ¥‘žzŽwHÅIJJJ´ß Zc'ÃÃÄöLÅÃêAÅБ“$šGá@ö$CÍ¥svï;þòyqzU5tHXÔ–õ=©5-¾î¦¼’c¥½ËS){ ôO\yÁp”ÝŽòÇFÒ b¤TŒ]V1N#ãE¹EJݾûéö³gUÞ±)x$­\(ÂÍ]°Ãrÿp‚$M¯î•+1E¤0{hÌt
-÷(ž?š58q(0'qÜK8ª(8ûîXÖÖ˜z c:Ü@pYá0vojƒ!ÀN‘h},GLfvç}ðï©y°{l˜zl\ç((G¹ÆøcFT’ð
-6þ$“›økNp[x³^üseé$ÃH‰¾ +Pgæ‰LSŽ<OÜ96(¸xJ¤`¤¢i¾¢+Ò
-Ôò‚ÒñSF‹ÕÙúå»÷¯yB!ËOçÊœÀPÏoêJ7µŸ ²DáE6s’bé0T‚®'Š½3øo¨[z6›·¦ªNôÎü pŠùŒqoHÄ|ý²!wC§v^¬á†€Îí?/¶·RM#«ÊÙ»d²8AndîE¦8ýMNo«¬ºcs¹'gˆÞÕ^C(åÎÒºøò“TKrã0{Ä\\o.Y€t ˽+B6øù/\ ¿g
-c[vò3ÓSQ$…ʾn{`Ýàä2i”~ðN(A„‹áFÃMP€Ò¦áSòìj$€¼ «Á°¸GyHid¨ì°?£’ ).f˜ù Ï.Nt…qôͳƒ ×%‰G1ó0ùÌÃþ™B‹ÃHDUÉqW³ÎÄ›dŸPº¬1öÛm5÷`á|–†Iš|óxi”ûûg)1*TN¢Ç`v‘wWö¦2ŒNAÞ+BÄM@ËÊ÷XÊ\1äÛ\9 õ^Š3€M« MáÝI&0dÄ ÷±†œù[î4 u²dÒJ³·¤om;ËÞ»”¤ }¡»«,½>l“#…oèüt¢Õ{
-N£µÃ ™‹ŸÁs ÿ$¿^L+{ᛀ°ºÈŽ@BØÁ/QçNÓY˜*Ïrüs‹GEÇœ¡Ësœ0+IÜ'îø!™Šx½ƒYª ‰ÛFG?Èѵ{Ln`F•¬íGÑ<è *CLâ„£,™,hkMÝ•èùX¼E$2©-|ñDÐu>óÒa.ÐÀƒ8¤Ìõ†£­¸N’®oy±DrÐòAì×Fî8ˆÁÂsÙ¦±ç’B,Nå
- -¿Àéb0Áñ÷Ü8gï*ýðÛ‘Ý£“ÂWþŠt`öÑì.­íž¸‡jfÁ ôW¤pâ> ánîìÒ¯bZȼ}$]iÀý±Î§žêŽNB‰fž€¯ÂGΗ›ÉO^ðåÈ¥ëÔ'S½„'ð›â™@Õ{\ùÙ&Cˆë£töÆíZ{gdŒÕ âå0³ç˹s–ù:ÊÌSôáqf˜æ»Å—û®æÌ_`,Áï+«Hæß €p93¡ä®ßˆçìFÅzM› µøñH9®é 'pcÖ—ô©´Îœ…ôVyd*Wx'ü W«
-Àsí ýý¯˜X»Goᦿ8¤S¡9ÁŹ¶ö­,!_9~/|6å‚?¥A>¬ҞթOT^Úþç
-8'&StÒ\n-ÃjýÒIû2ñP·‡·”=LÄIáS™Íqá ³ÑEâlskL5ÆÎ?RŽÀðÁÂ6·*Kuž4a—ÓË"9¤T0Õzý¾¡è’jïlS@ÓÁ²ˆÈ÷ÍY¹‹wè!81 _ne¸ê½\6O”~ž÷ ?¶ÉUÆ£_è›öNŒº—-w]Cé3Œ7ílÁ³9ù^âÿ[áò…ĹtRè¯Þˆâ('7B?.ŠƒÀ]ÄnÇÂy«F¡$rú†A–fÙÒ¯‹³ÐÄÁçj0e[Ù.ö·2ŽÖ»æt'Ʊ`u{Tžƒ—ÖÝ⨖þw*þÃÅÂZ„ý?Süßÿ×1ü#K’*Ïãá_6¦y^äq‘y¡Pwq4—¼ÿç¢ÿÝÕ;endstream
+xÚ¥YYoÜÈ~ׯ˜·Œ
+PÈŽ‡•U]mÈ-@Ð^c((Ë„ëì1ëíº6o€1 ÿ/ÒF@÷óÕO—WWÜù¤Œº­›CÖr¿ç|&=eÉ­Ù™Oi»D‘½A·;e÷˜mRÕrTWíó¼£Úëä“(Í®º­j¸
+i~3^áŽð'„n¯AhÏ4¨¯öG„Î @¶$Jžµ]†Š@PtT­âõ¾¦F…¤‡¬,03¡žIsHŸé–ˆžaìF(½ž‰*ŒÑ²‰ˆ ¤‘fU<Ñ, ŠfULš]0sÒshPÏ°£ÇRq‘’Bã΂ÖXÅáà˜Øž©xX=¨:"Ihx*2xÀ{×¹å_–§#ð"!aQ“Uw¤Ö(ýz˜rJ´q!OG9€Ò»¸vŒá(‡íÄFÒ b¤TŒ]V1N#ãE…MJÝ~øéòsdÕ.°i'<’ÀV:ÊpsFDËöÿ‚ HÜ$ÁÚâY‰SD
+o™€ÂÉfߪµ
+Òl~ÆóxŽÇðû¦ìÅÍ$LÉÛ#™ddRç©ÐâÌ ‹ *—¡5ëLJlÐ…¢©¹ÞqX à„kÁy ò¥YÂ(ü¦x‘Ÿ¸ûß õ%[»Ê‘h¬Có.µìó2wÕ§‰"Å;E¸’k+ò{ïJbÈEÝYWâé•”Nü@{Q¦3y ,Û4ÌŒ‰¾QceÂ%“Ö†&ýVE[pÀÄ.½ "F¿ÐÝ•y¶)–ÂoéÜt¢U{ÊO£µƒ‡ÌÙÁ]”ú.þ] çs—7rú¼ËNN"öD“x&ŠÒ:ŠøǦ Ê y–ßÌZÞîšßîøC<¥Áz3ƳT:Þnãûì£j÷°
+Â" +Ì:¤¢Ž¢yÐ/¨lÇ%AÚ€–LÀ区j3Œ|ÌÞ"‡çÝÀ‡¶¨ó$J«DÐ'à9ÆqH™ë G![q©$Z_ܶž)p@Ë%±\¹á$ Y°¦8f”bq*'(Ë+I'@-*®o`ÑË¡b}šn%ÉíÁC›CáRt &þŠýÞ__ákK3ó/ÙNÐÆ4ðÓîG°lëp
endobj
-776 0 obj <<
+1037 0 obj <<
/Type /Page
-/Contents 777 0 R
-/Resources 775 0 R
+/Contents 1038 0 R
+/Resources 1036 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 764 0 R
+/Parent 1044 0 R
+/Annots [ 1040 0 R ]
>> endobj
-778 0 obj <<
-/D [776 0 R /XYZ 85.0394 794.5015 null]
+1040 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [418.3461 669.297 487.0181 681.3566]
+/Subtype /Link
+/A << /S /GoTo /D (dynamic_update_policies) >>
+>> endobj
+1039 0 obj <<
+/D [1037 0 R /XYZ 85.0394 794.5015 null]
>> endobj
186 0 obj <<
-/D [776 0 R /XYZ 85.0394 769.5949 null]
+/D [1037 0 R /XYZ 85.0394 648.2128 null]
>> endobj
-779 0 obj <<
-/D [776 0 R /XYZ 85.0394 751.9762 null]
+1041 0 obj <<
+/D [1037 0 R /XYZ 85.0394 619.5539 null]
>> endobj
190 0 obj <<
-/D [776 0 R /XYZ 85.0394 586.2284 null]
+/D [1037 0 R /XYZ 85.0394 445.0359 null]
>> endobj
-780 0 obj <<
-/D [776 0 R /XYZ 85.0394 552.101 null]
+1042 0 obj <<
+/D [1037 0 R /XYZ 85.0394 407.9434 null]
>> endobj
194 0 obj <<
-/D [776 0 R /XYZ 85.0394 373.7735 null]
->> endobj
-781 0 obj <<
-/D [776 0 R /XYZ 85.0394 339.0798 null]
+/D [1037 0 R /XYZ 85.0394 220.8457 null]
>> endobj
-198 0 obj <<
-/D [776 0 R /XYZ 85.0394 207.963 null]
->> endobj
-782 0 obj <<
-/D [776 0 R /XYZ 85.0394 174.5031 null]
+1043 0 obj <<
+/D [1037 0 R /XYZ 85.0394 183.187 null]
>> endobj
-775 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R /F57 624 0 R >>
+1036 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F39 858 0 R /F21 654 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-785 0 obj <<
-/Length 2942
+1048 0 obj <<
+/Length 3089
/Filter /FlateDecode
>>
stream
-xÚ­]sãÆíÝ¿Â9yrÚì¿Ò'çìK.i/­ít¦—äi›‰TDÊ®òë ,°+RZŸ“iG±ØÀâc)u.á§Î“T¤….γŠDªä|¹>“ç0öÍ™bš¹'š©¾¾;ûò}ªÏ Q¤:=¿»­• ™çêü®úifE..`9»úx{{ýîb®Š$1³wß^þãîúæb® DDryõ¯ ¥Ôìòã»ë+‚Y¼¿¾¼ÈììîÇ›ëÛ‹_î¾;»¾ Žw¡¤Añ~;ûéy^Áf¾;“Âyrþ /R¨¢Ðçë3›‘Xc<fuv{öÏ°àhÔMjEI¡ hàT-ÖÄÔ’"5Ú8µÜ=ÖÛ •ÏjÜ\:[ïú¡dV®úŽp [vëõ®m–åÐt-=7Ã# 5Ï«ÖMÛôöºmOƒÝýѦ$¦í@e[}Ùm™Íc³ªˆì÷®eÞË˶ýºPñ°û¹R¬¨ÝV~­÷=ØÏZ°PÖ̓2fÖ×Ëݶö4Òå°ãÞ3`ÝNÓ´n³®½'4‰ÀD|æC#÷n€*éÝû¢–å¦\¬˜è»ÕSÍ3`‹‘M Û‹|ÆF‘³fè ¨Ê¡„½%Á‚ #ý³bµIØñévÁ# n—Œ!ýËY¹#}ù>ÉFþ¤³BØ4ÏAd”ôê–h&>§¬°6ñ$ÄsÙ¹gÅ+G’Uõª~>’vM;§Ôœ(”MAG…ÚnÙ÷(º±zÖ èÍ
-¡Ò¬`ŸªÚŽö6þP·‘%SpR[(¦&·ï¶åzzfv}ÍI¡FÎHäƒb{vÂ<©Ê¦.ˆGK
-2>œê p€8È
-7q^æon/o¿½T"ÐŒô}÷ÝjÕ=‡À…%ƒ%á°‹’YšÏÍ0av¦ïDZü4Åé¼J³Ã¸ÒHÔÿ)Q_÷Ê] i˜mü/š¨ HC•Y2Ýñ4ÎSˆ4ó’žAv‡\ÐvǦv>ï ‰œ"ç'ʾ(@™˜¤MÅÊ°Ù¹<+g˜=WuO¤m„ðxà“£yµ[ÖÕWõ©TŠ™B¾ŸÊõ…”ÉJ›´G¤xÉR‘éµfTAP|Ûô%t’L’õÔ Ü7Ûæ }'"´hŸ½~–‰|>ìÆÈ™[@WKLùø„¢„ýÄ!1òºAz8D`(`U…}O¢Èë'ãd‚12ÄÜãYnÃAîIH¥Xjlî6sw%”Ž{{Ì‹r#Ò<Õå(,Ù²ID26sÜ 1¦z+ƒbõò-a!h GWÿûUÂë$'cx x°–b̳­ˆš´ä¤CÄ”¬(‡seíÔP<6ã! ûâ1˲¯ÙH£ü¯fÞo9…Àâr´†z!ª¨<™•–÷ÿK$Òä aô”„%í‰5×Nȯ£ç(ÂåÎó=f=qÖÓ>nãvv‹ä*ô ˆ˜&éI‡GÑ2ìñÅÈi!Ä%‰ßaü|C©i¥Šm.Z†X=Ù¡ ×hpŸ“Ý&²D$Izê /Á¤,k)+F•zƾƒXî°Ez×5€âø·©·Cƒ'GQ5‹dÍáx’Us³îëQ;æÈÁ' ×›ºäåXŠ<t€ƒœ8åYL”/'W“KorS!b bè»^ vÁ”M «)è͵t¹âÓ–ûb¡²púÞOX®v•Ëâ~V$üh#ŒLÌ+^“‰´ÈÓ‰ÛôÄe×#‡ÓÚÐ"rÄ_>||÷·¯bõ!”r±2™O‰}¥«ú?Úwiî»nÁUCíÚ¹O\ýߺ/<¿ÇÍ2¨Iþ|÷ÅÝË¡˜Âåù\©€ŒZu`í>–µ€òÉÇt±zˆ êË“¢8±©„àÛq¥Ùoº¶jà`9'’ìð9îa0>÷»…ë[xÔ;³dg–jtù2`ùžúÄ CìÆ’4àî¤ò¥ ‘ÕÝ9œnwŽÕG æ#^AEÃ_fÒä³Õ h8-ŒO
-Ÿ…)¡½´’µR„DûÂ?.L"ðo‘ÿGÈp´ÿçcþ€Ù乎ÿÑBg9$eX„…BÁµ>‘ÜÿmãTôÿù endstream
+xÚ­Ërã6òî¯Ða«F®Œ€
+F;·béù»Õ¾^:WG’Э¼ø\õpƒCçˆÔƒçãs×@;ïê':ÀŸÚÆuIœQ$Ú¦d ïäÔí÷¬Ü_ͼo ݹž‡!Jz  èÒsLc¸ÈJ¥4)/q¥Îík×1ŒëÝŽQÀHׄݺžK^ï±ÝlÚ®Ië<ŸýîöšŠ±p(‚të:®Z÷ëÀü{·/7ø’Ã©Û Sôë’71 ò¯ˆ¶naÍSvdõ+×u|üÈ|>^Å}Ümʺ¡¥²¸Ô¶U®/kfléàœ—E:÷'µ¬5Xu³™2ƒUÙ9oÙY•wU ÜEë¬(ewY¬'<
+)´b’vÇÖ˜8hÝôÁ%=À‰‡65j)Í4E$/÷åÖõnß¡G3¿m{GC$e‚M‘¤I2¿ê "Ü!NúÍ={KEyã:rc«•‹ÇwjÉŒRV%¼ûåñ¡ÝÿV7O„­xËUßîŸi¼ÝŸL8£gß¹U¼x-Íòù8é\!©5Ó 4RMiÄ$©´éH#hi:§
+&@íç¿òéTQ8åÔ¨!–ýGøÌ€õ'LÝTxLæýLhηjÌ>ïC#þ€*é=º Vå®ä|®ØñºvóÞñ 8âÄ¡úý%¦'Vcíã
+–‹ (Ó·cŸ¡
+ı¥ç±|,Ð…µI&ó± bÀÊdX³á;  2)†ï*†^â¸×)ÒµÓó9¸ArñR™%èCí+†”
+U‚Ê€
+9a¼Áçïî¯î¿½’/ÕEDDÍP \(ÑX¬±³‹’yf¡­îG›„éÇa,?O±Jx«
+µ©/÷±DyM˜—õ—%¡·@Åý¿P-”…*r3>ñ8.2ˆ4‹’ž‘w\ÒNǦö6ï¡ŸÉtœ û²
+z +r²?Dnc²³Py &åv(¥¼Tê9Ûb¹ÃÎùâQ\×
endobj
-784 0 obj <<
+1047 0 obj <<
/Type /Page
-/Contents 785 0 R
-/Resources 783 0 R
+/Contents 1048 0 R
+/Resources 1046 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 764 0 R
+/Parent 1044 0 R
>> endobj
-786 0 obj <<
-/D [784 0 R /XYZ 56.6929 794.5015 null]
+1049 0 obj <<
+/D [1047 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-202 0 obj <<
-/D [784 0 R /XYZ 56.6929 684.186 null]
+198 0 obj <<
+/D [1047 0 R /XYZ 56.6929 769.5949 null]
>> endobj
-787 0 obj <<
-/D [784 0 R /XYZ 56.6929 655.2772 null]
+1050 0 obj <<
+/D [1047 0 R /XYZ 56.6929 747.8139 null]
>> endobj
-206 0 obj <<
-/D [784 0 R /XYZ 56.6929 387.8252 null]
+202 0 obj <<
+/D [1047 0 R /XYZ 56.6929 540.916 null]
>> endobj
-788 0 obj <<
-/D [784 0 R /XYZ 56.6929 356.2664 null]
+1051 0 obj <<
+/D [1047 0 R /XYZ 56.6929 511.3349 null]
>> endobj
-210 0 obj <<
-/D [784 0 R /XYZ 56.6929 153.01 null]
+206 0 obj <<
+/D [1047 0 R /XYZ 56.6929 239.6059 null]
>> endobj
-789 0 obj <<
-/D [784 0 R /XYZ 56.6929 124.1011 null]
+1052 0 obj <<
+/D [1047 0 R /XYZ 56.6929 207.3747 null]
>> endobj
-783 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F57 624 0 R /F42 597 0 R /F58 627 0 R >>
+1046 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F47 874 0 R /F39 858 0 R /F48 880 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-793 0 obj <<
-/Length 2675
-/Filter /FlateDecode
->>
-stream
-xÚµXY“£8~¯_áè—umMa$qFÇ>ø*ß7øš™ °9lÀÞØÿ¾®öìôÄĆ#L’J¥2S_&J‹ $ñ ‹d®$Êó€/éÞ [²ðXëd2ï¹Ð{Qª¦¼T>X’Y€BIÙtI +I ¤¿–ëíêXiN_ß!Ï–9æõØrµ1
-sx‰áX²|*¬…¯@*›$bYŽZ*[ÊÃQé5W”žN#JlƒJÝßÌx±­Å”zÐyŠLƒÊÆÁ}²—OÉ„~cYF1•sOÙŽÿEN“CX¡v°ø†C•¹ó
-¡1PÌ8×î”™PêÓ5ü²M_yq[/á7ág‘-CIøŠl²ˆaFzèlr£Spà§<
-Åš“ùïbÃGáØv²0~òL?fîL×ÍlåÒåUßuöD±ˆÊµÎ”"\z¤_ÈS¾sPY¦F@òˆ0ü ¦¬³:Û„2#Çòµø”Á†òŸÊ¹fdj£€(ÑÁlo1/ÍYBh§ØB'ÖbçœIeiLF€²ˆÄ;ö@¾ù9R¢ƒ©;$‘¿ùŽ=ðɸu
-ñÒA6J8®ÉÜ×*lwuK÷
-ymNiËŒ#J™Q¬m0’m3
-½˜ºîF™‰ŠmFÙœ¼T<8F϶™ï âPò4ýèôÀO‹â`j–A™d3Ò§çü/
-ôÀ;d[áDf.èçÚLª,‡m>#Ç3a‚0.¦~ÂY܇ŸlÓ!óÔÏJrš÷YáåÅÇ‹X\ÕðÁã‡Âû.°lùß©z 22‚þÚ F&§#"\I‡xFE/ψ¢ZþIçdö¦©yDmϤŸ/|FÂG=ôdzªW(Φë½Ë<#p€{tøó*†¼H ôðøV®¸K¸
-=Câ-Ë„Û»‹Qµ¡Œo³³ljÞNšiÜníj}m¯ÎûŠëóëêa·²ìí›°mº¡×ßÚí8ªûÕúTbルÕ4QV6f£xg¡,3GXzA·¿iÉ3ý¨‹®ÈöG÷¼œ¢Á3WUçÓÍÞ´@gÜ9†×Cë¤îº6·œõ6;³Âñ³ÞIo[þEåwævÁêÆd÷6xæµS… ºUç¦x’åÅMéãèÝkþ®&È~LdqöÖï©Êa¢¡8«
-ªÌy{:¹ÎôÎ3‡Ç‹~ãv«ãº·únô†RwU¶>­Žc&ýÁð¶l¡oß)®îÛû~ãÙ)äÒêFˆà”ág¹úGt—ºh¡A_ÒÏ9Ñ ‘Lš¿”P@ Ð|šWÍ;àï®N^O3„Ï2¤ziV«Úu<Чðʶ7“9·0×5!h6–o!;|oc+»pÖZuêíæzMÍàæE—F+ÙÙZÍÓQ<¯+·ÖZ5š­á"yë®o§ˆuÕC|±v­‹­Î
-@F–yîùµ6Rð ‹…¬‹Îc±®ŒÌg<ªú¼ôXS |^n¡{õÀ‡P<
- Ç
-þ‡åæ׸`•.%‰ÅßDŽ¬[:âJÂr²Œ¨HNýüô?eT:(5ìM©àP®öýSoêį È°"¹ßÀ% @ŠaÖ©Ë´Ã¥¬“ÁŒý+dqƒÿh /}^ÚàÑ´»NÅÓ¦sÌWÄ–égia¦éü
-ù2éÐHëÃñåŽOù¤xçpóäè'Ó¸#øå‹a@¯#¤¢9™™U?ÜPÏ
-‹~ÙNá&¿°ýPº¼,àúðy©ú·áŽQ'³‚ðì‚–½Ãôo_&>h"I‚Ådøb| •ÅÂßED¿Ã}ìýÞ8“*˜þ_þ]Aendstream
-endobj
-792 0 obj <<
-/Type /Page
-/Contents 793 0 R
-/Resources 791 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 764 0 R
->> endobj
-790 0 obj <<
-/Type /XObject
-/Subtype /Form
-/FormType 1
-/PTEX.FileName (/usr/local/share/db2latex/xsl/figures/note.pdf)
-/PTEX.PageNumber 1
-/PTEX.InfoDict 798 0 R
-/Matrix [1.00000000 0.00000000 0.00000000 1.00000000 0.00000000 0.00000000]
-/BBox [0.00000000 0.00000000 27.00000000 27.00000000]
-/Resources <<
-/ProcSet [ /PDF ]
-/ExtGState <<
-/R4 799 0 R
->>>>
-/Length 800 0 R
+1055 0 obj <<
+/Length 2920
/Filter /FlateDecode
>>
stream
-xœeU9²,GôûeË@@Q ‡!é¡%bd(dèúʤ—÷ÿ(žÑ¯
-’$¡T¬)ÿ®ïë¯ãïãÇ_¢ýþÏaíÏc‹®½Ú¿G—=ûÌöÓ1ÄF¬lÖ]töö×ãqu‰Ý¦‹÷5š”<8Ç—ý:\;âúãñ‰ü<q¸Í;.\ži2c¶û~ð¶e¸í×qc¸=7Ä+Àg ¯ãã×ctéa³ÙL1ca·cu™šm QOƒ½¥ì-¡{wñ¨¼&kñÄÞ
-¨9xcH
-¤Ï’ÃigÙ¥—ÇáC6uéíÛ&”\Ê GTœ„Méêö–KòlÜ’Fyu|?é%åiÈ¥K”êNÊq{vˆ*êèJE¢]8hÍò¤p0R±ˆ$Á(+Á nÖN¬
-qª„Ñ«ò^ÿï>‹«>÷— .13×…Óƒ!¶3¢SËAÕ”ih¥Å¨Š^…(€<Îm䦽ªšÛÆlLÊâ³ò7Ù
-г2"ïE9~ 
-n*Œ1½÷¨¾x¥Æˆpîâ‹&XîÃœ§³±è\íD¤ßä0}#XŒûž˜‹¸À>#^V°¡|2Îi‰9ÊÎr)`˜¢Xh¡Ò& „hb—H°Œe"Ãê
-þrÓGçX5¾ûû8‡´ÕªOª«t–Ô³$Ây°‰—BÒ›ÀÄ5©/¨vp÷o`kA“ôr ±ñœÓ4N.4Žæ
-endobj
-798 0 obj
-<<
-/Producer (AFPL Ghostscript 6.50)
->>
-endobj
-799 0 obj
-<<
-/Type /ExtGState
-/Name /R4
-/TR /Identity
-/OPM 1
-/SM 0.02
-/SA true
->>
-endobj
-800 0 obj
-1049
+xÚµYI“«8¾×¯¨x—qMua$±FǼ=ï;xëYlÀëÄü÷Ñ.\™×> R©T._¦R¼òø^‘ã‘*¼ÊªÀ‰<_Mÿ…uð\ó¤<ÓGž«ª½”¿#ùUåT J¯Ú&'KáxE¯šõ[©ÖªŒ´ÆäíŠ|IàÞ>D‰/Uê³7
+PEáuJº³Mµ·?´ÎKC{h˜·ðˆ¨w|ùíþÕÂÆt^x©ŠøzÁ/<T¾ú/‚ˆ8Q@(£x/Ó—ñC`n–.-òŠˆNT \àŠÜ"ªœ„ ¢n±‚8¶ÍØu‚{ØÄ ¼ å–É2'ŠªŒ÷"ü×ó°¹dxqÈF‡è (¥Ð:™v:Å{ûÛIJ
+,2PJVü ýÎóгã'¹7 Ï»= ³¼ó—…8%mkÇÙ¾T›mtŠm‹˜ƒÝ’Zð
+ÃXÌÀ˜V‚'Ëó6á(«’ôeÿ§\?Âý%¢7;¦q$2§ª¸B=9\”þ‹ÃNäŸû[$”÷7–y6<×Â~eoF_lš¨¢œ÷ž
+1æ"6ŒS´Ð—5ž(P à2 ýIÇIÎy ¥Ü¤Î‰Ä ¤~‘øп (CNJ&“Æ€f¢€
+jæð|j=ŒÅãÔ"Ÿõ?9x³ðåë]–·Ö—-
+c <Ê$;Tgz.ùó2+VEçÿ*²s©ú´‰eÇfä®?Ó“=ýð™)1ÜÔ~[=3'[7u“š'<Ü‚tß']õÀs÷D°ŒJÕö€ô߸ßV~!OõAA%•MX!m1!F•ÚÝÜ‘t°F’Ö˜”1 ŸV*–ö¬x*íäðd[L£9KÆ)Ù†‘‹›;÷œr¥iLf­‘ˆÙ©–ˬÀþŠ‡Gù=ئKù«“ù,•i‚1ëv NÐʆÅ
+B*³]z<J/T¢ŠýAa'‘cÜHRCñˆŠ9ñ%Ii´ŒK0©ô쌆içé„ñGí%
+½„™îÅ©ŠÙÍJâŸÚý/A$­‹ XïJžvŸžè´È!¦=%’`Ч/ÌÐO›cßíŒ1ȤÙLXÛlFN¤ÌÄ!9fÄî!nr{LXótãK/!1WШË~$éÇÂû!á«È?©xAæÈã»'DœŠob”¹L§DN•eR9Y@lâït"ƒMnb’šGÄvmv|‰ô"‚
+–§rst¶ßÀ·ªè˜ß¸oL2î‹Ù
+‘J>½ý¥Ä€âx€äg/ØWÃ?àƒ×$Wa†ˆi†T.JŸŽúæ^ùÖz<æöª*…úâ=âÇ}Iì®·Ú.šƒ•Q™ø£mcµbê|ayIy)ZªîÆiœŽòyU¾7WºÕhæ·÷Îê~ŠyO?$g×¼lõ)E¥µ:]}½.ÇP3ûÊá²ðv|Ã] °þ}æïZCAœÞ¾:dè]}Sökrë¼¹,[åª a3¨!ËܠÛ9€¡#Ü.÷¡:w¼þ^Þ­7s„½{v#­A±Ù“§ÚX¿W×¢_ Û$Ås‚›¦·b Î¥¶·Ý•T;~¿ú•Ùjy×ÑÜ«”AÏŒœE¹Ûo4­r¡‰îéü]8vj7ëäÚ­Óþ´D-aѯ˜“÷«k@fbÐÖGg¿Þæ¥:/oçÖ}xŠLœÖ´­×Ú «»ôìú:)‡`¨yµÂÿ#ÃûgÐþo€ÈÁONß Ü¬Âáæ@ï÷¾ìËø¢eñÙLÈ‘Îk>*õúdTá íg8ƒ©p Êmg¨ª£Z‡Îýb^‡ÖÀ¸ò2èe|\ãñ¸ÂÔUé§é|Àf³èÝím›Z0hP+œ{zûÞ:³º;Î Í/MÚ¯BÉä‹žÄ÷åqœÍ­ïŒkJíÞ wýòH®Ôo–m#õiSG±k ­)_æÛ°-UQ|y_®¬»·ìíNs#ôëvÛÛ»µºáz9Žv·q‘B¯Ê{5Ùqÿ¶ì¶ZK{rf;®»öxá[GgØißϸ‰kòRá5WgÙÙªQ­½ |Ð$Hw®½QžZ½< z‹÷:ÒÞ+2Bnu–­Î¶²ª‹=QwÓQ¼ê´ìzM¿Í—Ñy´²ãU½=9oëõ¢ýE8íž×[ÛÖ:º/5¶ûû- àt JãÉ^ٕݶâ®°/Œæ¿~Í$³d`ÿ+°¯øÅ­P~5ÇqÿéO„¡ŽPÑ_ü#™þç?X>ÿSÂê!EŸÿ<}`ä%¬¼*gJÑ ’¿jþø'æGÕÿ ¼!Xendstream
endobj
-794 0 obj <<
-/D [792 0 R /XYZ 85.0394 794.5015 null]
+1054 0 obj <<
+/Type /Page
+/Contents 1055 0 R
+/Resources 1053 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1044 0 R
>> endobj
-791 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R /F84 797 0 R >>
-/XObject << /Im1 790 0 R >>
+1056 0 obj <<
+/D [1054 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+210 0 obj <<
+/D [1054 0 R /XYZ 85.0394 717.5894 null]
+>> endobj
+1057 0 obj <<
+/D [1054 0 R /XYZ 85.0394 690.1986 null]
+>> endobj
+1053 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F39 858 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-803 0 obj <<
-/Length 2020
+1060 0 obj <<
+/Length 2379
/Filter /FlateDecode
>>
stream
-xÚ¥XOwã6¿ûSø°ù½˜%E‰’rsg2múö¥iâéÚ›ŽÕ‘%W’ãÎ~úH–dMzØä Aüý´šKøWóГøÉ<JJÎ7‡™œ¿ÂÚ3Å<Ë–iÙçú~=ûî“ñç‰HŒoæë]OV,d«ùzû›ˆD,@‚ôî5‹¥JïùóããÏO ykš¸ ï÷÷‰JK¥ŒÔÞ‡Wë»'š XÔê㯠¥”·zøpÇ>><ñénµˆoýùéîyñÇú§Ùݺ³¤o­’ÍøköÛr¾£šI¡“8œŸa …J~˜¡a u;“Ïžg¿t{«në¤÷”¾O]»/ðç*:€Å¾ÿ„†aë?p…”迷֧㱬dŵïÀl®{±‘ó¥ %ÚIef¡£ñ³;åùW$W“ôšÒ<'bsªª…Š=[4Äy[û»”~a·,£¬5É(w4Å:U¤KTS²äí–Ö¼)-¶“+—-!yY~9k¦¢qJ‰$ }gÜ={æœ9ÝJóº$êT[N¹Î›½ÓlMS sÒ/Ìþ×ÉVY»|Þ[vzµˆ½SQdÅ+KžO‹ñ)›ô˜¾ä,­þZ7öpQ>‰öc§ü§²P¼yNbèÕ™|#?h#Ë }zaæ²pA‚ùüÑY¹)I(øn©!­Ö{KËäXrÁƒ‰•¡ñhMf|ÐÖy=m\"
-‰zbT[\¦Ý†Ž¶´Ô«£Ûøw­àr¯V`’r¦AûmÖde‘æ´ò;TZ‘½@Ý"ELˆriCëP2[šu)ˆ"ö–Ð74=ôÕ±¡÷ƒtdG#Òê˜Nà´Ñg¾my
-= Ýíä¾ä1ímöiñjk`&êÐwàë&n1"*ñVÅWšKÇ<ƒØC®¶¹ZhùHƒ„>[>°("N¤SÝ80hÒ‡;›0ç@æXO’ÅÛÛÚoÓœª‚Æ)-!Á€ûŽ¾¯€Ê…»Ì|ïžYiÕd›Sž¶¡£XÞ
-:|›ÓÈ¥³f,F! }“"]Õ…ÔpO}´› 3ÜÖ#9ðhȺDÓã&Üý "X-ôDn¿y¤qE0.öïAö†o´hä®DÄq”8Îýütÿ¾; Ä„· €èÉž¬ÁÄÈV ü W éÕŠÃÖã8,êvûßÞªo„¬§ƒó[d(&‘é,=,
-Y訔w;xác™÷rBôøf˜ì9§º:FRîÒ¢oÚ‡[³Ÿˆ Ò@Ë@q¯q{»ƒ¿[•@ý›X #—+e„4AÄ›Òz„Ž=›¦ ÚCÇ×íOUtût|  äp%ÿhAýEþ÷òÔR»—:œŽôMyqP^8‘ñBÁg"M÷v+ªí¾¦¶bÛ×WÑð8mëuuó•è^¾uR÷ç ³JC[•^™z±CŠ±"xC]‡>€¶X%zÔ?‹ ‡… q›"Y«3” Uêâú'©/6³Á§¼aîþÇa$é¾E¶\†Û•y^ž»XœËSÎQ]¾e[Ëݪ dŒ6 Ã× –F—;ôŽ™~Mqɶõ2Îæ©Jbá«®ÞÇ*Š(ÔóŠ qø¶ÂÒPï «ÃÿX¼ˆ-|•ùbÊqZ(!ßû‡ò‹áïI§uˆü¸~r¿n—Äߧ~„êÆò&úÙáÁÿý{áå§Ô ›É†Ã0‹A+å¢\iÞþ°x­úÿ
+xÚ¥YKsã6¾ûWð°ªÊBð"H:'gÆ“8•õxmMöÉ¡1w(RCRÖz«ö¿o7¤(šv¶jì*£4~|hÐ"àð+‚È0“Ê4ˆSÍ".¢`½=ãÁ˜ûùLxžeÏ´sý´:û჊ƒ”¥Fš`µÉJO¬ò?BÍR¶
+F‡ê/Ç’Ý¡ nŽ!‰\°?xRˆ8¥3Õ†ŒÓ°Þ`›„Ý£øº<´øç¹¥©²h;›ÓlQõìEK#v¡xøïl»+-Me—ô´Qˆ¨t^W4¾ËšÅRó°+ÖûhHÀó‰M]w44RÇk൪€c& G›N¡ 85I“`ßWÁQj °Ž¹ü}QªZߪ"š)mä8£8àŒuœ€œ#p>õÀ¹ßíꦣŽsß4Ñ݇ ˜T& ’€àÄ3ó›Í¾,ÑÜ„-Ioi"+K"Öû¦Yˆ$´UGœq˜ÛÏœËÊʨ›mK2\Âר*ÛZ¢ºÚKÎsØúEY•ÏΗ…”uýu¿kÙ\¼\{Ë
+§;PYÙÖDí[ëïšÁš£ÝlKCçÞf_=û·½mŠ~úðh½Ñ›E¨¾P¿öãY5Ýeíº±Ó>CúmÊÇ,U2qʨ!“¤ThÍCæËiÀóJ&½a<¥Æ»m!–êÊù ¨Kø!Šº®In‹YÌEx÷áM+eQ¹Ý$ÏžVÀ0e3dGÜeã÷0³;œŸ:ˆŠr´IÃuY@8-Û"·4Б 3N6´Ù4xÈ<‘­ûp‡;ú°d[?Y¿åÆÔ[Dœ!i`Ëeâð—ú`ŸlƒµƒC0fûî±nŠîÒ';o½+rEÒ‡)P­m@Xë;$eåDý‡`(Ì¥ÒzÞu]uYá údÞd09'&+HÈÎÚg糋"Ô^)°u{° ->1tȺ3¢ç='GžÃ
+ç3{œÖ/µZ0)¢t¤mQu3ÊJ,ž†Š‰´Å,Šãð£ÛÔín›¶¤Õ&²÷ P)MxŸPQ2R-ÿPTYóL|eö`Kçgslj:˜Ï`)ù&
+¿Võ¡"’°Âx©]Û5ƒØ‚XÈÁç„
+ûŽFGÀÑ! ô‰%d$ªæ7x¤€ÇZ¿÷ºÆ‚ª³MÑš¢pçL‹g’ÑÙÕ]&ü{V9)2Ìv»²X»:¿¥ŠÅÁÄFöaŸ×Ô­\!ľ/µ‡ãÞè@&ÉàDcöíÛÒOm)}í¹7y/Ý]Ç3Ç"înßTx¶ÔÝØZB4Lwìj¿
+c˜,/<+”Ÿ}åI®0zy'øí†È4H¥Ôb#EˆM4nM†·K R„ßs÷ÝîóíÌÛ¾Q
+Œª •æ©°ßÛxÐ}´Þ’{ÜÔâX£¬Á¾ÎΧk_©‚ÎýZk§·Š8< ˜x$”{<ÓdóÅ?oîF¯Þ9^пÓÆÀ7•‹¸‡ë¬èkªK&™xñà1¬ƒÂ,þÅÛ{àú -^JC-˜Ç>1~Wº“Å©;"<Âx<|æ¾^¿‹R ÊÿF7u>µÇ›J3 îðÞƒë|¾vÁZЋ`E5XÔ;(!Bªñ¢É%Jcî……¯(jð¹&0u]fÀ+x±ÉÆ OêpVª+.\”yj_•ÅW{"DO¯RÕ¼!¯ÝÙuydÛ¹<"ŠÆbγa|ú<ò5Z¾¯ÂOU@dü˜t–Àçä“O4è”% ¥éß>Þ]ÿŒŸ®ð+‹_Å
+tÒ“'--$¤ƒÞ:Û­…k"wŸÜTx½ñ¨¡ãà:wá¹™ŠZŠ œí†ÐEôz82CT¼~1ŒCÜB—×Ñ¡h±óþ½×=ÎxKoö¡N¹¸ØÀÏ…HML´•‰}q7:ñ‹²v‚µ£3ÍÃT’é(–=>˜ä>ô/Îz:¼7® õ9 ñÿ2þ鬊Ó#Ò‰ÂÎ~Gmæ'O’
+?Qù=‘ê#ÏgÙ¥XíÀÕXu¾ŸõùŠ¶€$y&zT¼çNª ÿµwQŵ³»Wdî¡!æÁûî¥ë5”ÓÂ}…×ÝlÆ`DB"zÆ^gÈŒ}Ò]„£Ã™ý÷eç-ª]™¢c$È6
+£”òåjÎ$PšÀƒ
endobj
-802 0 obj <<
+1059 0 obj <<
/Type /Page
-/Contents 803 0 R
-/Resources 801 0 R
+/Contents 1060 0 R
+/Resources 1058 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 764 0 R
-/Annots [ 806 0 R ]
+/Parent 1044 0 R
+/Annots [ 1063 0 R ]
>> endobj
-806 0 obj <<
+1063 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [349.4919 566.941 408.4801 577.7254]
+/Rect [349.4919 384.4828 408.4801 395.2672]
/Subtype /Link
/A << /S /GoTo /D (ipv6addresses) >>
>> endobj
-804 0 obj <<
-/D [802 0 R /XYZ 56.6929 794.5015 null]
+1061 0 obj <<
+/D [1059 0 R /XYZ 56.6929 794.5015 null]
>> endobj
214 0 obj <<
-/D [802 0 R /XYZ 56.6929 769.5949 null]
+/D [1059 0 R /XYZ 56.6929 594.1106 null]
>> endobj
-805 0 obj <<
-/D [802 0 R /XYZ 56.6929 745.0977 null]
+1062 0 obj <<
+/D [1059 0 R /XYZ 56.6929 562.6395 null]
>> endobj
218 0 obj <<
-/D [802 0 R /XYZ 56.6929 552.7519 null]
+/D [1059 0 R /XYZ 56.6929 370.2937 null]
>> endobj
-807 0 obj <<
-/D [802 0 R /XYZ 56.6929 524.1722 null]
+1064 0 obj <<
+/D [1059 0 R /XYZ 56.6929 341.714 null]
>> endobj
222 0 obj <<
-/D [802 0 R /XYZ 56.6929 397.0585 null]
+/D [1059 0 R /XYZ 56.6929 214.6004 null]
>> endobj
-808 0 obj <<
-/D [802 0 R /XYZ 56.6929 368.4788 null]
+1065 0 obj <<
+/D [1059 0 R /XYZ 56.6929 186.0207 null]
>> endobj
-801 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R /F57 624 0 R >>
+1058 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F23 678 0 R /F62 990 0 R /F21 654 0 R /F47 874 0 R >>
+/XObject << /Im2 979 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-812 0 obj <<
-/Length 1920
+1069 0 obj <<
+/Length 1913
/Filter /FlateDecode
>>
stream
-xÚXO“Û¶¿çSø¨‰‘ÔßcÒm;yÓf:íöÔô@Kôš™ô3¥õÛoÿ
-A®¤Ç ÓIÈ !íÙ9ˆêu2¼ )Špšæ;É*
-®¨kÄI§ˆ =ŽÁ,0¦X O‹­0ÚŠÏ>n–üùøÛv'sÞ4ѽÁ¶¶Çô±àʾrž÷sTÆõ7»ÎÜ.¡Å„(׎žvƒ6í@ò=­:’Œb
-¹,ƒ ³Š‰±gìÇ>¬‡R$æÞ¤w:Qž¥¼uèD<t¢ßcVfcÙƒ)¯ßÓ‚x‚õ+rÈ"‚ò+°˜æ!ÉMH«Î{Ù*LIQ\׺W8hGR:Žn2€%µøÌ[«SYƘ\ÝU#E^À>ÐýþrV®[Ù¦€(f j68+éAe‹ÙÚ欺Õ2koZu1k¾fÉß
-ÕVµ2,Û è_ç³î:ù¯ke—U)¯Å5¡.Þf2g)¯ò2*j£Â‡u(碚Û)/ò<hPCûáìÓR/j(OÆÅ2VPˆûµ"iòh,XˆÌEíÐ$[Öü# ó…Ê 8‰"ËšHá$âˆÔAˆF
-jSlïíùn°+¼²±œ Ç9hÉÞY¢Zy’þ–hJ“60;Kƒ(±šßŽúÔ|žVü¶¨å8XcpQó
+xÚX_Û8ï§È£h\KòßÇöfoÑÅ]±èÎ>]ïA±•‰P[ÊFöäæÛ)JNœqºE€˜¦(Š"©)³M?¶©‹4M¾©š<-2VlÚá]¶y†±_ß± “"-r!àeet[ˆ:-j^m¶×J>=½ûðOÎ6<KË’›§ý¼VYÕi#òfóÔý'ùÇAGuzØò"KŠ‡ÿ>ýFÓò´ª+†Ó2X¢H«&«ý„§ƒ"áOŸ¿<ÕÐã_úù0žþã«r¶åQ+ËS‘—<h-EZ•™Q¤ìa˲,»è¿¯. ïNòôt‹M“6%/ƒj^§eÕ2ø¡É’“ìô¨­‘}ÿ
+ 5e"Ç^·™Ž8ù¢ª’R†x½6ßUGôY—Äpã´#êôÀêd6&’y^~<È1LQ¦s×sÚéä4­[&_þ  MꤕÃÍávK›¢à~;£¥ýKzô¶•=‘­lÚ<Ó‹‘Cð£S'´ªÊ“tÖWA@Æ ¾Ï¿¿”[«[Ó*¤ªD›Ñ[g»©ÅÝã¨QglípìÕÿôøJ lid<(bÍî˜Ð½Ä;’ÆV9÷þa 霸©=ÐDéHfoûÞžýý1Ö¤6.ˆšnÍ+_>þûØ/¯£_­v¸Üσá*qz˜úQe'Gzk¿OGµ{âWr¢æ‰ä(Ï꺰C§\
+veÒÖNϬ—ê¼g¸rÞÊ.ÎèŒÈ¢h¡Á¾¨îý<æBh%ÒËÞ:z³á˜èáhÓ»>HÅôÑhÇ L8[Ú,²j¼œ—D>Õ/…T¿—T„ ¬ñØ€0š&îm´Ù­4DÈÞY¢Bž¼è.ÈÜ&ò0§5¤RP¦†³à÷öÆ'çSʯ†í°ÓF^b ®Æû+ìY‰Óò¸ó†_Ž;oDHàJz+ÞI©!úê`Dñ:™Œ¡£ Q’â™ÞR-ÅãT!pº
+M&PÄqíèÙi7jÓŽ4¾§YyŸ"A¦͠ì‚d,"û©ì±‰kkÒ;¥)ÏR^Š:”&JÓ×9*—“²,Jן©IW؃È!6Š‚O
endobj
-811 0 obj <<
+1068 0 obj <<
/Type /Page
-/Contents 812 0 R
-/Resources 810 0 R
+/Contents 1069 0 R
+/Resources 1067 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 817 0 R
+/Parent 1044 0 R
>> endobj
-813 0 obj <<
-/D [811 0 R /XYZ 85.0394 794.5015 null]
+1070 0 obj <<
+/D [1068 0 R /XYZ 85.0394 794.5015 null]
>> endobj
226 0 obj <<
-/D [811 0 R /XYZ 85.0394 769.5949 null]
+/D [1068 0 R /XYZ 85.0394 769.5949 null]
>> endobj
-814 0 obj <<
-/D [811 0 R /XYZ 85.0394 576.7004 null]
+1071 0 obj <<
+/D [1068 0 R /XYZ 85.0394 576.7004 null]
>> endobj
230 0 obj <<
-/D [811 0 R /XYZ 85.0394 576.7004 null]
+/D [1068 0 R /XYZ 85.0394 576.7004 null]
>> endobj
-815 0 obj <<
-/D [811 0 R /XYZ 85.0394 544.8207 null]
+1072 0 obj <<
+/D [1068 0 R /XYZ 85.0394 544.8207 null]
>> endobj
234 0 obj <<
-/D [811 0 R /XYZ 85.0394 403.9445 null]
+/D [1068 0 R /XYZ 85.0394 403.9445 null]
>> endobj
-816 0 obj <<
-/D [811 0 R /XYZ 85.0394 368.2811 null]
+1073 0 obj <<
+/D [1068 0 R /XYZ 85.0394 368.2811 null]
>> endobj
-810 0 obj <<
-/Font << /F42 597 0 R /F43 600 0 R /F57 624 0 R >>
+1067 0 obj <<
+/Font << /F21 654 0 R /F23 678 0 R /F39 858 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-820 0 obj <<
+1076 0 obj <<
/Length 69
/Filter /FlateDecode
>>
stream
xÚ3T0
endobj
-819 0 obj <<
+1075 0 obj <<
/Type /Page
-/Contents 820 0 R
-/Resources 818 0 R
+/Contents 1076 0 R
+/Resources 1074 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 817 0 R
+/Parent 1044 0 R
>> endobj
-821 0 obj <<
-/D [819 0 R /XYZ 56.6929 794.5015 null]
+1077 0 obj <<
+/D [1075 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-818 0 obj <<
+1074 0 obj <<
/ProcSet [ /PDF ]
>> endobj
-824 0 obj <<
-/Length 3061
+1080 0 obj <<
+/Length 3113
/Filter /FlateDecode
>>
stream
-xÚÍË’ã¶ñ>_¡K*ÚÔÆ›àæä×&냓Ø{³]ŠÂŒX+‘²HíxòõéF)Q£uF©ré
-£óuóä?«™žßã7ïÖ>àòXŒhxðO„¯¦IUDjš‡)ªë{dY‚å&²ÚÊ5@;3_Ãø©òO-{³ÐÂ&ŠaÕá0D B
-§‡8Ö¾üHÓê!¾Zûçø²¨‡xÄ‘´°êðI(+_w›øU…$na!íuh«úqÌÜÀN¤Åtæ0yðEw =Ú¸ÒêM«¨óË`=Ú LMŽ-GÎ5*
-Îth<jp°
-Ãb(³a%Öq:öj4u„`øæûiɸ§µ 8ñ¿ÛÅT‡d—ª¹Ÿ¥Ôžê ¡xrµÛgÖù¶cÇ“8áÕ)ˆk6.â|AM
-ðÎÌ ¿¦¦J2Ãó,*j‡{QQì Uu€ò%eQéËj[l®kì?0™R" =6™ö´RÕôû–Ö?›C¨0à Ÿ› #¡7­ßû¢#x+’ e×N)êÏÜð³?à R ®%¶@Ú‰"Æ@©äLªƒ †bT³\«|œHŒ°
-·»}Uड़§õ°Q˜½ÿ†¾$£c 0¼ÚÑ¥c Nfêö©\C¸.ìŠâñŸB<¦LGq\ùMµ­:ºÐDys>ßÑ»*Â@¶Ȭ7Ï´B²-›-ø¸±î&ä
-2ïsf¨¢#‡¸ŠéoK‹^àMjX†Ãªiµ>lý¾*i¹Z»öF!‹ T:gH-£É´y®¦]¼Ö…1¤ç0_Ëp”ø\<B¢L lÏmç·§—¨ézÈGO¯nþ÷æi1uƒÛb…¬ð>b^ãcÕÒX74¶]Q¯èžxE+[Ð’!çT-¸`‚áË(LŽ½ýÕ”$†$ÀY
-9/{¢(^xæ9œ:Î}=îŠDýp³–`7Uý1ÂÂ>“GÑŸ^¼î¯\sÍa·kðN©áèQÚÖê,
-Puçã0ÿŒ¡27š/ý¦Á?l2Á¥¦ÅîyWA ™<Æ8ixIìØ#ÄB–EàX™”Ǹy’VíßÀWuÓQÿºRjüÃe‡¹UææïkzÓ6ô‰EK)§ B‰ßCîRµ "Ô+‰õ
-¾Ô3ᱨ§²Ë¨@IFmwœ²Lh»ããnÙѺلŠ
+xÚÍË’ã¶ñ>_¡K*šªŒ7ÍiýØd}p{o¶«Â‘8#ÖJ¤,R;ž|}ºÑ
+Waƒš)m%ÂÌ ™æLZEBµL€ap~ƽ¯Wq/¿£ÍïòI:pH^”ïÛÕª}Žòâäv -©YÕ]O½`ùÐV sø·ëª¨ý’XP»ëÓXu¬,óݤÔ_´ó.>¿Eúï¾û8øoAè…žh!™å^¢óÿíîç_ùd±âû;Δwfò 8
+h\±›f¢š%žfÊÁ¾x燈v œ0“)¥ÌDsͤæEؾr¾:–‘‚9 sÀ/’dÞ9—gv6`œQfH„@ê 8€Ñ&rf€â
+ñŸ‹S5Ë~ÐhÙx“áÔ1·ÏfNùÔP”yÃííø0^áS#íXð¹ÙVõïN• 7Ä£³œªð ôcV¸}ÅéíXM¯±êa¾Gž£^äânô«‰Í™…z¯ÝfØÅ\mM:ãLÊ!!Þ©ÍÜ:èùjÆŒ³1ÊSÆe¨-šy»r@¬ÐƒE¦Dö å]UX¨)˜Ä 7&>nŸ&Ôùqt61ÀŸÒ|¤hÇx‘žŸªù>#†DRýcõ‚]0¢ôœœ PW¨8Å6T#ù
+]·
+°Éä¾ešq6ÀBmã%Ħ+Ö€*È·º¾Ú^¯zÃà: ¼Z÷ž‰YP2îC† œÍÇlLé¿p0$ÒØbü
+-\Š_J@…eÏûuåãd~# ø.
+Hy‰¨Uc‹\`e*Y; Þ7hfå*óUÌ8ëÏ;xà ”èÚÞŠçßEž w¨µzÌsÖµƒëðL;s”=—Í⫬ƒWŽi}n‹¥÷ñ<¸u­™†šâõn=aœQf¶™CyÇ´,„îvÛ_MQØ=Ø#ïr s`X¥<ïŒå+ Ñè$nÅõ€ñ
+׸6VêC®ÏØ?ð —/P{Ya§u3_íþ)¦m8óÍDváøôFcE9#é1•õ ôq_Ü@ "ÆÙe&º{¨L ·_8É#w°QŹÂÕòl"^uŽ+E}ËJ\²¸È 6F›Àó¢]—usÉ”g…·ÅöÕ±,aœQ梙„”ÁQyî<ˆ[ÆñÌdˆgRÛéo»{jNáo×oé¨R›éó² 0ü\‡³] çÆ0&u¼|ÐtÅÍ·?üDãHÆ{Äxˆê÷r=ËùoÒñä/RêŒAIH×`Ç’1¾°¾êz¶ß#^Áú¬³)6!Î ê:R„?îÁ†t .õu•0Áj-¢ºö¸±çÔu€½ºŽQ^P×C*«y½.W×5öï!»¯‹—J Zí¶4R7}õ„ž5Œ.W»¤Á§ìOÏ FC_ºjSnËžàm<b+Pv]î6çˆ ÿb†F¤Â†®áðL¿ËœÊð°Î$¯)¤Ê1ª™×ÊVÆX
+…—×*Y€’ªxToôÙÓÿðv§ÿc”NÿH<“œþ¿ƒº†ÄôÃ?>ëØ 3Ã%dG(‰‡.GO=—áYZèîï§Âß:wwpäÜó~¬‚)!ìDZ•Û¥Â÷K³ž„q6F™Ézäû²‰ì²‚dT#eµMKwgìa¤i·²‡á¾òËqSÎY„àKæk÷ajf'•‰aÏ[D¼¡EŒP^²ˆ1‰_nJt0‹=3¶píÚ%×¾å\;’醈Qr.Þ.ÜÛ·°”΂CÑQ8±¯£€ÇÑúݼÝ`BªÊtå#H2ŸC‹J„â½¾6ßðn{Ëòs…=7-×õÓ®î_è}hUo©V$àãÙ…˜vôo½ë"º‡*uGØ)pjÁCàÔBàe"µ› …ÜͶ.ñ¥IEãa¡Ðûð-Í$¯£ã½Vø´¡—4sp4Ù"KÙóðÐÊMŠÉ
+1™0%ÅvQ­êuÝÓ+”7çÓ=}«# d¼ÌæiõB#$Ûy»?· öÂÈ !Cº ý7+pÄ!Žb
+ÜÑ ¤X*†aج†F›ÝºÚÖs®Àn~É€*íÃk¤s¤Yv/Â{+ß*ARth‰¯‡°•ø¿|‚d™þ€²½@)º>~”Þ à ùTÑk"7ý[ûœÍÛGO 
+³ÆGZP[ññk(ü[wÔ6-µ]_6 zü´ ‘5h Ésª\0Á03
+“ã…õ"GÌX€2Á K!§óÝ–(Š¯x¼‡]Ç^ 2Èíc™¨/Öìªn>EXX'»ÃîÅOÃ;"¢Ùmðx¥Z 5=J·[S­  2³¾ÍAèAøñ¡êŸ«ªÉ²œÈK’dB© ›Êó>”_>u|¶ô&2¶‡œ­Úy¹Š(FiÁ©Ï“Ã[ã’Ï{¬—=+K£z©Â©«Â&±ÂPÙ÷å|qh
endobj
-823 0 obj <<
+1079 0 obj <<
/Type /Page
-/Contents 824 0 R
-/Resources 822 0 R
+/Contents 1080 0 R
+/Resources 1078 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 817 0 R
-/Annots [ 830 0 R ]
+/Parent 1087 0 R
+/Annots [ 1086 0 R ]
>> endobj
-830 0 obj <<
+1086 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [356.2946 363.7923 412.5133 376.6291]
/Subtype /Link
/A << /S /GoTo /D (address_match_lists) >>
>> endobj
-825 0 obj <<
-/D [823 0 R /XYZ 85.0394 794.5015 null]
+1081 0 obj <<
+/D [1079 0 R /XYZ 85.0394 794.5015 null]
>> endobj
238 0 obj <<
-/D [823 0 R /XYZ 85.0394 769.5949 null]
+/D [1079 0 R /XYZ 85.0394 769.5949 null]
>> endobj
-826 0 obj <<
-/D [823 0 R /XYZ 85.0394 576.7004 null]
+1082 0 obj <<
+/D [1079 0 R /XYZ 85.0394 576.7004 null]
>> endobj
242 0 obj <<
-/D [823 0 R /XYZ 85.0394 479.565 null]
+/D [1079 0 R /XYZ 85.0394 479.565 null]
>> endobj
-827 0 obj <<
-/D [823 0 R /XYZ 85.0394 441.8891 null]
+1083 0 obj <<
+/D [1079 0 R /XYZ 85.0394 441.8891 null]
>> endobj
-828 0 obj <<
-/D [823 0 R /XYZ 85.0394 424.9629 null]
+1084 0 obj <<
+/D [1079 0 R /XYZ 85.0394 424.9629 null]
>> endobj
-829 0 obj <<
-/D [823 0 R /XYZ 85.0394 413.0077 null]
+1085 0 obj <<
+/D [1079 0 R /XYZ 85.0394 413.0077 null]
>> endobj
-822 0 obj <<
-/Font << /F42 597 0 R /F43 600 0 R /F57 624 0 R >>
+1078 0 obj <<
+/Font << /F21 654 0 R /F23 678 0 R /F39 858 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-834 0 obj <<
-/Length 3530
+1091 0 obj <<
+/Length 3627
/Filter /FlateDecode
>>
stream
-xÚÍ[[sÛ6~÷¯Ð>UîD0î—vö!mnºmÚMÝÙ‡¶“Òíp"QIÅqw÷¿ïÁU$ÑîÚÙÉ$„@ð
-`Áå]`…çL».Ú·–ØlA¨’‘Z!¨£ó ø·³OàANÜò²J(toËÚwAË7êÝæ²lüëí•ï»¬ºÖ·ª:}†—ݦhßqk®ç§Ï›¢ZWõµ[®äw Lô|ke©ˆ£fŸEF¤\!à ?*Qª12†_™@Šóh‰&Š‹>ÉC‰R RÒâ°)‰*$±ŒÝw~ÇÛMÕuå
-Ø&›¿Ø6¾»üXlnÖå³@ˆŽŒ‡p€O‰Pu¦sóI$Ž&VF[q9¡\"bñ-ïpV:KŒÚOŠ°ý“™F¦My[uo-Ž'ÉЖp‘D S!¦iGÒVy3ì1ì?-QÄ>£9q
-©LEa‹È#2£j¨ºGDAãÃysr1ýI#{ð4{„á²Çžô—çf
-^¨¨hl/Ü€AYQöÜÍã˜?b&
-s-—åMW\®í©œ(Ö»Ò¿ÚT×o;ß{µk
-iÓ´e‚&Jè¨t™ìÀÉ"ÚFZ·E;Œ ®¼µ,£ñ¸òæÀžÚ²ùP6£ÏÛ®hº:Œ@V4 Ž4åG#<fkRIÖEĶ76Á,Öë;ÿÛ91xº:¯/òÚÞðÖ…uà
-—ÅÚûB;rÔmóY(á"’ý=³*Èíâr\ßÚ6r„!ŠEÜÁ» 5Èúq1—H3Íçïªõöòüå³ Q Dyúæ»#DeTü,lóà…m ´ [pböÅÄ1ˆS¡#õ¯Ÿ`…×^áu•Ê AL1Ó~ùŒ±é¤ôM§:ðÈÝ@ꚟ¦ßÌŸ
-4`Í6'Y÷j!ã`þÂÃût
-ÿ°5°Ü^ˆMŸiºØðÜðH#ˆ0D»ã|îÉâ!QÇÀ|´Iz7Á&‹)FŒá™bÃன–¾`Ã9#¼k×ŇÒw¹ÀÚõu»KßreÄ èëÊS•¥÷7Ùî½ß(¬FWãþ·¯Òq4ìH+pü PÐxÞ¿RwpµŽ*m uÔ^©²’Pû‚§ÉÚ{·§"y“n'PgŒñüùjªâwE ¾­lQçð†¶U»Rº'•ˆýx™ÉÇ|‘¸ÿUá'}³±ó½ñ‡Œ¶DóWÿ8|ý¦\—H{üûϧ¸8ÐüãŸ~î¿EÅk_ƒÏÉ=Ÿ§
-Ï¿„§;NºySD&Ú1gë²¾¶gyöÇ¿/Õž‡º1ÐxS­âxÏåú?Èïuþëw|ÿüÃÝX;”Û~¿\þ/æÅGƒø¾*íåÁºÚŸå{Ë„ÆOmq3þ‘`­6y›oým‚MÐ(h®FA“ö@úošjS4•KÅàg¸b`¯4„ «²+›MU—áãå2‘·‡]þvÜÚwøk Ðø
-Ž*czî*y>cªrowM¥€ûš^U_vì3aÀ -ùô½íþ(„÷#OH¢˜ìÑò…¢Æ“* G4ž4:œtèÑ øTð•ƒI#gì^Ç™›…G™—?|àÃãè‘ÑسL‚4SLîaRoÔ“â¨{™45éžIãIóLêO:fR¨…YÀú¸çR¬iÿvöIHæ¶3öIFÙS/ÁÔ=Œêš`Tu/£¦&Ý3j<ižQýIC…ËyÇ°¯FYïÊ£|îAtÜQB†wxÆÙ…ôJUÙ8Çø a­ÖŠM³»7è8·ã û˜=5câõxÆ,«û3î+þÊ]Ë¢¶˜òfaí±q$‘ýM ¼L(åàqSýb…œLlm€š‡ÊD
-Äè=P±s\"aÌ}™˜.Éc4]V½éŠx7¸MwcÆý²^®·é^cD˦XBS8-ýÏ/™õã}?úÿØì9!Óšæy‘r°(wóY¬œ`ˆ
-$Í,ý¿LËUæendstream
+xÚÍ[[sã¶~÷¯PŸ"gV0î—dú°I¼©Ód“nœéC’ÙÐms–"µ"µ^§íïÁ")HVje¦³“Áƒƒƒs¾sL&þ‘‰Hj&Êp$0“ùò OîàÝ×g$Œ™ÅA³þ¨/®Ï.^151ÈH*'×·=Za­ÉäzñóT"‚Ξ~ùýëWW_ÿôæå¹âÓë«ï_ŸÏ¨ÀÓWWß^úÖå·—ß]¾¾þ~af¦_þíå×—oü;ˆ|qõú+ßcücÕ7—¯.ß\¾þòòü×ëoÎ.¯»ÅôL0³+yöó¯x²€us†3ZLàFÄ:YžqÁàŒÅžòìdzt{oݧ)rN¤‚MfZ"ª¤Ø?­Ÿô¡) RJèѬ3©‘$Øî ÖˆÒÞ–˜Þ–(ŽŒVD$£ÌíH±ËD+$˜1ÛaG…a­Ó"™E‚³>Å]î F‚ŽÙ[ÕëÖ2xñ
+:¶c …¶bv
+;êeu>c°ãW?øçö«Á ‚"…… U›åM¾Ngi)D†„ ¢‹'éÔMV4ž³²Xm¾ð?ÚÚ>Ù‡Ÿ÷ës¢§õæîÞw
+ƒWž±yÞ40‡åùXŸÃWUUTwÀ9–Ó¬ñOÿ]}N¦-˜,WzzUù7M½ÌmKLç}mŠ§Y¿oóuѼó#~Áÿöé'ð þõü>[gÀ÷:ü„ÏLy°¹±e—³ð-Ç–
+’ -!PP$î0â0íHÚ*oB<@TtŒ"ŠÂ4%"NÁ U?f|΢Œ8ìUC#Ú# *"ŒçMí‹éOŃ‹G€võÄÓýÇS3H/”îTI§Ø÷7§òŠ·ø ‘n¯W¤ö0­{Eú¢±t+~—?Ž×l M JlÇ=""ÁYŸbÂ-‚Z£ðW,’.ä`º0øeÊ·aÄš áQVT;`›Ï™R§[iGñ‰¥RìQ)†k­²ež'È9¢±ø°nbä¼j]`Kw± GZܹ"Û“ùG±iˆ
+Ýo»ù„ë2©2>Ɔî›
+6D(2D=±Rça×¾ÑB
+rÑ“I¦£ø„h˜õ€ýCÙ¤ñ&è¿_…K…
+±ç‹,=ø(!øW®ûQAÒtþuSE|ÛS0¤Œî•z,å.=b*HÊ(S1˜^ä·Ù¦LCœ Í»¢ÚÖ|<Pø—ÉÒˆFt…íŠf\ÐäŽ3
+†
+Y0!Ã\äýL¼ñK­ÔVë]z!0sÛd;»²
+aÖã+5”ç2ûX,7K‹Áï~ÈŠÒ{L÷sYo*[®Wàš“i7clFûkƒø¤Øíy—fDLÖ°µL=[ìÅYŸä®Ø9çHS€§nØ!±+¤ ï $žt€²ƒ U.;;p{m# ­‡¬†·ÞZæÑx\us`OM¾þ¯GŸ7m¶nCä0vÉ­u¤â˜“)aÔ°yâ°zeÓKFdûã˼¾Æk{Ã[Õ+œg¥÷…v$d¨õú³&PÂ-þD$û{‚+Èìâ’Žtµ^'Ȇ(qïÔ Ò¸1—F3ͧ¾ylíÓ.Q Dy÷Íw{ˆÊ¨øG0¶<š±%DÖ±'f[Kƒ8:RÿúÞÍá]ÑU!‚˜bT…ܲÏë‚""‚ä¾éTžöTÒ ¤®ùi÷›ù€8æÓîéCGWžk¶)IÙ«„ŒG^ßçþ¤0fÐ\n\ΕWóxXÙ¯ú„,¢wž™ù/$‰tmª¦¸«œq`Ù¥A‰„Â&E6ÓÁÔŸ3Z͹Tœc€&lJâ’"v’7ý© ‡ãJV6`’Çøv‰4Ár[aö;
+ù#jT{ï é&o:\‹‰P
+|+2JyÙ>zï’*_uãNV¾êSÜ_¾ðç‘£Ï,Â-˜ådüuŸ`Š0@Ø€ÁªNEËàæ¹`ÑÉ\.Éß…@†­Ÿ‰öb@¼,ºc›}HŠŠÆ”æhPÕ²‡jš8Å1t“rF
+Ÿû!ßø5”¡†Äö±9ä#°æüK$èîˆiõ6‹âu/ʼºkïÃûel,Ã’º1Ðx[,âx¿¶yùÖŸî÷:ÿµoݾÿ?S$±§³Ž.m:#{[KÃÖ~•Û+…U±=à÷& Ÿšì.…
+£M·šæÁ ñW –AÛ Y:mƒ&í¡ô¯ÖÅ2[.CƒŸáÞ½ç®),ò6_/‹*Ïçy{æïÌ•¾ÃßU€Æ YoÂ|]] ^Ô«|Ùî@D`l$ü˜JØ{LÒÚÖæœL‹Ô—ÖTWêÉ\k
+|>‘ªRrww¥—ûR_QÝ}¶ïO%¬ÇdþlcÿŸ†ô9Ì$¼BfÅä–’/Ž5žQ5qþ¡ã˜‡^ž€ŸÿÙŸ1ÊÄÞñu2Xx„¹úáž@ŒfžˆÑ'¤³³_8aÌS²90]'šÑtIÉô¦ &Ä,<}ÜJ&¶»ø$dtuëLûp˜Í¥XŠ[ܹ›gÿ ÎVÎ\!¦5M¯¼óð)»tFw8'è2I¬ÿ‹²l½endstream
endobj
-833 0 obj <<
+1090 0 obj <<
/Type /Page
-/Contents 834 0 R
-/Resources 832 0 R
+/Contents 1091 0 R
+/Resources 1089 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 817 0 R
+/Parent 1087 0 R
>> endobj
-835 0 obj <<
-/D [833 0 R /XYZ 56.6929 794.5015 null]
+1092 0 obj <<
+/D [1090 0 R /XYZ 56.6929 794.5015 null]
>> endobj
246 0 obj <<
-/D [833 0 R /XYZ 56.6929 363.2968 null]
+/D [1090 0 R /XYZ 56.6929 304.8746 null]
>> endobj
-831 0 obj <<
-/D [833 0 R /XYZ 56.6929 335.217 null]
+1088 0 obj <<
+/D [1090 0 R /XYZ 56.6929 277.1668 null]
>> endobj
250 0 obj <<
-/D [833 0 R /XYZ 56.6929 335.217 null]
+/D [1090 0 R /XYZ 56.6929 277.1668 null]
>> endobj
-836 0 obj <<
-/D [833 0 R /XYZ 56.6929 306.9099 null]
+1093 0 obj <<
+/D [1090 0 R /XYZ 56.6929 249.2319 null]
>> endobj
254 0 obj <<
-/D [833 0 R /XYZ 56.6929 226.5017 null]
+/D [1090 0 R /XYZ 56.6929 169.6708 null]
>> endobj
-837 0 obj <<
-/D [833 0 R /XYZ 56.6929 197.9796 null]
+1094 0 obj <<
+/D [1090 0 R /XYZ 56.6929 141.5207 null]
>> endobj
-832 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R /F42 597 0 R /F58 627 0 R /F14 608 0 R >>
+1089 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F23 678 0 R /F21 654 0 R /F48 880 0 R /F14 681 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-840 0 obj <<
-/Length 2750
+1097 0 obj <<
+/Length 2803
/Filter /FlateDecode
>>
stream
-xÚ­]sÛ6òÝ¿B{(G4Hð³}j\¹u§u{‰2w3Mg"!‰cŠTI*Šþýíb$%ÓIgÚÑ]`±‹ý†¼™€Ÿ7KBWÈ4˜Åià†Â gÙîJÌ6€ûáÊã5s»h>^õfyu{ù³ÔM#?š-×#Z‰+’Ä›-óß»¿ûm¹x{=÷CáDîõ<Œ„óæáñ{‚¤ô¹ûõñþá‡÷o¿»Žgùðë#ß.îow ˜iØï1…6Ü?ü¼ ÑâçÅ/‹Çå»ë?–?]-–½0c=!Q’?¯~ÿCÌrû§+áÊ4 gG˜×KS¶»
-B醔R^½»úwOp„5[§.0”‰&~<qƒœºÁ0u#éKsƒ‹RïtÕµ —”N¦*¬4~}§ÒÕ需ǢÛÒHѧÔ*/ª Mô§¬T;ÕuE{wªy"ÔŠÿ}õ5|¼×‰U1Ín«i
-«[6-ÄôT{¡)¹®°) ×T'òÞ4výÔ;WmY×O‡=Z‚4 ‚¯6žéYez²¿ëïžPfâ¼o‡xÖ<H(~`CàW´z¸Jcã=íçÇnâE6曺ÒØ:²ÈNpÕY¯à~ µ:b«>R•ãtAA Új?éùŬ s|²u´!2Ž
-$kZRzIX¹
-
-œ„›ˆk%èç ”@ŒÁ°²w‡²+öe_uWøøò9Íûgš‡> %¢R0ëwK…¢’ E€ö…"ÌìÃ'€×5¦>~§ÎéöDÍÛ¢¥o«é €—¢w’¿©;áG!ôz‹—Ü=ÐäÕí7ÓÁü,þÁÜob¹Q¯£Ç¹S='Èï”&²=£ØŸvFsîÅn*ý‹®sBºð%é—RUeÃrV7éÄ òönßOè‹VcÌà%Ñ¥Ü$Œ’ fÆ9l¬›¹ô„›È øÒ­áƒ~˺Ú`a9Î%¦~Æ/¤ëC#ò×3êEB€r<v½ ñKáÆø’b|íæ¦÷¶ {ÌØHpÈl_iÍ
+xÚ­]sÛ6òÝ¿B™{¨œX4@ðóúÔ¸NÏÖí%ÎÜÍ49Š‚lŽ)R%©8þ÷·‹]€DÛ¹kG
+²h</æ8*'fybÎaš)¸]…bþ$dzxU)"Ø¥3ŸÞÑ©nÕñ±0•æQ²lA¾×4¹úþŒ&EOãJ"lôŠ>—¼n¸ÓÈ-!ý#dD‘DÖ8R¥E{|ä€ûóš~(½ÑÍð¤ž#$ðy‰{«ž‘¸]õ²ÄŸ;Õ“øá±Ó÷EÉ6ņgíšeÞð¸Zu§2›ëž•°)†òŽ¦uÕ“šy¨†»çt†`¹i³Ü‹²žÒM„2̾Z7¡ ’X¼t¼UÏèÆ®zY7ÏêéæðØiÝøDz74º¬X¿Nº)붷{*Öã²+JÝã=f ~.’Ì‚<™9ï²6âEÊJÍK£˜,Ñ.T|ÜÄ
+ùÆÓauÊF ãŽÜPCKÏE]­@Z-Ê’|-%›ow}ÊoÉ>H4 © Ä@À¶Zã HÚúò©œ÷=Ø’ÊäüŒäXágS:wªt·¡™ñ†â´‰½µˆªfãعP1Ü*íî–/êÓª-w¨+cÚ“vô¯;«J@…ùü¶úl!W¿hSD lÁÎ…®õ…0È*bÊv³e?\mˆÙãöˆ‚¯8¼>˜‹ŠrºŠ…ÑŠ¹ºâ³îŒ ¸qÌ¡zÁè&Œl×€ A6yB¹2÷Í9Oˆ š¢„ ÀUºãÛ6FÂ^cî9™»ÝM˜•ÞêfÕÜ.¸CCéHJ(ÇK<†×/Á¼4ù|±®aQjÊÀœÁƒÆ˶È ê³½,Ï.J‚ÔÍ mÛ =/56ï¥Îf=,a•P‘a wßæ¼ð
+G¨I°> »‹«ýÍ´§’톕Mß«–ƒ^;¥v'ñÂájú·Ú^SæÄVh·
+¸E
++Æ/õÚUçøí6.)è+s*ìáSñfùayWSJ„U†aØ>¦+øÐÕ87iÆ£)§)ˆÇáü]kW)6ÛZO¶)tÛ£wŒ —Ò¶Á2uFßb.Éç¯N18R};á‰ÐúªÔ…o*‚Bå¶àW8
+QTy9§ƒ73‹À’jöW,¡Ù´ã¨:¡Or7\a“®iÉÏó4
+!æíf¬×>`«÷eBn°òHÉÊo?S÷Ž›Ð;nŠöçu‡DÎ lÙ…p2’q5ƒ‘àÒíVw’ÍãÃXA!–õ8¹ûmQòtSpË;’IŸˆIÞw‰ùiÐ&nwÕL’+©5v{‰œßœæá¼%„9 ¦†wÙvn»nÖõ4!7Ô¼ú¾‚æ
+ª×~(ºôªìó'‚†‡– å]Ñå`<ç¯ Žo¨}]ôØ꩘Èáƒ*­¢Ö_aiâŸñúœ †ìâ·4C "üK,Î\å8]}aA RïyT¤ûÕ|¯t U:u½ðÉ\óZÑÛ=îŠg\H@òväéqTP Ñ{zA!’åº>ÚÆž]Ѐô+(pn"®ÕPžï?\ ­3VöfWÕ¶v5wƒ;Ïi>ÜÓ|¨Ìs/ò€Ö{*•P\&Ô•‰ðeßV¼n1õñK{H妲M
+
+*â=ß8fœp¬ÛæËJ?—˜.øˆ›P¨ „6äë3êÔ_|*ðڄ“ðŸþ ~ü¯0J•eáôvÉ‚,ÌSË2®Ô!ç1Êq¦¬ÿÕ
+€ endstream
endobj
-839 0 obj <<
+1096 0 obj <<
/Type /Page
-/Contents 840 0 R
-/Resources 838 0 R
+/Contents 1097 0 R
+/Resources 1095 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 817 0 R
+/Parent 1087 0 R
>> endobj
-841 0 obj <<
-/D [839 0 R /XYZ 85.0394 794.5015 null]
+1098 0 obj <<
+/D [1096 0 R /XYZ 85.0394 794.5015 null]
>> endobj
258 0 obj <<
-/D [839 0 R /XYZ 85.0394 497.0473 null]
+/D [1096 0 R /XYZ 85.0394 438.8479 null]
>> endobj
-842 0 obj <<
-/D [839 0 R /XYZ 85.0394 468.4726 null]
+1099 0 obj <<
+/D [1096 0 R /XYZ 85.0394 409.9891 null]
>> endobj
262 0 obj <<
-/D [839 0 R /XYZ 85.0394 408.9221 null]
+/D [1096 0 R /XYZ 85.0394 349.7918 null]
>> endobj
-843 0 obj <<
-/D [839 0 R /XYZ 85.0394 382.8699 null]
+1100 0 obj <<
+/D [1096 0 R /XYZ 85.0394 323.4555 null]
>> endobj
266 0 obj <<
-/D [839 0 R /XYZ 85.0394 310.3501 null]
+/D [1096 0 R /XYZ 85.0394 249.9022 null]
>> endobj
-844 0 obj <<
-/D [839 0 R /XYZ 85.0394 283.0525 null]
+1101 0 obj <<
+/D [1096 0 R /XYZ 85.0394 222.3206 null]
>> endobj
-838 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F57 624 0 R >>
+1095 0 obj <<
+/Font << /F37 743 0 R /F14 681 0 R /F23 678 0 R /F21 654 0 R /F39 858 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-848 0 obj <<
-/Length 2299
+1105 0 obj <<
+/Length 2453
/Filter /FlateDecode
>>
stream
-xÚÍZmoã6þž_! j£k.ß%ö>¥Ù$—¢›ö‡C[àY±…Ê’+ÉI³¿þ†o2+qÒøŠ`_†CòÎÌC:$ÂðDB"©¨ŠbÅ‘ÀDDÙòGsè;?"Nfâ…&¡ÔwÓ£g’F
-)Ie4½ t%' ‰¦³_FQ4 xtòãåÙÅùÏWÇ㘦?^Ž'TàÑÙŧ¶t~uüùóñÕxBAF'ÿ<þizze»¤ÓñÝÅå'Û¢ìç ¥W§g§W§—'§ãߦßNû½„û%˜éüqôËo8šÁ¶¿?ˆ©DD÷PÁˆ(E£å Θo)®þÕ+ zÍÐAüF”V»
-fÁ1LÁ‚Óf°Šþ
-Ëf÷TLÃÇ‹%>Õ°Ç(ئW< 5›m&<8è,A
-æ1ÌlÄúϘp°> Žå(K«ªîlyÝæ¶`Ž„.´ù²Èê²®lUGˆÿþãkxŒMø8½&Ù±µ
->£K#§<uóÙcådÖÙÂõ¶öû0¦fmø^OT¯K$Lp˜`Z¯®~1ªÁÕLíWŒ)dhÒÉ=&Ö1uO°#=º¨fà2]ÞÚÞ΋™x¥´—è7 ?­{¾¶Ûî
-¯¶Ûå“!Gô".¢‰J¢ðœ¾íèk'JÂÙßÐ…·9fèM1’1°ŒÞ›hD8b\Ò\è]a¡”gg1„’“4˜áfEé2Ày“.—ióD®M`bż÷Qp3GÔ ¤ì'ÛÑ/™nl‹ÖdQ1i¾ÆL>»BÝf5£Ã'• ãñèú‘\îå\ÖCF Â‘“¡Ü'uá“©ØÊõÐlÙ€­¸¯O5DtSÊË<îiç´¤•S°ZåicËz¥õÚHèóœ•u[TsÛw¤!7{Åjô9­œþ
-y³,*æˆÂ†ì¸© ·ò¾MâSÏ'n벬ïíNÞ6øãÙÛõjU70å·ý3‰Æqį1‘/1¾DÀÖ[¾ô×F©‘2èUj´#Øcgv[‚h¥ åqúr2`à #‹ˆ ëÊiVx'ÐE rÙÔ8˵V&’Jeâ%$ˆ*]jƒê–‹ŸlS:›Y´Nt™vÙÂLw—à´ph˜R`ÊÆ)Ë2+­SœB3¾.‡œ,í‰&ø£‚×ÚÝC’§ làñ6„µ-‘ñÆm^®Òïá)£ñ.wjÍ Íc%dï­M]¶/0\V:¯h=ÁÞ@lÀòÒu{r“÷ð:Ìo6äÞN.“
-¸àÊ´rß¾ŠAÆÂÚ’÷ Z¼"SÑ<ÑJXšM&¶öJnª¶¿íÖ7Neå4µez7ø*÷Å<!h»÷“T¦Ï“È–÷ëïDBîaþ”ý«ƒ ÏõJçªy¼§Œ2•Œæe}c^uÈ÷Úw/ë à§16^+ÏÍ­ úgùmº._Kíñºõ/¾ãßÜúž1Y€Æ»åýs„ÃWÌA‹é×ƤËKë½ù4÷7â,o6×úlè©fc]Ù~
+xÚÍZëoÛFÿî¿B@?TB¢Í>¹Üö“ë8>—´µ}8ÚGS´E”"U>â:ý;ȕDKN¢+Œ
+©ˆF“›»€WŒp“ÉÍâ×i„(š<=ûéûˋ]Î$ŸÞ\þôa6§Oß]þóܶ.®Nß¿?½šÍI,Èôì§?ßœ_Ù©ÈñøáòÃ[;¢ìç ¦WçïίÎ?œÏ~¿ùñäü¦—%”—`¦ùóä×ßñdbÿx‚S±˜<@#¢¬N¸`HpÆüHqr}òKÏ0˜5KGõG0¢,¢#
+¤lLB¡ˆÁ”VàÙ«Wó¦},2Œ«iZ­VYÙ6¶×´IÝÚæCÞ.m«]:Úö¡r‹–I¤mV»eoÞØïoXà¦HšåkÇN·aØnR.ü¦e›—g[mí“yºênkf½|læÚ ˆ9!H ATyš³9£Ñ´ÈËL[—ÅÓ›eöhÓ¤,«Ö¶o37æ±°Ý$­g$žVMcû«®hóuáˆõÆ›{4ßC;âæôzl™|t´UéEu?¬qŠ¶f”cb ›ê[g¶ymÛY’.‡QÛZuMk[]ㆬ¦ aLßu’×ú.£~;‰£Òl÷®ª÷¿’lû&/TÁ%ê—Äf‰æa ºÍÛò_³µn¸K¤›Ú€ú›ØÓ˜‡PÃí(³¿Ü#܆bÈƶ~³Ä/|ØàüÚö²YéUu÷K·¶ÝäáÌS<ŽYÂo¸Þ‘¥—s]góªk¶d3*ÜðC`MŠc© ëëeV¡j·ñ–Xgµ›s>”;x¬:Gaîiv—Õƒgòâþf„Î;blF)âãpd}ÒoF„‰
+¶Üõw­è9c)ÞT¸‰á ¶Q@XÅoÌ ÎèýÁ9IÒØo^ºhþê•mxýË ¾ù›€†»þ >@Âý¾ÈÆ’¤`¹z^–$)%øx–„ƒÆI…ùÓ¼ì: ¼\Ó¯Ød5 ÎcDU¬ÂdÚ«ÿnQÄ$‰&.B‹È¨è߇ˆˆMk„„kc]ätC§Wæ@™^öm:½ØÖì‚%\L.jt5ù´ çÌ…m#ý 3ðærÅ&o+qˆéÏCÎFL
+3Ð>÷Èè¢NV«¤~"×Æ(’Šyï£àfçCKÙOºÃ?bz°É“EĤø3ùì
+}›Õ ŸTæŒËéõ]æé\ÖKG¡Â•£°¶OêÂ'S±‘ëaØ¢Ûq9^ßjˆè¦•Y@Ý.“ÖqIJÇ`½Î’Ú¶õI«ÎPèûœU“—÷vî@CfdÅjú>)ÿ@;#Y'þÄgãÄ~n‹*ýc3³7Ýí|`ä’ùÃ2÷wRwŠÆC…¬^å%,s@a
+LY;fij©uÊ[h‹»bÌÉ’h‚ÿÔ}AÕìF` Iž29 õñuÖ¶$’ÉžÏÒ¯xÊhÐ ì²×hò<#JöîZWEó Ë¥…s‹Æ#ìAÇv` 0!+Ü´G÷·Y¯_§ôÛÇÝÛmÃc…uAâÁT].Ò‘ÃAÕ¢"æ×µy‘·3BÈt õ|·mHŽhC)”ñ‚H,âæµ»EvЂŽ®Ùˆ—íÑÙpœc©Ìú?b¬Å‘Œè,’ 7ºø#{<¨¯f¥¹ÖQY„Í"Ø
+ô‚Ϊ‡ØÆ =c_e"WÂ7éà–C)œö Æ?Š¹ÉjÔù§
+ë{sšx¹æÂaÐð~k)ŽmN)êìpB ‹$“TvS‡œEþåÉ¢„]¶ŒøgŽÈ¼Íj0` £Aië†6AG‘ß/ÛùC¦?v¤*ÌýÐ#‹Äôy u ƒà±‰Õ½ƒê’wäüT ˜CѵŒ
+
+kJÞãGñŒLG£DKaA" ™$ØØ‚Ütí|Óv·Žeé85…~ÞñéOUÿï73è§HöCÈP-/ÖÛ Té*㶓ÉÈ=Uk©žåð/j•©xz_T·æM`|–a|·T¿¡°ÑZéhnj6˜_dwIWl¥Ödwþ½7ÀûCÍ·Çd6^,ê'œ#*ÉÔv@±Ò¥%£ìƒé4óqšÕCUŸŽ½Ô æÑÍúm3ê¼·±.’&ߧù@¨‹Õ £PIŠsL …©ÅêmÝAÈXÌJ~V°3åR=‹§f¹í¿ýp}}~fÛšßeç<®.y‹)¬ð‡h÷âÒ&yöð¹Jt7Ò,UtO±žçå* DåXºš‹¢Aöú2¥é¥{œåX
+{þõÿã](‚¸„è’‚ñð§;?Ñ äPÇ QÁäþ_hD1ŠUÿ,9ö‚@ =z|²b.ªòðQgÆQ^Lô ùéŒÍ"cÒÇÿ­gÑUòèã{á[iÚùÜZ¦ÙïÇ2Å“&„©
+ÐXÓqõvt‡ÒŠ`|çäþ9»Gÿ²Ë÷endstream
endobj
-847 0 obj <<
+1104 0 obj <<
/Type /Page
-/Contents 848 0 R
-/Resources 846 0 R
+/Contents 1105 0 R
+/Resources 1103 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 817 0 R
+/Parent 1087 0 R
>> endobj
-845 0 obj <<
+1102 0 obj <<
/Type /XObject
/Subtype /Form
/FormType 1
@@ -2341,2980 +3853,4560 @@ xÚm”In1 EOPw¨u€$ÅIg0²Êľÿ6¤¤êV5 oʯÅésÀóή¯ƒÖ×O²Î Ž¢‘ÿ¨#h8Çùø:„5?ù
6\>RgÈbÏWÖ¹j[†›
WŒÏ¢®{6;»²þFÃÇñ÷ø]š¨)Õ/Ô¬Mu;pk;Ì©Ëdh<åE–ñ¬AÏw³ð¬±±Nê¦ó¡Ä½t•‹ùD„™Â²]°Ä(‡;„ ·åŽ°Š­r²ÂÙÄLûˆ T¥Í¡誋ŠŽt’¹w_ =Î]ˆ‹=¦uSä÷—ä"ï±yl±‡µÃ-ËkHsŠöreOÚ³êvg›<7ºt,‡Ýe—;ãÒèЭ/I…B÷&ê(ýê³ö󻉨YÙ¹Ç,çkRÔšÚ'^ m" ^˜h±ÎW9AVªy­Â©/fýÆ"•œãûFy-Sng \Çdª¼˜©Æ¥†Í}B©•µŒÎ$âw1.¶&Øíþ²C¶O–ÃVç X×9g¹E{îÇ< •ãóP)!ÍZÜÅŸLÞª~ÑÔ'¯UâXLµüc“ÅXsЖõÚ¯½˜Ó’~òBL–§èªÆ¹O¦ºNZ_[Èü.øšŠû*]3QôçÇñ!Ö-žendstream
endobj
-849 0 obj <<
-/D [847 0 R /XYZ 56.6929 794.5015 null]
+1106 0 obj <<
+/D [1104 0 R /XYZ 56.6929 794.5015 null]
>> endobj
270 0 obj <<
-/D [847 0 R /XYZ 56.6929 486.3415 null]
+/D [1104 0 R /XYZ 56.6929 426.5656 null]
>> endobj
-850 0 obj <<
-/D [847 0 R /XYZ 56.6929 454.4975 null]
+1107 0 obj <<
+/D [1104 0 R /XYZ 56.6929 394.7216 null]
>> endobj
-851 0 obj <<
-/D [847 0 R /XYZ 56.6929 395.7282 null]
+1108 0 obj <<
+/D [1104 0 R /XYZ 56.6929 335.9523 null]
>> endobj
-852 0 obj <<
-/D [847 0 R /XYZ 56.6929 383.773 null]
+1109 0 obj <<
+/D [1104 0 R /XYZ 56.6929 323.9972 null]
>> endobj
-846 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R /F84 797 0 R /F42 597 0 R >>
-/XObject << /Im2 845 0 R >>
+1103 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F39 858 0 R /F62 990 0 R /F21 654 0 R >>
+/XObject << /Im3 1102 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-855 0 obj <<
-/Length 3170
-/Filter /FlateDecode
->>
-stream
-xÚÅZKsãƾëWð*µÏƒÝ“,k¹ÖëÍ®|²].ˆ„$dI@! ••Äÿ=ÝÓ3x %[J¥xÀ`==ýüz@1ãð3gW™ž¥™f† 3[¬øìƾ=aN'%ÃY__}õÖÊYÆ2+íìâj@Ë1],šŸþíäÃÅÙÇãD>·ì81–Ï¿>ÿ õdô8ýáýÛóoüxrœêùÅùï©ûãÙÛ³gïOÏŽጀõ2Pسàíù»3j}ûñäûïO>ÿrñÝÑÙEw–áyWxýô Ÿ-áØßq¦2gf÷ð™È29[i£˜ÑJÅžÕѧ£¿w£~é”üŒrÌ8™NPË™,3FŽ$h2f•T^‚xhàœÏóÅŠŽ÷©ÍÛb]Tm8í&_¯ó žö«·&(…Ï©Y¦…öÄ<K”’*_ôöo\9“Še(”¤c W,—›¢i~]çíâæ×UÙ´~n²5™´ýûba|,àA§Œ[ãºÉGôMñ3ç²*Û²®¨'¯–Ôø±É¯‹°ÚÒ‹›¢ã¥Ÿ$2&„Ë`r”Æ.!a˜°*ÎiŒi3Ï›¦¼®šðBæa}Y¯Ê½‘T±ÕÖaZž Êcáæ Nì°s/SCÁ‚m+îæça«ë¢ û”±ÑÓ¾ò”êõˆ‘ÛM Vð@/wMAšRšI'ÝX­õUëˆ'èˆ<Ayj^S‚ÏO‹nÊi]µ´}PÞ;œHÍŸ¹á'§ïx
-æ÷½ˆ”e
-ì7~_·p¥@<7y‹-ë„=#fp 0ƒcÈÌ_B7‰{×wM qz–d9Å’ºïËöfÂdêXÆSqØ,­NÃœËâª&îh£2l¼ˆÜ¿¤žbÕ÷7­z}i6¯êà?
-²Tl©¶¸Ïýü`í´ö*Ш@ Ao‘ÿ²ZÕ÷ÅrRÞè~ÒU³Êêš^QI¤.ïÊU›”ÕëíÈ)„fišÊ™±Š9¥õSb'3ašŽcçŸ[á½Äör@ë8Ð
-͸bL*é•@c.Íä02,A
-& Dyc Ó1åÕÄÕdŠ)aL°šïÑ‚;¥­‚ÃÜÔà0l[Ć;¦µÕ³ÀŒzþpc-ŒÿOd¦àÔR‹Çd¦!E
-NæXÕUñÇ„VÕO“Ù€™—’YÌqO'Wì—¡Üc2S‚­/ŽU½ÈWxü? ¸TA|EŸNåüüÃM]”D©Ë†®>æÆ…>7À$2W訊ö¾Þ|¦—²j‹ÍU¾(ŽÅ<.¨ºÈ3ˆemŒ<ÍC)ô€ê2yžœ{Õàplîé$㊽ªÓÖÁLõ¨¹ó”YdàUWa"²êD¦}d†òFO]ˆƒhˆFH©~dCOÒ)ŽuúÂî«8~Sb2Å ^5ØGª™ÒÞMŽÊŠÐ‹½Þ¦ÈÌÍ?Õ‹À "ÒдeMUÝRã– Â0—rVäô¸Ï¨ÑÂ`X·,`›uIQ¢gJ LJê@Ô§úߨgUT@亽ièÝ1ö£¨ŒZ#£÷°KÌÏ+kî<þ‘Ä%t,ò¦x5…!Àb, É ÀCªNº¹cV­¨+F¼Îq"ïÐ ¼[Ѽ¢¾xD˜íóîÃëvjÈ랈¢9€h‘Ñ~¯ºÃó\¬÷Ú¾ˆú ‘IÆ4ÎX–ebXÍíTuŠ[8MUV)KA©Tu*˘–NwE
-EÐñt½jþDig™JCÁÓSé+ºGV¾ÕÒ$ëÔ*oõvå_þCk¹
-§,nòª*Va [ìõ<CÅ#—ÔòŠïË—ÎA;›¼­7 G
-ãRŠ}^)–3c¹Ý
-˜·P!Ú”b¼u!`BG¨¡«)6_ hJõû•(¿&Œ6Åeýép¸¯‡`ˆŽ†-<ZÜlW $×AÀ›j¹˜PšPi,(ïÚrU¶DÝßx¾«°ß¢¿¯–©6”
-B“Ò}"¡•‹í¦,¾>WÉ7ï? ‡›»U,××h“a I‘Û@Š1cáléjꤚºbŸŽÃ!½¿M”ÖÐtB í¶SˆìÌ _ܼl¨3§×‹ÓôÞÔ‹ÏèÌØFï/**naNº^
-Š îž-ÖŽb2$¹+Wi
-/q¥¿ÜŠàc:€»¥{­UXˆ’25ÐÈ
-œëû"FÓü2`pŒµmˆ¿eÓÜ…ñ„û`˜¦ÞtFŒé¡«§Dw¤Ø Ð|ѥˇ>¸O”ZC»ÿXéË牠‘¡ê¢¿`%0Y&BÉÕë èÉÀ™Z=JÂ;Ÿž<`7Rl}î=æLiU1FÆ,µ…ì±£Cö0mðåIÍoñÚ¯¥$¯—y0YIXÖ¨=b‚üÁ²„…
-öf·0é°?Ëd¦^ŽÃHð0‡šƒ]
-'Fîs  ÆÆ;¸Ñ×ôòº
-ÿXÆ|>ÕFMä#H‡ƒpÀK~×ÞÔ›ò_ÝW6_@ËfM·Bt«|ŸæóUxéb-¼x¿ S'r úaÖÿ gÑà÷R@Ó”Ið«ç§H0PœÐàA)AqÖ“Câ´´ûì/þò²
-’ÈéAÇØŠµÂhÿDáåÕvœú&$$¸dRk7³|ïùêè%=Á‰ÚˆRP͆I{c‰Ç½±ºó÷ÚÍÏòÅÔßc”œÅ„NŽ.,¼ÔY#½Ãg…¸iD?zV!ñvÍvwXÙ}øÁ1-¾DŠŸÎ^訽ƒG•J0) `uŸÕCi 9¶¡ÃÆàá(¾¦gñEmA/ƒ;fx#x%t ¿á
-Š)Á|>žX¢ )5õH>{ô¿(Oý÷eÿ×T Bpnð÷µu9ï?Õ¦PNJì|ÙŒÓÜeý¿@{Lþendstream
+1112 0 obj <<
+/Length 2937
+/Filter /FlateDecode
+>>
+stream
+xÚÅZ_sÛ6÷§ÐÛÉ7ÿ $O®ãäÜiÓ\â>µ -Ñ6/驸ž»~÷ÛÅ$%Q¶çæFÀb±»Øý-(1áðgW^O2¯™áÂLæ«#>¹†¾·G"Ž™¥A³á¨ï.ŽþöFeϼ•vrq5àåwNL.¿LOÿ~òþâìÃñL>µìxf,Ÿ~wþî5Q<=Nz÷æüíÏNŽ3=½8ÿé‘?œ½9ûpöîôìx&œ0_F&¼9ÿáŒZo?œüøãɇãß.¾?:»èö2ܯà
+7ò¯£_~ã“lûû#Δwfr/œ ïådu¤bF+•(Ë£GÿèzÃÔ1ýå˜q2Q !˜7FniÐxf•TAƒ¸i
+àœOóù’¶÷±ÍÛbUTmÜí:_­ò5îŒâFá“™ÔÌk¡³ÀÀ§Y•¯
+zû7ÎœHÅ<*eÖ‰„3‹uÑ4ŸVy;¿ù´,›6Œí &kÿñŠDØÞÈ 3Æ­q݆ä#z]üʹ¬Ê¶¬+¢äÕ‚?7ùu—Q‡wzqSt²ôƒ„gB8ƒ“6ö ÄUiL3L›iÞ4åuÕÄz4÷«ËzYÎé´Š­¶ŽÃªøU 7u"ÁNƒN© ¾­¸›žÇ¥®‹6®S¦FÏû*pªW[‚Ü®Kð‚{zÙ4YJi&tÛf­¯¢Z·dB’ š(Só„|z2ŸwCN몥å£ñ~ÀÔü•~rúCOÁÂú`‘1¯Àÿqáwu [P
+Ôs“·Ø²AAHÙ;¢0؇Âü%’I H]mšÈã2Rä9Å‚Èwe{3â2sÌóL<ìœVgqÌeqU“t´Pž'éI‹Š_¥X6ÅÝMA³^-óÓªŽçBÏÄŽY`‰»<ŒÞNs¯"
+Œí–D /Ëe}W,Fõç ºªqTY]Ó+i„Õå¦\¶³²z¹9…Ð,Ë291V1§´~Jì„`*̲íØùu³’ ¼×ØA h^±™fl³šu›šAc.ór™ž ¢¼1†éÈòê~Äk¼bJ½æGôàÎhËx`nj80lWņ;¦µÕ“(ŒzþHc-ôÿOt¦`×R‹Çt¦!E
+NîXÕUñç”VÕOÓÙ@˜o¥³”ãžÎ2Í8¬3 *B¹Çt¦_3AËzž/qûBq™‚øŠg:“Óó÷_4‘(‰ÉFRsÓÄ`¹+ª¢½«×Ÿé¥¬Úb}•Ï‹c1Mª.ò bY›"Osß@
+}Àt<OϽé
+clk¿©ÊßãNs¨4¨ŒZÕfuYDuÖwUjÉ×ëzs»OþS;Ú‰’{¢ín%;Ñè`ñŽhTt^«Ÿâµ_Y¿Üy¼~—pªM–J²N„Ñ(&¹Ú¯á•õbæËXô`A™Å½¤Š‡Ìoòª*–± y¤†
+ž±ÂƒžË{¢Ä<hùÒXj·õº¡þÄa{¡Œb}0‰åÌX¾sTkp¥<êÐf”Ó¬‹ ñ>
+™IS²J>Ÿ·-%<ö†
+5®èÄÂ¥ÂpU›é(dà³SsY§§Ç^bá‡ýÑh­2`J^ì÷:‚Ë˼À«k.­#pÞ²ƒÞ*,„J™™‰Pž Úg{kÇq6d9r£`=„¨ºay+6šG¼5ƒS‡¼|9–¥¢"Sí7ÓüìŠÔw_o°ò÷ÉGÓ†[ñkÃÎ<}•ÉGA‚6Î ¢82$7‡ÕbŒ4¬X;£†Ü·3²¾½Ì矣µè4‹ÝA½¡øÙWÞÍdI&À~bDz8Èu_”êõ¸â5ºSü›„Èù ŒB@R6C ƒ ðR±HWúët}ð{¹Ú¬†™oÖˆ³„ÆÌœgšk›ÐLXäüjû‚•ª³á¢ƒúbwŒ7j{0"GF‹ºo)ÄÅoCRêõ@Æ‚¢#…Qs0Œæ³ÌN£ÇÀ2Ý8á7Œ¢—¨WÔˆw
+&\÷ hHäõ.xø€«Ÿ
endobj
-854 0 obj <<
+1111 0 obj <<
/Type /Page
-/Contents 855 0 R
-/Resources 853 0 R
+/Contents 1112 0 R
+/Resources 1110 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 862 0 R
+/Parent 1087 0 R
>> endobj
-856 0 obj <<
-/D [854 0 R /XYZ 85.0394 794.5015 null]
+1113 0 obj <<
+/D [1111 0 R /XYZ 85.0394 794.5015 null]
>> endobj
274 0 obj <<
-/D [854 0 R /XYZ 85.0394 769.5949 null]
+/D [1111 0 R /XYZ 85.0394 769.5949 null]
>> endobj
-857 0 obj <<
-/D [854 0 R /XYZ 85.0394 752.4085 null]
+1114 0 obj <<
+/D [1111 0 R /XYZ 85.0394 752.4085 null]
>> endobj
278 0 obj <<
-/D [854 0 R /XYZ 85.0394 683.64 null]
+/D [1111 0 R /XYZ 85.0394 683.64 null]
>> endobj
-858 0 obj <<
-/D [854 0 R /XYZ 85.0394 653.5261 null]
+1115 0 obj <<
+/D [1111 0 R /XYZ 85.0394 653.5261 null]
>> endobj
-859 0 obj <<
-/D [854 0 R /XYZ 85.0394 576.1881 null]
+1116 0 obj <<
+/D [1111 0 R /XYZ 85.0394 576.1881 null]
>> endobj
-860 0 obj <<
-/D [854 0 R /XYZ 85.0394 564.2329 null]
+1117 0 obj <<
+/D [1111 0 R /XYZ 85.0394 564.2329 null]
>> endobj
282 0 obj <<
-/D [854 0 R /XYZ 85.0394 420.3273 null]
+/D [1111 0 R /XYZ 85.0394 417.9499 null]
>> endobj
-861 0 obj <<
-/D [854 0 R /XYZ 85.0394 391.7481 null]
+1118 0 obj <<
+/D [1111 0 R /XYZ 85.0394 388.7174 null]
>> endobj
286 0 obj <<
-/D [854 0 R /XYZ 85.0394 295.8129 null]
+/D [1111 0 R /XYZ 85.0394 267.384 null]
>> endobj
-718 0 obj <<
-/D [854 0 R /XYZ 85.0394 264.2689 null]
+971 0 obj <<
+/D [1111 0 R /XYZ 85.0394 235.1866 null]
>> endobj
-853 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F57 624 0 R /F43 600 0 R >>
+1110 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F39 858 0 R /F23 678 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-865 0 obj <<
-/Length 3251
+1121 0 obj <<
+/Length 3451
/Filter /FlateDecode
>>
stream
-xÚµ]ã¶ñ}…½À™á§(%O—ËÞuÛæ’îm€IPh-ÙΖ\K>g[ô¿w†CÒ’¥ýhƒÂ¢†£áp8ß´˜qø‰™IX’Élf3Í f¶Ü]ñÙæ>\ ³H‹>Ö·÷W_½Oä,cY"“ÙýªG+e<MÅì¾øyž0É®Ÿ¿ûáãûÛ?ݽ½¶z~ûÃÇë…4|þþöÏ74úp÷öûïßÞ]/DjÄüÝÞþxsGS‰§ñííÇï’Ñã ¢w7ïoîn>¾»¹þõþW7÷q/ýý
-®p#ÿ¸úùW>+`Û¼âLe©™à…3‘er¶»ÒF1£•
-íÕ§«¿D‚½Y÷é”ü"ÎBi–ÂúˆE³‡õŒw“ò6K”TQÞZMÉ;`¡¼¾+wMW‚¬œÌwn¤æßå
-©»¬ žMU\
-͇f6Õzã±Ë5}\ÒŒs¹*ë[ìCµ­ºÇk)'LžÌÿææÑc‚ã…ÐÍ·•ÓN„;»¥q0&>t.”ôãò-¹´Á„mõÏ0µLiHï}péœqØ9fºˆñèxCŒMsÜD—G£©˜Ê Þ/æ´N«Ð"¦Ô
-r+s«SÕm⪞ùæTÓ n°Z 83ðY»!»ÆÛ OÀÈ ›‰RtoÚ8soñ8 e|"’ |ª×å€P=‰Avâ%µ "ݸxŽ;éü`_v‡¦ö
-ÊX;ÀtÉ\^
-×ùʱO>ÄÅ8ÓHx_•fj˜`œÑÀÚ€*8îfW„rU‚ºn/}ÃÃP"ƒ™¬¶vþÓ„–¿åPç¢×… e—´š9¶\Å™h,ߪ/.ÍÀÌyż ¼äþÛÜëÔ„c¾È
-À¦BöÊIt}JˆèåûœVOûž K·ÞÒ}™ð¿ûG !JÇžŽÿåöy[†·¤Ã‰íºCÛìôŽè›© k,Ìë/Ñ“tÿý”ƒCr7ž¾°ñÿ—{“Œ_ön ¦oÉŒUBAZXc®wæ²D÷h7yLÜ{,LéÝmîN.6ã€ÊGݺý@#,mÚ²]_ZHªl¢¹I_ºPø‹þ™#ºƒ UäHCx¼àFKË ‡ü»O||m°^àaLí|™Š ¹‘'ÀbâÜÛÂr–
-iÆ¥3%à6OÈTÅ$äž3ÁñVªåçeñýÆûÓ^R»ÿC@¾2â'±å$zÀÏHªë%.FÔ‚TÃÍ€àPD©§n†-eè<k;€“èxÏÑf\ûZÍré:%\SÜçᆠüx×ì ²-¿¸³CüÕ
-›ì§sÃŒŒ—Ù_ªò4ÝO6Þ‘Å]1¬ÍüOØ„w+¥oé);è›÷ôjJ~|U¯°û³_ÐVÇÜYËÆKÏ4I¼%ê$r<”ô¿3`
-–¨uì©?W)ÃðßN|óÚ÷¯Îÿ’Òï«åÿø±)Ó)ñL¡Ôèß=ÔDâ¿@Ƭÿ——Õendstream
+xÚ­Z_sã¶÷§Ð#=sB
+jz_ŠÙÞç x $|R†<Öé æXàe‚)ÝÅ9 –Y çÁí–jÜŽ¡Ï>ýyðÔQáR½-6”þLšÜä>í™üCwE½ïòàÏ$3c?=ÕšA˜’ÙOð^Gõ‚È°%
+5 ؤéãH"˜°&¹]5ŸAΔ‘†„
+`²Ñ _c>:©ê±à’B0¶Ðëu3-pÖî7m9@™
+Q=–ë51oŠ0 OÿÌé1/ù~Ɔ‘
+ˆQFˆäº"’vU†ÏfyS¼!øÜñÌ×MMt«¢¢¾3à ê7‘éW쬂ü º\ÔÛY¿ˆXú8tS®†p²·ßX:©äaóºðåš]èZåŸ jåc&Ÿ¼w²—Ø›qžfT cÌÒ Rãö†åžŠ×‚¶AjŸR4|zVa\‹/‡RVù,í¿Z-n_R(€âYeÖ -+Ô ^PPDO7„r+zá€pœ8n’>ÀŠ^xE~S´£‘Ò¦„®Øáü8XXÇçXGk4ÎÞ †“[`sÊ?Kaõ:ZÜ£¯z€ù°H†Ž8@¶Ž­pö‚}qða_®[ŒÓX°Ãûý¥K“šÆfdŸ9e_ o 7–ÿÌf樰|^ËPšÈN=¸ko¨¤Ú]ÚdÔ®lßÖ`Ù¡8d>Eý,qa ëdšLdÄ\i†!^ ®æ™1àf,ÖF6öDsó*ÃÉœŠ1wÛw•¢µAÙÖõ:§:ýpÐÕÚp]^5eÈ“ÖQ]ýt¼ö†ÂöBË¢BÃ*éR$¾Pêy¦¥ =>¨x½ÎR¥Ž\j^.Ë6_ãQL o·0 ²œêi£`ÍÍÁ©±·sj|Ù@ÄÏ—ñÃŽ¦]íC——»¼tØ çÉÇ‚”2,SJ¼òãîÇ}ÈC\ 9àº%æ›ü‰…ëñÚ@®… =TǶnšòÁŸsÉ€µ¥IöMèÈ+z_ OR–„á°)Ðoéq@9Is8@‚2ð‰_R
+û
+5º,渻ґq
+Ö á¢)7ÛõõùA ¢Ê‡´¯â)Š:œ¢œÆ–2¸€þÇ‚ ”lB¥qMù¢õUUOL»r¿úW{ż§H@†õzü 鮬f¤¶£JA!ª»Àó|„‚Uc
+¹{ÐϺB}J.@.€zóbf¯é ’Ö<%"¾G:›ƒâ6[0kï$HµGŸ¼ô$á—–:@ÙSR•“Ìà©ÐI^ï;‹ ÎÒ ( ö/t%cÄ“.Â(IE0²*—«@],éã‚F|Ä•®ï°åºlŸ. NÀ%ÿðùr(!ÞÑDå›Ò§¤S»e˜6úúa­=Ü¢–G :âkh4P臡Å`Hº¹¥õ¾›DñäeCŠU½_Ï©#µÆR:Ø.¿Òz«B‡3+€V²ƒV¥¿  YƒðõcEnåb ™†ÏšÉØÖÁexÑ =r™N‹~áuÓ5ÁÛñØKb<“ÈñÀJÔWù Ob
+BȤ†µ‡%ãâCÉåS ^Fçc6Š8’ªðÀÙÒ¤ÖÀÇkàxR`8òh&¡¥:“TÏÙnþ²FyFË€Ÿf Ë3nh2­Ž­Waæàò¯9¨‡^ûã
+K¹Îº{}9œ#L™­÷ó ¹»Þñ^úïrÐöXQËñ ´ u`‚¨jQ® >ßIÄ£$¦“${…$?hûU¬šü&#øÅ‘Sít"ša!x|ƒËà9J0b V$jä”OjDzÅÎg £;4†U»ì]¥Ã`ÞQoë2²{Ä ¡ÎÙË08gÒì+%BU8ëßzN%Þ¶[a‡qá¬"µ|8]ÏŒˆcM²Èg˜ ¯üw
+­qjˆ>û"»‘zG*À‹ ëäP»’x L$ð«Ã½=öl¡^ôÕ”Óü]ž1É{D‚Ø[|É¡âÁÓ¨å"׃CGŽ¦¦8Ò9 öowågŸqðáHš(K¾7Ü#õ(A€OE ÃIuý
endobj
-864 0 obj <<
+1120 0 obj <<
/Type /Page
-/Contents 865 0 R
-/Resources 863 0 R
+/Contents 1121 0 R
+/Resources 1119 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 862 0 R
-/Annots [ 867 0 R 868 0 R 873 0 R 874 0 R 875 0 R ]
+/Parent 1087 0 R
+/Annots [ 1123 0 R 1124 0 R 1129 0 R 1130 0 R ]
>> endobj
-867 0 obj <<
+1123 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [55.6967 755.8266 256.3816 767.8862]
+/Rect [55.6967 676.8938 256.3816 688.9534]
/Subtype /Link
/A << /S /GoTo /D (rndc) >>
>> endobj
-868 0 obj <<
+1124 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [268.5158 755.8266 332.4306 767.8862]
+/Rect [268.5158 676.8938 332.4306 688.9534]
/Subtype /Link
/A << /S /GoTo /D (admin_tools) >>
>> endobj
-873 0 obj <<
+1129 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [378.2799 116.2526 428.5017 128.3123]
+/Rect [378.2799 73.4705 428.5017 85.5301]
/Subtype /Link
/A << /S /GoTo /D (tsig) >>
>> endobj
-874 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [112.234 104.965 168.4527 116.3571]
-/Subtype /Link
-/A << /S /GoTo /D (controls_statement_definition_and_usage) >>
->> endobj
-875 0 obj <<
+1130 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [75.273 61.5153 131.4917 73.5749]
+/Rect [112.234 62.1828 168.4527 73.5749]
/Subtype /Link
/A << /S /GoTo /D (controls_statement_definition_and_usage) >>
>> endobj
-866 0 obj <<
-/D [864 0 R /XYZ 56.6929 794.5015 null]
+1122 0 obj <<
+/D [1120 0 R /XYZ 56.6929 794.5015 null]
>> endobj
290 0 obj <<
-/D [864 0 R /XYZ 56.6929 441.8384 null]
+/D [1120 0 R /XYZ 56.6929 403.8784 null]
>> endobj
-869 0 obj <<
-/D [864 0 R /XYZ 56.6929 416.1193 null]
+1125 0 obj <<
+/D [1120 0 R /XYZ 56.6929 377.7405 null]
>> endobj
294 0 obj <<
-/D [864 0 R /XYZ 56.6929 378.9792 null]
+/D [1120 0 R /XYZ 56.6929 339.6466 null]
>> endobj
-870 0 obj <<
-/D [864 0 R /XYZ 56.6929 348.5817 null]
+1126 0 obj <<
+/D [1120 0 R /XYZ 56.6929 308.8302 null]
>> endobj
298 0 obj <<
-/D [864 0 R /XYZ 56.6929 276.8275 null]
+/D [1120 0 R /XYZ 56.6929 236.1221 null]
>> endobj
-871 0 obj <<
-/D [864 0 R /XYZ 56.6929 248.1435 null]
+1127 0 obj <<
+/D [1120 0 R /XYZ 56.6929 207.0192 null]
>> endobj
302 0 obj <<
-/D [864 0 R /XYZ 56.6929 167.2435 null]
+/D [1120 0 R /XYZ 56.6929 125.1654 null]
>> endobj
-872 0 obj <<
-/D [864 0 R /XYZ 56.6929 135.7502 null]
+1128 0 obj <<
+/D [1120 0 R /XYZ 56.6929 93.2531 null]
>> endobj
-863 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F57 624 0 R /F58 627 0 R /F14 608 0 R >>
+1119 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F21 654 0 R /F39 858 0 R /F48 880 0 R /F14 681 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-879 0 obj <<
-/Length 2414
+1134 0 obj <<
+/Length 2601
/Filter /FlateDecode
>>
stream
-xÚ¥Ù’Û6ò}¾Bš*‹&^ñ“㌽“ÚØÙñ¤ò`»\ Ò°Ìc"RV´›üûv£!qâ©réA@hô}€bÃOÌò$ŠU¡gY¡£$ÉlY_ij ¬½¹¼gá7-Æ»~¼½xþ:•³"*R™În×#\y繘ݮ>Ì_ýë寷W7— ™Äó4º\$i<ÿñúíO)èïÕ»·¯¯ßüvóò2ÓóÛëwo |sõúêæêí««Ë…Èç%cxäÀëë_ÑèÍÍË_~yysùéöç‹«Û—1¿"VÈÈ>ų°ýóE©"Of{˜Ä‘(
-9«/t¢¢D+å!ÕÅû‹ÿ G«îè”ü•GI.³ j5%À¤ˆR%•àí½E&ž¿Î²ÑV‘G…J3À{¾ØÃ)£BJ¸)MÈžÀªŒŠ<ϧ] c”Ž‹4™DºHNØ(WÄEÀ°Q‘$’¹xšSbnª®…‘Ìæ_švßÐÐtô߃4h X†A:oLmÝI9/y“¡•U[›’Ïã.íšò­4+W¶éËõ¡l6t(¸@1ƒS±œ_÷^ÆxçñuÖ±j–‘B‚¤˜-Ç7nWh"öe¨D•Ä³ßÙíW»’Š£Xx!u½ém DÚE¥ è ÐöRäs <v}G‹ÝÙöþÞ0„o%hK0Çž+7 0ç`û²¿÷gœæEäÄŸÏÛ-‰ådnV+¢¥ãýµé—÷$+ ¬§²eU•Drž)y>Ú@; #¢aT6˶&•Áž†aýÞ|µ´vgmC°33°n@ÖG’YͳÁÊ
-°®jÓnAíç é?öÌVç’ë£a˜ÖÙ?yuåR&¬êá¢3ßÇ’IV̲\Mù÷û¶Ç¸£œðíTFRCܶ=îÛ ØX3/(G%R”·`YýÖ A¤VuvY~Œci;Úfn—;Äá¹Ù{‚¿.M_¶ côRÂÌgN²n¡mÐÉš± g‹BF*¶ÛƒH]MïŽi5ïví¶G£Á)Òr~ûþú ÁΰꤑŒ'AµY¦RÇ}m–‹z•LÈMg`±ìÈT^<b.2´ÎÒ!~,·¶?µ-2ÈO:™¥…ŠtªÓﶕãbŒòÜV´Œ£DAf¶QüršŸˆr`¹Pc{aºpì”1¸/´¤‹;KJU™'2tBœ]=pw Šï0Üç ït.;é>Ó{† c4]¤š&"ÒÊo$£!âv¶Æ( RH)Y4P£ÄóªÝl(ò
-ÿçDê*”<1÷´cyošÆVÁä3åÊ> ø'1mZ—o0è!8r(ð¬TQuV ¾b{^ÓÑ숰ÙÕw˜’püòQ( ûïhºkª².A1g>…¡8`¶+ÿkÏFrÆ'“Ì2Ý¡ùŽÇŸ×fYVš¦2€?Õ¯ìv;E×_žßª:òñbL‡˜fÄbZ„KÁ-a
-A¨
-„·¶¡÷fÛ Öáooá¤õ ¼;Q¦DÈKÙ¬ÛàØÊÞíSUU•—e°õ
-&’VIUˆóÚ\)hÚ©Ûì¸
-F¨«8qq¾šmiÑ&qÒ®i×À´>ô'q²F;Ã¥FØK:DóÐcÝa×ÒMp§ ÚS±ð5†OçìQ®Ïrjøá~k¨ÛÀ¤ØµËøî¨{kwýÚö÷íª{FÕ?^^8r ŸS™Ç5œ¹xÂ[ö奘S"\þU±oéT<t3‚»3²<¢fFû´så^€Kƒ aQœø²dpɉº-ŽÒÜ‹t¢m¹*°•]²ÝÞ·{ òÛË
-¤iy‚–€ÿ5´O`ɾö [¢ ‰]±·eP`jî1ÒÂQñÎUÀRk¨…§XÓP|èæ°ò,RBç( vå’N|©¥¹ÉÈŠœÓÔð¾Ú4LÛÃÉ
-L2.­_èÁÀ:
-«ƒRa¼iùDœÔƒsM9 G9î‘lœz|L5·’žLnG×'Q壔z"TàÓLZä^_‹Í7ß[""êa’|›{|YEfåŽÒãªÂGm•J·Hpñvë©:MœüJéñ›ÅÙK]Ûå(õåŒ7­ÏŠ^˜mcC)×-;-É+ Þ§ð @,Â"¨›òƒ*
+xÚ­]“Û6î}…µ3‘ÊQ”.OiºÉm¯Mî6Û¹‡4“ÑÚ\[S[r-9¾½Þý÷RÖ7»ÜøÁ$‚
+R *’LÂ*ðvcP@åTž'š³è#ÎoæÁáÈ1N–répÚ®ìÌÎÔ臥Ѳ¬iÐ,—Ç K·ÖÁ‘0PQ×ì ²5_ÌÖá߀RSÿʘXeW5Ž*B¶¡q䫺­VVd’L%Jh/Ô—ÊœR ¸8ÍÔT*° Q¨èoæ¡¥V&ÆÝ‹Xf:aŠùržJ »¬Í
+p%rFÿ oL¢Î¹Ó:‘)Üá/R6ÓxKÔIå0¸3ôlÇ ¨¨Ün €Â· “IœL­3õŠ6©èÞ*–èŒåiWh•H®SÇÜZwh¶m@
+°Ö\)>³«Í”³$UJMµ©XkÌÔÛ8K“Œ+½ÐR%Zðížë nŽÒãÇà sG™ÓE&>˜¥3@jD’ÎøQ Z
+èCò3wí±žâbFÍ©‚ »cÛÑÈ^8ü¯ÌÙì`Zºer%Xƒ5„4®e’3
+,a ,ÔÔþÀÜÇ6:R€²l¡¹e9}N
+ï~æðÅB^
+ÖÀE ¸Û8FbYö¡ápÉóÈ€Œ-…#”§èݦtw*A›aÔ‚}Õºœ§ªÛø½• R^EVýyäƒTâV+â¥uø»²[n\pÑ3Qx]Q±­ˆå\+yop;FL誗͎® p&Ãú¦übhíΘš`½00vÂÀzI
+=8øq×V 
+ž9IP)ã¨nük»ƒÕ1ŽéVSp±vo–Õ%·¶i æ7H]ªîá»ò
+»tˆ%êÕ®ª3½ƒ»Z¹}Çý¾9tîí“Å€Á4ÆßÚfW.ãÝJ$Ju’ ¦û`5' áNõyƒ¥ÔnJ ™$¤Îò)Rù„”i€X†¸2ý³| •=JLýYb2r¯fÖ§¥ÎO&ä8 uª&ôÒó‘ðöÃõ[ˆÍŒäû”^P)óqXZ FsÁ¢ÛË‚AÜÈá5
+B}ÜnÏr¼ü
+^ƒ Ú+j Sˆ­Û‘’àÔf¬¶Sy¨{kð§7°ÓxžíÎ$¾oFÛVæîè9®\Ï‚t9B}€ë¯–C‡çHîÁoºßðX'îƒqâe«›—Á»çsJcÅ=›R€§®ò>ñ•éM±ÿ>ƒç±Ü~öˆ;NèÏ}÷åè²]O’ä¹G
+´Õ=Ûƒ
+‘öa³gÄÁ¨À¯Î}ˆ>lÿÒ–kxW&2ÜîÃAjÿ’z‚¼|óÖM,¥4ê¨þB¨­upñd[s8úR*ƒ6‰ÌM«Ú÷ÅEœØ.ì{†¸t‡re¤N1OPëå6ÔøƒºA2îÓGôçâA*§¥!GÝá~s(©ÎÅG°m–ÈÝRß 9vûcGk;ÓmšUû‚êN`|Wº•^"Ûj°W&‡q g6ž8”V$TúÚò×]3A²¾Žæ¾åg[<nDe4?w&níªP×
+(«H˜òÙsï’ŠÆÜ«´×m2¹,ÀlÍÒÙí¦9Ñ
+ƒãMéαͯÀ;¹/­5aÅ4IÆ•—ŒgQŽ’a;µ£•“¥ cn@ *jËÇ
endobj
-878 0 obj <<
+1133 0 obj <<
/Type /Page
-/Contents 879 0 R
-/Resources 877 0 R
+/Contents 1134 0 R
+/Resources 1132 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 862 0 R
+/Parent 1139 0 R
+/Annots [ 1136 0 R ]
>> endobj
-880 0 obj <<
-/D [878 0 R /XYZ 85.0394 794.5015 null]
+1136 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [103.6195 731.9163 159.8382 743.9759]
+/Subtype /Link
+/A << /S /GoTo /D (controls_statement_definition_and_usage) >>
+>> endobj
+1135 0 obj <<
+/D [1133 0 R /XYZ 85.0394 794.5015 null]
>> endobj
306 0 obj <<
-/D [878 0 R /XYZ 85.0394 662.5434 null]
+/D [1133 0 R /XYZ 85.0394 589.1911 null]
>> endobj
-881 0 obj <<
-/D [878 0 R /XYZ 85.0394 634.6304 null]
+1137 0 obj <<
+/D [1133 0 R /XYZ 85.0394 558.8491 null]
>> endobj
310 0 obj <<
-/D [878 0 R /XYZ 85.0394 376.1585 null]
+/D [1133 0 R /XYZ 85.0394 294.8462 null]
>> endobj
-882 0 obj <<
-/D [878 0 R /XYZ 85.0394 345.4362 null]
->> endobj
-314 0 obj <<
-/D [878 0 R /XYZ 85.0394 136.7105 null]
->> endobj
-883 0 obj <<
-/D [878 0 R /XYZ 85.0394 113.7908 null]
+1138 0 obj <<
+/D [1133 0 R /XYZ 85.0394 261.6947 null]
>> endobj
-877 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F77 703 0 R /F42 597 0 R /F57 624 0 R /F56 618 0 R >>
+1132 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F21 654 0 R /F53 957 0 R /F39 858 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-886 0 obj <<
+1142 0 obj <<
/Length 4109
/Filter /FlateDecode
>>
stream
-xÚ­]sã¶ñݿ“—È3ƒ/’`îé’Þ¥×6—öz}è´™ -Q2{©Š”·ÓÿÞ]ì$eÈÖµ7Á,û½¼ð'¯Ó,É
-U\ç…IR!ÓëÅöJ\¯¡ï‡+Écæ~Ð|<ê»Wß¼ÍÔu‘™Ê®?®FsÙDX+¯?.ÿ6Ë•ÜÀ böýOïß¾ûá/^ßäföñÝOïoæ*³·ïþð†Z?|xýã¯?ÜÌ¥Måìûß¾þãÇ7¨+ã9¾{÷þ7)èqfÒoÞ¾ùðæý÷on~þø»«7Ã^Æû•BãFþyõ·ŸÅõ¶ý»+‘è¦×Gx‰,
-u½½2©NR£µ‡l®þ|õ§0á¨×}¥Ÿ‰Ò@«§4:FÀ´H2­´#`»ëë¶)7›GØšÎgå¦k±eg›z[÷ìï+‚m«®+×A»ê¡Ú×ý#‡·^ö<Ö†ÝñGåbQíújIýw' ,î˦ñóü]¤"ô,«UyØ0Bu‡”‡ýÄ(›2¢àÆêfÕò 1¤M¬2Ó XAÞâ¨ë¹1y’ë¨(eR¤ÐÀe˜j™ÏŽ÷ ²§—¾¥gÝ,6‡eE/e%)ÓÄš”WkÊ-lü)NZ$E¡=âóuÕTûÒÑÈ-Voy…®/·»[hkCCàF®Ûý#½áŒN³ü¦e|‡“Â7>)lz
-;
-H“%VÛlJîÀø@w÷lZ %\‡§¾”Í#6qÓ
-˜VØÜM÷‘V;¥r¤(<À5Oɤd’gšÇ,«®¯›™-²ÙbS:D @š@³#xé8€Ì» '¸Û@ˆÓðëÀƒm èøÞ—u·(÷7rù
-¨¨pó~†²÷t”°³Ö± ±˜!ÖÅ”¾$€Lמ˜£ë=Ór@ ëæžmU6u³ÞÀ¶>ƒÒJ$Ff6ð¿P›*.&R¥YŒØ:O±uŽ!¬}GÄš8ÊãŽÃœÌ
-oíê™YIºÙéÙ•~áª\Üó·N¨LEÛ3Û°dîe²ŒòÇ;ÀI›böØ  E'
->Ê9Y–¡=ç„ý=å`ó,Ër¸i×4«G—"¦G É*k"ë
-¦Ñê%Ýi“k¯9ˆ”¸ñd_¢lj'P(›ØCg„­»rñé°£þá¼°§] ”p݃ \ƒJ%ò=‰¦LçŠtA6 “l©uĺž @®ÏóÙ[§¨\ý
-~ƒü¤žÕ+‚Ò Acq߶$vŠåIÍ>UÕίCkó€v³¤Æhk^¬°¡': ÍG¤§²³…‰<ϧÇ
-Q¥){‘h³]Ô­eÛTÔw ß± ” Vºï*ž%óšÂ«_UµìN>¬›e½à Á ¤L‚ ÏÞ·4Â[
-(Ö=r¸HIc@Wàph´Nx^§o‡XœäZèDgö$"ñˆæÐR’ ·› ± tò ˆûú.€ïÚþ‚£kå‚x4Õ‘°QIÓ*ùõ¡A=X¤ÌTÎyVV̪ð}ãŒer›^个BÉ ÁoIa4-­°mÇë.˾äh “‹lª6ØäÙãùªw^‘  Â=ï¹—¤ ‡¦¯ùË®Ýro{èçíj~GTÀ¶Â«î¶ôJ˜mº°çù÷7¦DUØ[ÑãBÌLcÊfª ƒfç
-& {vÏËTulGÎ3QöRdÊØþsÈ\¼¥³‡«lL”_:Ïf¥¯NžÝÐÜ
-ôu&Úܘµâ9”ÒDJãùöpXìb³¨$³Æ¾4‹wûèaç*½<+Py±S/Ð÷0—δêwçè,䥓lÚE¹‰EÑ
-X0ê³æ‘ÿû<éxõ…ðÑ_hó…ö•~!|²Ø<D9!euÖ1YHߺ©ò Pš«Lc~ÛEl: Ìõ™³Ìéë-r¢é]Gˆ7à¥;ìvížs rFÆ5|Œ b,Q†ÃÁtÙ­g¿¥ÿieÌUZ ®Ûsö݆ròÖ
-k¢€4\æÔTØ7㢿ÙA|£Ä ÝGApì22‘ª—¢%#0ø|ÞõX(-ÄÑß΄±©Wî=aG&±†›³Ñ/ 8S"Z³uœ« ÐÈmQL6’Ë}3 Ÿ`CÊ„¼QO!'©Òæ2f2ãøÌg$5Ý‘Á¦É&v¸1@O¬ÉT¿IÁLþüU+Í­,Ö+Å«|«˜zQÅ/H˦GE5DôŽÑ_ÃîvÁ„j›'…¶vÊÙ.y,üý! .ƒÀëqÈ) _¶BϦZÞRyÂ¥Ù#{H¡-ÓôåR„ÐÁ\y|
-yJ§^åg»]ç
-,௓?͖Ŷ…ú'Érsb.ŽíaæÁ%ùXo{E>5>ãËÙ´ª~f…Îv·-ŸW!Ÿ*l§_Vûý™Hʨ<šüK‹‘çTœ$ÿ²€]1¾³ÅNEZ ½]µwÕ/8¯ùË®éà[e4±Ãïù›žÖ*·è$h ›$w²˜…gÓ»ª!ià´ u¢ÚÉF[E7}¨v®¶ZŸ›´* ‡m7·ÅÊÖHÕ#Ü•·,¥#ááotp ðà®EÁg;z_ÀYßRX0¨Br~‚…ÓÍëaz€fCS³>ìËy,‹Œçs–8‚ãMäYr êÜðKµ@½®~àñc<àÜ~’ÀÂcŒ]R†Öß<™ø½]V.zU\Ë÷wÁFÈCD²éëM{W";ÙŒ­4Ã=N„ÒAe\…­ÊžN0÷¾*tý‹´[{n44dBóÌaJGÌ*;µ|ÿºKyÜV@u}¡7Ša6`˜?¹žÆþwÕ“j­êáv­»I0Š=ëH® Ç”¡‚N_Tõq¦wPé¡Ný´æ’ °a©÷Bæ±¹1NW"nTê’Q^µþ
-áx[%=v-˜Ÿú‹ã(½@íõ ™u:óeyÿåH #¶F›!Â!ÙØ7Ë+ }5®Æ$pÄ(Ñ™¯áÃÉ¢Æã“M‡ÛÞiá#µ‚sK‡:V}cÖ˸ê‹ÇœØóðÃÞ¯v¸`IyKš’n\Ï“,bŒðÊÞ‘€«þ:¹xšº:C'«F׉T:{M"QLÇŽMšµ¤¬WûÖŽôjás/Ö’†³ƒÌptæ„Ô2¥ ?ÄI‘±¼àš”—-†5ùB¼‡“2P_ÖodÛC¿;ô\½ýžŒ—O „ÔK·«õÊ_QÁP5/|Á—dÍI)g·'1"kÿoÏ\:<WÜ$êÅ/n_˜//o®Úö«hrˆGpïÂ<_û…‡NüYFä÷ðÏËÿß¿þ~cò¸ZÅØ¡0E®¶G
-·¤ÍÌýÏDž¢þ_ûîl¯endstream
+xÚ­]sã¶ñÝ¿ÂÓ—È3'?zO—Ô—\Ú\Ò«ûÐI2J¢$ö(R)ëœNÿ{w± ”!Ûio<‚ X,ö{!y-àO^›$Jr•_§y!Íõrw%®7Ð÷Í•ä1s7h>õÕÝÕ—ouzGy¢’ë»õh®,Y&¯ïV?Í’HE70ƒ˜}ýÃû·ï¾ùû‡77i<»{÷Ãû›¹2bööÝ_n©õ͇7ßÿæÃÍ\fFξþöÍw·¨+á9¾z÷þOÉéqaÒ·oo?ܾÿúöæ—»ï®nïü^Æû•BãFþuõÓ/âzÛþîJD:ÏÌõ ^D$ó\]ï®b£#kí õÕß®þê'õÚOƒô“"R:Q*" É£D+í ßK ‹bv·-i‹ËmÑ4eM/?nEWâfaJ=šR\ÏÌà&{Sóu»¡F{ì÷ÇžÚ›¶ì¨Õ·ÜÛðjíž;hÈlÆKÅãã—I*p׸ã×Ò&&ãq¯iâ‡öÈû*^ªøÈ‹ƒ4ŒÎšñÜ–»é?Ï©hú¿~Ê#i€!¡eÈ ßÞ—œ.IG´L’ÙªüYÕT}Õ6Ô½;v=õUͲ>®Jn|×WM1 _Öű+©³ß=A»â¡#Øi[Þž»ìºbc鎃ʺ\ö圭°ny|a7*e”#ÇT†1™ó£gÏOD0Kf¸º|/y<í3³}qè«å±.ôÞ=tÄÐ^˪®ú‡)åììóÞ²!~Ðͪ°L±¢åʃ}kÝŒ=qL±ã)\GÁœd_VU·äYÊ{,Íì]O"GL¶®ìÖÛ=’¼¨k<D ÇQwˆœÎfuµ«zž
+ò±w§Qª*òÀ±Ü̵LvÃ<?|zFÆ—"€HI”ņWkŠl< É"ÊsíŸoʦ<–Fv±jÇ+
+-¸ŽÏÞ¬¥½´ +I;;=»âÞ-\Ë-kõ€JÔE´–­Ýƒ2Yùãà¤ãœl½†¢Häœ$‰b¡çøý=æ`ó$IRh !ÎêÅ¥ˆéQBR«ÊšÀz¹‚i´zNwÆQœj§9ˆ”¸ñd_ lj+P(›ØCg„­E±üxÜSÿp^ØÓ®JØîAPÀÏK‰4™²š2*^ÐÙ$¹WØ:áNm Ï קéì­UÔ
+ô>Vìag« Vû¢ÿœy#x™²Äœs
+öˆGÔ0‡–’½­kbe“Iø„èay¨¼hïù Ž®•
+àÑ”'jÀF%M«@ä7Çõ`n˜©¬ó2¬¬˜Uáû6Ä)ˤ™y‘ãªr%'E
+£ii…];^wUôGà
+ò`ÀG*µéúõƺâ[_ŒøSpðã<~–`*ÿÉÅZ»‚ç܃Äa|+’ÙŸ›öÄPN‡W%GÚŸ2=®b'í%ècyhÂIAq€MÓ‘’Ò!'we»@V“T½t–]QÕa­{t/NâøoU€ªíÈz&*{)2Ålÿ%d^¼¥‹‡«²˜(}é<õ>H_=¹¡y Ì*Ð×™0+¸!… j!ÍÅS(™Œ€ãÛãq¹Í¢¢$‹³çfqnÃò<,àœ\™—¢‚g*ï>tê9úñKgZ÷ûKtò¥“Ôí²¨CQ´L„ú]óÈÿ}3žG}&|ôgš'þLû2Ÿ Ÿ$4Vf}Êê¢?'>}k§J_€Ò\%óÛ6b£ÐI`®/ÖSKÎéê-r¢ém‡7à¥;î÷ís rFÆÕŒ b,Q†Ã­Á´Ù­gßRŽÿ¼²æÊäƒëö”}Ïü9ùk€Å^Ռ޸V$}­ˆË
+[@Ŧ?Òõ|ß*NR4p¼:/å,½Cy¼ãfkkòÒU'ãIuÒø^TæÔTØÇEÿxdñW0ttÁ¡Ë<ZÈHŠL=-Ńϧ]ˆ…L.†ˆ~q¼Æá¯<,Ž=aG&±†›³ÑÏcp¦„™*“M˜« ÐH³<Ÿl$:‡f>) Á†TìóFU8…¥ã—1S<ŽÏ\FRÓlª‘lb‡-ôÌšLõ›„,NŸ¾j¡y¦=Ë_ôJñŽ«p*¦Z–á Rà²éQQ ]0ú+bØýÞ›P¥Q®³lÊÙ6y,Üý! .ƒÀëiÈ) W¶BϦ\½¢ò„M³ö` -y¾!´wÀ}W€á0Äy!Ç0ŽR;F½ÌI˜ÎV>/CÉ`ãT.p¶ÝU~©Àþ8ùÓlYh[¨¢$ÏÌÅ©=Öll’õ¶SäSsà2¾œM+«{oVèlwaÛÌû^ö”Œ¯Ëvý
+/X†#©X¥ÁäŸÉGžS~–üK<vùøÎ;&z»ò`«_p_ð—g×?aÐøú'~㯢“ 3Ø$¹“ùÌ?›ÞV 9H§M¨3ÕN6:StÓGjçjkær“™òèaÛÎaeë¤ênË[¥#áántp ðh¯EÁg{z_ÂY¿¢°ÎcPúäü «›7Ã:ô
endobj
-885 0 obj <<
+1141 0 obj <<
/Type /Page
-/Contents 886 0 R
-/Resources 884 0 R
+/Contents 1142 0 R
+/Resources 1140 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 862 0 R
+/Parent 1139 0 R
>> endobj
-887 0 obj <<
-/D [885 0 R /XYZ 56.6929 794.5015 null]
+1143 0 obj <<
+/D [1141 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-884 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F57 624 0 R >>
+314 0 obj <<
+/D [1141 0 R /XYZ 56.6929 769.5949 null]
+>> endobj
+1144 0 obj <<
+/D [1141 0 R /XYZ 56.6929 752.0323 null]
+>> endobj
+1140 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F47 874 0 R /F39 858 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-890 0 obj <<
-/Length 2474
+1147 0 obj <<
+/Length 2579
/Filter /FlateDecode
>>
stream
-xÚÍMsÛ6öî_¡é%ôL„àƒ Áô”¦vâÎ6ÙuÝSÛÙ¡%Hæ,Eº$­v§ÿ½ïá)#q:{ÙñAàðð¾¿,þÄÂhÆU‘.ò"eš ½Xí.øb {ï.„?³ ‡–ÓSßÝ]¼ºÎä¢`E&³ÅÝf‚Ë0nŒXÜ­IÞ¾ó÷»«ÛË¥Ô<ÉØåRg<ùîæÃ÷)èçíÇ×7ï~¾}s™§ÉÝÍǾ½º¾º½úðöêr)Œp_z Ÿ¹p}ó·+Z½»}óãon/»ûáâênäeʯà
-ùýâ—ßøb lÿpÁ™*Œ^àƒ3Qr±»Hµb:U*@ê‹Ÿ.þ1"œìº«1ùie˜62Pç1ê‚eJ*'À?¾E^]§jr’/–J³"/´;s¨êú "ÙÚk{¿ßn«f‹Ÿ<i÷ÃãÞoµú­í'ë¯)¿ÓÑéÚö=AÊæH‹¡ÚY¿zð‹ÞvŸ¬¿QùóUy^$»vm_Â2Ï’îR˜ÄnK÷»>½TŸÈ™¬ÐZ:Îè1£’mÝÞ—H­IgÈaËñv‘ ‘¼}(›ÆÖ=íªáÁKoj¨’sÆy®á1|c}lÊ]µŠˆ9ULåõðLW GB½ï-3RÄù¢§½ÑŠˆ&p<@‡Öq½”ø”ä:pO㶃ívUcɦå@«ˆ­ÜÚž¾
-Æs%<wîîÒi9"ÃL®Rô¡ÄwS‘Ü[Ûà
-(Øw]´m^âB¡dÂ6Ê÷ÖåàWe³ö{ΰDVLˆé·n·[»f1jˆ1©Öú]yœ>“þÑ®ª_9— ¸SŠÊRf2ÎM²Œ“C È1ý±Â#„(ÁTšþØŠL…¥‹ä~ïTkœ'Iƒí˺>ð±þÈWp¯¯š•!2ÃR9²ú•„”uß^'Æžž$Ðë @¤3
-¾B¸¥ ýBœNŽrÀŸF`uï!Á—i‘%w1›“ª`JféŒÇo²€„[i‡ªmzODyœ? ÁuM+—ODÈC
- ÿÕ+÷®°ºsw -çtž:5 Ϧ\UµÏ6ÀÀü¨<+lñBÕlÚ'Ô´M}<§ âI;¿£FΨ)Ãå‡j‹ŽKD)L êŒê{œ»;¦Ÿ—º/­?+tB¸©0²â¡oœ“2ˆ1ß §P­œ8=
-¨\ǒ¨¶Í†¿ôtµ9£>´4Sú¡ì»þ×vÍ1½Xn^xš\~aQ{{ôÝÙE„Q;Bõ‹þy5­ö]g›!XÓhET1ESFóK!a¢Ä/…w ¹ÌŸ˜ccDïÿožüÕÂjöu=‘È!&ãÀdŠ!?Å”Ÿ¡íû@Ñqx}­õê[l)9Ïâž7=š@×”¡4ÆÐçF2i¨K¢“èhB’ÿyêUº
-ŽÐ¯üüÙ 7”‘8Çr{ÇvO‹ÆZÿŽ“&ü®ÊÇa?¶†¹òI·H^nLÃO(vû~˜ÒçÑÑ *ý×aR»X÷(HjÒ!$,·_ëPšŸ<Gó` Ü{÷)RøÈ2À/1‚`‚¢í¾øBt–4Õb\>â
+xÚÅËrÛFò®¯`ùb¨J„çÇÀ>9Žd+µq²ŠrJR.’¨
+îoúHà»ë›ë»ëï®/—\ÅÎ {ÃÜÜþãšVïïÞþøãÛ»Ë?¾y™òË™DFþ¼øí¶(í.X(3/öðÁBžeb±½ˆbÆ‘”R_ürñÏñÂÉ®9ê“_,U+‘z(¸O€q&RH#À®) d) †./42ÇääX…‰Èbx ñA@R&ÁýFÓ©uÝ>ä5­Ký°[ãRµþ¬-´ÈZ<hÚëõ`_lé÷?º»ä*h¯à3áAÞ”„hî[W͚жmiv]£KZ·+<»2gYðp hw©‚]ÓàYâh*©TELY–Œ
+ú ¶€´®—œóàŠ`«¶£…þw¾}¬õk¹Ì&"g@(ø”¤†Ð‚¨¹\&Ì‘PŸÌ;Ÿ¬ âÎ ¯B†?Õî
+ø$¤«¶}ñÆ`2‡CQf$ÖàY.p) }é½ù¯7“›% ãÊàì+´ Ág^‹‰ÙÈQø´¶n~-g¸”v§#쌌 ys ÅPmµ]mìÂÙž¨,>äÙóÜ8¨G¦I@V³ÎÍoy| ¨šÉŒ¸§Ç”#„TÑìrØ2|€]¥`G»Â}5l<ž+Ê.uÁ¨<4ù¶*|AK†œK‹vT^½ë53RèıþeO{G¢¥Ó7‚à
+Á‹TO9î¶U£É ÷£›L¢
+cä.Ž¿úm~˜>2 /Ž Ô’(TIÍ•’{ÈI!½&Ž˜þÐá¾@ÏC%™E³AçʦµÝ@éª2JMÁÀvy]øØä+¸×W͘I¦dðR’YýJBòºoé^#Æžž$Ðê,v‰@(h“¥߲xÄB¨BÒ™v
+¸gÝv=I¦‰t™$@y4J€&æQ”âÇŸ;ݺDá)î, ¢ QÆÁøšù‡¿ã¶u :d Àv› ÖÆÚáw¯kŒ2R%ÁMÕݸ¬£DPùä #*ŒèS9ŒqÄ#‡(L¹šÈˆoì†M ‹÷K.¦¡
+¾\¸¥ ýœ1G9à‡M#°z°ç€Ë(£jÍã‰2 ¥H¢ÞDµìX
+>´{ƒ‰èT>-Ãa+*:)#, ¶L£º/ºêa7§-(O±_Ñ"f"dèÞÐ Òf·^ÐânÒ=ŽøËéê§b8¿ üEht®ÿ)BqJ¤æPbÅ;}ᬱž!äü6j¾<Îc )Ñ=ƒÕã'›qŸë¦he®·móì^¢á¿ze» WX݈9„–s<FOðš~9 îžU^TµÍ6 9ªðô%U³jϨi›úpJÄ“v~ÌG˜Q“»Ã¶Õ´m¦yÂÀ_cE"Œ¾,õI+å:?mÑŒ“†c^ §P­9ÝKz.øÛqú<Ÿ&ƒ˜ëÚî_Ƨ ½U†nK ÓNÇýجÈ5}Õê|™è€
+(/}IaTÛêŒá§ž®V'Ô»–fJ@?äݠ˧î1m×ü¦—ËÕKK“É/¡×½}2uggŠ£¶‡ê—ýój*v]§›á¬!§ŠÉkœÂkœò‰0QâS!Á !—é™9ö'€n|vÂðÿ÷ä¯V³«g3ž†™ÄYäl‚HÈO6åghûÞQt6£¯õ£^m‹-yÊ¿§ÀI{£kÊPô-#™ÌÕ%ÞÉt4®pÉÿ4õJ]
+pHÅïPâyxå‘ UÆÝÌi¹ó0é4D(æ"s%4~[jêࣦ™XÛtBP£:øÅih£VÎC‡ùßÅØ=#óTdÎeGN^+¬D¨D’ÐtI°)ô\D󘓯íí$pX Äs„ ãXñÙ,.NÿÑÈg7vžcMCÞä×Ûï¯h5þÄ´ÖfÐsüÇ‹ó0SŸFÜÅèpXGyf,#•¥ßD¾v™¢Âª
+vV|\ …º¯³#ï;·‰¦ÿ¨1ß4³±ÆÚ¶ÈI*í@%Gè ;6à ©αÌÞ¡ÝÑ¢ÑÚ¾c¤ ¿Eþ8ìÆÖ0•6iàÉËŒiØñŠí®¦ôÙëhÿWk7©öοM,ñ{$5¡2–ë¯u¨˜='fΘõîc¤°‘e
+e$³SÊÇŽž“þ7½6Òóendstream
endobj
-889 0 obj <<
+1146 0 obj <<
/Type /Page
-/Contents 890 0 R
-/Resources 888 0 R
+/Contents 1147 0 R
+/Resources 1145 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 862 0 R
-/Annots [ 892 0 R ]
+/Parent 1139 0 R
+/Annots [ 1149 0 R ]
>> endobj
-892 0 obj <<
+1149 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [173.6261 554.783 242.2981 564.1926]
+/Rect [173.6261 500.8708 242.2981 510.2804]
/Subtype /Link
/A << /S /GoTo /D (the_category_phrase) >>
>> endobj
-891 0 obj <<
-/D [889 0 R /XYZ 85.0394 794.5015 null]
+1148 0 obj <<
+/D [1146 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-888 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R /F42 597 0 R >>
+1145 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F39 858 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-896 0 obj <<
-/Length 2361
+1153 0 obj <<
+/Length 2502
/Filter /FlateDecode
>>
stream
-xÚÍZÝoÛ8Ï_aìK æñ[Òõ)ÛMzY\Ò^Ö÷°·»(d›Ž…Ê’×”“õ-ö¿’²%G¶Ók
-i8’¿ù¦Ìþ±ÒD§<Ä©$Š25˜,ÎèàÆÞ±À3l˜†m®ïGg»Ò|’Ts=ÍZ²B“„ FÓ_"M89 4zûþöêúÝ¿ï.Îc®ßßž¹¢ÑÕõ?/ýÓ»»‹››‹»ó!K‹ÞþãâÃèòÎé ãûëÛ<%õ½»¼º¼»¼}{yþÛèdzËÑö,íó2*ð ¿ŸýòLáØ?žQ"ÒD á…–¦|°8“J%…h(ÅÙOgÿÚ
-lº©½ø1J¸
-ëßfժÿÕc,‚3ê
-è"p:”‚:ñ6Ѷ3&IR6똚Y¶.ê㊀Á{®öâ lÕÖ&›¢[JíÐDª×¬ÐDÚM¤gžÖ¬èhO ’I³o
-S¿²~ÀfÏ€ÖcÉ«\yÛrÌf²^åu˜îUÖALÚù×_)åÛÕÆëzo‰¬°¿YLGŸŒY†eשeEû
-[ºß*klæÙCîÌG0ý|žò¨Z¿šzŽÿÁKÝÄ»­Îê/öúó¾é5°Ø|l øØøÓí• ’2*÷ ,/Œgú®=Éß½ésR‹áË“òrVy¶a¯ø¿ÞôÁÔµºúîÕ/Ýs¾^ñû&{„%pßXë
-²Âc3£+j¸=ÔP$’ĉ`ýU(ï‘`ï’q\ùp…
-ãMñqp[»þ–ÁU‚ðXóà* }èŸBoÿ¬¢¡º}?º¾ú¹ôëjRG°ó›úÖ“*—ŒÎN$U.%Ii’ª –'±ûÐÉ}ñösj”ö>_
-N•B@SŸ›áÄÛq%Õ‰Ú [ã>ƒ®Ëvd¦ž_ä³T…¯ØtaRšzâcú·u™ 8Cs65P×/ò²!ÏÃkèúÒ'ªK$iT¹ï@ÔSAÂã<Ç|´ºõý
-G2ëéØâ#Á  ç«€¥cN÷›Ç¾KAN˜Ði`‚ž½è¯QÏ_‰R?ˆ¶o
-wT. Ò­‹Ì}™!ü ®Ñ!¾¹›W&ˆÐ·ˆC™ º3&Ó¤¹¦<ä
-<&±ˆÕþ—¼5Å+v¨aFó܆/*±»2‡î"…nÏBH(^ð«R§% ¹Æ(™mªV$9} ìæ§f劕׾ÅoüÀî».æ¶ÿ«^ã±Mk׸e©øÜ«Þîßö©/óÓ¯I™N¡¡£'")‹a±ö‘´4õcµútÒñoŸ¡Pðº&åH´lïåN> ö«…LO@¦ᜅh¹œ‚cœî66óIs“„sŽÁÕÚÇ· —T/a¿Çá’)áZ‹\ïu¿´ñy¼}†/ÃERèG bF¨)áRÇ}?õ ƒ“ŠxîKv¿º‘1IÒª7»¡?=€ú^ B?ùÙKó ”ÀÕÚúÿ
+xÚÍZ_sÛ6÷§Ðô%ÔL„#’ /OnjçÜ9;9W÷Ðk;J„,N(RH»ºN¿ûíbAŠ”)É>;3?˜\,Àoÿƒâ#þø(Y{ñHÆ> \Œæ«3wtcθå™4L“.×÷Ó³¿]
+9ŠYzáhºèÈŠ˜E|4MqBæ±1Hp÷o.¯>üûö|,}gzõñf<ñ×¹¼úç=}¸=¿¾>¿Oxpçý?Î?M/ni(´2¾¿ºù(1ý; ôöâòâöâæýÅø·égÓö,ÝórWàA~?ûå7w”±<s™ˆ£`ô
+쌚©ƒøq—y"ô
+δR.z¾b rQnzü­vÈ8Áq @1Á6‰m¥´Nî”Ý3Øzï|d
+æ#¸ëü<Ž=§¬ß¤Ä±ó¿npnu~T’ô×ä1ÔÀjû¹âsoàO³WO°˜»þže¹"¦ïºÓ‘üÝ»!'Õ¾ Ø8)+%±MÅÿõn¦¾ÕíÔwp¯´ôÀùÅï›ìkÀCà<¶ê®MV­CfzN¹Æê8ÁØeñ.¢ŸÚôœìå8­ãq|óxÀ¤ˆ¤\E ‹=Þ®ÇY-lC–ç—ÌEa} ëéê…ÚL0=uC.Û Çõ å9Ö1 ÇÃÈe'*ºþ.·ã ¹Rï“,Of9\–Ò«b:>Ì€¶ ÇTéù&[WYYX®rÑ,œj»V{c”æàýa³Jpz;kkW/‹*É
+6ÐuÙa ÚZ%Û&¢X£IS•öíhQWuWÆ®È'j® jÒl¿”çn ˜„ X ƒ'ó·˜tå^1ÿÿÍj6‚µ äê0ï€æ¹ Ë>63ú¢&í¡ ¼ŒaÍ8Úµ
+½ê
+·“°§P§Ú ‘-@·=èí6ˆÉÊ>iµ1]£Q­-5tÕËÿ- µgódÞvü°¥ÃzîøZzn"ÊÓE6Ö³- ÿ¸š½H°
+GMtlï‘`‡úøæqÊОî>SCW‚ÝE[&èW¥9ç´†<ºu‹8~³îæþÜÕæêÕ*1ßå„}µ—èžàæ–à Âö,âÐ5&`;~5—”‡<Á“L
+ì§Á;S¼`‡
+fºÌ´ýž"Í…¡8t)„0{‡Ò¿y!Å~XšiꀒÐkS³"ÉèK`'Ÿª)UÞR{7ÛÒÀî«.bfzø›^ã°M[7 x—ËcñÜ‹Þ#ž¿s©—yé×£žÏžŠ£^„?D 8Z¨ê¡Ü|9é÷7–"(T»¦C9+;{ù–S÷ Qãá Èx.Ù`¹NÁ/N·[ˆ‰Ù¼¹DÂ9Çàêìã[†ËuYè†'.¸ë3t¿Z“¯uµ`•ñœ$NG^‹’¤&> Æ%]]ìÿÇ,5Ÿúßݯ¢|ÉDyÿéñdZ
endobj
-895 0 obj <<
+1152 0 obj <<
/Type /Page
-/Contents 896 0 R
-/Resources 894 0 R
+/Contents 1153 0 R
+/Resources 1151 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 862 0 R
+/Parent 1139 0 R
>> endobj
-897 0 obj <<
-/D [895 0 R /XYZ 56.6929 794.5015 null]
+1154 0 obj <<
+/D [1152 0 R /XYZ 56.6929 794.5015 null]
>> endobj
318 0 obj <<
-/D [895 0 R /XYZ 56.6929 769.5949 null]
+/D [1152 0 R /XYZ 56.6929 729.6823 null]
>> endobj
-893 0 obj <<
-/D [895 0 R /XYZ 56.6929 749.9737 null]
+1150 0 obj <<
+/D [1152 0 R /XYZ 56.6929 704.9004 null]
>> endobj
-898 0 obj <<
-/D [895 0 R /XYZ 56.6929 433.0023 null]
+1155 0 obj <<
+/D [1152 0 R /XYZ 56.6929 387.929 null]
>> endobj
-899 0 obj <<
-/D [895 0 R /XYZ 56.6929 421.0471 null]
+1156 0 obj <<
+/D [1152 0 R /XYZ 56.6929 375.9738 null]
>> endobj
-894 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R >>
+1151 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F21 654 0 R /F39 858 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-902 0 obj <<
-/Length 2754
-/Filter /FlateDecode
->>
-stream
-xÚ¥koÛFò»…€ûp4zb¸O.“Onâä\$NÏvÚ¢ ¥•D”"U‘²ë;Ü¿™åK¢¬¸n€îr3³óž‘Ù$‚lbT‰DNâD†*bj2[ŸE“%ì}:cþÌ´94íŸúþîìÍGÍ'I˜h®'w‹,FÆ°ÉÝüçàý?/~¼»¼9Ÿr:<Ÿ*ß_] •„†÷_¯?^}úéæâ<–ÁÝÕ×kZ¾¹üxysyýþò|ÊŒbpŸ{G.|¼ú|I³O7_¾\Üœÿz÷ÃÙå]û–þ{Y$ð!œýük4™Ã³8‹B‘5y„(dIÂ'ë3©D¨¤ÍJ~v{ö¯`o×]㟌Xȸx ›ãx Gxý”)Jïã2‡RÅ Íx¨Œˆ[©È¾T˜¡BMb•„ZpáÄòÇÎn3[!{à¼èÆÄJÆ€ÏÝnì,[<OWv{ÎL`é³á>ªU¹Ëç4¿÷òr¹´~­.CD`§ x wð/êó)p/¨êt[ï6ÿ€/ÀkV,i·^YšÌÒÚ.Ë퓧{ðN-C®™ð„ 
-š"-nb‹ºY#qoÊmí×ÍÅYžÁ¹¿û嫉Àt>§+•ßH‹ù~„x>:ŠÝú´
-¬d/ín¸‡
-'žF¡uP¤këÏÍò‘àîÊÓÆ‚ƒÐšWõ/ñÅÉxÊ™Ú{,€rרß “;Ûm+
-«âžÂîq™täEj}ÿØß4x@ý<9Èw<½ÅþøÚ?Óõ&·á¬\”«k/à?š}w{9v»úí[B?‡” -l} é”öŠ„ˆkˆƒ}/üJ×.¤ DPðDÂE$_
-âŸ{\˜±cfø a*H"iH˜<}vZ”×··—ï=G ïîn¯> øX—³2?à,úÖöh~:Ö
-­Ô @67Ž³VF¡QüTV¥4Ð íx–Cxš’úžN­>Ãa[*ñ
-_aä1ÆæÊo´šŒ묚•õån›bRàÂ_ä"
-à˜ÒÐ{òR÷¢©:øOYXša¬‡‰5X ŒD“WŸæg¬BžÈæ¼³ÀÒ
-õËü\ñ¿M×kpž‡²Uã2L$“¾Ê<„f¤,&KÃ}¸4ÆïŽTv 4PIå5Šè:Ä ™°0WCŠ]ßG0ȯcP™¸5ÐRãb1‚Cs(‚usƒEnߎ@œrl5Ø’ˆÃDpӣܥºÿuŠÎ“И8ªyžUµEëjNº!Ûüæª?÷Aõ_î>ÞùDüÏ↡¿ô¿wcÎâ!³tg¿!sÞ‡¿t lŸây¹N³Â]’7¶ñ<-Ęb^Öž}TÖ¾óý„!‰ ±¯õÚDõôŸÔ÷%]d¾SÐÏØ~ªÒ¥ýCUl ¼ëDÕkF B‡Š-8 º”…b­Rmâ±àQ›õ»í’F*×Ýlæá¥BJCž-Wõ£ÅÿÓB›Px`-`ˆrØ;ä‚JYk÷=´âb ÇáJ‡:¢JŽ6·Ë Mnzž¬=?í_ OÖgÏ!\×X³3
-~S‰‰ÊP7HŽÂ˜
-Kyû*`̾
-ÀJ›~âÇcV¯|OœGÞëóͳXøg76æË›ÝÖTu]5ç>ãgŒÄ±æIïoû‰+‚\¤ëçU½lE9p>AZø©ëÀÑYåôZdpÎu¼Hº¸Gi!nÔ.âZV
-œàf÷ªÖÑÞïˆÙz·`R7¿ÓÁœÚ9¸F宸&Š¤´DÆ{r¦£¨4´ës~Ù¸hœµÉ€vp¯¹—z$öOª`ÉùOZÍËò÷݆–ï­o\Ùc¥ ëjyÅݤµŸÙ¼I7*txì/
- ‹—ô{Á~.µÞ«ÿÚ ûS ‰©k¿ñ?ð0M“Å…¯ñAÁ#L¨ GHÿ?¤Àƒžendstream
+1159 0 obj <<
+/Length 2765
+/Filter /FlateDecode
+>>
+stream
+xÚ¥koÛFò»…€ûp4zb¸O’é'7Vr.§g»ÀiPÐÒJ"J‘ªHÙõî¿ßÌÎ.EJ”Ç1}ÏìÎ{†b£þØ(Qa$R9ŠSªˆ©Ñtu°öጹ=c¿iÜÝõÓÝÙ›÷"¥aª¹ÝÍ;°’0J6º›} Þýóâ—»ÉÍù˜«(ÐáùXé(øéêú’fRjÞ}¾~õá×›‹óXwWŸ¯iúfò~r3¹~79³D18Ï„#Þ_}œPïÃÍŧO7ç_ï~>›Üµoé¾—EòçÙ—¯ÑhÏþù,
+Eš¨Ñ# ¢¥)­Î¤¡’Bø™âìöì_-ÀΪ=:D?±q%Fð
+¦,NŽã%àu]¦T(Y¼wÌDJW4ã¡J€ž+œu¸Â¤!Ô(Vi¨–-nÍ&75’ö‹Î~ L¬d HpßíÚLóùÑôqi6ç, = ;¨—Õ¶˜QÿÞm(ªÅ¸¹¦
+€3 RÜ¿hÎÇ@½ n²M³]ÿF
+Θq·ï1/
+‚ue¯8æ…àªUSf÷¾,Nú9 6O4ÂwÚ»â`[¦®‡.ÈãKžt.ø'n‹%sûªu“W%Á^fHí8
+›’îÊâ(L‘ø»’ÖYþEÜÌÉ~·4ÈÞ‚ºxÛ1eãçˆÝëjÓ8Ä?8-rØ÷w7}õ ]0›ÍèHí²r6„!ž…Žƒr»º©-Þ‹TÛvގ»£Ð:(³•qû¦E†HpÃîÈÓڀКWM/ÑÅòxÌ™Ú{L€p7(ßv@τΙn751
+ʪiwÀ9ævM.¯o{Èà„»Ú¶64h&x†æ«M²{švd¸'FÎ¥×_„z‹PCX‘vvÊ$À‡(
+Pê#øcÓ`õ[°ä<"ÛñôvûãchþÊVë„ÓjEP®®©½€Ôûáv2tº‹úí[B?‡” -Ms é˜vŠkÍG]+üJÓ.d
+ð `‰¸‹H¾
+TsjóxéfY°Î¦«x°ÔT®µ‚ Úl¬"BUͶ™ñAé{#8îÜTÖ›®ú>im«)X(g¹Ù¥Òë(¿c¦¸ˆ{îqfÆ:ŒYÂO0S%€$’ 1³„§OO³òúövòÎQ´tVàîöêCŽM5­ŠÊ£Ÿ!mçί£ÃŽ´B…‰Vê ý‰ã¤•Q˜(~*ªRî SmiV€{“øž­>Âfp[*u_£ç1úæÚ-´’ŒƒU^O«úb»É0(°î/²
+ÊD:Ûj
+³°ìWeñtZ/ÛýÀI›ì!ÆX
+=ÈŽ
+©ÃB0þ®ò¦±¨v ’¿¹­ÂÛŠu·¦A/õ•:o®ÛÊ›ƒD—¶]8{¬ÁÆü–dÈzÒ“xÿ¡Ø&Á}^Îjê)°·Ùø
+ÚŒš} Ĺ¾âŒg¼\õ
+Õmª­çÂÞ*+KªQzÅI[°)«Í*sÐé10éëøöè®
+€Ií¿ýAŸJD8GYÎØÂŒ¤°DÆ{|¦­(4´êb~éM4öÚ`@ö+R¸æÏe‰ù‹²˜²ö“f‹ªúc»¦é{ãŠaGª«$ª^p×Yãz¦ðáæQýJ¢xIß öcñ¨Mð^ý †ÝÏ;$†®Ý = ã 7îRøjÉ‘„*áñÀÕÿÚÁ”úendstream
endobj
-901 0 obj <<
+1158 0 obj <<
/Type /Page
-/Contents 902 0 R
-/Resources 900 0 R
+/Contents 1159 0 R
+/Resources 1157 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 908 0 R
-/Annots [ 906 0 R 907 0 R ]
+/Parent 1139 0 R
+/Annots [ 1163 0 R 1164 0 R ]
>> endobj
-906 0 obj <<
+1163 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [519.8432 252.798 539.579 264.8576]
/Subtype /Link
/A << /S /GoTo /D (lwresd) >>
>> endobj
-907 0 obj <<
+1164 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [84.0431 240.8428 119.7369 252.9024]
/Subtype /Link
/A << /S /GoTo /D (lwresd) >>
>> endobj
-903 0 obj <<
-/D [901 0 R /XYZ 85.0394 794.5015 null]
+1160 0 obj <<
+/D [1158 0 R /XYZ 85.0394 794.5015 null]
>> endobj
322 0 obj <<
-/D [901 0 R /XYZ 85.0394 451.0558 null]
+/D [1158 0 R /XYZ 85.0394 451.0558 null]
>> endobj
-904 0 obj <<
-/D [901 0 R /XYZ 85.0394 423.9067 null]
+1161 0 obj <<
+/D [1158 0 R /XYZ 85.0394 423.9067 null]
>> endobj
326 0 obj <<
-/D [901 0 R /XYZ 85.0394 301.4703 null]
+/D [1158 0 R /XYZ 85.0394 301.4703 null]
>> endobj
-905 0 obj <<
-/D [901 0 R /XYZ 85.0394 271.3564 null]
+1162 0 obj <<
+/D [1158 0 R /XYZ 85.0394 271.3564 null]
>> endobj
-900 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R >>
+1157 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F39 858 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-911 0 obj <<
-/Length 1236
+1167 0 obj <<
+/Length 1235
/Filter /FlateDecode
>>
stream
-xÚ¥XÝs›8÷_Á£ó U|ÃÝSš:½t®éë>µ Âhˆ"Ñ8w×ÿý$KØà‡L&“Ñ"vW»¿ý`eÛBò϶ü
-{o÷¢£øÙ:®Äê1€žcÙ6Œ}ß èÇ0p÷€ íJTBósA®½ü,° %©„Á¯Áe‰åò›k?ìEYÀ ¥™(Þk<( ¤Æ
-—DS5k„¦h½>>ü«—oÈGš2âë‚rÃòßA §isVÛy8!¤b[S¿ëB¨‰_ÝöÞ£!TÒ%/‚¾ëÄG¼ ½#ßr**(«ô®RM|áxKg Ðs|èGÒ>zšÑí1JŒ]/¤€âSðpQ°{Mf¬1{zIXYv–pbŒd™^Ž¦× Ñ+Áœšn91NlÌNÙ‚Ö…áå¢ÝœxË üÓ¼ý‡U„Ã1”Açpè‡atÛ7`³ZA9!#P0 öW95ºUäƸ­Ñ1
-8GÜÁ.#Ín±×ÏJL Jš~ÒÍŸ÷[Õúˆ˜zxÜë'9-ȻҶ¬'0k£JRªD•M…&|ò5M'ó¾H½6Jup”Ó"„¯Y³®Øè)¸9¨výpœH‰jŸ‰¬QÀ*@vTœ—²Mþ᢭M¸÷ôZÔè¾#€þhI—~çMʈHr°-Z2Å”¬hyöMVyÀóV¤ì~’ï9–"E
-’‚Êþ4 _UГCb‰€ïÌlЖÒŒSÒŠ–¸
-ûxúQ„¿† ÓbèѶb y&û±ô+Ü
+xÚ¥X[s›8~÷¯àÑyVÜaû”¦N7mºëºOnÆ#ƒš
+Bhžãš“ªVV~易œ\óWá<Ç•4Yx&ìyÀö…š(Ü#v ž@,pNTm]²Š«*-7²q§Zÿ¨â+r‘ªi€MFk-ð£“Ãq\½‚·~ Ϫ&*w¸©joô$¡û÷²iH–0Ê  k[á&gMïÈW„¬‚rÊ
+Õƒ‹XU¾Ôøžtk ø³\è®?àOM´{˶zB@Γôhp–±'UMX¥ûT±<o5©‰V’%ª™*·D•×4{Võ¦&Úˆ­îÉ›ŒÓ2ÓskÞl¬­3ü¨G¿³‚ÔðË 5 Øt}?8íj²Y)©±'Tuœz{ÄUJ5B[òT+w¯1ÄÈÑ—Ž2Í
+6BÜð»¾ûω¼"|
+Þœ5e¿¾QqcÄú ~ €~kH{hÎQ>!<JÁ}Öó•N²¦NÁþÖ‘–×iÃcö4Á €,QFEøžàAèÎÝæ/
endobj
-910 0 obj <<
+1166 0 obj <<
/Type /Page
-/Contents 911 0 R
-/Resources 909 0 R
+/Contents 1167 0 R
+/Resources 1165 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 908 0 R
+/Parent 1139 0 R
>> endobj
-912 0 obj <<
-/D [910 0 R /XYZ 56.6929 794.5015 null]
+1168 0 obj <<
+/D [1166 0 R /XYZ 56.6929 794.5015 null]
>> endobj
330 0 obj <<
-/D [910 0 R /XYZ 56.6929 769.5949 null]
+/D [1166 0 R /XYZ 56.6929 769.5949 null]
>> endobj
-913 0 obj <<
-/D [910 0 R /XYZ 56.6929 752.2028 null]
+1169 0 obj <<
+/D [1166 0 R /XYZ 56.6929 752.2028 null]
>> endobj
334 0 obj <<
-/D [910 0 R /XYZ 56.6929 693.9224 null]
+/D [1166 0 R /XYZ 56.6929 693.9224 null]
>> endobj
-914 0 obj <<
-/D [910 0 R /XYZ 56.6929 663.1642 null]
+1170 0 obj <<
+/D [1166 0 R /XYZ 56.6929 663.1642 null]
>> endobj
338 0 obj <<
-/D [910 0 R /XYZ 56.6929 628.9495 null]
+/D [1166 0 R /XYZ 56.6929 628.9495 null]
>> endobj
-915 0 obj <<
-/D [910 0 R /XYZ 56.6929 601.0964 null]
+1171 0 obj <<
+/D [1166 0 R /XYZ 56.6929 601.0964 null]
>> endobj
-909 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F57 624 0 R /F43 600 0 R >>
+1165 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F39 858 0 R /F23 678 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-918 0 obj <<
-/Length 1174
+1174 0 obj <<
+/Length 1161
/Filter /FlateDecode
>>
stream
-xÚ­XÝsâ6ç¯ðcèŒTK²ü1÷”KIš›^®¥ôézÃ(¶jÍI‚mï¯ü…m°Á! òþv»ÚÕ.B–m>Èò)´IàX^à@j#j…«‘m=™ww#TÊ€J4¥ÞÏF?ÞºØ
-`àbך-º|hû>²fÑç«›Ÿ¯M¦c€©}åÂ1 ®}õþþá§b%(7Ÿnïïþ˜^=çjvÿé¡XžNn'ÓÉÃÍd O‘ÁãRCàöþ—Iñínzýñãõtüeöa4™í}iú‹l’9òuôù‹mEÆí#’À§Ö³ùaCØZJ u©VâÑï£ßö
-oshWü(ñ!õ±×@ê5ˆìË£t &yY§Ï`ëµKô’+¡ÆÀµí«‹‹"É•š¯˜—óX(]¬—ùn
-ƒ"_$Óü,ŸBðó2úe}ȆŸTZ¤Ò”÷a2¥ Fà™ïó5¬X²+×ëüFÝ- ¨|ÏòÂ@G Ê‹Zzm<HÔùÝ­¼­N§Ê[±vŽª¹$v:ª†Â ;:‹¦ã,mÔò$NôìBã ©©¹ÇÔL³'Æb5÷"j‚8ïå­–kð²°Õj2N7ç…Ü<ˆ]›´ÚcngC‡í
-^ WMgˆ¥Íþ2NaÌY"’'Ó4—[ŸÕ’3©9ÓC …‘\pÁB>b\ѦŠP g¦Óuj¶|÷Š? ÊäZ-s‘
-)× •QÕ³K-ùJk;ŠîX¯“Üïòcf†7­ãAsX²p9\|ˆt9‰'`¶FDBï:7êDê­DdšÛ²“<+胣ûDá¬eºQ'ªg”4ãšÒƒåµÌ
- ”€) Ö쨫œ –»Í&£–ù>4Zf_.åÖ´wPÃÖ`PaéèÌîþ‡™TivÐ.dºl£—ÃcwˆÎu¼Üe–Dñ­¨vlÍôrž°ÊËw}·:ÄtyBºî`ìý¸WßøÔ×aŽ}}ï/sÒ¸Ì!¶ }x©Ì52ß_ SÿëìMendstream
+xÚÍYMsÛ6½ëWðhu(>Ibrr\9u¦qZU=© MB2kŠTJ¶Óä¿¿-Ê"e9ÓñAÀ}ûöa…]ÀØ@ú6‡ˆ
+fX‚AŽ07Üå
+O,Äzå9É©5È@Á<Šuªze>
+%ØlÔ&êl2L@F…Ùº>?FjàÝ‹ÔȾÔ)ó¶={Ì]Í„‰‰HïìÑ,ÕßN˜=lŸoÖ+{p§ì1÷eë¿t‡—èœ=Kç±l/@â/¥nk³™p½¼•q‡½k"Z'‡1öÓð½ h4BIÜp_†E ëì=ï¥6òH{%cß ò2.Û§ÎÌkö¾ìë< ;¯}`-ûšªëæL¿ç™…èdÜ8O,ð)W½N…;µÍLŽ¡ªŽÈÑÊv¥c UßÜ*Tz^å{Vu…e™í;Át§Q¹iÝ^Ú½Ÿñl””J}ªQH¨%öœ ÐKÖÚó’SçÊŽå* Áœï9#ìp=(-!b ™o$-± f6i?)ý£Ý'oŸC|v|ï–ôUKÚº:üU«ƒ-
+)¢uu,§|õûy‹_§Àl¯ëZS^EmW"°byÈÑôa£ÛøÞ±$ûóÑ(ÿ«<¢³øG/I¨+[ež>ÍÔJº]n½"ÝÿíZ¶ÈÞnï9‰ÓÓ¾ÁÜŠjÜß¹JôÙÿ5ìÝ@:¡.¶W•ñÆ zê'8¹•NÒ A`k6w\y í’œr˜Þl·\i£²!~õzõߦwÛ&åÝ8¡µ»qŠLha¤Ò }μ¼iߥþÝilÏendstream
endobj
-917 0 obj <<
+1173 0 obj <<
/Type /Page
-/Contents 918 0 R
-/Resources 916 0 R
+/Contents 1174 0 R
+/Resources 1172 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 908 0 R
+/Parent 1176 0 R
>> endobj
-919 0 obj <<
-/D [917 0 R /XYZ 85.0394 794.5015 null]
+1175 0 obj <<
+/D [1173 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-916 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R >>
+1172 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F23 678 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-922 0 obj <<
-/Length 3234
+1179 0 obj <<
+/Length 1707
/Filter /FlateDecode
>>
stream
-xÚ¥]“Û¶ñý~…Þ¢›D0$8yrâsric§Îe:$“R"$qL‘2Iù|ióß»‹ø%J×´w
-ixH?­6éfoVMþ»¹]EA°ÄÞoÍÑlèóK<%ZqÎ¥„›×nö«Cz<šl•fYmšÆ44áÉ4¿Uõoe5;óX›­©k˜¶+NŽâ/
-¨÷’š»/øÞ¼}s×Má“õI$LV6«Sv¨<Ö¦žÝM]Uí*3…Ù¥m^•«ª,ž@DÌ2Ÿ6Å)sKüË­”L‘7-}ýá0gWþp2õSQí&<™å)í<Ë›t]˜UZìª:o÷ÇϬ:¤y9ÚG‡ò¥ÛÂà"± Ó:NÆ{£Á¯C±èÀ[ÜN¨YŽnñ– `¹êˆìiHþlÓÖLÙÒç+óKˆ2G ‚¤eFŸštg-9E %‹Â0²¤ö¦ÛPÄ5K’$dÄñ;8_L‚ÖI©^3Øœ”ËÆ´ õNGjwEµN ê÷Ç‚¶Â6\®›Ð˜Œzë'jÑ@0ê>ìs7mBð:dÔ´vt¬XQocèf”ÂmóñÍà=Ë(Z¦ØÄËMU"ow§:%îâB
-ûˆT²¼ß°Ý›ú–륡‰¸9ƒÀÍ06ÒL' ž³1tÁdL8û¬(¸e¢Õ1 ®‹jóžº „aÀÂŒp©WCÃÈxämã„6ˆ˜VI2ѳMO…ºÇ¼(¨g¯ Z¼.vf‘9‹9*Œ™TqxÁ‚Òjˆe h8ç:,RÚÚlÚª~šRNbo­¯SöH3”‡÷À²ˆ1iÔš•jùXÕïórG°!+›ö–/q_Zm©mýœÆÔAbÀ¯¡ó©Y:ÔÌ`ºnªâÔ:ÜcÚîÑòá‹dt¸Ö¹”¤ÔÝ'g ¢±¨Ó ÊN† €é{S(m¨¥³°îGTÑHk{ý‰ñ¸œs{¤„;!†—\
-]4Na”0üºqb]6NR}ožV ç1CSr•ºGš¡>2Pp‹J)9&ÿ÷½Ug,¦E;8±‚ë|•È74x:f©55зv
-³9uþ à¿W¥i¾ ûC’ʃ3áÐãÀ Â2êñ´.<=ŒN¬Y
-¼ =Oó´` uzźX;Ìmu*­*…É2ß^ØËÖm #Dm÷Ös
-¿=èÀaÇ8“®/¸0ö`ª3±åXÁ[NM;öŸ©Þ:Û_×—‡HÈçw€uEp=Vg0WŸsS© 4,‹b{v‡uN\EC¹å¨ƒQ§ØNJ݇+Ò…TCþ˜ÖÌ™³$a²0gðî[šam.A%‚¬…–RNÓ°öZ{aÛ'´÷ HÞqÛÙðY„
-òÂ..³tj†e ×ÀKÍ‘Lì®N I«±B¢»TY/zqŒ4íwcŽi¶³=F/RñÿfG
-RÙDy×1ØQ±Á7´¥1™É¾Ä-?ZèöTnðâÒ"oŸ†@_O9…x­Û³c žpúiLN GeMTBF0²ñ«*1ĺ¬ƜRÁ3K„Ïï°f¨l9OX Ñ÷˜<™à•ÏF±)¸KSfV¬•“HåïDžе¦]Ūhö)Y-7èPw¦4(CÍ°‰Ä¹8Ip:2 |‚øð—»Ì’ˆº AìúÎ1á èÞ¥ŽY¨ñ½oŠœìq»8rúÆ>‰›9ÙQ³‚¹ë’ kåÕÒ|Ú€;ØТô+oiu›E"ažBë
-B‚0š0[tH3ÄÇö8„l@#ê®0WäZë÷-Ó zé®È–¤7óªr<«Ú®žz‘w<‰1F”×y7ĺ̻ËäÓáxuè~Ÿ!ÞaÍP3/b!&#òåÊh”h¹¨FFÞû<ådXgõù™—FÄÁ£4“yYÚ¦kx®¨}¤pzyÙ´õ­^ž6ü²Ê‘ð“æƒâ•ÀD6
-'Ï\e¶qš »ÊÖ¼ŠÄ PFuÝN„b\7iâ¨<Ÿ73‘€5+Àïaþ7½e >‡ëÖŠiI§çQƒ^Ï?¡®ºWÃ%ÏßG%‡eÂ$é){d³ 9Ó¡äÃâ欪(ÅÂH>óò0ĺ¢*ËF=æ€/29èô¦¹¤32bª«»è°f¶1Ò8²”ÌŽöá\V0ÐüBÁ¶õÃ^g@>psàAê¼µîúp8*Âj4Døˆh»ýÝ:•#VRk>å-VvN¢«Ité½ ÒZÙ'5gu±ÿAž‰ïhCqfîVæâg a’hØ%p
-8=#0¬+ã±l—gÄDã#±–×I{¤Ò£ØŸ(‰Æ¤æ XdWã¾¾ÕÛÕAÑ«7ªq'#¶†Öº²š«mLã
-ŸedÕ‰2è8'vé·Wcà¦f,XÐýØåÿþ]Vÿ£5,ik}¡”*bÍB ‹¸MáIÃàÜð»poý?4ħendstream
+xÚ¥ËrÛ6ð®¯Ð­ôL€|srrS;u§uZG™ ‘Ä E²Giûï]pI‰”hW’í‹Å¾€ø”Á?Ÿz>õ#;š‘K=ƽi¼ž°éöÞNxKC:"Ò§úa6ùþÚ ¦|ÛŸÎ=^!eaȧ³ä£åS›^
+ÊyW{Z~ÕÿTâÑÕÑü亄Á¯ÀÃ'u%<¹±>îüˆøoE.Õéi3šø;Žˆ7Ðiö›¬
+’Dbw¡:]¡=6ÇŽb;4âÌòÄ;ç÷×6ŸnÑ #Ø ¨ÁöqÄ}xð0s§-MÏRø€y×}¹†ôÃåòcvÞL8ÄÀ„BàƒKÙÊrz e{”!>#f+¹UhGÄCEQ
+ ÉŠ8¤EBƒÛÆñ‘jÕ&-óièEÑÐ7‰\ˆ:k“î1Í2„špyÍÍ?¡OjNÎý)wÊm;|â ŒD¤OÕ¼€nëžç[ªF©´’±. ÿîIŽê»aø¼äŽhDr?œÙ+ÌŠ6UCÛ³‹ê3Ì6\€BM@å–Ñ«Á üêîLÛ£×2¿^@Ö_æ-iw1WEVë–Ö\/MÏ3!¶]ÌÑ>¯Ã,$fiON™Ãüa81‚Ž‹ç¸P€â³Ì%~Ñ– ø~éˆ
+ÜÑMhg±1—sÞ˜ñÖA†¢ËÃ
+í¶ÆpÚÚ–¦½µÓ í¦1F7`–skI52j¶C†Ñ4[Ûlå f|ÓøS!¢é›@ûçˆ#ß¡0º&NÇ@£ ð[‚ï^aƸ0·œÀ÷†)ƒçò}µ׶ ¦X#Áã*mZ€í!»KyÜÇ㦩UÚ4â…^—1#xße-¿UQg nÎÛsMO„½mLtSNO6*ߣtgÛÔŽæé&ÕÒyŸå†<Ù¦8¨¸ÏÉíHäZ”mSÏóœ¾à?VM9sxàÁ%î—ؤXd%(‰4ÆͺLDÓj
endobj
-921 0 obj <<
+1178 0 obj <<
/Type /Page
-/Contents 922 0 R
-/Resources 920 0 R
+/Contents 1179 0 R
+/Resources 1177 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 908 0 R
+/Parent 1176 0 R
>> endobj
-923 0 obj <<
-/D [921 0 R /XYZ 56.6929 794.5015 null]
+1180 0 obj <<
+/D [1178 0 R /XYZ 56.6929 794.5015 null]
>> endobj
342 0 obj <<
-/D [921 0 R /XYZ 56.6929 647.683 null]
+/D [1178 0 R /XYZ 56.6929 242.1112 null]
>> endobj
-924 0 obj <<
-/D [921 0 R /XYZ 56.6929 616.8659 null]
+1181 0 obj <<
+/D [1178 0 R /XYZ 56.6929 211.8603 null]
>> endobj
-920 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R >>
+1177 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F21 654 0 R /F23 678 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-927 0 obj <<
-/Length 3384
-/Filter /FlateDecode
->>
-stream
-xÚ¥ZÝsÛ6÷_¡éËÉ3Cð àäÉÝ^zÓ³û˜¶4 YœP¤JRv|7÷¿ß.v‘¥ôæ’–ÀbñÛOH,|ø/*öü02¼Øñ"ß^ø‹'ûáB0ÍÊ­†Tß=\¼ù> ©—&A²xXæRž¯”X<¿,ßýùê燛»ËUûËÄ»\ʼn¿üîýí5õ¤ôx÷ñöû÷?|º»º”ÑòáýÇ[ê¾»ùþæîæöÝÍåJ¨XÀ÷ÏpâƒïßÿtC­î®>|¸º»üíáÇ‹›·—á~…âF~¿øå7QÀ¶¼ð½0Uñâ^|O¤i°Ø^DqèÅQÚžêâþâ¯nÂÁ¨ùtN~Q¬¼8ˆ’Å
-ˆÃ„6+eßócÚJFÂq:)G³R¶T(å®Ïú²ë˼[ýêûA¥§ûQàù~,†“±à¨fx<ˆ(ñR•Äc&6úrúÑr—õ›:Ûò[³Æg¼ìí0shÚ®³Óí³n‰2Ûít]t<à¶Æ_4ô|ÙèšÈ˺ëÛKµÜç½.ÆD?»†H÷]Y?¡l&B]…Òó#?/cÂn[9|—7Dú€ì™
-ý\æÇ~NKˆ09¿¼£šY„vpô~¥c ÚEêƒÚÈåüŽ†Ÿ`} Š»Wê@ùâó‘ î÷X
-7'A
-qŸJ’1î˺ìKkxó¦ÆSzÚ²¨³j2Ž¾lävð'>†¼m¿ß±5/·Ö ÔÅ8=mH†<`§ïöÈÞ„–øND¸hwÒ Ä€(Ÿ³N`HuÚ 8*é´z­ÛV«'Dâ‘ð1*Tç×wT3 Œ½@ì)Š1FwT0U™Ô*¤
-—UÙ™ Éúצ"üŠL`
-¶§`v½´¬U#‹®n?Ûè?£
-6©¼XJuž G5ÃÆl
-2‰8c>.1jh1T¤‘¡s¶½f0äzKIôŸ«ðÆŒ›Î’'yøéº#rqß쨻ÒϺâÏŒi;öžŠm~AΪé O2ôNðd|ü4ˆÌ,¦vC¸é/yµ/ø¼Qg<çÁ3È„rŒÛÆ¥]cíÁÌì4bˆ³ƒ
-ç¨LVv˜–¬²ê©i7ÛîXÝ|Oùò< –h†…‘²ÉØ“`ÚÇ<\˜™qˆ`µå`çi„ck38`׌ŒO xGùòµ±„ˆŒÅòOk¯p?QŽa±«æB,tD©à d^˜(åAöh‹LXŠ2–dN¯²
-6AÁ#(ÍG§L.7Ü6<ìÞrklê²ÏÝ®*q²Seàë+6}Hub–ÊH¥îÀÁ­ª¦ùœueq<$!LÄg9pT3,Œ Ñ­ÊdÌÃß)^M°”qêñAF‰Å¡;È–§Çè{ Öè}Œ…~ÚŽÖaÔ) ÝKHÏLè¯lœEÆŸU¯ÛšJ
-qpd³J›ÿIÔÎ[Ò!‡UpÁ'ã×… a\SêhÊø@bj8>‹o06\¥œLL¥Äªàà+rpÔ*ãL
-†yzYåBp-z§»~æè’Äó…HþøÑAdà ðrôÉZb›µ V¬±$[Q'ÍJm>PN7BNý` Ò랺xŽhùYó>ö5•Ø1@å]þ!¢Èó5)ž[úUVç’©dµ&é²hM­ßžäèhZÞù6AÚ
-ŸI²¼&·K}cÀœZe«yt¿.€z1QÉ`*yVÏ3 SÏ0΀Hq
-Mݱcü¡€!覱§ðTâ
-`,d‰}ik„¬Ã1ïËgíÍ]ï
-) p0À
-Á`$mzu57¯òâDX’GëŽ]ÐVã¶qG¸XÃ1Úí?®?~¸z;tzT~ê˜AýlCëïg®%׬1Ò^ •kYa•"
-=؊̺áé¸XB«`N˜q–ˆTãPâoê‚3RÃ))—¡žƒ«r?Ý8¡æRÂy'â+¿×9ù¹ѵ1Ú}¼5]5õJ)/á1‡âô,Žè˜ƒñVMm#±`ï¦ýÁÝ4dÝ&ˆ_8ò3Ìóð“-E$ˆë†šº>\ çæ›hß^eéêmCu`yFö¹ß  L™@ÐBTÇ
-Ãý¸Š›5¦ˆ¬[üµÊô;ÃøÌÍ„- ÄþÊkæ|§ƒÿ÷É¿´‹¤*œøõˆŸÀÁ§Ò2…r‰Ä”ó8Ó©9Ãú\#ñUendstream
+1184 0 obj <<
+/Length 3757
+/Filter /FlateDecode
+>>
+stream
+xÚ¥]sÛ6òÝ¿Bo'O+†
+¤H¹×K&!´X`—‹ýÅ,„¿bftª4š%ièPèÙj{Î`î§ Á8 ‡´ð±~\^¼z«’Y¤±ŒgË{o/„ƈÙ2ÿmþæç×–×/R‡ó8¸\è8œÿxs{E”oÞß¾½ùéóÇ×—I4_Þ¼¿%ðÇë·×¯oß\_.„ÑÖKÞabÁÛ›_¯iôÓÇ×ïÞ½þxùÇò—‹ëe÷.þûŠPá‹|½øíp–Ãkÿr*5zö?Â@¤©œm/"­)å ›‹Oÿè6ôfíÒ1ùiemd2"@©<ŠÆQ<KtÄ
+¦P€»}ù˜µÅåBÉtþ¥x¦Áïa(7Eƒ?̼YׇMNwŒy_ªü{Gé¼¼'¼ÂÌï‹=>Šª%ÔvUnÄ«W‡}ç©Þ)«·M®Úzÿ|)„˜ã©DÉ|éÖ÷1à @ !‚TkiߪÙ«_¢È鼶‡¦¥¾>‘)û¼kêÍ¡eè.k×ÁÉ©†A¨Aá‘RÃj1#-|,:1¦Å Ù­²m‘/¾¡ä¤…J‚0VéyÚÖ)ñÈ7!É Œ@F=êËu‰'­Ì¼Þµe‡¥’yCùma¥2Ш4 $è0ûÜ´´â)kh‹CƒâGPYÑ“,ç ÚšžöÀîŸhÏð4P6}\œ&^|ÁÊHR©˜™é‹tÀ÷B%q )Ö¶ÔªúaŸm$Ío¬’˜Î£˜y
+J/c1¯júÝ»ltÊ‘ˆ’@)-þ G 7Õ)£zŒ< |VE‘ùÈ‚œ—-CïÕ
+.Û”í³¿
+<
+{vá©B¤ê¦Â¾ õKÆ÷Lc–¥¢0ŽÏ©w Ë8UÌè>«à•Hxëâ òò]èˆÁ-Ƥ}9±ïˆ‹)šÒ°0úËr\€=bÄ!y¢2 Ô¶vYÌ*kŠæ{Çü›Pîˆ+õfd ãØÅ)—îùÉ’=/$, &ü­!ó”8F“±B›(ˆS©Ï k:ZtXGQ¯ÑâFÓ§è<i‡4BZ&OªOÛ .抲_›t.~.6›­Í0SCž
+VÑ3Ò Î
+Ñ܆¤ªÂ´{ÌîXsÌ$½æH%œ¢6op’*ƒ[IR×Ä齬Á«F 3`!ÔnQ^6˜7´„Ý‹­*p³7Jæ=> ~àÀ'•fâHÒ*–ÊkÝ9hb[T¼q•³l#fèg²Ê:³=”˿ྚ¸ÝSÞ=åfÓ¶~¥A!&óÛºå9{¦#‚Äžó1¼ŽË û ‰rHV“`ÇŒtC”­;LSŽüGŒ£H¨³Çh\\Ø{ âüžöaŽÉŠ ;Áô$ “¾‰téEQ­6uã.&\‘×*v`üõ
+¨TYä¥ØHˆB=–—BÙ2Ÿ
+šQtFvkŠì¸„\9®í»òTºÎcä¹òXMq4ø3Ó‹âSÜ@¤’ÄuÎl<îZ jX‰â\ÿ:9«‹ñµ–ÝÍC¢ÂØÓ6c3©ï¹Ê18+¾¼hVûòÎ3¦ÆJ Û‡ ZJ(0 ˆØ Š4¹˜Ñࣧ»þÂ_pª»§û"ÿŸŠ] Ñm´ ÈÝœ¤ÿ;@’ôx:±¢ëNNw;›yIñbþyçácM;ˆ´šzÒ=É£6ñyªÖY5h7¹h.û 3ÿ|õáÕòÍúa¹ĹÃöŽ\‚K¶Bãù ƒñ³!Tº7
+‡ÏݾÜfûrÃ`º–¦±Õ8À}º~ÃUƒ Dd׎õÛÛ ÌØUBΛÃjÆêÑÐÓ¶”íÌ©j2ë^/雨ØƇ]NŸ³„|µ„·gøŒüÈ4GºsÇ+wÙ¶û¬ÄÆ_Ä.
+ ¿VÐM‚­.Aˆ ß]ïÙþzZ—öe•""¯ƒýmüå¤û†K~"_2#î™9ì÷|¹Ö‰Ø'ñõPîÉ… 茼2Ûp›•<¢¤I&® ŸxÁÆk<=œ½Ã[s‡Z|[g‡¦µ™¾J¸w‘8ל´Ýívžo¼Çls`J£ÉTïA„í3®[á|^ñýßH²c‚(r¹Ÿi,öié¾Ê¢è€>ÈŒÎUF©“ŒúÇ¡’!J©P±£Ú]‰¢ÂÔÅ„á×,cŒ{÷—žß¼Fº»iï"Pk³/¶`„aÁ_g­ZúH ,Z——¥XôÇq_ ʪlKçxWu…§ôp Í" ßË goû7vÜfûö°co^n»O°ò~:vZ/¹4÷¼pƒÃ]ƒ%T¼9!!Ñé2I(¼…¤÷l𱦃@‡Eß÷Å~_ä‹ÔÄ“(bfhÎÓï°FèG£DŸêûɡɤݭ˜šoÊÆÖ1ˆÖ>ïø® 5ü5!ØÄ
+
+S®Õ¨ Ão×lt¦îKOò‹NÑŠo«Í!ç“Fk ºð1ÁŠ6ä~*fíܽƒÝ¹³_ÃŽð. ;…*‚VXüêãêÿç¶<½„ÒþŸàçOô JÏi"èÝçOןßáh\G]—Gø ñˆ~À?ßÿý©òñ;nüîÑ9Q¯†q`°ƒÇL¡”#=ä¼û¦ù”õÿ<xmendstream
endobj
-926 0 obj <<
+1183 0 obj <<
/Type /Page
-/Contents 927 0 R
-/Resources 925 0 R
+/Contents 1184 0 R
+/Resources 1182 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 908 0 R
-/Annots [ 929 0 R ]
+/Parent 1176 0 R
+/Annots [ 1186 0 R ]
>> endobj
-929 0 obj <<
+1186 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [250.9056 716.0894 324.559 725.499]
+/Rect [250.9056 311.8959 324.559 321.3055]
/Subtype /Link
/A << /S /GoTo /D (statsfile) >>
>> endobj
-928 0 obj <<
-/D [926 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-346 0 obj <<
-/D [926 0 R /XYZ 85.0394 185.1414 null]
->> endobj
-736 0 obj <<
-/D [926 0 R /XYZ 85.0394 159.4803 null]
+1185 0 obj <<
+/D [1183 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-925 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R /F58 627 0 R >>
+1182 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F21 654 0 R /F47 874 0 R /F39 858 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-933 0 obj <<
-/Length 3394
+1190 0 obj <<
+/Length 3440
/Filter /FlateDecode
>>
stream
-xÚÍ]sãÆíÝ¿Âo•gŽÌ~‘\>^ûêLã4Ž34É-R{©Š”}î¯/°ÀR$EINz3½ñx-Á],¾Xy)àO^Fq§*½LRFBF—óõ…¸|‚w.$ã)èc}ýpñÕM¬.Ó0U|ù°èÍeCa­¼|ÈÅ¡
-¯`1û懻›Û?ß¿¿JÌìáö‡»«@Ebvsû·k‚>Ü¿ÿþû÷÷W´‘œ}ó×÷¸¾§W1ÏñõíÝ·4’ÒãȤ÷×7×÷×wß\_ýþðÝÅõC·—þ~¥Ð¸‘_üú»¸ÌaÛß]ˆP§6º|"”iª.×&Òad´ö#«‹Ÿ.~ì&ì½uŸNñÏD6Œ”‰“*´BM3Y†‰”€“ 4¦{&›I&{,dr^f«Ýf¼W‡Q"’Ëþ„Ëz¤‰euoÙT†Q¤äpÙÛ.ùÕMd{˜6Œãµhe0™LÂT«„qÞȤ˜µË¢ѧ)B0$Ĭ)¶ÏÅ–·WÒΊ¬mè]¶ZÑ‹ÿÔUáÇ*ô&z¥‘Œ¾¦á¼.«§ýÇŒ»ÍªfQlyŠl?5 #£ƒº
-òbU9ní2ÐÀA“€uH¦À¤¾DE³UY}„Mj«f/Ër¾¤ÑyVðXà3ž=ÒŠ»§eK/ü÷¯ôˆò›jNßÔÛò©¬²Ömq4Éš¿X– AÌJ0°$Ãì¡{µÌš,/ÝôÀǬªuû~cdÏãÌQZàÔ¼väD µ5=‰»näuò
- üøCy… …ðšP|Ú”L-­SòzYž—l¸zMOôhh,îÏwj¨ô}Mﹶ&ì8ÕÓ›²rÞE¥}•ç—òàR^†¹,!ÁÊyô•ž»† ¥ 2IB›ó–‘‚ΟZø”&&á „»nì7ÀkЪ쩀09µ:œðl—½Ñê5œ¢’TÇC¾m²¦¿3ekQ¨t$GÑÑeäž.ötÑJ¡§{î%ùo³Oãp:%&V੽Â7pÜëBð>ÅÏ7r°sÕß‘LiÄ1OÂ¤á ›9|ÃG5A»v3Ž~Ü&þxáS¥8bnÚÀÑÜvÉß›Ì-è>lºgxï8îx§<`n…Ö¦>+=¡$&ÔZ'C%Áiÿµk8Êäe“=®|ÖOÜ8ƒƒC¶†ãzAªAèq ‘
-|­ŒŒ:/ ¹5¡W§¸Õ£ã V,H‰b©ÌnÓ ùguë„öÈø‚™¥’0Žu†YZ†Êh{&ˆáÖ[\VŒ/ØeÂaUžaD•µI?sþó<;eŽ=r>ÓöÿG2É$cX~ SZG½<­C.SZ®‘!“ÙŽŸ…= ‘ÄFÅỺíê)û”dŸêôOãü¼_ñröÛu
-NÖ;†àÀ{¶*¨€Kû‚ñAòêÛg1‡:²út­u¼ÇÖa¹@ö±J<\ähC«´>½x‡5±ºu¬0ñpù[<·CÚÃPkfO©á&¾ëJ×ð¶¨ðdÓ‹¦\ïVÜ%R¾üˆXõcS¯
-'xþöî'h—ƒ:78xûãÏ×÷W¸þr%¥Ä>RŸžh–òYX‡JŒŽFUA¥<²Ôþ¸Ò›ŠgL${§„ ÛE+8-ÛÒqÑz$'Ù¢/ƒ§Õ®8¬
-c%ôÉ…;¤Ã•bàÏEoÔ· ‚™ÝË+6~Œ¥ƒ•ËX“
-À0³ ;Y¨€¤ÇØîàØÛ] q$cDißU˜g»Æé¬Áõµ¤W³\=²³¬m‹õ¦í—”,­È%ô0zÔ%Z°ÅÀ'¢zç€ù`Ôw›aW"/óê/ /©¸WÕ°QWM»½²³Ýœõ=õ{
-XÉŠò™úðåO·®ï¿G¼OzUódyÍ‹`ëc9mOãP%V µ=«^9hr¥uÜÈØ–mѼ©:¬íc5Tv&{R,c!-¶WH}[óuJÍ°» ±êÌ•–>Öq5ë°\%.ƒ]¬ò`¾*±qy \J‡±–æ4ÖƒÍBv“dH÷Ú’¸sοd<X‚VUà¥X“ZW[Æñõf庭®®ü%Ù4Bºà¶Cñs>Uuç*tÂw?ß¦Ø ´vöp•‚^’â™$RË¡Sââú¾úé
-o
+xÚÍZÝsÛ¸÷_¡¹'z&dÁ¹§\â\Ó^œ6q?nîîa‹ EêDÉŽÛéÿÞ]ì‚")JNz}èøKp,ûñÛ•åBÀŸ\¤:Òyœ/²\E©éb¹¾‹{øöý…džÐ3…C®ïn.~÷&Éy”ëX/nîk™H#7åOŽâèVÁ«÷×oÞ~ÿ—//3ܼ}}Æ©Þ¼ýከï?¼|÷îå‡ËPšT¯~ÿòO7Wè“æ5¾{{ýšFrzœXôÃÕ›«Wׯ®.¹ùÃÅÕM–áy¥Hð ¿^üô‹X”pì?\ˆ(ÉMºx„É<ë •&Qª’ÄÔ/þÜ/8øê¦ÎêOŠ(Nt<§À| @#£4ÏÓE¦²Hg)°Ý쪶é.C-Dð/<Ï>›Xd‹PÊ(OÓØñmÛv–¶¶÷NÛ¦~¢Iöó²Þ—Ö¯àß”ö›o™¬zrßõäzßÙýÚ¿þû[·s8ÙšD¤#5Ë(“R/4)ÁJæÕBLáËi%–3fÕsá–eÕ·µ ‹ú¾ÝV»Õº›Š U)-Òó2ô\3B$!$\)iÆR¼&)Àæ´
+v+G$A·±Ëêg!b[Ò—××?^½¢Ý·bÇϦ$†[[·Ï­Øk .‘€Ÿ¼Û×»*¤ÛÑidÈ=2Œ _'Z•:’
+¬YœQçDÆDqjü”nWììÚ6»Ž\®Ø^JX~©á¶D¥Þ;SÄq:ë¶ÛÕŸmIïU]uëÛlê
+;edJ@¼ú#p12Ïå´Òt]†uÛ~*ºª´G&–¨(¹9/AÏ5#ÂÈÄ’dr,ÃßV¶Á;7Agw/f.RébP‘3"O¯QDÚæ߸[k€µ£mØèLðPÔUYìÚ-½>‚YU°@Dê ¾”ÁÎn0̓µÝ­Ú’×jû¥ØB!´C(ŒÍØDq˜žˆ }åW?"­²¨eëžeG è0øtr:¢Ý{{ÇôøgÛ (#X‰ƒoÃ]ªÉÂx`gGÌ*ÛuQñBC—Ä“‰qH¼EƒWÞ…U”Ön,Øüñj ´Ð/¾À Ò«Ô9Oxë§?†;6ív]Ô4H«Í÷
+9‚øVEGj{·£!^CŸ,Ÿcß춗&Øw;[òŽÈDwªT$bÈ}£;õüaÑ,W¤ÓŒ›´ËªÝl,ŠN79ºZMÛãÆ;æ÷̱¼þá2ƒ¿ÒØØ`Nm‰ºµüu¿n­Áɘ©bcªØ*–`õ£{¦S²2íŒàRÊÀÙŸ ÞÞÑpo³ÏH­ûu»f›?‹TtÕºª‹mýÄË·×x,ø‹Ÿÿñ´žÊÖv°¦œ³æ>l{Æú
+‰´4ŠГ 2‹rŒó‡ EöAGæ©sè’HrP¤²"U,—v³cºéí¶£tK|ÂJžÕWæzp|ð¼8—óâÇ€ÙMžûÚ´sò³“Ÿ’Ÿƒ+Ò>¸"=®N¥qøRè $#Dƒ¾+ÂJUsoIpçB% WÍð.£Wò9_‡Á[ÿÑiÌA®LÉàÆ…€|‘±Ob@“…!›_fß”–(fr•˜ÆxçÐ!†»c¦Xëô*„sÍ Pª¯/©
+PrA–*ˆ¾Î=ñ{iï
+(àðÅðµKˆÊ™Iõ—«o½¶]Z†Mü³ ÇrU4÷–¶¼#ü¿¦/Ü^Ê8AµC.øþÔîy>»À˾sq 5=±~r¨w”˜@ü¶.{Á…_{·{äå^Ðí‚åaÁcc§xâ
+3‹T–«ó2ô\3BŒ›®ÙaÆRܬ<|£V—á®*H%ܱ¿Š?šp†Xк["mà øº\Ùå'2xs‰ÍÝ­]·Û'b‡XûÉoΫ£\ß@ÒFÔØ'd<6)nºiÙ­'M†áyø¸Ö ¤7v b­§óœàÝi{PàCš<c®3ö๨ SÔPL¶5€¤ÈÎoë™f¶Z@.#Оo{
+â!õ¼ûdˆ$E‘rV§}uƒtS…ë ×(¢X­û±Ž†0ã»ÇzÃàÃeëlËOfÞ- ¤;†‹Œ)¾u~iFE£Ë•vváL, ‚MŒo$LÒ4¨«æf {Ž£X:Â!¨ªLÚq¿ÚÑ?[øï…{^82Ä}Õ@‚p(xaÙÍpŠ«2SXYÂ5°óâ'WÆãbeå–%8e5»¹ŠÎ2Ï/"‘?r9HBÀƒ˜ð$íº‘§ ST†K8Û,a-ת’ãyˆcv€•ºÖóº® P?A ±r^ÓVØ­˜«Á;È°.Än³ þ‚^[·!RÖç§#
+(ÁˆÎQ„RÑl«:´2yߪöAr²OGFå¾4ècnM`8 ëà9î¬Ã€Kr½fDI dÐÄoòPÙÇIâ4’¤™=”Iz|â.hf!
+ˆÔ
+zî_œ’ ШLóñ¿8ýw³¼ƒÐ{Rš'`-&ýEŒ—
+ý‘Â\E:†R`¾¹‘–ÄJI¦é¨€§ÿ9)\Séy'B&dB!ÚÐ .™%Ù×!˜ oDeøÚZ ¤ÿmú@Í+™ @üÿNÅ&Žtvê±¼Š!\ÄZ$gŠ>Ié~‚±³ ˜›J¡PùÂ
+!C¼ÔœêRýÿªRK&Mz^uÄÁ©e¾¯†ýó„ë•sÐO›ÓÓ@„ßv(%አþ€”@–3éì6ŠÅ³JüÒÿ£<ü“©Ê A›xÞÇã
+p•#H…k¡†”>îÔò?\2×@ôÿ
endobj
-932 0 obj <<
+1189 0 obj <<
/Type /Page
-/Contents 933 0 R
-/Resources 931 0 R
+/Contents 1190 0 R
+/Resources 1188 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 908 0 R
+/Parent 1176 0 R
>> endobj
-934 0 obj <<
-/D [932 0 R /XYZ 56.6929 794.5015 null]
+1191 0 obj <<
+/D [1189 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-935 0 obj <<
-/D [932 0 R /XYZ 56.6929 511.7419 null]
+346 0 obj <<
+/D [1189 0 R /XYZ 56.6929 496.716 null]
>> endobj
-936 0 obj <<
-/D [932 0 R /XYZ 56.6929 499.7867 null]
+1000 0 obj <<
+/D [1189 0 R /XYZ 56.6929 471.8543 null]
>> endobj
-931 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F58 627 0 R /F56 618 0 R >>
+1192 0 obj <<
+/D [1189 0 R /XYZ 56.6929 118.9377 null]
+>> endobj
+1193 0 obj <<
+/D [1189 0 R /XYZ 56.6929 106.9825 null]
+>> endobj
+1188 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F21 654 0 R /F23 678 0 R /F48 880 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-939 0 obj <<
-/Length 3651
-/Filter /FlateDecode
->>
-stream
-xÚ­]sÛ6òÝ¿Bo•g*Ÿ$8÷”&vÏ‹sç¸3½iû@S”Í E*"W÷ëo Pü•^n<cÀrw±Øo/üñ…Ñ“±ZD±
-4ãz‘n¯ØâÖ~ºâfåV]¨¯~¸ Å"âP„‹ÇM— ˜1|ñ¸þmùöïoþùxóp½š-Ãàz¥C¶üñîþÍÄôóöÃýíÝO¿<¼¹ŽÔòñîÃ=M?ÜÜÞ<ÜÜ¿½¹^q£9¼/†3/ÜÞýã†F?=¼yÿþÍÃõ?_Ý<¶{éî—3‰ù|õÛl±†mÿ|Žx…ð8‹í•Ò2ÐJJ?S\}¼úW‹°³j_’ŸÒ&ÐB…‹•T Ǥ”YÀ4Hmé8¥­”Õ¤”=Jy›—ù6)Vû¬ÞUeÕÃ}óˆ1fÑE>b¡…šàAvxàQ˜Xñ>w¤úí6Ð8Ü„€!ŽÄØ[K J0ßãùEËæ%+q¤—¯íè9+³}Òäå3>‡Ëý57ËvÇ^£Aí¿d{‡!/
-z£*‹#Í%ë5 IZÙßuMpM5@—VÈùbzÃâXƒ¬@TZ ËsóRíó1K±LJÄ,9’È›¼*“‚ÖI“ÐJ¥¸PÓ¼Û Ì9„Ø¢i>ä4XÈïL³,xƒL-×Y‘='+JPêeiŸ¿dÝ“¼Ê»ÖßÈãK^“ýl“# òíξ[YL0ád–»l¿©öÛ¤LÝDµ@¸C
-:v[ÃUð:Ÿ¯ÉÑѨ›}ž6è
-#ƒ³xJH öR¦Åýó‚ÝSñð«î Ç2‹|}¤XD¼AR4äFH›7#Íh¡.ð0ÆFž{¥BCÑÙèëÄB\r#ôC¸Ü¼´Kx:5=9˜âš r·»ö;‡Ý* “#·dO’ ÄJ<˜¼¦Ù9‘Ê;ÕÚ?Ž[]q¾®sô–%œ)¯~üð†ï½óQÖ…dÅÚ«7¦!¥{ßn~“òØ%WÓC»ù%2®®ƒ¸´¤¨«ÕÉA ’†Hµ™âMà<½[e "Ì gBGÞš³?wEžæÍ1F°¨“F±õ]V*èW#ÙI“"åT§]š‘’КNzªÈ‹ LJÓ˱ „˜òz~æ¥ þèsÃÎ8@„‘Ô_Ÿä´‚ v;!×™yŒ®·¬­˜4¹¼Sò×9®ÇI  ?¥ag¶,9€1ÞÓ Ø7ä6“ÄÊŒFOýÖ»,=™…KRpaZYy¨ñDZz"^è@C€w@'4Ù¶ ‚SR´^_òô…†iR;~ò†~!×ÝïÁhë9nVà⦠îÉš¶Žšfâóâ
-#°—!‹èE¸¼kèå×êP¬ièÚ+:‹9KÑIîôhõ–›Ã¾t¯lðÌ7n™²DœöY"
-1)©“‘òB¦Ï!5J`žvNsŸ×|™ís¬áø ŽôD ©ƒº!ýC,)œÍÚrKZêô"‚…¡ˆ$Æ\ÈY]“
-»¶Åf½ŠPò LN˜Aâ*[_gÙ*w½vªî‹ªútØÕ®ùó1sˆM¦Â;ä.Fø°¸Éšôeõ\¦‚¼2â^ß“'Øgƒâ1­ñ…2º u>µPÖF6)”3fÕwÙ¨lâJ2Ñ<ùj‚~Ͼ±Vú½qH¹oGÕ„ U…LÏÚPë@Šë`ÈÏ!B›x*)g[ÝAû ‰åšFTSE­†i`å™~ͱƒÒA¹:ˆ…ƒw}9\EñDezÕéxÚž úóú¯w¹¶BæßÐy„*êÆp!#MiñWÜ3Hc¯MÌô=˜_)6 Ãó¸è=¸ÜÞÐT+Ï6ŽÆ¥î*]+YÜ$ru ¨h MÙÍÞwÄ¡C¬lGËÖr?\¯B¾|„ÿby3n4Ê ¸„ÚChl@|ñyáGű$¨ÎØîö$;ñÃÝ–/ÞU°§Ew[óª‹Úî˨Þù  T Sº·!+2Ëãµ`Óé!ßî
-›˜“—7Ôçƒ_×C…Q<:zá:”¡\t…ûmç% öÓ˜\¬N—LߦMu¸5 ÄpÍøÆî30xÅ5ë[(”'8ŒU¾^íªª¿Œ
-©&Øæ;”e3ˆÆw+
-¼s§#Ò=a‹`2~A¶o$÷!®Û è
->MèÂOØúkïV>û‡Ì-ßtØ€gz}Ž‡ºÄÈÛì­0‚C.yácŒ.Ôy7ÛBµÁïOðú£Ì‚n %ö,åjLºùÀâL‡}Úù€¥N V-Û¹ó‘/X t´)RÂöeð½cu A™Q§Ö]@Àï:¯“§"£‡»_oúË ýì’=(ó¡HöôÜ–ÈTo®ö¥3ÔFL‚Ô ÿ˜—ö„“®ùßi3ÃóŠboe»}õ%_Ÿkh``’F…ƒ–¶»ïÞ’Åp
-,ÚË¿ ¦Õ‚¯:ð·eC¬Ó¦e†ÜH¿ ³ƒ|¤gfžƒ!¦NZ4*ç{Ä!$˜¡ùJy´à¸bÉCr”ƒƒÇ2eNfžüÓ¼{‘ØSÑ÷Òšq/jJkûÉ58 Yð,õj‚|Ï¡*P?Уߞ{s*©ëtŸwì£ÚLØÔE ÒÁÿÅöÆö
-@þ÷6:§`þ–Çx¿ÖäP'x÷¬&ÎC]bc„m^×dÙB_(ºP3ºæ¡¨ loÎèš ¸Æ
-¤1⼿0"Ž<S(5Êv4ø[mD4ÁúV
+1196 0 obj <<
+/Length 3558
+/Filter /FlateDecode
+>>
+stream
+xÚÍ]sÛ6òÝ¿Bo•gB>I`î)Mœ;皸sÓkû@K”ʼnLª"eÅ÷ëo @¤DIM¯GK`,ö{—ä|btʤU“ܪT3®'³§+6y„¹wWÜã$)éc}{õ··2ŸØÔf"›Ü/z{™”Ã'÷óŸ§oþñú_÷7¯¡Ù4K¯±é··wßш¥Ÿ7îÞÞ¾ûñãëë\Mïo?ÜÑðÇ›·7oîÞÜ\'Ühë…ßáÄ‚··ÿ¼!èÝÇ×ïß¿þxýëý÷W7÷ñ.ýûr&ñ"¿]ýü+›ÌáÚß_±TZ£';x`)·VLž®”–©VR†‘ÕÕ§«↽Y·tŒŠgi–Ûl’H“*­ÍécéÇzóÔj}xjÂŒ3 P®³”)G™Þ“ &9ì“k›fRH'”ºéªÅ òÐe¸’k•ÃˆöR¶×‰aZÀ
+‚ZpS$
+œØYR"Ö-ïÏ $Ä!1ÿvr—R’ˆ¥„,´x*ƒªâDù¥êZššoKóVVÏNEpîÓí;(ÞÞ¿"IšjüNóÆŸ€®åTÝ}¹CÅ(ê0Ëz#%²Ž Ý¦êÊí›3Ð"?:/ÅvÕE:Ž™<ÏSÁ¥òözV&‡îƒÿ±Šïó«co®p!ÔbÚhú‚Žõ°ÎèXÀ—Üb5Of«ª¬»£t"dj18K@Ä¡`pY(欶|H™´Ì³è™Þ~°ºæÓ\”פnõâÇŸÖ«ò ˆF[w~%4B½ËÉÖJØó±n¢ŸÀ8äåp¹mÉŒ™Þ_[PMÒ=(àÇ„¼z‹Ù²*ÑArËÈ<¨€´zŽ'àSS4zÇ7¢lÇ+´á¨XfÀésÕ«­GT,O­aOLh˜˜¶ër†åúän×ЖëbSt~˜ä2jQÃþÛn™Ô_æÍSQYWÕé鎓 õ…ÑîP„#Ç[ˆ¥yˆ¥›ÅLHfL§ø³dÿê¬5*`?Ö¥‚øVó“F©P„ÌÎeë´QF,'÷¦í’¶ƒ<­íªÙ±Q*0#“©óD¬
+†F ¢È 2à2 Í{ÑÑ¥Â0âSa€(ýõòsY®½ÛåÕá·w‡´h6~é3%¿
+–v¡ÑÐÇ:myËY^UWOÅ*ÙøŠãØÓæ@!åó$D¬†8K æƒ"n#̳sšìw„uÓ ë:GÇéŒA‡:  GбMhLèlPcµ„âý­îyYØ¡Z­hES¯^h ª:Ž+GÀ#EìmWlŸ²cSÚê¡AvË’rÜR}ªÇ$ŽXJPá(y([÷”.Z„Mˆ,&ø·mµ¯å¦Y™>:CO³*]?Ä©¾Ô`Vøìª]Àð
+–ò EéSñC 5îžc§¯ õÉf½¾z,uq€á…àýÌÅre 8ìA2­þ„šCXJË/˜]ë´ÙE,gvp…
+"q2säq¤ã€ ÅÁY"ÖƒËfY*si†$x‰Ù^?`Š6 ±
+†*?å]=@†Pœ®Ãc±Z¹‚ôã³_‡åó ø¡“¢#óÍÝë÷7d,P%)ÕT_ÇŽ NH¢NˆésÕPW†FÁ0i PÓF !«ç…ßÃÙ@Lñ`¼Žß ÞƒƒŠÕ®xiÛŠÊ0œ)ëEã{JíÁ©û+Ä0×4Š™ãCÓ-‡éØS‰·oÁ@Á-"jlÚÌ_€³ÕÌG«5ø¬íO)²b·.ôgzHgÔØ# ßw”—‹4çZž=4"Ÿ:´Ó<Íl– Ž œ¥àýíÙx! äæÚÄ>†fÔÈÉ¢[Aÿ†]““ÂHmã«D[m‹G”ÎD_‹S-¤‘[v4@YBtÌĦQFm<‡½¥p@ΗºÜ6ÕBdq.e“LNgË¢b`Žë8c62Í8DYUµe¹K†iró8!àc_*?é/ËѾHקÐÕDÚTÊztdh Õîo~Ü£ Xh8ÞͧÞ*3.ŒžÀX/8┣¤§»eœBé´ô°‚òÍ5I
+*¸ÏÐá9|`E,`˶k ËWâÁ«·kÂ÷ï^žŠ‡%¾ŠÇ“âdË}9"Ü›67IX|¿É®Ù|öA ?—¯GÕ5£x* (êvç(`>6#@W ß5X1ÜÄàZ´Ó[˜Ú«3Sži!Á‘xS¬åée-“þ»\°¢­‹ù Í|¦·Å}ª<©Pm£SårJÑé°Æ÷|áµ·8x.úà ð Å
endobj
-938 0 obj <<
+1195 0 obj <<
/Type /Page
-/Contents 939 0 R
-/Resources 937 0 R
+/Contents 1196 0 R
+/Resources 1194 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 947 0 R
-/Annots [ 941 0 R 942 0 R 943 0 R 944 0 R 945 0 R 946 0 R ]
+/Parent 1176 0 R
+/Annots [ 1198 0 R ]
>> endobj
-941 0 obj <<
+1198 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [182.6146 634.5522 231.8861 646.6118]
+/Rect [182.6146 225.1021 231.8861 237.1618]
/Subtype /Link
/A << /S /GoTo /D (notify) >>
>> endobj
-942 0 obj <<
+1197 0 obj <<
+/D [1195 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1194 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F48 880 0 R /F47 874 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1201 0 obj <<
+/Length 3695
+/Filter /FlateDecode
+>>
+stream
+xÚ­]sã¶ñÝ¿Bo¥gN >H|tî|Ww_ës¦é$y )ÈæE*"eÅýõÝÅ)Òòµ‰5c€‹°Xì'
+’‚nÚµÞ¸‘ª„[n°8•Au?_.îῈ&f\ƒ
+nÖ36Â&Ð̳î |e.…ß™wä%(´ÉÓà°N®KäIT¶uMa¢øUÛh
+ÜÛp†©ÍñXo2m6Bó64É4¸·Òƒ!Öë†6`ø;Xþ“‰sŽj¤ÏO쑦|_® î’|<1¹> –Ë»>¬Øë®/˜#äGQÊÖÚö{i÷Ti Ê2ÖlÜåªêŠvü¸ùéãݸ¹ b[ì@’÷u±£ïA Q#Xç?ÜNW0$À8(IÇv¡j ØGAó弎é4fYîW¹ÝµÏÕê¸S§Úú¨åG¡Dsº±ØŒVe&É%žÑ+¾âOÅy2ê¼^M”
+Œ_¬ ‘3‘³€õÓÑÑÑ$³Ñ¡Àm$ì›Ùðߢh2î„1I,'Á9ä%è,WÖ4LG;ojd
+ ¶”o˜šÖSã±æ„x|¡†€öììkfúqÚ Ò¨ Í ?&Ù]¹«êÒ®gT1Ïb&ýÿ¨âŒúO˜ŽzNÿ<þKžŽû­˜ð˜gýšÕ@õÓÑÎËєɢvD:#iɆQ²›®Ÿ4p·šKqvê€4{,f•ZÅLþçHÙéN¥ ì>pFÊÐÓâÑã€þsBæÑϯw2ê·Š˜Ìb qÞYž¤ó4LÆ:+_2KÀ`$oœ ±^—°€…3ö;SôË’2¢¢[vÛ¢4Ó,5‡À'ççÉX3tŒ¤M&q*X:&Ä $üèö¡~(pOHÂ(¤ˆ;$€š¦Â&PnŠ¯ÆA¬äBŸ­"N:‹ž>Ëb·«ŠG׃Ú0½¤oLF"!ÑåÉÈGƒÃç0ÍŒ*$`9¸Ï²çÄ_Æ:Ký8fnŽ®§bW”KŠÄ$dh âÍQ ÖÛÐMd> Ê Û*6†@{…Ë@h*è“ö×Ví1.´ôÅhJ¯ˆ0%Ó’˜
+m뢬ê
+Lú®ÛbE÷%0‚½a eÔX£üÉMm7I¡âÇÛ›Ÿ¹/©mÆ”?ôO´?°ÊÖ }=šoLHÜ9€ WÞÞSi—å‡Ï_¨²±×;Æ^öèèÆ¡{RQþŽÊ‡Oȱ樄ÚkûÏ3:xüÆýofövUgb°ÿ~9+¿žïÜÒ×ÈÈÒ’®ü”ÂñJ†Rø'­ÃŠm‚‡¿ééÁBcuÕøó»"lïé9_Yš-ìô;½°:qGs'ÕcC7fõº-…´F«<Ö°ÎØRe/ÆV«
+I*êåz×n–žz.ëFM%ÈãÄÌŠÜR&õy
+Ö ‰ãLÆ2ŸiôçA!]uÙ_Ù6d[¼…Ê¥»!‚–óT<W>el]~Z¸<×ØîÐ0àE¥ZÄ,MOÒFo‚Á¢Ã“i°ÆÝ¥‘5$Ø€‡¹JaÙÓ ¬ÆuŒ¤<S|‡G]Ò*ýpt­Ûºnaô÷·W?\ûyWsfçaàŽ1¬š.X#$ZÊ¿ì’ g.°fùeïøËù€¿
+`³râ ìD :/<ntû0!¶W ïyU ®éÝIËPlŒJ3Ú>å(RµÀ`<hÆ­=P¸?ndxì9#ÖŸÕtäœS’kwjAþl[/
+åÁÔ5ò"?}mÚCã`æÙZ\ŽgðíþÍ·öôÅ ¬0|4ö TªÐǵ ¥ÊÐ"Æäü#&ºøs 91?6‚J#ˆ%C¬2Šƒ3K‚•ù§;I ù¬
+å./:šÀ™:ýe"ÜÙfisù€kÌRØXn¡Cã*Ü+%h™
+hpFTIwÜdŸ²(!O³kojŽáJÕ^:ßÌšmK9ˆáã JiŸ6VTðËÒ•}Ú±‡Ú— ,KZ<69?‰^4%/ŠPê(ÇGè%£çÊî`ñW=äåÛ—(R2êBQØjtKM3×ã,‰3)ÏK&üøø Þn¯5h³—ð0 TÕ³)÷»Ž>dvRÈœ2Øø±â²{q‡SÒ¶‹Á‡ŽÙeàƒ¿AGæe'áðQ}†ùkÝ>ŽÞ¥Š]C±|lÀþfV˜¾œãF¢cÍ•ÏæÓMˆtÅkÏ벘«`‹¢Izl=*›x5„
+±,.¶´ŒfëRã‡#ÅLœb‚ “n¾òüX¦q‚W®3™0 oçþðÛäãÃí$ƒ¦åëçÆ ÞxªY‰ž4¸WÌ3Äÿ%õU¡endstream
+endobj
+1200 0 obj <<
+/Type /Page
+/Contents 1201 0 R
+/Resources 1199 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1176 0 R
+/Annots [ 1203 0 R 1204 0 R 1205 0 R 1206 0 R 1207 0 R ]
+>> endobj
+1203 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [108.9497 211.0729 182.6031 220.2883]
+/Rect [80.6033 508.2814 154.2566 517.4968]
/Subtype /Link
/A << /S /GoTo /D (statsfile) >>
>> endobj
-943 0 obj <<
+1204 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [293.8042 165.7184 355.0043 177.778]
+/Rect [265.4578 462.9269 326.6578 474.9865]
/Subtype /Link
/A << /S /GoTo /D (server_statement_definition_and_usage) >>
>> endobj
-944 0 obj <<
+1205 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [395.8905 165.7184 444.6373 177.778]
+/Rect [367.5441 462.9269 416.2908 474.9865]
/Subtype /Link
/A << /S /GoTo /D (incremental_zone_transfers) >>
>> endobj
-945 0 obj <<
+1206 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [309.3157 134.9691 370.5157 147.0287]
+/Rect [280.9692 432.1776 342.1692 444.2372]
/Subtype /Link
/A << /S /GoTo /D (server_statement_definition_and_usage) >>
>> endobj
-946 0 obj <<
+1207 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [305.9683 104.2198 367.1684 116.2794]
+/Rect [277.6219 401.4283 338.8219 413.4879]
/Subtype /Link
/A << /S /GoTo /D (server_statement_definition_and_usage) >>
>> endobj
-940 0 obj <<
-/D [938 0 R /XYZ 85.0394 794.5015 null]
+1202 0 obj <<
+/D [1200 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-937 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F58 627 0 R /F84 797 0 R /F56 618 0 R /F14 608 0 R >>
-/XObject << /Im1 790 0 R >>
+1199 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F21 654 0 R /F48 880 0 R /F62 990 0 R /F47 874 0 R /F14 681 0 R /F39 858 0 R >>
+/XObject << /Im2 979 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-951 0 obj <<
-/Length 3814
+1211 0 obj <<
+/Length 3636
/Filter /FlateDecode
>>
stream
-xÚ¥]sÛ6òÝ¿Âo§ÌD,ðóÑMœž;MšKœigÚ>ÐdñB‘ªHZqýí@R¢Ü»9ûÀb,û ©ëþÕuœI®óë4‚8Tñõjw^?ÂØWJp–i9Æúþþê»w‰¾Îƒ<ÑÉõýf´V„Y¦®ï׿-’@¯`…pñæçïî~øòéæU-îï~þðj©ãpñîî§[nýðéæýû›O¯–*‹ÕâÍ?o>Þß~â¡DÖøþîÃ[†äü¹°è§Ûw·Ÿn?¼¹}õÇýW·÷þ,ãóªÐàAþ¼úíðz Çþñ* LžÅ×Gè„Ês}½»ŠbÄ‘1R]}¾ú—_p4JSgù§Â@àÕ9#3b`¦‚8Ïãë4΃ÄhC ì¶E‡Š’ÅÑ^©la¹÷hk{(:»Æn¼hjòýpÏßæÀß·?æÆ®XmËÚCM˜-î] ­ü5šnË­/î~åÖïZGÈÑïÞ©hD·Qi ³<ƒÓ"Å5£DcÙˆ‚<ƒ9S„ñÙ™T í#ÇY»ó|'Gˆ/‘‘ÆIUþwTA8Ì$ÈÒ8úoW¸x=>à\/#m‚$†¥—Jyk^À+¸‹–…¶ð׋êX<»ÕÊîá¦_K—xn+È;+I
-^Ö<ðg” Æ*W[nV&xFòȺè
-àq”RúñêábÓTUsô«¿ùpóþÖí»&bCG$Ûí·Œ7¶ÚeÝ+´Ê#Âú…60J‹¹Àñ¾ðW©îÅ;­í»aeŠ³ÑÅ© §(Ó3pã\ß´
-B“;¥ÿ=ŒC¾.Xrm7E_u
-Lˆhd‰Rå{è*f.¨­ÈDèd`j’Ûf؃Œ¸Ð%&Žá
-tÉ£¬ËNˈ©ƒÕ‡(áb› ÜÔ××2Ì›7¤°&NбqÕ¬8010 F4!/ClÈ ˜×”c›–!\);—Š`Œ$‡s׳‘¢‹¶EƒÐ¢Aƒdt¶&QÁѾõãø†Ú¯@X–|x?‰^4f/ŠPžh¦‡ŸeO¥=Ž"Ü‘ ÜtÝí;<¢ŽÙ¨ë„ÃVlíÎ …
-£ 5æe©À¤ÓçÆÇ^V/À‘ʆ{»*7Ï"¯3»@Ó™Óƒ]õ‡–>XdvSÈœR¸ø©âòª fã–|í
-kd]óµß£Å¦¡¼ ”å[±â brN`Œ‹È9Râ‹g`“ƒžR*”p!qûV8€@?‘‚fŸ!Crœp˜ÂëÏÅFsjȱ‹H…Iv\ñFè<”vIÍ ¿ž$B£ÚHák%mog#%NlÉÓ°ë©‹øO¤’øŸ<P½ªPõž,8@ßÇ÷ ÐBfÉšÆùÐ…µ²Ÿóiwïþ„¦½ýÆ-:8®X?¨›ÍèÑz£Y4™o£ÃQ‚=o̱ƒvÈù‹‘K¿?> A zc‡¢âªïVGYZZÓȶ>—ÁIÌw:ºá)¿›1Ï’Tðf>ps/^¥î¸O«8lj —ùC/e?JŸKÈâN0ÊiiÍüH0Çó
-˸ µø»] É%U£Hi88€q<#ŒÈÀ:[-nk°/““Älö¶°¼a—Ál®»rçÈÍÙôÕ¬ýFAMiïdiqp€üTÖý7n¶Ï`v-•”Vo€›ÃWn±ÞpžO}þ|µ‡ÚVÜFõlñµÐ"•n=·îß|”᦮¹˜2[àqæEqN _—Áp¦ÉŒ´X$%eåt¸Çʪ$*Q"=8¯mV_)Ó
-¢Ao>~‘jì쮡” Úà˜Û~çüÆù>‘³.\Öˆ’œÞ ƒªPð½Bª З´=(i6¼Öa‡KškWÚ_¯–"%ûÊv\
-ˆÍ '1 é)ŽŒÞ9c=ì;UcÚ“2ø W"==f^ÌÍÌ}qP’Ë9ßQÿ²œ±uâüG\~%4äˆðPÖ‘ ‡Q!8RÌo‡§poÛ$ßó˜~·¡H”_<Sm]žäÐínߊCéjM¨\+²\mdñOÙ6•ÿ¡«¹K•ÊÒ¯]«»¨P*Kþæ77c¬Ëñ‡Ç¢H®¯ºr)’n¨8€ä<zyw5³ý$ÜÐa`´I§ûKþ wæóçDËs³9…†¼¥Cë¹ég+ÖŠÏ°¯\ÎÒN^18ºO|°íEdx9 ŠäÓmAmä± ëà‘: #§×JÅ¡ûå½rçù|R™g•ùß²J¥T†Zó>îEÛÕ
+xÚ­Mw¤6òî_áÛâ÷Òôè8q<Yç%“YçåÉíf‡†ö8¿~«T%0ng6y}h©T’J¥úáy
+'æH†ÂO ´Rà</û²©Ój³m›ýÆîãéSk¶çÏno—Z…LàVÝÀŒt‡"+?(r…U{×u×ilQhEg'p¢;4uNCx~»ÔíBZع™ýŽÀ¥|üpõ½Op²|vâ®*^Œô€Y:t«"HªÖ„ù ÷°g;Ó‘@asÆ{,xoÍÒÔàñÆñáhnJ¶djò˜M5àÍÌHÊÀPúÏܘ; ž9’<ŒÖÝ=#m¦Xä­Âw?b!cöiŸí6ûôp(ò HL TÀ%,ÈAàG‰2§é±V™
+š´E‘œSr½%™TÉÌÃúB:~"–N8ö_M8¨˜‰B†[ך%бwýþAñ9i
+
+Ž$¹®”ˆ`ΊRtbxCgƒPþYP.D6ŠMq‰Ó`ᮬ)49N<®ÈˆpÄŠqÒšÌ^3²p´pœø˜ãnÇj‘Y9]_]¸„‰ˆ…ÿbhÚ´-]Ñ U,³V{N¦SvLnàôÁ–¡è^¹ÄôŒ×® Õû+ÙôBÙ_ ¾Ù$>dÚÊùf[ô&æ°²[ÙPk_ í’Ö‹ç KéKE§ÿ|©‚'ŒCNr%|ˆ|H‡em²á襽nÃÞAd`:êTÅCQqûqWZëMØŸ¶HúzóÛÿjÆÆ~ &ÚÝ>ÛÕB R¶‘ôu˜W™,|#"·KÓ®ñ8ô“H«×x¬ýXJÆY³=«0y±¥È0 ½£a)?ÒÚœŽ†§X/GÃ#–åÀPõåæȇYð«$äóIrz÷keûYð«?Šƒp¾?tÀvŒH•C˜µ—РR9¶žšpv6òC=ár={–Ž¨QºÙßhª\ÑB¦YÆú£6ÝÊÄ…
+—IÍܼ å ت4Û¹ÅpL³^å
+Gêa©ŒIE³<´ŽGNiw©ePP¼jÍu±MábÇG•âP"ý%x²ZÔtÄÊËúÀ•B¾õŠ~M°Nè—òRQƒ4e\5y®`òÀDÞ~ÄZÙvT­ðÁ+žpUs,$Þ÷ï>|¸ºÄ6^àb{°=
+ÖÍÿ6N?HÔ?`âЉqãi <"@Fš\ EµHË–^6çU4ðøaDzNļ†fü(€Ñ)oìöXÁ=KÃøè-ñç¾Nû};!ñÓ;ŒBvRnŸ¨j.'â íùD”Wíj¥0:ÞvVïn©@ë<Nø;wÆ14”>}‰S¬—oqÄÂí[+Æ Ë›ƒ!
+“0å\CÉ…+Š¼p«V ² ‡‹ JE c¨ߌ/„õâ­Ð^“ÓO>È!³m÷.•lÑs¶
+-ת äzj –íÓÜŠ;о2á1ªÒÃH p&Ž^/C9ÆGÿåi[¯má¸_ã'”Ó£/½DÂA„eÐáOÝã\xìW“‚ëÄt±ðPçS ƒµ>Vˆš–ÅtÍžÛ¯Ù‚ÕÂÅn«‘Ú¼²¤}}´:4íêM_JO $D<:óHWr”lL
+ª;´‰7TT”®¦! ¿·)<ÀvM׳~ ûùSNð½}úEY^âø Ž€-'fÏ>B¼›·—6ZðLW6á!é%"äMyñ}“—›µÚ59¼¹³¢e â§/}ý)A¤\³×Á:ýí/CŸÍªØ—IòBš-ƒÈOÐ
+0Qx2e–”Ÿ>'ý‹í,
+endstream
endobj
-950 0 obj <<
+1210 0 obj <<
/Type /Page
-/Contents 951 0 R
-/Resources 949 0 R
+/Contents 1211 0 R
+/Resources 1209 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 947 0 R
+/Parent 1213 0 R
>> endobj
-952 0 obj <<
-/D [950 0 R /XYZ 56.6929 794.5015 null]
+1212 0 obj <<
+/D [1210 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-949 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F14 608 0 R /F42 597 0 R /F58 627 0 R /F57 624 0 R >>
+1209 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F21 654 0 R /F48 880 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-955 0 obj <<
-/Length 3474
+1216 0 obj <<
+/Length 3228
/Filter /FlateDecode
>>
stream
-xÚ­]sã¶ñÝ¿Bo•gN8âƒùèÜÙ©3sµ™v’<Ð%qŽ"‘²ãþúîb)QöC;7s ìb±ßœEðOÎÒXD:33›G2žÛ‹h¶†¹/$ã,<ÒbˆõÃãÅç›DÍ2‘%*™=®{¥"JS9{\þ6ÿò÷«o×÷— GóD\.â$šÿp{÷• ýùòËÝÍí¿Þ_]Z3¼ýåŽÀ÷×7×÷×w_®/2%¬W¼Ã™7·ÿ¸¦Ñ÷W?ÿ|uùÇãO×á,ÃóÊHãAþ¼øíh¶„cÿt ¥ñì>"!³LͶ&Ö"6Z{H}ñpñÏ°á`Ö-’Ÿ‰S+“ÌÚˆ4=&¥‰(©-lœ‰D+¤l&¥ì±PÊ˦ëÊbQ6ùS]ŸYšL(™–L‘Xôõ€¾Œ ÊÁŽ¸&Ê •¦ó¯w×_pœÍ»ýós»ëi¢jØäÛr iT<ÿµ©Ë®£ù®ì ¡oñ Ÿoât@X) B~‘à[ÙΘ9+2­RÆù»e)‘#
-Oå&);¢’3ÙjEß³¹l=FÓöHdZ(mc“Y+·ÿáp ptjA›’Ër•ïkF©º‰cIc„I“„ynÚ©c1QB'JÍšcáø6“Ôk€õŽzy,¤øç¾Ü½ÕíúD³T"¢(6ïSX¤G§Ô‘ÈÒÄŽi?<—Eµz 3Ý”ý¦Üá‡&®¼­«fMݦÝ×K?•„Ûõù®/—a—†F^5pbtp:Jç·+¾…¡h´ÙHé¯a(”£“ ÎÀø+­:&ÖöLê¹¼”óbAº¥m&ŒI‚n‘߬~"U.?‘æôÄ1hàOÃÃéIÉXóúr·­w>ø~z;Úàyw)ÓyÙ•MÁvu„2Ú¸ÈûrÝÍ É$±Hµ6ÉT“ö©µ°±þP‘ƒgïëñ
-ècŠ©‹h_\NcàÖ«æ{GCǵÎæå_ðt¦¥[ÅSÅÅ›†‰X Æ9ŽžxÁÞ¥iËÁî­n_ièSfZôFÔ™
-/rZŒ£%/wõ6Û³eÅ–…xÊbšäjm;Tʆ
-€ÛZö(I“ÌŸö=!¼VÝf¸Ä:ë Úâ81U.¨÷LH±y{Íß.¥”òc£XÊXmQìw¼¢mê7Ú´m¦®«T@ä@1pÁ¯›ªØiä¸>¢j “æ=칫ú¼‡hÇ †£·†èNØãí){áíÙ®«¾óeèðÙJÇhHD Ô¼ï–:C¬óµNÀr $YúiÅ.Eleö>á€5Ay”ŽBeCr3&͵¸®Pëdr`tÁ
-s.D›(‘…k %‡èÀš°ï(ã3â ¨&[úëKû!Þ±,†> ™¥¥,8“ÔØr›äŒ„úÜü­÷x¬¶C:@»ÃKû4m|.ªÅ®S¢® Ê]
-‘‹ÀY²Kš¤A ³`%e½Â CšÐt]Ž‚’Ǫ w§=—“kBFá=Æ>K1è£dú£nâÄ
-ygþä‹4Øl¹/mÖ {¨ƒTü;Àè}+$ØeÅO0®&}1c=Hâ-ã(MÆÒ™F[à­jÎgÅJj%æƒH9Ä:)–KÈÂ5.ºÃÕ"fb!Âgñû<¬ &Æï‘/$Q:æb3µ‰Y2XvùÚ €®œ‚¿Gñ±¨¥{9ò‚W¸š…žá º–fc¾4·5½$tkÔk‚D^šô(ïÛAÒ†ª€N=Án2`SWC|hŠ Ð%æ–^50O–>¥·iÈ»p~»w§¶)UÉ
-eùÁo2Hïü$ƒ‘œýbþ¿€¤Ù;y̖¤ö}Òé”öø1Œ%IÇÄÇ5Ÿ’¡ç¦”  =<&Ü1LÅ×ð—ùw½ë!”Mˆsdì"†{Ãd3
+xÚÅZYsã6~÷¯ÐÛÊU#,‚$•Ϭ“ŒÇ+;{T’ŽDY¬‘IG¤Æq~}ºÑ %ïÔnÕ–«L°Ñ@7Ð?4¤&þÔÄÆ"vÚM +•,/ääú>\(晦YŸë»û‹¿¾7ÉÄ ëxr¿îÍ•
+™¦jr¿úy -.a9}ûéæýõ‡ŸóË$šÞ_º¹œi+§ï¯¼¢Ö‡ÅüãÇùâr¦R«¦oÿ6¿½¿ZPWÌs|w}óŽ(Ž'&]\½¿Z\ݼ½ºüõþû‹«ûv-ýõ*ip!¿]üü«œ¬`Ùß_Ha\j'Ïð"…rNO/"k„Œ ”íÅÝÅßÛ {½~èèþ))´‰õÈjÕÛÀT ëœ$Ö‰Øhã7p¹É—_feö˜×¸bzCb)“¤ y³§§m|3­ä´©à)Ý´ÙäD¨žË|G4šŽ¨k"ÍßÐû|>§FV®¨ç㿈°»Té4_Vþ¹ªÁ$ÚÅÓë†Ù·5 <¯ÅªzÌŠ—2™‘öÉd¦”pÖj¿ÖÍÈd
+|ðŒi0ïÈÐøoN}¨?vÝܽ!Âݧ9Qü‚ @Âñ¢Äùxv¿
+ÌYà QŠšÞ3z¥™¿æ»š§ßVÕ—ýKX-£×MU7A’œþ"­<¯K^.ˆ"…±w}3›¿{·óÅí¥ÓäWH¾[Qª]×s}s’•8ŠW%¥â ­°Išœˆ/bšõ¹ŽÃ+Ä~ËÕ…×ã©•éyÁiDp?H•ŒDj@—ä·(wÀ /4¿ÓðB» wð:ÑÀEólWóˆªÏ¸n'brFë[~]­ˆ±Æ0ÊMïƒÄU¾ÎöÛ†^ŠnvÊ;ý½4V
+'!RâyÎvåHvÒFèH'ÌÄÒ>ù¥úø7.&¢ad<Uu]|Þæä_³íÞ'hg1Çú¤VDQ±¤uVlGÔQ‰p©L˜Ž'RN›æ)Êj—­ Ø@ûve§Ü6r"2Ö¾â¶=®3n¸:·}.¶«e¶[ŠW:‘TçŦñƒM3
+l¤üûwM«§¦¨JjÚ¾ö™Ê°eÉÎ͵{h”U9kòÝcQf[¢ðzÚôldÄÎI“²Äõ¹ñ3r-P6Iu:ô¬vn`×ìáð̶±Aû9{¹TÓš_ =8p(FàÝ«º#ïwû6«k^><÷å
+rqCŸTbýå1k–›¢|ª=T»¢Ù<’
+4½¯`ß­¡kà+dsmµˆ•uÃïmºÅod½ç¤’ÑÓlõÉðµ©ßWî|øö¹N‡oËÕ…oQ6ùX÷å8~­0Òž—˜FäãÀg›¡·ùöÖ{•Ä„ëýYLÈVDCO V§¥gñª×ÔåãžÁ…°?¸Z³pt£T@/@õ_8 &tÝ-.­þƒC8q„ð!²š£ú>c4A6 ÷¾tD@çSÓ;<îÎÉqäèì„#MP[[ô$q$ctŠü÷¢æ¡äÒ0r•oóéF¢¹ DØ÷>a¦„cuÊÀ a»<õH0rTåö…º‹rÆ6rÀ|5OØ!јLEH3ñ;¶ò«}3«Öí4Ioš<HùæEŽÕÌO‹C9Ia ÓÊ
+ “["à  5¸^ìVË
+.•˜àR@ô.ÏKÁ°îåO ²_µÝäW(±"ò‘_Yuˆœÿß~G7™Æñ+~Õã:ãW«çWpÜDÈ}èU*Jj}^|Ë5"àW°V™;TàŸdõ(ž>$#è%Üñg¹~C}\lƒV
+>(ç‹Hë\ ßú®Flh-ìavïpHG‡{!šw7lxóc§w7OáÑ=[k§ÈÖH¶ö˜DBEJ ?1£àà@ßš¶¬Æ¬¯´ÌkÖ‡ï8L¥Ï¿ÇtÚöÉŸqžVp‚#X?ûR9Æ%€%bw^|Ët,èæ
+…ÅçvvÏæ«+Ølñ†ôBÒY
+¢²X„w»¬NÅ„Mö5« ­
+ÆȧÏ.—T@Ó|áªS¾pÂu‰KÍÜI€¨Ÿ÷ 1<õ¦?$ñ·œÔ»NäñÛTø’PÃÕ2J,_|¡€îU¤Ù{Î\Õr 2NZ•c您 Åž£YÉ÷XmÞËÍ|¢ž¦(ö{Ø* Ä~ýiUå‡ì~³ÐYY?·Ó3*+è}øäSE‘0Ú½rãÚç:ýÉl¹üåEúÑ…+œµµç妹ý|áRH\q:”Ë7"N·WV
+‚IX)\Ý!]‘#w¬úŸÈYendstream
endobj
-954 0 obj <<
+1215 0 obj <<
/Type /Page
-/Contents 955 0 R
-/Resources 953 0 R
+/Contents 1216 0 R
+/Resources 1214 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 947 0 R
-/Annots [ 958 0 R 961 0 R ]
+/Parent 1213 0 R
>> endobj
-958 0 obj <<
+1217 0 obj <<
+/D [1215 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+350 0 obj <<
+/D [1215 0 R /XYZ 56.6929 254.6581 null]
+>> endobj
+1218 0 obj <<
+/D [1215 0 R /XYZ 56.6929 227.9662 null]
+>> endobj
+1214 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F39 858 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1221 0 obj <<
+/Length 3314
+/Filter /FlateDecode
+>>
+stream
+xÚ¥]oã¸ñ=¿Âou€µNüѧ½Ýì6‡^îšMŠ»{Pl%V–²– -úß;Ã!%êÃ΢‡
++ÆÊD¥L-Ö»‹tñsŸ/˜ÇY¤UŒõãÝÅŸ„YØÄj®w­,I³Œ-î6¿-?üíý¯wW·—+®Ò¥N.WJ§Ë¯o>ÄÒãÃ/7Ÿ®?ÿóöý¥‘Ë»ë_n|{õéêöêæÃÕåŠeŠÁzî)œXðéúïW4ú|ûþçŸßß^þq÷ÓÅÕ]w–ø¼,xo¿ý‘.6pìŸ.ÒDØL-^à%M˜µ|±»J$J
+ ÕÅ—‹t£Y·tN~Jd‰Ê¸™ sT6ѦP€ŸšýK¾¿dÙrSÖp8®–뼦A^µ î ?ÕÔ¿§)<º%ņ MÀ§ÇSáfW›f——~ê>oËöŒE
+d«æ¥Ûí¡ÙÓà°õ›<VÍ}^u³þš§CÙÔ­_Õà%€$VŒ%V)îŽåøÕbÙ<û}¹ÙȆ–KÇÀsz<çû²8¼Ò\ó@À—üµ=pÍÿº´|Ù NbĶ8ä)ßÊõ±Ê÷ôNn ëÐðØz^6åžã¤SÔ‹NX숴^:™Àä6.æΗ“NI.\;‹®]šÄ¨T\H»mhySW¯?à}îÛ°r 0<ÑT2õ"fJ` Lâ_¿§gÝh…
+‡}^·¨
+èܵ|dÀdèK…±Ž䜀eKP4ð\’1Òœ#©ÓüîèN Ðû‚ 9(3A×
+\-qÍíP7ô,|([û³ë
+ïß](X|Â2TÕAôâ ´ñÆ¿FòA«Í=Ú}QÔ!t¶xS›v¾nv;§YøR‘à`ô{ªÒ"yœsÞ<ƒ´Ê€›§âÕúå+9#É“ æ±.›
+¿†ð=¤ï#A|hêþ©ÞŽÝ"ÉIzÒ«8‚Šã˜ò˜½÷“^Ÿûr}pgäw4d$KÉ{b׿ÒDähÂùèÓGƒâÛˆS¶‡¬¼¶‡b‡ ¨õ—iö 3™HaÅBIL’SýFöÐá¯â3a{Bw˜=
+IœWââ—U;Ôámó2´‰]õÃkˆmÞP—ᔼE×x"šI¨ºä‰³tÁ,B:Ë’³`¬V>"{ã "3s~ëiº÷ „I0 7D0ÎÙòe[®·8ä.xh—!Ü1Le#ùÂÓóïÛÒ¯ó&ä³en¨:}®Àõy3
+}›â!?V>r–£øúD {o:åÇ” 9i¯¯.}ÚM‹vƒ<ÿ¥ ¹4ª(ÚÊi$0©cì aqA«W{ˆ9û:Ÿ1y~ókf÷¡RÊÁå¶z¡^‡!輚Yç…
+tx¸é_ÀɲåüçË«‰h€¨à*[f“Œq×ÿ]|[0ˆoÖ
+ŠÆî´½à‡ë_|làL‹øXò*&íÎ¥.ª›A©.¸4_ªã½_2¨­VbÍ°|]­óõ% ‚zƒ)Gæf©oFgvjUkMDè…ÚCÜW¹øì³L¬©Cq!’ Ík­‰rIk W²ð×'þ¼Fˆ HZ ´ê[èN_¡BNpJ
+Ê×U;ã¹8n…d¬jÖyU‡¹~…äIf².9®7sqÀ&BSsm°j)º™àø½¿g
+œÂ}3’NA°¿C`Ñëý7
+É♾ƒÚÖEñÞhÁö{&–p~ÈgûãÛ|”ç•ÿ¢´ñEi9nù†ž'(a¨K}d:á\3o•¤1ÖiÇÐaõžáø§›&
+¡üÕÚŒ^§]æOÿ8®ÿå 4æ”jð(Ö¦ð8êôg»)ëÿ=¼endstream
+endobj
+1220 0 obj <<
+/Type /Page
+/Contents 1221 0 R
+/Resources 1219 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1213 0 R
+/Annots [ 1223 0 R 1226 0 R 1227 0 R ]
+>> endobj
+1223 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [367.5469 309.3417 428.747 321.2419]
+/Rect [367.5469 732.0757 428.747 743.9759]
/Subtype /Link
/A << /S /GoTo /D (zone_statement_grammar) >>
>> endobj
-961 0 obj <<
+1226 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [483.4431 115.3171 539.579 127.3767]
+/Rect [483.4431 536.585 539.579 548.6446]
/Subtype /Link
/A << /S /GoTo /D (address_match_lists) >>
>> endobj
-956 0 obj <<
-/D [954 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-350 0 obj <<
-/D [954 0 R /XYZ 85.0394 539.0447 null]
+1227 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [213.0783 116.7303 261.825 127.5147]
+/Subtype /Link
+/A << /S /GoTo /D (dynamic_update_security) >>
>> endobj
-957 0 obj <<
-/D [954 0 R /XYZ 85.0394 513.59 null]
+1222 0 obj <<
+/D [1220 0 R /XYZ 85.0394 794.5015 null]
>> endobj
354 0 obj <<
-/D [954 0 R /XYZ 85.0394 295.1443 null]
+/D [1220 0 R /XYZ 85.0394 717.5548 null]
>> endobj
-959 0 obj <<
-/D [954 0 R /XYZ 85.0394 272.6685 null]
+1224 0 obj <<
+/D [1220 0 R /XYZ 85.0394 694.8763 null]
>> endobj
358 0 obj <<
-/D [954 0 R /XYZ 85.0394 159.1962 null]
+/D [1220 0 R /XYZ 85.0394 580.8047 null]
>> endobj
-960 0 obj <<
-/D [954 0 R /XYZ 85.0394 136.8798 null]
+1225 0 obj <<
+/D [1220 0 R /XYZ 85.0394 558.2856 null]
>> endobj
-953 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F58 627 0 R /F57 624 0 R >>
+1219 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F21 654 0 R /F63 993 0 R /F62 990 0 R /F48 880 0 R >>
+/XObject << /Im2 979 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-965 0 obj <<
-/Length 3270
+1232 0 obj <<
+/Length 2980
/Filter /FlateDecode
>>
stream
-xÚµ]“Û¶ñý~…úTÝŒ…ÀÉ““œ“ËÄŽs¾N’<Peq,‘ŠHÝEíô¿w]@$Eéœ&=‡K`±X,ö›â“þñIª™ÎD61™biÂÓÉb{“L>ÂÜ·7œpfiÖÅúêñæ‹7ZL2–i¡'«-ËkùäqùóT3ÁnB2ýúÇwoî¿ýÇÃë[£¦÷?¾»‰4™¾¹ÿá¡o^¿}ûúávÆmʧ_÷úýãÝNi¢ñÕý»op$ÃÇ¢woîîÞ}}wûëã÷7wñ,ÝóòDºƒüvóó¯Éd Çþþ&a2³éä^ƳLL¶7*•,UR†‘Í͇›Ÿ"Áά_:*?ž0!AVçT²#@ËYšeéĤÓRH/À²½I#¦õS±ß—Ë¢Á×v]¸³…îÁŒÎ4lë–Ö»¶¬+Zo6õó¬ªÛru¤•Ý½áθÖaeÓæm±-ªä®M:½'&J"VW›#BÛ"¯Êêãê°qï|ºª÷´>šMþT ø¯º*½;Ž—ÉŒ›„e^Dœ³,M²±+å/I"Šå+¼Xwl,‹U~Ø´øâØò³5>wû[n§õ¢hh‚Žíá-Œæ šÁ“8h…‹¶ø–ãÃñüwBÝæM[좱3µâÌp®'†&S•]PDšu±P FÍ(`9Iàíýv(öÇáÞœ –H•]ß<bìÞÕ³ ײ¿ý‡xNÖNŸ×åbíÀlº®›–Fs/ÂÇ=ËÅgü͸ÁæÔuYVùþˆSß¼û€SpÊÆ+.Ñp‘¥Lh+HQr&µLpÍ w›‰ÍMS£ÚIkY–pÞW»¹;\sGýp ¬ð9n|V
-Œc¨ŽÏÈ×Ò3Sˆ"ƒ[–½äf&¹™>†™ŽÃö*åCFj»1MhÈb°ù7äx‰ Uñ%‚ÿ‹Í’A¡Ö¼BòA¦Ž!H,bíÒ >QB8»ÂTb†²&c–‹´/œp|´ge¦Ï¥wÊ¢`dWìÒ¶X’ {¼Í ÏEœ¢Êç‹[Ü,P~…ÈÞ«…»/§Œ3žŠ~î2ªÜpÄ•}/C¢Í«cì—/ŠÖ•NPO}@¶ÐaÈdú”oÞ\ƒìYW#¬s™A´ö]±qu`8.\Ó]Á´V¦O¶s¼1ª ž„J¥¤#šÈóˆ/‹úP6S°<,H9$É8ƒî)G .ý•»t0²²Z¸»Í‚e€ A7;ÈŸÊy¹)Û#"x'ï¢FÀ`¾ ¢à¤|Ú"kÖõa³D˜·Hå¹l׃É&qa ±Ä*æZ„>â±½¿ÀäÈOY&µñ3ð¤
-O GÝ
-ê¶Të>/g±0b½À‚ dŸ:ëó€ªïJâº+ïeÑæåærB® °¦¢þÕ4¡‹u9MˆX'Oú¤gͱÝm0Jõ2*”s‡ˆ5ÂD/CP «úL<b:lRª¶~Îý õl£;Âz2%9š˜÷¦Óf[×Þ¸Á=DÀ2Ò½\6¾†?«iDã3¯–ƒÞùi(œ­Rý€ò‹ª*çÝ`É&Ÿ›Æâ;Ò6Óy(Ô#Ž “Pµ ÎÉ1 {ò¡€9§³hâMÞÆ"ü\DrÛ¯‹*”'/À!A¹0â¨q.aw2¼
-©•hWG¨g~Úå[Y¯Í$³ p
-Ÿ%
-¬mÝ
-ÑYƒ[6NKMbã÷8YË-¨ X÷®NZålñ||j2E Ž¯KœO‰‹|‚A&võÞ÷A
-‡°ß|Ì)¨þ¸K|PhN±‹jVW#'ŸEÜž¡Ï '&©ý ÒJ2mƒ³kóOXƒs>q|ƒ•¬“¨+øRŽR&LTÓ+Ð-ðyú.ªëêšae`j¹@¢Æ2‹ß+_ú
-·ÞcÒ{À—MpZ‚6â.)º?”ÝA¨tÑ^±‹:8]¥‡­«ž±…0Ìü8ˆ€g¥.J؃nóAP¥¯œNˆÙïÅh{BNåÐ)_îz9Özx ¾¯ÜmF­3a
-…¹9!úÓî½ôH§Rÿe›ƒØôlÎy®Éœ^
-`­^›#ˆk‹ð:':EE?U
+xÚ­]sã6î=¿Â÷fϬ¹üÐg÷)ÝKÚtn·Û47÷ÐöA¶™X³¶äZrÒÜÍý÷–dÙ»7ífvD €
+õöæ;º7Ô\¸5¨-PáÏ;»,_Ëêi67FNŸ‹ÍÁ64®ÛµÝÓ°]‘ìq£L.dª3¦É|Tue=#c|¤xôš×Ôû1ºZ$I”öÉvÄ£ª„R2á%%‹phÅfóJ/ËúPµv¿ÛÏT6­W‡åéLæFfL”LæJ‰<Žµ#Ñ–Ïö ,”fÚ”ÕÒ‚ÕäázêˆØfWWM¹(7eûJ C8ìVEË«ŠåÒ6 —u5SÓ–˜Ø¬Yׇ͊ÆL¸%*/e»ì¼-šÖîy¡Ý?à ›Y­êöˆŽÒɾTͦx¶S™ÈÒ˜¬ècìš(ÃÓnid«b±!ãˆRbÁ^6ƒÀ/…czň
+ì7i&tœy‘5^ÔŽúà:UÉÀ9/ª/—i4Àûå£÷GvÐŽßð½WÏcqØ 9\ßÈ#ƒŽ4À 3Ô³Þ'²CÞ~Ù{»Xç½7`¡è‹ äëzs’X( u
+{@£«²…KiÈd¬±Ø0!“žâ—˜„œ@FpØ=&]
+ö›¦YßoËjYoCEÿ{7_l Øø80î>='£¶ô/laœÆ™ÖW5½kœze:H…d6-x"äA½Ó
+ß(¿œ)¨\2ȉNR¡©’øSwp 8ïP<½‚Uš‹ü>ì{6MÐø EAqüWq^æP„–*ïqx.Gˆ¡4O|ZHµ{.ý.Àc±ÿe§ƒ,8í9†•°  ]x
+$)Üݱr
+ÎpŽÖ»ž†RÜ3Qž sçNÜ1è·òx7•gܳ«
+öÏ~úqR2¼é62žØŠ6¡–¨9+zY[úT<è½5e¯MN†ÑI½Ø@Î/dxQÝp6l¦* [˜øÙ¯¨ÆŠ˜¯/òT˜Èœ+Ÿn¶?üz¶n /•ZJõÍj‘}óÍ[£ß}ÕïF«x Õƒ‘œû#ª¨3K€kÁt!Îò
+u€ŠžNM8Ãߕпþ ©ÞÉè(,. ¾ìæH*ÞÇ)¡ä¾8r©ýbhGµŒùÑÃ,×ÓÚ·>Û H(”Æêwª>í=G°g{æÇ6&ø ™‘.6üçCûÓ?Ä9þJ)×Äß Œ¶Ãuš‰("Ìê)Ö§ÍþÅÎ)ëÿ£Â`˜endstream
endobj
-964 0 obj <<
+1231 0 obj <<
/Type /Page
-/Contents 965 0 R
-/Resources 963 0 R
+/Contents 1232 0 R
+/Resources 1230 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 947 0 R
-/Annots [ 967 0 R ]
+/Parent 1213 0 R
+/Annots [ 1234 0 R ]
>> endobj
-967 0 obj <<
+1234 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [369.8158 503.0308 418.5625 515.0904]
+/Rect [369.8158 701.0858 418.5625 713.1454]
/Subtype /Link
/A << /S /GoTo /D (dynamic_update_security) >>
>> endobj
-966 0 obj <<
-/D [964 0 R /XYZ 56.6929 794.5015 null]
+1233 0 obj <<
+/D [1231 0 R /XYZ 56.6929 794.5015 null]
>> endobj
362 0 obj <<
-/D [964 0 R /XYZ 56.6929 337.0807 null]
+/D [1231 0 R /XYZ 56.6929 532.4192 null]
>> endobj
-968 0 obj <<
-/D [964 0 R /XYZ 56.6929 314.1315 null]
+1235 0 obj <<
+/D [1231 0 R /XYZ 56.6929 508.7234 null]
>> endobj
-963 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F58 627 0 R /F57 624 0 R >>
+1230 0 obj <<
+/Font << /F37 743 0 R /F48 880 0 R /F23 678 0 R /F21 654 0 R /F39 858 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-972 0 obj <<
-/Length 2358
+1238 0 obj <<
+/Length 2534
/Filter /FlateDecode
>>
stream
-xÚÍY_sÛÈ ÷§`Ÿ*u¢Íþ'7~òÙNª›Æñ9º‡ÎÝ=Ðq,‘Š(Ùçéô»X,)R¦ì¤Ng:ž1—X,À?`)qøQbWNG±ÓÌpa¢éê„G_`îÉ<£šiÔæúiròö½•‘cÎJMæ-Y ãI"¢Éì·ÁùßÏ®'—7Ñ4|`Ùpd,ü4¾º Š£Çù§«÷ã¿Þœ c=˜Œ?]ùæòýåÍåÕùåp$#`½ Ž,x?þÇ%>Üœ}üxv3ücòóÉ失¥m¯à
- ùzòÛ<šÙ?Ÿp¦\b¢xáL8'£Õ‰6Š­TMYž|>ù¥ØšõKûügTÂL"ãjÕç@ã˜URyÎË X»ÁøúÞÂ(áƒß¹áÕ:›æ¿s.§érùHù<<·Ä7- X½ªˆº-‰zó~(ç4VÚ)šM‹Y=}Ne´„x,Œ‹j›¥³7ÈÓÀ´ÌZT´´,ÂN‹ìPå‡|9›¦›¡H3<pÌH挑ÞÊt6ó“YUùý`í¼- DT°ÕŠˆeámê" æåÅ´\­—Ù6°Ÿ]i¢Ú­×å&¸¤ãÍ`Ë¢|Èî³ FR 4{Þf‹ôÜ•ûe@ȃ©‰Uº
-¼ HaÛEº¥ˆ¤­a
-zÂY™UÅ_·4qW”¼iQ=/÷-®Iéõë.«Ð˜¨±ñ=jPY\RRiAjÀœF^g@ÇÀõyyI£ªÜm¦YÁ£†½[3›E<²6Xe;x@3„20˜<X(ˆF¨ƒjç«<L¢By†Í–51däÀATIîZ蛡 é@<y­I½xß øæ
-¨¹eŒÏ n “Ë1îŠõ&¿Ï—ÙŸÉ0²[éÆj¬Öm«'‹¾¼“GŽÇ5&¥÷e>ÝëÑn¶‘ƒUâ YÔ¦› ¸i_þH‹uNÔâŠYŸ‹ ƒ¤QÝ-­ßò˜X1ø¤†[uÂ0ð0< àü…­¤gèsî=pÉÄz¬<s?‡®Å·*[fÓ-trAv¶Ù¦yïOjÙx¢ÀZÈË®kfÙ<…;@¨À”¿Ù»—Û‹N= ¶xS‘€êg¤S°âG™}xEuà·&êø¤c˜§OÁ±Ç±i¯9 FA&(íÜó€üT?­˜¶2줟¨'£ÖDW½Øõ¬òúÙö¢Ócn :™1ßøå ÇyDìC.8‘D1«•;.‹Öq†õŠl¾IË!Å JZx×úÐŽE""¥”{oéU+ŒÕ"àŠQ²FòOp
-Ò¡%zº^/}¿…sõW-ð,è‚„Ã=°ûV _’¼|@Æ| „›Ï“~ÊJðû
-¶Ë¾úà;V’Ù” $7°ÃXÔ.fÔŠÚYðºÄÂ6®=£ý÷ÕW§=¢«ø¶ÖçEY±`Ö
-õ–Ò
-}B„L–±{B¤¸4‰û‘ "b8@©ÝG‘¶äg`D$€î±£õ9Ë(âü‡Ì§¡¨êîk S5ÇÎ<<<Ð ©}çÖ´.]‚^(©û?¸+çó—Àb…«º­<ží~]Ðüÿ§Üüci¿ÇÒ°âXz
-âÿùìRC=âúGfGÂ!Ô~lr´?“N2.$]y>—þ·
-³!
-~,¡‘ÿöƒúú]×$OɶÔ«úçO ½ªß¡.ìøÒ”Q|Á‚Ôó‘³*§˜5wø?#ú
-v,=Z'üº˜ùßd‡ÆÒfû~èãM$¾úgÅ}¼ëP(‘ý¿bÛ•HGÊ0”…¾Öñ“Kýûcàj©þÎ?=endstream
+xÚÍYÝsÛ6÷_¡·Ê7%‚O‚¸<¹±s§uRGN¯í#Ñ6'©ˆ”=îÍýïÝÅ)QN:ÉÍÜxÆ°XìþöbÂáOL2ørzbf† 3™¯NøäÆ^Ÿˆ@“D¢¤OõÝìäÅ¥²Ç\*ÓÉ춷VÆx–‰ÉlñÛôÕ¿ÎÞÎ.nNiø4e§‰Iùô»«ësêqôóêÍõåÕëŸoÎN­žÎ®Þ\S÷ÍÅåÅÍÅõ«‹ÓDdFÀ|V82áòê‡ j½¾9ûñdz›Ó?fߟ\̺³ôÏ+¸Âƒ|<ùí>YÀ±¿?áL¹ÌLáƒ3᜜¬N´QÌh¥bÏòäÝÉOÝ‚½Q?uL~FeÌdÒŽ Ð Ð8–*©¼
+äùQ5S–éLDû+›‘•³Ú˜@ñ1Ö×&rö;7<SÚ”Íh ÐóTMQ¶øëí4ÕÓzU¶-Ù(‰ AéóÜËsAdWoidpÕØ»Œ O)M<ÎÕõÙùùî
+$š$Úp&%ˆ{`%Á^•ž¾GUTÊk¾÷Xb\?¬/Äãµz‹eBhiŸÓÁ™Ö
+°¹SeŒ·èÜ€%×+"ÜVëMùP.‹;oÉ0¬Æâ©U8µîŸzv?fwìÈq1)¨ËEò “íb€Uæ˜ÒÚ 7³ÀhÁ…ˆËˆ,H5Ü2õ[[ÖLõ>³Óy^QŒ¿pØB`Çß5Yʃ.™¥«Í­CÑâWS,‹y[VwaíbÓæeXß3’Ô²“$œš
+pß}V ã<"Ž!ÜH¦XªÕ3kÑ<k…fœ±‚]¨pÀ,·;THH³­€Ý ºÄ)º¹î™€p Àb”ŒPþn
+£È)éæ©äÓL 8J-“
+
+®±g _f[hÅÆAæ“ìr½/¶|p]*¥ýkYÈn¬LÿÆIãŒc(¢
+
+ü@£±¢¦ž£ÅÀE¬ô˜…ôoùËçÿßDKSÈ´þÆIÃŒc&"!Ç˸M?a"ŠƒŒUöU=-¤é÷êÿ§í¯üŒ‰@Úȸq¤r09_6õˆÅlK©˜£´^4·ò…w Ï{RÈÔ.¿éü¡“†Œ!‹YX[yû)÷ ºÂUL¾Ž›Gÿ†¿Li¾¾y õPs'Æ“ÞH†¹9伃Š˜ ±×U¨ÒÍN…SCÅæ3êbTÏÅbË}Š/«b~ŸWe³
+ß`ùªÐ2÷ †5$,‚¥åóòT
+ÈWõ¶
+„õm˜Pç Ú¥½ÏÛ1ðìí‰Ò,÷k’»zæSÓ+ €@“g±÷¶^.ëGÊépV—<bjAV¨;úÀ
+~ÿìßí| K
+lÏÈñ:} IzDÇU!y‹“MÈfö7ÆØW:ýüÎÑáÖÃ8Ú1Èý‡{ŸˆWÞOÊÌW¤Þ-ë÷ù’º°*L-‡0Š%)O¼+IÅù‘$G¡'G©Ûß9Ííj†2`–'µFè»~3»ºü•Ú+Ø!¿+šƒÔH·—?ÞUÊ“œŠ"äúEsO½ózýD-ÒFU•w*ÏCýRxE¥¢L–ûñ‘@Iy~‘ õVÙ5 ÕôQÄùƒý¾ ;]¿3b}^S-Ð×!Ö!|ùÐñé}±\‡¦×dø-ªfÅ*ÒÆ89eŽÎîgÝ2ä%Œ…G‡5ïrþÁ›ŠŸ^=P‘÷®‹T4Ž˜/1]ÂήîY¥’Û~•7¯ÆªC
+GWAšÃþ$`©T½×,‡ÊPVÓ»òÁ¿a`WøÍÇjXeè|š¿þ‘Ê–ÔO£j!W  ¾dK¸cl„õñM¹(è«­¾ ¥Ï´;(m!£Ïž<˘͸Ûç†ÅšBü‘C-úåÞ Ã©Q!
endobj
-971 0 obj <<
+1237 0 obj <<
/Type /Page
-/Contents 972 0 R
-/Resources 970 0 R
+/Contents 1238 0 R
+/Resources 1236 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 947 0 R
+/Parent 1213 0 R
>> endobj
-973 0 obj <<
-/D [971 0 R /XYZ 85.0394 794.5015 null]
+1239 0 obj <<
+/D [1237 0 R /XYZ 85.0394 794.5015 null]
>> endobj
366 0 obj <<
-/D [971 0 R /XYZ 85.0394 518.4711 null]
+/D [1237 0 R /XYZ 85.0394 708.1399 null]
>> endobj
-974 0 obj <<
-/D [971 0 R /XYZ 85.0394 493.3754 null]
+1240 0 obj <<
+/D [1237 0 R /XYZ 85.0394 681.7727 null]
>> endobj
-970 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F57 624 0 R /F84 797 0 R /F86 977 0 R >>
-/XObject << /Im1 790 0 R >>
+370 0 obj <<
+/D [1237 0 R /XYZ 85.0394 221.7119 null]
+>> endobj
+1001 0 obj <<
+/D [1237 0 R /XYZ 85.0394 198.8068 null]
+>> endobj
+1236 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F23 678 0 R /F21 654 0 R /F62 990 0 R /F63 993 0 R >>
+/XObject << /Im2 979 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-980 0 obj <<
-/Length 3477
-/Filter /FlateDecode
->>
-stream
-xÚÝZKsã6¾ûWø¹*ÂâE8NOÖ©';ã­Ôæq %ÊbD*"5Žóë·Ý HŠ’'»‡­Jé
-ã]rý )”÷úz{e#kLlÙ\}¸úg7`ïkè:)?%…6 «SÚI&^¤F›N€*ˆEJ9û©®
-ZãÃRj¶Ï«fUì\( gzÃÉk ƒT"Ù™4­ó†
-Ûb±Î«²Ùr½¬è·ÉÛÿ³Ù*_”7j¶)Û¼-¨éÀJ ê¸Õ¼ZR¡)Z*lÊmÙòך'i×Ü;ßÖ‡Š ëw¨ó%ÍÒ®ó‡ËQJø$!`õæDi0ËXÄ ð?L€…æ¥i‹-@È([l]Õ›Mý\VOÜk×–uÅ£å»Ýæ…G©éÿNðÝÌâ]Jd
-Äz%R—¹3h ¢yŸê<:*\t¾iêyU·åêe<·’‰ð6Ë.OÞQMÌÞÇŽÈžÌþMñ‹”º*p#µ›åø—Íž6õc¾¡¦MÙ´T
- _ï~`âår£Ü¬hêŸ1‰›Uù¶ RSì?Š4o<õ¥ž\ASTLpÿîáîí¿©¼…ò§"((€F{;„Îóº¨
-˜&Ã2R5[1{kj]Ô»*$UÄ«ìp/geCŸ­ÅòK¨8ÇJ$qÅ%BŠj¤G½QŽk…
-Ê­XEì?˜ï žéþÃPtX±¾¨Ãÿp9·FÒ‘?íål]lv\ p†ÿ¢jQ¬Ú+–6~•—SãÚC¯5“!/üí¹Ül¨ôÛ¡\| úºW(Zù©àA*ê KÌ7íšyùÌêÝjjYyÅV­¯Êã2 ЇˆAÓ\
-f”h ›:ÕaÛ4ó©üTTÜÄÿùÄŒ(¬MS&ìþé\ü‰O&jÐJnŸ_â°É¬liF–LTÃê÷å² Êwj©©õ<èÑB!£WîœÈœôcn)…q0nâôP+~\ax3)“ •ßB =/üljÇ,P/¦!€åéœN §“¸U=1 ,
->I! ‹¥àT ´Í«ê¹-«C[p3! Kqžb¿-çªÌ
-|œÖÿ-¸ÒsØRGlýÿ g,¯}Z=ª ЊTçT}hO­T*”òê2+Õ/l¥°Y‘ÚgæÝ¡epa4Â^£ÒÞa
-ª}S…õ €„­U ÖŠJ1–"L…R·½½€G‘cÃ.}@y8 KÿµV6³"qR}ªóê¨Î[«IHA°lý+¬tT¼ Í•ÆÈ3GH!e¤Ø+©Žö
-ÊÁ^Áÿ„½‚ŽÁ^Ɉ-êì•$lÝ †ø Û+Ið
-½X$ °Td`ņ
-³:Ýæ‹5µ7‡XŠÌBñ@g(åôG[ÏMœÓŽR*ØF¡;·éf¤UÞÌ3;û‚G«Šö¹Þ¤Êc^-ŸËe»Sí‡'R ‡RuXLx"h븀rà„8"ÑÂ*0¢µŠIZ ñ½!›Ñ˜V4:O÷¼Æ ã‚D QIºTTšp’…Ôc}jR±‰¥v并NEâU<£N¡~×,º;åÓW­Ô,¸D‰™„¶@O ;Á_‚ÎKNý ÉÑ8Ȉ+¢ˆÌ×.U< Ê€ùØ´¨«¥ ì­ s{F8%‡¨œ4kZž5*&±Bé×Nk}ªóF¥£‰·¤ôÜÀ¢('ÒWfgš‰ÉE‘b0=˜ý·GûNíf·Ç˜3ÈH8œƒ†Ë3¼&M-ðÖ€ARŠæ£í‡–ãöcò3n?|Ûm°¹‹Ãž ö> æˆú°S’ŸØ¡0ž1î#cÀ’`¶;äáKÈFÂðšð6°iA¡ÉE#uKÈóBseø X¼É’x§
-ñ$ º;Ô0»'åXb®‹ÎÁe3ͱʼnߙ˜|ªƒ]lë‚+8.ß@©Œý­ð"tŠŸVþÑþëBwï°Ð;mô¬ö>^cé(ËP Ró>‚‡/žÜìûrAI‡¦^qÓ7IÈYÖÏ<(ÞG÷®'ËÇ nYÀ …âé°e‘ÃÁŽ•ÍÜ$(GwoùY66éÛØñ¤ðÞ¸?gDµÐ>ñ!°ãÄ ƒéBrIQÝÚb{N;>ZÐÐ5oBŠ¨y4vpX<sâ²Vïý1Þø4iÁnJ¨È‘l‡W™S‡Êð”½qô©Î‡ÕàÁÉÔ½€¯†<^œ½£š˜~x©iñ½P2œ?€Ðh{<?`¥‹¤µå˜ñ9ÝÝ èá ‚¶Ýû
-K ™rpU…ƒ X|y„G
-Zâü+ús$º >L4”úTž
+1243 0 obj <<
+/Length 3560
+/Filter /FlateDecode
+>>
+stream
+xÚÝZÝoã6Ï_‘·:ÀšÇOI|Ün³½×íÞ6Å×öA¶•DX[r-9ÙÜ_3œ¡,ɲ“½;à€Â¢È9þæ“V—~êÒ%"ñÚ_¦Þ
+'•»\n.äå=Œ}¡˜f‰æ}ªoo/þòÞ¤—^øD'—·w½¹2!³L]Þ®~%B‹+˜AÎÞýôáýÍ÷¿|z{•ÚÙíÍO®æÚÉÙû›¿]SëûOoüñí§«¹Êœš½ûë۷ןh(á9¾½ùðõxzœ˜ôÓõûëO×Þ]_ý~ûÃÅõm·—þ~•4¸‘?.~ý]^®`Û?\Ha|æ.ŸàE
+å½¾Ü\Xg„³ÆÄžõÅÏï&ì†O§äg]&œ¶ÉåÜX‘ÁúÓRV"U
+ˆRçEb´é¤¬Õ””#Jy“™·»¼jîŠÝ•Êfó¶Üó²o_9)\vÙ_ሦ™`ÃôØPÎ —(3äã¦ZÔûju57™ý«®
+jEÖ|5³ÝU6ÛWUYÝÓðº®îo"}È«Ø*jmò꙾ܔվ-¸û©\¯©µˆë»M9ÇMûxU)ìG ïœüUy[¬
+[‹¸TP«ôPêÏe­À?­­zR=ª3ŠT§­Õ$¤Œ0Ö¿ÀJG5ÁËÐ\eÂ9bæ
+"9qE‘ÙÃÞ¥
+Û¥îm¤kŠe]­‚ lA
+M.©[ Ï ûò±¨h X¬L¤Ž¥‰ãž«šÖ&ë–ÈÙ „ex½¸k‡]OémŸ#ÒzÀ‘m†ûªæPâ`kŽOVep´Þ™¯8Z%¡Ù?Z6?7ø™œìh~;6w6š;wdî,š;°uáµõY¥#Ímc0qØ.¼L!¼°mÀî&F1Á·áAãë¾!Bó„4ÒL8É×ÙÀÔ¦ÙH '̉µ m+_(þô©N›“Ž*H§
+ÍýŸácˆç‘ôᾨ–Ü?dÓ M<Š`˜2¸… Š–:ïðŽe$@6k¡®È:U¶[T+4Öu¾ªkohr(Lž! ÚœTe¤Ҟ×>Õiå騆‚Ÿ*XäSyôÙå;ª‰õ‡8ñ"M]:d hU½<_¢Y-áa_Ý•¶ñT[=BrR!*„SöUIO¨iN&Tš¨¡3¤ô"œa´çᦀ4­i›z_–¡”Îÿn|þ\܃&—R{Æžæ¼Ã úlm|XÎ>Ö`ã $Ø]Lõ*>…BHµ¼T/\¡ô©Î 0R Q}Xu\’Ò™°Ö¨ó\tTl ÓG#, ùàfÿÂ
+)y0çøÂ%j5¸f ¯1±kÁ”GØ|¿c£ÄšéqXrGQòçÉýÃkBؤi7u(rÀ;ÆLÔbg:”Ã=oÙ÷Aå ò'@¥-è|¢¢ùÖS6[ø4Mz^ÁÈWy–?ò
+CXŒ£& N.ËQn5xVfü;ɸ¢|†âJ°QzÂg(ªã`ΫƒÏÐ)û ¬+·DGÞ{ÈO)=ò½%{$ª«7ýCÄ:ÄÀJïe8*ݽVˆàb]/0vÑü¯3=±¿ægNÃãÐ3|J¡ghò_g8ôÄ®¡§…„Æ$f € †-Ö•}¤Ü>ìH¸ÈÛ­6½ä¹ü[7ÄÂÿ,ÈUI*\’¼PaëS¶‘ÕQùøòøP[È9Ò˜è¨^àBixc0ÐÒ,F]1'\ûÉ®šcQ³|µ:Ü<2¾]d›‰O6¹@MW‡`Q>>ZjݾûH ÐâªXb9Š¯ñ¢B0FÚßU§bÑé®h©Ê”‘†óè°$Õ§Îü;ωU¯º50²Æ@4Ì…ª9fC™ ¾íWZà7ËôôfêÚ*ï.áZ_ÅÂ;ÏÎ~ùî#õ`.þfX¤ •µ}C^õ:{åïä°&|ëq¾Õ3X¬rIãûí
+43v£aSwD‚·· MA…®ðé.³oè-˜Æ;S¿%ç¸^F /:3hFèa“à­}³gai2xan q©5ß ¡y¹R¡Ìm¼fÜÝåKþæ7­ír]7ó©s‚ ¥
+4–h³sæÛm‘ï¨7üuC›8÷È£À
endobj
-979 0 obj <<
+1242 0 obj <<
/Type /Page
-/Contents 980 0 R
-/Resources 978 0 R
+/Contents 1243 0 R
+/Resources 1241 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 947 0 R
->> endobj
-981 0 obj <<
-/D [979 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-370 0 obj <<
-/D [979 0 R /XYZ 56.6929 769.5949 null]
+/Parent 1213 0 R
>> endobj
-737 0 obj <<
-/D [979 0 R /XYZ 56.6929 752.2241 null]
+1244 0 obj <<
+/D [1242 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-978 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R >>
+1241 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F39 858 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-984 0 obj <<
-/Length 3053
+1247 0 obj <<
+/Length 2459
/Filter /FlateDecode
>>
stream
-xÚµ]sÛ6òÝ¿BoGÏ„,¾?ÓÄé¹Ó&¹Ôy¸iú@K”͉$ª"eŸûëo ФDËî$Ϙ `,û ñƒ?>sº`Ò«™õªÐŒëÙ|}Æf70öÓ8yBʇX?^ýðΈ™/¼fvµ¬å
-æŸ]-~ÏÞüûõÇ«‹Oç¹Ð,3Åy® Ë~¼|ÿ–z<}Þ|xÿîò§ÏŸ^Ÿ[•]]~xOÝŸ.Þ]|ºxÿæâ<çNs˜/â
-OLxwùËA?}zý믯?ÿqõóÙÅU–áy9“x?Ï~ÿƒÍpìŸÏX!½Ó³{h°‚{/fë3¥e¡•”©guöÛÙú£aêÿ´t…vÂN0PÉ9X™™Õ¾0RÈÀÀýö<—œgÝm…€ÈæÍæ®Ús—ÝT›yE£Í’ÛUy»þj6Uû
-`a³ë}GuGxåªm¨g]>PW½™‡U«²­F[òlÕ” Bj6ÔДuÓEÔM¹Ž#mµC:á~
-¼8ëPXØ,ç¼ðZ‹pÊnWnÚeµkó--ß´qÖCVZÃõ±0‰Hw"»Æ-ÌØpW/Õ†ú›ø-i8-)£©e[·| ´}[on¨ yL»P¾ÐÒÈHFOûÁJFù„¹½Ýs‘¶%í6½E.+¬Òc.E·‘ ›Æè¸MÛ•]µ®6]q$þ¬`4Ó2«z?­î)b‘´Nª{Âò‚øÜìwóê®Eá…z†ˆë*¸¶…gúedJpÍ:¹¶¨ºj·®AiÀ‚H–ÝßÖó[Wͼ\!ȳr± ‘oZ½Z„R¾Í~³ 쮡®ËwŠ «7
-®Ï&j›ÝÄ:°«3:ø3¹³ÞD¤kpX_‰¶!
-º~Ú+õX'¼ÒTXáÀ$CÌ4ÜäØ1E¤ RFŽÉ™ÂX+Ç´ c– 6¶F©´å”6ر@Á
-Eª¥á&€]+ИiªmÀæ%m\²6¡£ÒhG)ªsÃ*ö7SåKÐ )ÕX6ÍÄ¥C¾†1xL€à|;pP1â­c|<ØQ³é9“…>eRÕT5â6üΦY¬& Ÿ$\Ê“Ö[È®ëUÝ=
-ƒ8'™êc8z]E猒 ¥Ÿª£JC¿mpìÒØìý‡«Ëwÿ¥Þ5ÐQÞ„ 12U³``\ÍBLªfáPªfGÕ,“Ò
-Ü&¾È˜¾àš[•M´Œ‡äR<>o€¹Ÿ|UÀ÷$!ÅAI
-8»ñU»${±¦¢ÀújZ´è„[·`#µ2/góìè1ˆÖïëV1õzz’S(ÍÇ yQá鬾W+¥‰Jzÿ]rX‹‘ýòØ:Íx*‡åàê-ÖŸÉa…€ðÎ8û]sXÁ“Êþ9ìpé9,÷¦`Œ‘Ëù­Y•1i vÖg¢Ð'<
-`ˆ—î% Ï¿‚ÁüŒaìTQÎÇÃyÛ¸
+xÚåZKoÛH¾ûWð¶0ìéw7™ÄÉz0ãd=Êa13Z¢l"©ˆ”µÞ_¿Uý H‰’3HìbÀ,v«««ëñU+,¡ð%V*2™˜LE™Jæë+š<ÀÜ»+xÒÈ”ö¹~š]ýøV˜$#™æ:™-{²,¡Ö²d¶ø}òúï¯>Ì®ï¦)Wt¢É4UšN~º¹}ãG2ÿxýþöíÍ»w¯¦FNf7ïoýðÝõÛë»ëÛ××Ó”YÅà{$œùàíÍ/מzw÷ê×__ÝMÿœý|u=ëöÒß/£7òùê÷?i²€mÿ|E‰È¬JöðB Ë2ž¬¯¤DI!âÈêê·«t{³îÓ1ûIn‰Ú$©€hù%«
+ëŒhÇW¥pšh†?+ËGAV ãCQ)£p„R'©¶Œ(-³ît¹H#™R—1E4—&1ŒH wç{‹v¬~Ì'%Jp â‘ãý4Õl2ƒ¿|r}|(TpeC)±F0\<ùœ0Be– ÏÕ£ÝnVp?Þ¬yò¦†=%ýmEÉi_´Û—æ=¯e
+¶h)hÀ8±ÂfNéßêU¾¯S“²™Â±eNažÌ«…'ŠÀ³*‹­YÔEà¯êÖÍn³©aZÒI)Ú¶¬üKûX„Ñz·:_,¶E$-§‚N@˜¾;Psöú¸»±ðñ|Êéäþ)Úf
+J‘c[ËÌ Š¤Ð_ç;Â‚È â(=¸ÿ×yvÊ3‚“)Ä UÙx>¢0,bQ#ËFÒQÇ…k·yÕ,á´˜¤Þâé“>ñJ­‰Ñ ­¿Â‰׈"¢ïa†#Å‘&3<wÌTM¾TÞ„`êoCiÂxÆB0èß Àø6`CˆTÿÍ^zñ¯y±i=ýïº
+kFMPÁIs›b»¬·ëbá_wsZ$o><éÿòÇFc¡†^:;´YëÂáE.ÜH¾jÓ3žlü㢑iDáÙaR€ä3PäU‘i *Tl«¼Å¨5úp8n•C-]LÃ{¹ôOðÀîÎ
+0*Ê-ƒ›A<qŸX‡*nå·©’V-Å_Étñ‹sURâ’’ª—ª¤R–H%¿i‘TLñJäAð…©„
+bÓŠËå(2]¨Fcpð–ÎtÒ[â´žS=åÈ"3b V#nh¿áë¡á[¿qÃ\5r\Ý# b5Bz¼QKøåùjlp¤¼•D2ɇÉ)>^‘ AjzÉG„„Ll9 ¨AD\ÀÇj@Ò£.W¾T‘"V‘ z¼ŒñË€¦ÏuÁƒ"×iö¹ jðä5žü%e:®m~”·I«‡ê|lÐlL6¸Ž\Êf=—jüt& ¥ÌcÊ• œy*‹}DvÆ›M1/1 9‡³Ø •AØ¢Xæ»U¾‚Ôuê!)ÄŒ¡@<¡ªGêcÑ—jØßjS€¹e
+dÑx°\ÓB¦ZU^ñ"ÄQh¦‘`–
endobj
-983 0 obj <<
+1246 0 obj <<
/Type /Page
-/Contents 984 0 R
-/Resources 982 0 R
+/Contents 1247 0 R
+/Resources 1245 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 987 0 R
+/Parent 1250 0 R
>> endobj
-985 0 obj <<
-/D [983 0 R /XYZ 85.0394 794.5015 null]
+1248 0 obj <<
+/D [1246 0 R /XYZ 85.0394 794.5015 null]
>> endobj
374 0 obj <<
-/D [983 0 R /XYZ 85.0394 119.499 null]
+/D [1246 0 R /XYZ 85.0394 151.4942 null]
>> endobj
-986 0 obj <<
-/D [983 0 R /XYZ 85.0394 95.9037 null]
+1249 0 obj <<
+/D [1246 0 R /XYZ 85.0394 123.0886 null]
>> endobj
-982 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F84 797 0 R /F86 977 0 R >>
-/XObject << /Im1 790 0 R >>
+1245 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F62 990 0 R /F21 654 0 R /F63 993 0 R >>
+/XObject << /Im2 979 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-990 0 obj <<
-/Length 3129
-/Filter /FlateDecode
->>
-stream
-xÚ­ZÝsÛ6÷_¡·Ê3Žø$8÷”¦N.6éÙ¾¹‡^(‰¶y‘HU¤âøþúÛÅ.ø!QrÛ»Éd´
-ž±Ù«òá÷aÂŽõAyŠ¤7 Ü87Wï±W΋¯ùv·)¾8 ©µV˜g•ï'vŽFùT3KX1ÊZ²ÌCƒº#UV°_97`;'Ä%Jè4sQ\’êÔH¯Ì„X«„WIƬh^8-ï
-5òÁªi©xˆAzÅÚ=–ùò¥-¦ÌŒp&Qã­=T|ˆJ™T¤ 5+E‡
-LÀ7©Ò´Wóu]}ƒøå1&ØQt‚ýM˜ ©€äð\òœóŠôC¢Cþ4±óOO"Œ@‘<
-îªÞS‘i౯ŽL‚‡¶ ‘¼ÌÜ‘àûˆj=Ð#¢*Û(H¢ŸUÝ…ˆ„‡íŽaò¾GGÂú¸©Ol:‰)…{Õ9p"FKæ;(&Þ›ì•Cp]8”È4ËÛüÌ¡¤èl.
-ŽL‚%5`ž#Á´™™
-4ÈÝŽ%K‚ŠÌZlëÑÝÆï;sñ(X8†^ZõrúCËäô¡iˆÀÒ,µøÐ@Aázu“vfJ¤ÞÅ4a-Âõ`ekjÅK
-dÀ}øí×e ·'£LÃéNC‰ÑGº´€3»kت†¹j
-€ºÅ*_=‹¹GÀ’BÈ«e C±0‘¸y‘sÀ}±:ì›òK±`ÌñZxiõØV›²¨&ós Y õ1éìã7tl”CžõIF§.:{Ù' ¹Îû¤Ž µÀ‚ȦhŽå¦÷'àÒ/ÊLr‡Ëö‰0^»±\ŽjÓaB˜Î«ÃvIAfJæ¿QÃÐhãg}8š2 A¶Éeüxr3 Vu§FÐQµ
-0Ôæ«Ï“AF*8Ì‹b#Ï©X}TÍp’½¡Ü鸯»þƒÈ/hȼ ÎåÐt²EÿñÀPkˆëÿL`x\31
-
- {Ïñ¾yy³®§7JK¡5ôÖÿ†ë–tÖ_{ámÀu6£l²û°ÉÙ¤Õ ²SòoÿHäÏÛ’5èöÝ+¶4àº`K‘ëÜ*͑࢑iBc#JÀk5¸+^˜°eøÓÁ56(†DŠì
-ÕÙù…ã0ʼâö‡\N4rs½A>7Æjp``è¢
-ׄc´v¶ÊŒ•˜
-ªeHà†7m^õ¡!.ºz¼®N×õçîÅYrüfUÆGñ¾ª,5?‹Ô¥Nûñù-‹§|ƒjp}^øñžaå,Ѽ ?¼óþLYPêLøLv³TO½ i‘ÉÄ j‚‰šW¬r*Àää¶ìC%;íh˜ŸÊið!/÷Ô±,Û᪺’(Æ>i}·1ÒiÈ4¤Ÿˆzµ ¯ X~Ä]Ö’P»UBíÏå¦ÆÇZ|§Ðñ±ÂÛ9Oñ@]Óµé1bLÜI¡â|1"…dܪlTŒ Q!éBY”NcWx†–ü:,eEûšS… Å[¡$ENÛñV ˆ4ÑÆè/A’yÿfÜç‚Xž¹í>JËW^KLçïzd
-Ç´Ú½äàå]ÕEÉÓ©èqÚì…ó©ɾUÖAeÞõ7h* »ã=}ÿögªè|zÖ•
+1253 0 obj <<
+/Length 3339
+/Filter /FlateDecode
+>>
+stream
+xÚ­ZÝsã6Ï_á·*3µNü5÷´»Íîm§Ýí%¾¹‡^d[ItkK®%'›þõ >lÙ¹½Þd2‚Hˆ
+J\07ónÄùpÈS€SÒÅF&¦—ìu£Ø#)c˜`á´ä£iX
+óŠàÀ4!xhÊhÀ™=¼ Öã<" ª Í?sz¬ê.#@ <lwŒ’‹ êâz8QÙNf¥öÕØ !†h%˜ï즘ÌÄR§ÙåMrß”ŽËk–·ù™MI1Ö\˜&mJª! Óbfb°)ðBÑ–h¿-YâUdÖb[ï_ˆnÃ÷ø±¸,3/%{9ý¦ÁËä¦)HÀÒ,5ß¼i H ï^Ýà
+"IR~9{Ÿ— wþQL7ƒ˜nƒ¿Å;Ìpm—áZ
+G˜óÖ5óoso&¨Ï õ±únÑÞ'¦ùR€9[Ù =iyÍ¡%ÈÅ&o<ÐÖaLÂMhëœ qaþк|9út¼ "EÞže"?†xª²€
+"Ê ½šOÉÝ…Ðöhw\Q©ÇeQ
+~gJY
+á¤üzïg=ßÔó)ê¢VZ_V£ãšÐcäbÊA/îHJ}U¦ú$)ã$ Û–M½)Úâ¯X
+Õ>õvç«U±ó§UÿV­¹û¡âLŒ{|!
+QÁk¬Á]áñBû%ÃG‡×øB©$Rd@¹/©
+.+±Ãßó÷Ô4]üsÅÄžT*ÎW#Ò)™ª$ÊŸ·P§±É_C ‚|姲¢uÍ©D†“â¥ÎCV™qCi‚µƒë’àõƒÅ=ëí˜XKuÙÙLç}=0ùmZíÎ:9Ä÷4lö’äŽéTôøÈìbëR3’½eÖAiÞö4Õ„í±‡CKgÆ@/ÞýÂuU]4Ϻ`_ÒMG%ݾZL‡¾Š”)Þ©ŒÍù‚¶•x<6½Oý¾"38M¾­…P±Ðâ•p=亰ëkºB8Úy X§!q¾(¿ãšP`4W™Å©tv¬óµ¦ß}Í;¼×#C¨JC¿÷Eí¨ŠgéáЯO~ñƒM~¦ˆ/©òÛ<æ
endobj
-989 0 obj <<
+1252 0 obj <<
/Type /Page
-/Contents 990 0 R
-/Resources 988 0 R
+/Contents 1253 0 R
+/Resources 1251 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 987 0 R
-/Annots [ 993 0 R 995 0 R ]
+/Parent 1250 0 R
+/Annots [ 1256 0 R 1258 0 R ]
>> endobj
-993 0 obj <<
+1256 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [361.118 643.0167 409.8647 655.0763]
+/Rect [361.118 694.3759 409.8647 706.4356]
/Subtype /Link
/A << /S /GoTo /D (configuration_file_elements) >>
>> endobj
-995 0 obj <<
+1258 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [347.1258 251.1389 404.2417 263.1986]
+/Rect [347.1258 314.3269 404.2417 326.3865]
/Subtype /Link
/A << /S /GoTo /D (journal) >>
>> endobj
-991 0 obj <<
-/D [989 0 R /XYZ 56.6929 794.5015 null]
+1254 0 obj <<
+/D [1252 0 R /XYZ 56.6929 794.5015 null]
>> endobj
378 0 obj <<
-/D [989 0 R /XYZ 56.6929 726.3067 null]
+/D [1252 0 R /XYZ 56.6929 769.5949 null]
>> endobj
-992 0 obj <<
-/D [989 0 R /XYZ 56.6929 699.4102 null]
+1255 0 obj <<
+/D [1252 0 R /XYZ 56.6929 749.7681 null]
>> endobj
382 0 obj <<
-/D [989 0 R /XYZ 56.6929 385.1287 null]
+/D [1252 0 R /XYZ 56.6929 443.842 null]
>> endobj
-994 0 obj <<
-/D [989 0 R /XYZ 56.6929 360.7028 null]
+1257 0 obj <<
+/D [1252 0 R /XYZ 56.6929 420.887 null]
>> endobj
-988 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F57 624 0 R >>
+1251 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F39 858 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-998 0 obj <<
-/Length 3097
+1261 0 obj <<
+/Length 2859
/Filter /FlateDecode
>>
stream
-xÚ­]sã6î=¿Â÷tÎÌZËO‰š}J·Ù^:mº—ËÝ=ôú Ør¢YYòZr²i§ÿý
-ÈPI%Y…B^Ê9ÈI=/:´UÍtù—ež¯òì§b~SÑxFWæï¨ûR´Omö% Ûb[ò2ÏEþÒà^¨d¸6/,çÙv[yØn³]Ö¢2$l'~>ÖŽ Ÿ††óö–-A¸ðeªæ €I,'àWù:Û—-u@màûöƒMFÖmÀ‘MËá*ûÊ‹›¯ˆtäà/ê4S¢=ʬ;«Šê‘V Gèè|™…CÅΖÎò–òýµïÖ›À‰ÉHmoÓJ€Q§z|èuå÷"à‹÷„`r±#ðþþ‡† Þ¨¢£ É‘(v2rÊV¢ÓÁ*¡„ír»(‹¦Í«Åç}¾ŸˆVi$‘ž]¾#:^«bóBÔP
-–Z×]„‘‡¼›·ÍšWGØÇ hi×à,TšÌÿ…Ñ +÷>ØÀ`™7 RAš¢øìdaŠ2¯Úé »ËŠ%…‡¡í/”‰Rã­¯#£9ÂFÆ‘”Òˆ­ó]Q¯Š%»ç¥DÉ›OÔ½©à¤ŸáüNy¨Mld\bλèê´vT>º–Ç‹p䥱‚T¢ßY:ª Æ~šÀh…ðÎgtìo¸YÐê±K'„_„õ³'´ƒ ¶45×%“Ec$í.’´am¾g<w¸Ã_'NZ«4FJ¾ º½#—Ö.Ž¬ƒed7Ã}=Ø bjj™„˜=§6‰àx”ˆA<J8ò@ jOÌéS3è<£7Œ§+Ǽ³W‘m¬0B«1_Àʈ•cYGºaàCómò–/ šZñ†ÚŠûÛ‘ñ‡}ãë‹Ü z¹„ãƒüïäEe•ŒlªÿÈ TgÜ P¡&Oy¶kò¬=ãq¤vçeè¨&„ùA"#[9–‚ü@ô¹°!#vã†Ð¿Öo2”¹Ê*oõ0ÔB\ihÌÇYÄe Îk·ÉvŸ¼ÿ
-.c¯ ç"e\HhXÁºš¼1í¸Ö Z g¾©¦­·ÑJ]FQs9<Ô›¢^ÆyÊSöÌáï‘b'®ðW
-,Ñ%°_ý’þÏ6&‰ ¥RÓ•šqäTš¡Pr+%·ÚEÖ©dBôÿàŠþêendstream
+xÚ­]sÛ¸ñÝ¿B}£g"ß'O¾œ“ú¦—¤®Û—ë=ÐeqB‘ŠHÛñÝô¿w P D)餓ñp±X,vý„Âg þñ™Õ)“¹še¹J5ãz¶Ø\°Ù̽¿àžfˆæ1ÕOw¯ßÉl–§¹fv·ŠxÙ”YËgwËß’·½útw}{9š%&½œkÃ’Ÿn>üL˜œ>o?~xwóþŸ·W—™Jîn>~ ôíõ»ëÛëo¯/çÜjë…çpbÁ»›¿]ôþöê×_¯n/¿ûåâúnÐ%Ö—3‰Š|¹øíw6[‚Ú¿\°TæVÏžaÀRžçb¶¹PZ¦ZI0õÅ?.þ>0ŒfÝÒ©óSÚ¦Z(3›k‘Zkìô)³”i8µy¦xj¸Ê†S|ꔞr¿ØÎëªëËfþå±|,Õæ:OyÆòYÌûH‚jB‰À žÔH†»uy9—*OH‚Iš¹„Y–Û~ ×g˜ÝÓ.ËUñX÷4(š%›ª©6ZWu„”~íÍŠÆ}àñ¹Ü5eMp÷¸Ý¶»¾£¥H'ç®RÁŒyšk-œÀÅb"¥Í’3&ê¾Üù‘jYôÅî’Û¤,–/ˆ ©~í䨨»– EÛôŽ´­ýܺ}&`S4/ݽý4P7墯ڦ , /ÅsU×Ý£nÖÒù- W5N´  Ú Î“n[,JŸ‹ª¯š¬Ú'h7~ÕCHÀV8ŠÒÌ}9¬Û]‡»#Ü·ô¥Sƒ»y–üë2peG“uÙy”j’^ §mè…©ê²éë—±Vt7»¢‚Sœ:°ÿ¹PiÎ 8“”©bÜ:zŒ ܤœC¤`Œ%ŸÊ]Õ.«ƒ»KŽ’wŸixÓÀM?ÁýEï‚FêT
+#ÏûiLuÚO*sQ—EÇ;¯¼GŽjDX+Ï‹0PMÈ0vÔ,U67c!œó)i’D¸ä Z=é†"sØ´OŽP'å×mE¸eLеXx2Â.Èš–‘®È36DÒ‡½Åb¸?•»—‰›–"O™â¨õèìÈ¥¥5©¶{FvŸëÁaÈ#¾öÜ Ä<öe‡1%c>e,ŠG™<ð5Œ¾'ÖlŠ¯>ZÁà ½a¼\XÏ»xqÑF3Ťó,O½r^Ö‘§càCóíÊž
+^,¯wV½´ÄÜžÀy-|ë¶XbÑ7WÂ&W+WŽ8¡\ ´d,ÂÓÁÍÙîˇÊïäû¢)uYQB â\¨·w•‹dR%(+"©† )Ÿk.«nÑâƾ*BÜ`Oñj¶Tþ<UK¢R(¹ç±”8¨ëö9pº÷¾9LÖ¦BÙPÊxÛf2WÚ‘âW‚Öâk׃ÃS×·[‚h§¡–pw©ÙHoŠw…¯PÖÅ“|5q‡gþXŸŒv
+¡åÜœw1Õéx7P¡Ú]êv}µèÎF<&Í7„¨&¤8ŒzŒgb|(° “QåáàA8Í ÌÜ{êº}xpð©Çs¨ôsÖ ctÇÇ¥±²Ò—l_PÄ“*Õ";¬¾½†’³à£!aûæ¿.aëP##'lÍ6ðþîr8>رeß{)è`ì‘38"e sPÐFA½õ¯EèoÌZ;ýZñJQÃŒ>Í‹Ö1àåÁ°bÌj¤›K¯JBÅ&8Ü
+X&\’„kÚzŒÌ@Å%dG |È >B©Ç¡už‘\ džò"­߶`óÙ—’ÊsITì´ÝŸ‚C¼¾ÙˆÙÏ-è4‹Õ
+œç1k§—±¡ƒ!ä–JAë·ãÔj]õf“—KÁ’ҪͶ.7%8ÀÒ#úâCd~tï*ÏR#¡[ŽOöÇ. ª×Ôä :öý;á™ÒøþÁSóóP€9ó(<—ÿ\B$í¶Ox™`·øM§|åÚ\
+[.°áh:Bû'$D—_‹Riîk".‰rh½
+E‘Ûˇ¶™7åCá‚/èØ#_ˆÑ¤]Ð8°$ä}Ñ…e®®ò¯v„Ú¶]E-N¸CÜ;© r=Zº¶d(¶ $œ<sw€$ãq`ÕMõ@Î…¥õ+€=ˆ¼ë ‡‘Q~ÎRѯÛýÚs‰T—þFbõ×?—î÷ ©ü.Þ*¢m||t¯pÑ:¹"üþè:hx_^J앦"btßbØ&~ì#a´Á£cÁ”ÿ‡(öw’{}©lñ“õUü[ ‹åÒ¿^yj¯LyCÊÉ6#CšPîy]á9ÄèêqGÉÌw0Mè‡^B5™qh†ò}ØAÛ:Å0fæYøÒö]x9*¿Xº¼¢()~”’¹k.ô87Ì äó?ÒB¦9þÈ9R³×öÍÔ™üªÃT¾êÍ”ÉÿIŒæ57oh ‘“ƒþCkæ“;ÒäqE‹:wå\ûÌLop®ãäþœÑ×? ˆdÓ:Ãw€UÚj¤À¶¿k 8ËNÚL`#³úù–­Sü
+lG&ÇÙ€R[%‰B) Êökš&‘(¿â¯jô:”DUôSGå•ŽÅ ¦5tø¸»·}XSyÞû3ï:Õe ¾õ­T8é@ÝæÐö O`ÔŸõ~wâ·y©SüA}¢ïfC_óÿÛïÿSƒÊR¨´Oür ™I­È³ j§³CÉ5dumE6!úO³Vòendstream
endobj
-997 0 obj <<
+1260 0 obj <<
/Type /Page
-/Contents 998 0 R
-/Resources 996 0 R
+/Contents 1261 0 R
+/Resources 1259 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 987 0 R
+/Parent 1250 0 R
>> endobj
-999 0 obj <<
-/D [997 0 R /XYZ 85.0394 794.5015 null]
+1262 0 obj <<
+/D [1260 0 R /XYZ 85.0394 794.5015 null]
>> endobj
386 0 obj <<
-/D [997 0 R /XYZ 85.0394 630.3935 null]
+/D [1260 0 R /XYZ 85.0394 690.2056 null]
>> endobj
-1000 0 obj <<
-/D [997 0 R /XYZ 85.0394 605.2917 null]
+1263 0 obj <<
+/D [1260 0 R /XYZ 85.0394 665.1198 null]
>> endobj
390 0 obj <<
-/D [997 0 R /XYZ 85.0394 242.2106 null]
+/D [1260 0 R /XYZ 85.0394 302.1184 null]
>> endobj
-1001 0 obj <<
-/D [997 0 R /XYZ 85.0394 218.2795 null]
+1264 0 obj <<
+/D [1260 0 R /XYZ 85.0394 278.2032 null]
>> endobj
-996 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R /F84 797 0 R >>
-/XObject << /Im1 790 0 R >>
+1259 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F62 990 0 R /F39 858 0 R >>
+/XObject << /Im2 979 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1004 0 obj <<
-/Length 3112
+1267 0 obj <<
+/Length 2998
/Filter /FlateDecode
>>
stream
-xÚµ]sÛ6òÝ¿BoGÏD ñE‚“§4qRwZ§u|smh‰²9‘HG¤âx:ýï·‹]P EÙ¹s: `±X,ûE‰YÿÄ̤qšË|–å:6‰0³Åæ$™ÝÀÜûÁ8s4±~¸:yù.•³<ÎS™Î®V-'ÖŠÙÕò÷(e|
-’è͇‹wçïÿ}ùú4ÓÑÕù‡‹Ó¹4Iôîüç3‚Þ_¾þå—×—§saˆÞüøú׫³KšJ™Æçoi$§æÑ˳wg—goÎNÿ¼úéäìª?Kx^‘(<Èç“ßÿLfK8öO'I¬rkf÷ÐIb‘çr¶9ÑFÅF+åGÖ'O~ë ³né¤üDK²: VS4yœ*©œ
-ƒÇÓ_Ãj–Â…g"¥ÆTB¯ç‚Déž™D„×h”ÎÆŠˆ®à˜  ™d2›™<‹³<uöböy&âDç¹"¤
-Bé!4D øbJËÉGh‹¡`[Z¸gÀ7Õ9p^ñT³åå´ŒñŽ²{Òn¨þ#IäÍŽÃ/d/É£ÿÜ–Lº ÊýköcÐz±z,Û @¶'î|ÌsVN-:Í¢ë’Ú»r‹V‘¢èŒ„oSog£]@'¯‹Ö#7L«G¦3ü«¥^p+h%ú™ªõK|¬WÓÏ»Šq™R/5’@¸‹3©“Ùe/ÈyÑýR Ë1ª÷rÄf{4¼=4sš¤©öf®÷’‡6NAv$ ª9°q
-Ü,VgO±s]Bò®)‡Ë+>áÙq¦¨§8P6¶0e”-ÈuÊ>I%åL+gßh@˜a­=fôç!ÉÃ8CZK4e ¹Ü¤##XVmµý~<öŸàQÁ5êL¥C&ܤÈb•*áåI^N±ä–MSÇVut‡`ojÙ4Þ*`¯½+ªóÂyz2¼΢•ª0˜V|S©8ânQ ÀYLÆÈÁ±LùZ ½lÜ3ƒt5òÐï&2ZÐ!—¡ÀþQ¿ËøópÁ”ßÓú]`Ìû]y¨×n.,ÜbÂï2ÖSœP ü®‚œù¬pY4^CsGÀ.wMBI³zôÆÄÝ*ﳕÇM‡PÚ#nv­§ßµåzEZa~¬]Úr•IóA•_ïÖÕ¢ê&ØIu¬õq+" i0²ÜÎ$B>û…öç!ÉÃ* $¹™Éö;5#`°! Ä0î»1é)>ÅdžÄVZ5dò˜±&÷ªCxWM]ÒeaÝ}C@I+úÌ43""-*E€ägL•œsÙ×¼’ôBFç¿’ #!×£˜oï­Áƒ*ˆÜ2“ã2ײÕC>¾ŽP^¿ù™
-÷x
+xÚµ]sÜ6îÝ¿bßNžÉ*â—DMžÒÄIÝiÖñÍ=´}we[“]É‘´u3þ÷PKiµ±ïœNfBˆA
+BĹ1%”ÊXe"]d‰ŒM–“‰]à]f›T D‰%s‡ñ¤"¢+ø_F&4“Lf‹ÔØXkw™Åç…ˆçŠpØ]u/7ñò|+o¸Ð"¸“§» »+!ìuoàôÔ€ehÒùÕ]IwJU€*
+ú|{ñ‘¾?ïÊö Ûâ -®`³Í Mnw›¾5ŽhvXfW×mü-1Éåeƒ ¬›¦ÝVõ-­ÿ =
+´õgS Rô´^un*‹v=+ÜSa`½fV»’é‘›Ì
+ÚF…{Š
+zE‰q¦êüV'ëÍôó®b\¦4H$žâ\ê¬CFVIBð"ý@ú ÷QŽØì∀e”™ŒÜd&)$Þuù(yè㤿¦‡>NA˜EÇêü)~\—›æCSÊ+>áÝq¥¨ç8P6¶ 0e”-ÈuÎ?I%åBç"ÖV?)Ï€,ÃZ{$Ë(.C’‡i†´6–03`!—Û¢_ÝMyTàYÃ~;Šð¨@:Sé˜É#šY¬R%¼¼ë5)§‚T²e×Գªžtþ¦¦™mã½~u÷åªBs^¹HOŽj!¡•›0¸V|S©8nÑtžÍ¦È#î!%„À2köºqÏ j´Èø UZnÁ†2(7d®»Œ¿ 7ÌÅÝ)ÝqÜÆ|Ü•‡v-AsV‡GÌÄ]ÆzŒ“jAÜUZGg˜-©¡¹'`ÊÝÐ&Ò¬¾ª1¡ÁŽò¡XùºëJ{Äí®óôû®ÜÜÕhHâU¢Ó±Õ /W™t9TQùçý¦ZUý ;©Ž5 ~Ý‹¨Œ…bE§P3dPp>÷…—!ÉÃ* ($3Ùþä£nê2¨Á!~;&=ÅǘÌÈÖ¬3yÌX(’‡€€Ù;骩KRæ8Ñ?4”T°bÌL3C9 "¢iÑ($¿b’‡»jŤ]5…À5ï$»ÑùÏdEÂHÈÄõ$çÛGkˆ 
+r
+Ž­†à†-ïœdûÉ5… Øº(ÿì oëî(Ô5#„}¯ ?ÖË9Å™Ml䛺Üü´‘ȱʴ±x)5-1GèªEÊv ˆÅMO-Vë{ž€[VÜwL쾟êIJ&ÉíÁ`E +|}8ëŸíN‚êÔ|ç»»æ¡&ðèQÞ¡$rÔ1
+J„ò6FE¿ † øÃìÀ0á« -LQ ×QwÆFÒœ»‰¿®2™·I€‚‹¹oîæ"85yC:Ä%NSL6&ëR ã#¢™êÃu±ÕLB¥‰—ÏŒ9í¥eò©´Ìèïk–fÖ5Í0cùpºæÓ}4ƒb¦ Ò²¡õ9á¾2caæ,ÌeLß2:ÄzpˆUKàº5±±c¼`ì­†›üÆ?é§îQ¤_÷‘) • þmˆµ™þ¥ûqòåKZ9‡8‘°ëp t"ßÓÖÇió›´¯¾?» è¦j=³7(¢”žáŸ %|HßxúŽç fà<21§f44ßWã)µŸúûp¤&þ˜”d_¥ì¹Ì圄ý…W›#9‚o&ûç„-¾vRjgå½ëX™±xÁÒnyBN¾Õ£ÆóÏËM>SnòÉr“O•›œÊMüßrÿ˜ÜÔ3妞,7õT¹©Çä&Ÿ#7ù<¹MЇ˜ñYx]ì7¸+èÉ• ßù¾¥`A^­è¯4=¿³’8þ‡XÊÄøgc3údø‹§gÿuÚþ¯`°Ïn­<ÒñÏ@†ˆ0Sȹ±œû?c;dý¿?¿Évendstream
endobj
-1003 0 obj <<
+1266 0 obj <<
/Type /Page
-/Contents 1004 0 R
-/Resources 1002 0 R
+/Contents 1267 0 R
+/Resources 1265 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 987 0 R
-/Annots [ 1007 0 R 1008 0 R ]
+/Parent 1250 0 R
+/Annots [ 1270 0 R 1271 0 R ]
>> endobj
-1007 0 obj <<
+1270 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [213.6732 493.8452 286.8984 505.9049]
+/Rect [213.6732 554.0172 286.8984 566.0768]
/Subtype /Link
/A << /S /GoTo /D (rrset_ordering) >>
>> endobj
-1008 0 obj <<
+1271 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [209.702 415.6507 283.4678 427.7103]
+/Rect [209.702 475.7236 283.4678 487.7833]
/Subtype /Link
/A << /S /GoTo /D (topology) >>
>> endobj
-1005 0 obj <<
-/D [1003 0 R /XYZ 56.6929 794.5015 null]
+1268 0 obj <<
+/D [1266 0 R /XYZ 56.6929 794.5015 null]
>> endobj
394 0 obj <<
-/D [1003 0 R /XYZ 56.6929 561.8344 null]
+/D [1266 0 R /XYZ 56.6929 622.2509 null]
>> endobj
-1006 0 obj <<
-/D [1003 0 R /XYZ 56.6929 539.8007 null]
+1269 0 obj <<
+/D [1266 0 R /XYZ 56.6929 600.0717 null]
>> endobj
-1002 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F57 624 0 R /F84 797 0 R /F86 977 0 R /F42 597 0 R >>
-/XObject << /Im1 790 0 R >>
+1265 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F23 678 0 R /F62 990 0 R /F63 993 0 R /F21 654 0 R >>
+/XObject << /Im2 979 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1011 0 obj <<
-/Length 2396
+1274 0 obj <<
+/Length 2668
/Filter /FlateDecode
>>
stream
-xÚÅYmo#·þî_±¸Oë"¢ùNîå“s±/_«sQIPìI+[ˆ¤Õi¥ó©Eÿ{‡rÅ]­l_¯AaÀœåËpÞ8|†b…?–YE¨(df
-Ie*›,ÏhvcoÏX˜3Š“Fé¬ïîÎ.®5Ï
-Rh®³»YÂËj-Ëäo~¸üóÝÕø|ÄÍ59)Móïnn¿Çž›7ïn¯oÞþu|ynd~wóî»ÇW×Wã«Û7Wç#fƒõ<p8±àúæ§+¤ÞŽ/þùr|þÛÝgWw­.©¾Œ
-§Èdz_~£ÙÔþñŒQX•=Â%¬(x¶<“J%…ˆ=‹³÷gi&£~éý”°DYn ¨Lb@&8±š²Ì¨‚hÁ…·à¿ÎGšÒœœ0m‰¸àò[°‡¶Ðyqƒw?\Ý"µk*$ˆø‰z:Xï›;ãd\ÂYbÄ)”âC{2Ü3í⇮·ŽñHb95ƒœ{Èã Tw“ª;ŸdO%t^oªY:·å©Uµõ’Ñ(†h”wÐ8xq-Eâ(ÇÀBpëçÜ=€Í¹Öù¬^,êÇùê?«Ïår½cóÅ©ûù§Ð·9g6¯Ê¦^•â¼ÕCùiî4BŽØÆ=õ¤ Œêf‹T¹šº$ë¶Ó9n3Ù.öØ3©W+ø¬¦CÖ
-³Ö¸lwHüçm ]¸§Ìõ4å²êpå%íúAåè‹ê@O\J£L@­ê-*l] US‚Ç´“O{ÇÔM\Ì›mÌ@n{­ˆQBv…ÉÉGˆ3ê·É7èÔtóLp'&zö’ ïJ/á¶2¯w÷1M¤<FáxÜTÁï6S0dÁLÅá I†LþöPù¬ òån±·É)„GíÛiƒSJìMglw›•ž¯bî ÓWÍ£÷ yiYî±ãC`×Ól·À>v¡…Xü•R~¿K÷ ùNåA¦*äAŸSÜ⇢¸d½('^j)@j¿­”t…öÁéò ĪËèÇa‚H6ø;¶› x`T;ãX^Q¢ /ÂÜf[n«%¦-Ør]m–sXAƒþåvîÏÌðzBÛJÙÚ¯Xw4eÈ
-õ§±%hx
-d\ÑÏfQ)ˆF´V'’™ÄBÊ΄6„Snqñ󫬞Ez´‰w—¤ ò’¬¼`Ø_Þ2†$LI1öïuó%,êq¡ù?ëU5„ÉݪEEŽî< PVkž%–ù:c;·ú²‡£ør–qÅiÿ‰b¦°Ï9½z„u5–‘_à?•š½EN­ÿmÁWS/ãÜÈÓg™?aõDŸ¯³Ñkvn à´üŒÙZ²Áä;ÙOóÉfö2™PïVÓRâøK€š™ÿ¥ˆÿÄÉtA„áò'€\È-¢Ø#4+¨……  ØÉa0_\¡æ'\‡:ôºE~x"{ý|õžV[I¯ÁNÆJÝÍí¾!uøÍÕø$HB&õòU‚ÒÄó9Xï'³0nC¡ßìé×Äë
-'¥ÍÅ"{Ÿ–»‡—m’7B¯££.O–õº­Ûƒ‘éŒä8…G÷ŽXÆ7ʲéx‡b…EôÐ7ယ…"Z¶ Òqª!JlšÝÌIëïN½ ‹OE
-F#,OS[{Ò0ʬ«¢aFb<Þ&ŽPñX%xtÄ;H,¿ƒÿ<¿ê¦p%*Hf¡’2·sö1sE!pNB{Mð7K–}_ƒ>Y¢Rä;J{•¬ìTå†P§I! Õà–X^x¬N3
+xÚÅ]sÛ¸ñÝ¿B“'ºsÂá›@òäË9©ozNë¨Óéäò@K´Ã9ŠTD)Ž›éï P DÙÎ%7Ï °Xì.ö ± …?61ŠPaå$·’(ÊÔd¾<¡“[˜{}ÂÌ4MS¨Ÿf'?¾ùÄ«¹žÌn\†PcØd¶x—½üëÙßgçW§S®h¦ÉéTišýtqù3ŽXl^¾¹|uñúŸWg§¹Ìfo.qøêüÕùÕùåËóÓ)3ŠÁz0YðêâoçØ{}uöë¯gW§ïg¿œœÏz^R~Ž‘'ïÞÓÉØþå„ašÜÁ%ÌZ>YžH%ˆ’BÄ‘úäíÉ?z„ɬ_:&?% Q†ç#äbL€Ê-`Ê pö¡Ž´ÎnÚºnïªæ?ËÏÅrU‡¹»ª®±w[}
+cëSf²²èÚ¦¸Žp×å‡âSÕ®#ÆÐÙÄ=êv^DÚnƒ½¢Yì†:ì¶ ¶‹
+·™oê{™·MŸå‰øŸ2F¬RÜ3Ó”›»vý{§(¸É.ÜJg•Ãªò¬«–U]¬qpÓ†Ö§ÄÃW{³7],HK×á@×®7ˆ·jp$êÎ$±äs âªìVmÓ•qYÙl†|Ü–ëª 4ÞøMÚå{ž!l”£ë¢]I“ÝŸn°hî±ãøqmc(Z7²­ÿL„©r²áf‘ ±Å¶gÃ}ôlôT øAãm'n#ú³7φ
+löT
+—ÝÄ’óó²†!܉ƒLŠ ŽtŲ`æ%ž!LË#ÇÙ÷)4A¯i7ع.±u:T.ˆÃÞÎ&ÆêpçÄ‚yÜ°®ÜQkJ³/~{­H®„Êô Bx qB}‘|O]øþï‹1¾<<ÝÛ×à$¸6¤^‚·ÉÂ8ÇÊ4a-„WW]$ñf½
+ JhµŒ¾-÷“gܵ͘KVò Î^QSÂw0`'J_J駤[œXcÌx²5í1NS”Èä€8ná¬åncä«r>¢œIU´»*Ä„EéÌý‘ÓÂ0ŒIX÷<ø[¥¥r ÞÍë¢ëp#5ØHH]Yب‡HLr8'1nç€ñ›%1NS”^bâ˜r·±O×\´‘˜ Ö%ÏÈÈ{”Ì»ÍýªáÜÓ<êIJ™æD´óßéã#Lsž-!¬ÿq®wÀC®tetÐÏí²¨šOZj•µßñã#Œ h$ 9`üÙç–“Û!ç»Ð9Â='Üú†ñ ¹z§žvèp.\.¬ Ãu™«2ÁVüPuʲÐuö\9+-?Àˆ qÝ-X”7D°¤u_p'Óy4û³Ë»meÔ]‚è8ˆƒôúHZ•ý^~ò(m6¥Í¡-Dò>¤=D›~˜6¯ÉF p—Â0=Lb†äÆ`a ×}DïøXØáÔ€¦ô6ò—²%p*x4ˆ*ZtГîwè³DP‘Õci«ËÛ"dz[öNz=Bœ1€A‰Ç•b`nûä*$ªÏ\µÈ‰Tà1%dÝ\XöãÒ²î¡ùþ±U‘—…×t”\GWèÆûÑ"25• ˆhæH|•‚È"&Ribrªð8A>ãÅO¤ "Ÿ¢H¯—I“Ë€dû—˜öù¤Œ: iÚŽã÷ˆ†!ía¡ÙÚ¦Ëèݪº$i˜Û•Ö|’ŠæÛÄínf·ÿÓQÆÇOܶȅ~ì](ÐY_ÍK_q€*•{ŸÍ÷¨h!èÚe„Áö"I.³Äžðóm2úsÅžJ2#;g„»™ßÏëjþ§I½H
+$>…<k©Ó‹ÕÁKPîºÂX’+%®âŠâˆGüª …§P¶}~¼¢yÙA )*Å@8pY!ArP—ØúLÛ÷ΰÁ\Àõž¹º ”y»|†ãÉ^hŸ/F‹‚;(TÜP|%¬/>í×\žê!v¥ëy±íÊXö¹O 0»ÚžÎ“ªµçÐõÎŽšt_I
+"r]'"‡)”]e»ˆUó]f38n9¨
+‹Ùþ
+®ý‚é8Ö6ÝöÆQëC§K½r‹— f†P¸ñÅ_ÔwÅ}7¬R·ýü¬/³œÅÊgR=ãÓ}MpeGüʾŠ_ÜìUˆ³6iáú(Ÿ\ÓÎòö*<‘ƒÕª,<-»÷~„¹¾ ç
+>2r'˜ï¥Æ QÔeq“º*;rì݉sín¦Ory’Ad¶JMûr¸½jý5i_\±çû>þÒËSÏÖ›3è4%93pcgî‚Lü29 *¢'ñ¼ËfðŸgçû’œ’¹XΘ[æ·ž|œ@t”Ö
+Júž× üÀK>ù¹Ž& Sñ4Å왂`––ŠrWø
endobj
-1010 0 obj <<
+1273 0 obj <<
/Type /Page
-/Contents 1011 0 R
-/Resources 1009 0 R
+/Contents 1274 0 R
+/Resources 1272 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 987 0 R
-/Annots [ 1013 0 R ]
+/Parent 1250 0 R
+/Annots [ 1276 0 R ]
>> endobj
-1013 0 obj <<
+1276 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [353.6787 494.5292 427.332 506.5889]
+/Rect [353.6787 560.2827 427.332 572.3423]
/Subtype /Link
/A << /S /GoTo /D (the_sortlist_statement) >>
>> endobj
-1012 0 obj <<
-/D [1010 0 R /XYZ 85.0394 794.5015 null]
+1275 0 obj <<
+/D [1273 0 R /XYZ 85.0394 794.5015 null]
>> endobj
398 0 obj <<
-/D [1010 0 R /XYZ 85.0394 565.1194 null]
+/D [1273 0 R /XYZ 85.0394 630.8728 null]
>> endobj
-696 0 obj <<
-/D [1010 0 R /XYZ 85.0394 537.528 null]
+950 0 obj <<
+/D [1273 0 R /XYZ 85.0394 603.2815 null]
>> endobj
-1014 0 obj <<
-/D [1010 0 R /XYZ 85.0394 387.929 null]
+1277 0 obj <<
+/D [1273 0 R /XYZ 85.0394 477.5928 null]
>> endobj
-1015 0 obj <<
-/D [1010 0 R /XYZ 85.0394 375.9738 null]
+1278 0 obj <<
+/D [1273 0 R /XYZ 85.0394 465.6376 null]
>> endobj
-1009 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R /F42 597 0 R /F84 797 0 R /F86 977 0 R >>
-/XObject << /Im1 790 0 R >>
+402 0 obj <<
+/D [1273 0 R /XYZ 85.0394 128.2785 null]
+>> endobj
+1279 0 obj <<
+/D [1273 0 R /XYZ 85.0394 104.5761 null]
+>> endobj
+1272 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F39 858 0 R /F21 654 0 R /F53 957 0 R /F62 990 0 R /F63 993 0 R >>
+/XObject << /Im2 979 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1018 0 obj <<
-/Length 3333
-/Filter /FlateDecode
->>
-stream
-xÚ¥Z_sã6ϧðÛ)3•*þ‘DÎ=mw³Ût®Ù^’ÞKÛÙ¢cÝÚ’kIɦŸþ
-diÄÐKÇÁã5ã:課zš,ŽEcé"ãq¤t¢ÏCLáë‚,ž eÙæ;¶íötbÍ£XkuybÏ43±L¬30ÆÆ?˜¶•<h7 "¨ºÝÒˆX¯éÛ˜U] 1´5WùŠúð §\†ïpxöƒ”UQ®ò¶¬+06« &zQ6ùrkܨ8ªžŽë÷8‰7¥¾ ›]
-eÆÐ.æîó£c®;”q&$!c‘Nny×L°ªÝÎT…)"˜Á¼ ìÀ.
-l½0ë¼Û¶Tñó'Ù`h&d¤ØÍŸÆñÌü nÉ…t<¸*Ó˜»²êZÓÐÔHÈ«‚
-­—a—-wÝŽ*Ïù¶3—ÄɲˆkáÅaj^ž4’1ˆ#¦âDç< …)`XyÙ†\ç= çBA`¡ae-jÎ`¼"¹<Ï5#ÀPŒŽ¦R%x¼Ö`ð 
-ž8ë(ºª›Ë 2íK}øBí!_cûïqÌWÔNmeµ¢¾ycˆ²7‡u}ØåÕÊ|‡í6šz'š¶¦Ž µUæ \æÙqæUóbM4ã¡„ýL16ï©:Otª(e½UZ/ã"èSPÉ:9|ÓR!'9 4’¸5:·ëWZ€¬Ú‘6¦q4·ª”UßîçòúðÒ#]9ì«“Ú­•NBç°Yï°S%ÁYÂŽ8ñ-ÊÑ gGåL} %3ïiñ¼« I©ý´GY­ãQqSw‡£×H®x¤c ü_’¯òªª[šÅ|]»¹PÎœ¾òW' Ú¯U°€1FÅŽ¬é¥Ün #–šr »¾}upu¸VprÈ`5}3¥n&
-®¬ÛY›‘¡eêÄdNOû­+g>/Æ|¡N60’‹‡O’f°Sš]Þì!×ùÍî¹ìf—Ux¨ë¶™ltCOØ‹S÷\3s6-³l<¹ƒ/…RøíÕÇ( l_»S59´v;ÛPS»É[*‘®µÃæ?»ÒeÔêlE‘»¹LÓž08 Ò£YÕɬ5±,%p yj ùjeö
-P›
-ÎQ6ñSi¤\ªt$ÍÄz®7d˜Žæ’L—[S‚š1_÷îd‚sAjFç‚Õ¦?°Ã|ž ®“²ÔGßb.ôf À—ò¡7ZW䣕$LŠ™Bă„+.áÆbÙÐswü¾šüàH6”OSÌ¢µD1
-´¯k?ïèvaÕˆ^ù`Ü•ƒ°|»­_¨èBƒ>Tß–»²øó]ÝùQj㯶õÊ…yÍó‚ùõÙØN$ ƒ¿È¹ÎÃaÏÕÇvf}0Í&Äå}×_¬Ì’-w{xòzâăR8mâT^^BÏ5³†‘¥i”(ˆG‹x¤šiP®µ˜†*`-Åg["Ø­Å‚û3ü£qÑ™ÂÛªÓðli6ùsi·V
-^‚|GX´ìZ¢ù;Œ“1ý”Kiº|í;Qa—7˜ÏÂ^¸qŸÊgZ/46ÛüÙñõÉ]„ã¥õ©JÙ€ZÚúÐx7„ Õ;ôЬ+>û<„)G.py‡ˆ8Ž˜rºs¦&Rq45‘JH§siÅ@×VÓ×*ÃòP½On, ¯Ë,µGÛtbs'¬½¡Ý{âéÖ›¤;ЕòÞØN!î3º²”=é¹$<²ä„¬Qòài[/­u1ÖßC;…à€½B°rÜ{¨Ø€‹ŠdgPð‹¼ö~ïÅÛnI$ªqÓ»fp“m¾ÛÏm{ÙdÚP˜hkt<ЖÇõf ìýˆM§ƒ—æ,RÃùhÅøe¤rGêžËn]Q5aWìæüËLo€!v˘¾<}ÏõÆüA(È•Þàôr ÒQ-Ug/h2™qðp·¶¤KTh¸ð”Z~ýð ‘–½;^[…;•m¡8^[cñ.Ë‚ÿ :ÓÊÄzp®Þü !aœ0ì6bRÉ™Ø
-ûhP|oayÜÇ
-=a>ßVF×±Ž¯š[Z ›d¾3¢v°ìHÄ™½Â¦îö‡®Ü¶¡õ…$Ü^b´lßQÜS,‚θ)Hyh†oÇÐ^Š{Rù3zãZëãÛ˜í~Ým‰±(ó§ªnZ›Þ©)0Ü[Û#'zŸäÉ&Š@[ö‹ÃÉoºª
-ΰoLWÔa[ïíy6Û°€¼¶¬f%y”oÍ–%ÝíŸf‹x©ÄüS¡ fqñÔÉÎqqá³­÷?¾ûü03 Œ1¸ô\p5b •(`|¿d¡f†«Ë-•¬ª„½ŸÄê@cP³§¶mFÐjŒ9÷/H=YúFjÝÿÿbÈ?É'£ŽkδµbΦÏI”h¡FâÌ<8®7¤˜ŽvÌ­Q›uÁת~î±\ã5}úÆ6—bý¢Q€a-@3ŒQa³
-Ò8b"KÇàãCT‘*LŠ  ¥C$(³ˆ`—³
-¨EšÙ€éIŒúõ.=³ÿpDÀΨ· †Eq’y+q €#¿Ò¤…ÁÔþ‘ÇÒóŠ¾æë~[®ð@Çšï—æ
-qBÙƒ_N÷¯¬©èÿ3°®gendstream
+1282 0 obj <<
+/Length 3614
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ZIwã6¾ûWè6ô{‚•
+,îšSÛA-©×pb©äÿßÊ7E]7=ÎR~Ý”^¹PÖA^ÅsX³_/`ÁrB`GÖôTí÷Kw%~»jZß?c­o¯Mv‚…õ8Eó¯ÆOœ‰fÕ}ÀÛÕ€³ÀÏCpŸÞ‹ý©$3 P“kIŒÍÕËx4二G‰+Jú2”¬ÍÅËÓ'®…ùÇp¢Ö:/àsÙ{‘åÁ? pö=¥¢£
+O»j³õ`ŒkjÌ3¿3,"ìl«ºhŸ‘âLóØtU_]³ì±t–‰ …Ö‚ïvÞf$Ú°±SF_D¥å7u0Ÿ§²ü‚%7ÙÀH’,*üIq£_Qö€ëeG.¯ìª^·MÓw3ES
+=¢_š:q-Ì=R4UÄJ­Ç“ø2nQ½6«O‡;ԛɚ{üzM5èÐ6h¶Ã¦~WôXBYۀͿŸªp–ak°ƒîvæ*»~Â,ÈŽf5“Yd¹ –À%ÒLÀ£ØlÊ#
+c…bì1jW¦« 3¹ZM’ špmøJiE”Ph5ÂP¹d(/hçñLÿñz3ˆjÖ9ÏfQ¤h‚FF$eÞ`W¿¯¡ÒZLƒ²ßëYžðí‡_½m`G«á¦ÂÀëáÈ~S9až ¹`ˆ„Í㦼•i0âÃq_à„ñvë5~Cø %;Ó¶Ì-áÆšÕPžMEdŸ[ˆ²×çàø¯К[bŒ¶ÞY¤Pìe0“–¡„xÌ—3ª‡5šÕ¶êŸ×ˆ°…Ú Ø¤†Ð´3œ`l‘ka#`Sè
+Õ÷Õ¡JqhNq”&Äø›}³ a^÷¥|r÷닱äpñЯÂá€ë8Œ\)¶+ïÛ²Û­Ýö¾Á¹ø~‰ì¹ûöyΉ3ÊÉi._ÞBâZØÃȃòœ(1âh·x…f„ë-¦Ã
+˜GñÙ ^µ®ã~-³¿u!:3’X3 ÏîÊ]ñXyÕ
+€ã¿h÷ñvUý€ô? • ‰Ç2ˆ ÛçÀ%ƒ¥
+Ò£'NåSV°:·O)\êÍuZ;=;W–2‘+Ä#OVh’gûæÎ[%y›3Q nÀ$W9ë*>àÂ"Ú¢b¯ÏÂ]ºC’[T¦Íà&ûâp\ÚV‚l4m(̤åQ¸Þ[ûöùŒëÝØÓˆ]ŠÓ¶ƒŒKw©D×’Û—zÀt§#“×Û¶îÖ§íqÝU”óô/nšÙçNLóÉÅ$x0pMÍ“-úœl)¶à:}ÕŜ٠„šØòóÛŸtwòyà{t1ù¥{]qÏ}é±KÐìßÎÞ‚™
+‚«9*8":ª+ŸvÅ!¸zrmá_þ&}Ð*§Ìçá“͸Ê_½7ÿIT`šËô+.C®Ë¨¸\œì$·/×þÕ´ŸƒP„k-_^DâZXÅ$…Ôèñ2Æ™+n "<ùîC9¬Ï—1dÂâÌÙÅŠ¢]9¿9B(2У½¼ Jü¯ìj>î$d²œ¢gë1A !^–mâzm³Ñb.Èý‚ɘñ1ÃŒI9f.$(à9¢}ùµ_Èþ
+ÿP„âxôqº36.oÕ=ð+žæÚâii«”¡—vz»«Bt~Lv"úCYÔ!èò™Y}B‰³>TøK—Iá^œKûÚ"¥¢j´JôpÂdBI1‚ ¨>UýÂ[d]q%/h,îËÇrŒEgæ*н…¨IÄŒ–'.@”ƒLeó×ýL2•,¡©Ý´§¶ÿu’Q¸)MT…Ľ¼ U¼¦]\3ì3áÄ…h²:vJó¹„<“ç'Ù%LbºìRßë] @Íä(p)öÚn=Î
+RÂøø “j¡·øÜšo¹+:/hô§ªz³?mC²× º ¥áÆ–óÿM v@£º†*ÚÛ^¶±¬„5
endobj
-1017 0 obj <<
+1281 0 obj <<
/Type /Page
-/Contents 1018 0 R
-/Resources 1016 0 R
+/Contents 1282 0 R
+/Resources 1280 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 987 0 R
-/Annots [ 1021 0 R 1023 0 R ]
+/Parent 1250 0 R
+/Annots [ 1284 0 R 1285 0 R ]
>> endobj
-1021 0 obj <<
+1284 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [297.8955 410.3076 347.2449 422.3672]
+/Rect [297.8955 476.5924 347.2449 488.6521]
/Subtype /Link
/A << /S /GoTo /D (dynamic_update) >>
>> endobj
-1023 0 obj <<
+1285 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [55.6967 109.336 116.59 121.3956]
+/Rect [324.9335 169.1118 381.8296 181.1714]
/Subtype /Link
-/A << /S /GoTo /D (view_statement_grammar) >>
+/A << /S /GoTo /D (zonefile_format) >>
>> endobj
-1019 0 obj <<
-/D [1017 0 R /XYZ 56.6929 794.5015 null]
+1283 0 obj <<
+/D [1281 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-402 0 obj <<
-/D [1017 0 R /XYZ 56.6929 769.5949 null]
+1280 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F39 858 0 R /F48 880 0 R /F62 990 0 R >>
+/XObject << /Im2 979 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
-1020 0 obj <<
-/D [1017 0 R /XYZ 56.6929 749.3863 null]
+1289 0 obj <<
+/Length 3521
+/Filter /FlateDecode
+>>
+stream
+xÚ­ksã¶ñ»…¾Už9!xñÕt:ãÜùRg_ês;™&ù@“”Å9ŠÔ‰”}ʯï.€@‰²/ÓÎ=,€ÝÅbŸ€ÄŒÃ1K#ÆU¦gI¦YÄE4+Ö|öcß_;gá&-ÂYßÝ_|ó^%³Œe±Œg÷Ë
+®p#Ÿ/~ýÏJØöœ©,fÏÐáLd™œ­/t¤X¤•ræâãÅ?=Â`Ô,’ŸŽRIÏJ³4“RæŒG µEe,VRy)K1%e7 ¥\4uÕýbSm/E:_|ÞUÛý’Ä:ÿ²˜?–Œ–*ÍBNØô³&øTŸ2‘,*3z¿ªú
+øâñ¼¯lDóae!u[uÞô)ovþø×»54çmI£°?¡N»[?Àag³…ˆƒ8É %XEÒpÐ-Q,ÑÜ¢*vÛ¾~ºóŠ = j†¼­»]íDKÃËnK¼ÝÓðcýTµ#¡(rŒL|ó^„g'UÂ2 ,‘•¿Ñ”‘Ø–è4±>·ùºzóyØoàÿ¢Éû~i3GÊ.ùûk8­#”{>»t¸ýjûTm ø\7 R©Œ¥<KÇ‚Ì‹¢Ú ‚XÎ*”
+”ú¥ét›MÝ>$/K8Ü®5Ç 'V0g¥áØ`Ÿ%M4diÉ0Tk¢ æCGÀ¾j–Ôv­¥6¬êžZNipuk«¼}¬Œä@v äœ,-0’‡Š¾M÷øX•È•à¨¬-«ejAC£§vî7 Á-ÐP6
+¶ÀêKQ­€{Ä
+Õqk3ŠÊmz*k§Ò6Ùò +‹R ½,Rmfbö+bø Ù0ÓønW7ÃÂxp8«CèFSçfZwv=Õ+pž2b2†ã²Ù˜_z@¦R1ß´ŸêÒ+ŽšXƒ­UÕl–»†&–uþØvà
+q€aE¨v+Z‘Ü)8‚PÁöà7‡=âßL€ƒ³ ÞIÔA¦ÀûmújWv‹¡Û,šê©je‡þƒ¶ i pJ²8Jœ/x¨ÛrBH2a2î¼ K@Éžœç¢|‚Åχ5˜Hê32“Øa]Êlóc$àö¬ÒCša¶—ojYá0u‘Aï©®ži“ѾªÎ•B‘€¢N¥¦(¡±íãŒwSE`8ÿ4í?ÁŠ;üi é¢ÈŒKqÌÐ
+Rc.Gìœ~Ö+\œb R_àÁ¸Qø9õè!áUI¿rŒ˜ ©í¬çU]¬-¥w˜–‰–2 %iÿšÆlÆ•É%tèÔ<‹°ê‹’§LƒòZê7·SF¢æ~ë “:¹”c•ŒmI›î!w©?”®‰ÉØÔ¼¯É0:àÑöÔéwFä'ýdh,•©³·¼$ál4
+³ºÎ©a?.U„¦ñ4!NSžFK¼Ñ‰ ´8]"~Ø™¨™àU!wi ­°Ê~38uÄ”Ê\à¼ÿå~ÊAS9ŒTÜ@‚‘>2Ƴ>Sc¸—¯¹õ„ÅÒGg,Ñ2iS#hxwº§ïàFIìyC=dØñY´eîæ[ö¨ê>nª¢^îÑ0'â ƒHŽŽÂÒÁªôtWè™ QñØ0­—³–fs½¢ê{[s[rpWðCízÆ
+ÞkP­0œuÞ
+ý,äuÉ¥ÓÍ‘BÖ¥„z™°›4Ax¤c
+jLQ&#Œã ¦78°·Â8¸È×>²B#+Œ©®co…Ð4bqž³ÂT0Ä™=zÇÐ934uëØ‘È´B‚ Ö”B™;Ò‘¯²FXϧ á•\ýiÔtYŒ9Ëë ŽaÚ|©f ÁTGøá"J±ªÛ`.…¼pŠ[õOd3Ð\È· IfIu¤Ô‰ ¨R;/ªÍ%Žc 3p›|ÂŒå®5é°¹üɬnÁ‚Ͷ^çF°³Ûb J+Œn
+w
+2l¼-©ËS5{EÍK´ý¤SâcÇ¡b…t-¤nÝ]2¿y:§dÊá%Ë^räð’S‡—¼îð ßÎtìœÇÍ;öñúîß×wS%CÌ ß×_ëî ç‚Ç&ç0ŸÍ}¡â„œ<M¿.÷=qwÒå27
+7Í=ëÔ{©ð¡3 ÒkhÛË ò]i‘÷s?.
+üp)Å©°î7yQÙ$†a·m©ûË»?]Ý܆£ôèg˜]qŽÓª‹ /‰ëb·˜:—&7u¦¹ö“•Ðžiោû™îÑNò{ qûʬñ…Ó2Ü»7éðÂSÏïÞ¿%°ÈDjטÃÓs>‡Ñ•žFó¦ïh¸n‹fWZÒÃjòõy̱s ]â7??ÅÔ2HÍ`ˆŒ]4g@˜xl«-ÇÈ0 1Õí§—pš;B\Bü!Ýæ!/>Mæè#¶ÂøDÕ"‚Ö®ýÔvÏÖ+ûÉG<ëz)û­Ão/0|t,+0¡µ)¢°[/í\ú'E Œ} Ç9½)÷¨¾Ô½y¿„¶9\fû8Ð;´Qü¤—Îc ©ý²‰_ÛgòXå}Ú”Vs|®_VÉmÍÕ!tyÁžCÉÍ„Âîf°²ÏéSü¾Ýzd…aÊ]nB2Uùaˆ]Sì¶D¡µKšºÆÊ-«uÿ×sï<©b:yå~‡9¦R€„)ˆ§ÐL•ÇC*
+ÎnnWïÞݱ«»ŸñýêÜvãˆ)ˆä/n÷0çüvíœW·û½ÃvNn7 (dòÕûUß!NЇÖþç_;D§…Ιç7Åc–JHv-S&c:yò‹TÊ @M&Xÿ/Vãšendstream
+endobj
+1288 0 obj <<
+/Type /Page
+/Contents 1289 0 R
+/Resources 1287 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1297 0 R
+/Annots [ 1295 0 R ]
+>> endobj
+1295 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [84.0431 510.7325 144.9365 522.7922]
+/Subtype /Link
+/A << /S /GoTo /D (view_statement_grammar) >>
+>> endobj
+1290 0 obj <<
+/D [1288 0 R /XYZ 85.0394 794.5015 null]
>> endobj
406 0 obj <<
-/D [1017 0 R /XYZ 56.6929 180.2089 null]
+/D [1288 0 R /XYZ 85.0394 581.6899 null]
>> endobj
-1022 0 obj <<
-/D [1017 0 R /XYZ 56.6929 156.0579 null]
+1294 0 obj <<
+/D [1288 0 R /XYZ 85.0394 556.4234 null]
>> endobj
-1016 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R /F58 627 0 R /F84 797 0 R >>
-/XObject << /Im1 790 0 R >>
+410 0 obj <<
+/D [1288 0 R /XYZ 85.0394 250.947 null]
+>> endobj
+1296 0 obj <<
+/D [1288 0 R /XYZ 85.0394 225.1724 null]
+>> endobj
+1287 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F11 1293 0 R /F39 858 0 R /F14 681 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1027 0 obj <<
-/Length 2858
+1301 0 obj <<
+/Length 1676
/Filter /FlateDecode
>>
stream
-xÚÍZÝsÛ6÷_¡Gy¡ >°}J;çLëÜ9îMgÚ>ÐmsŽ"U‘Šëþõ·‹ R¢$·ÍÍu<ËÅØvA%ÉÄjÆe¦&&SLóDOæË3>y€wïÏÏ3 L³>×··g_]¦b’±,éäö¾'Ë2nm2¹]ü4}û7ÿ¼½¸9Ÿ ͧ);Ÿé”O¿½º~G”Œo?^_^½ÿáæ͹QÓÛ«×D¾¹¸¼¸¹¸~{q>K¬N`¼ð ¸¼úî‚ZïoÞ|ÿý››ó_n?œ]Üƽô÷›p‰ùõì§_ødÛþpƙ̬ž<A‡³$ËÄdy¦´dZI(ÕÙ§³E½·nè˜þ”¶L •NfR1›‚ŒQ-sÆ5hmftÆR)dÔ²ÕràB-.ÖmÙÔ»»MË,=汉#×È̲7s"$3VšáÔ·hÜظ×éµ-Öð·›Mµ öú<±ÓbÕ¬;?ºÌ©á¿nŠõ35›û™u¾,p«_]jÓ[Ÿ0‚i ëã}°»²^÷`7]™kÏüTv~–ç•>P»ÒLÊ,ñì·?ÞŽˆL )ƒÄ×È
-?OS#»šÉÔ2’‡ªZ”m~W-EõÊ­¿™m‹;šsx’{@]§,Z¶û>À ,ÎJu"·LGbÐ3áB›¶ Ž9ˆA‘1™È£³žýYîè!25œ–Â/M·ó»^È1þ°â/5ÃøƒwÐðÐt
-îË<6aʤ™7zXС
-ø „‡¢ Kú™kÿ qÜoêy‡˜ òyæ} ¬Öå2wî€ÍzÕ´p¾Äv3$Š>"—þ‰*Á—墨;@ ¢>=–aÈÁ­ð¡yÑaõ›uÝœðÌëçyÞvÔ!½àtÜÒ´È1ï6yU=þö ÖæpºÏÍfM­3‘6ð-a…Þñq’ƒÈöÍØQç&‚
-"š³Ì$ãŠï ÞÁ9ðX–}èú\‡‘.ráê¼Â
-gåbï4ÚŠãÓG®‘ù‡˜Ç™™.Àƒž™^½ëC”ƒ=Óƒ½töÌì™}Ø3§a/Qi€«wìÓÅÍ¿/nFA§ òEõRЃœ#IxúGr·âCX7S\0#­:Û‹AO„<CdI€ºÅŸ<àÓcðn1Áç$øt˜€}Ä„ódJ°
-2¶×¡ùŸâëÓÄ­›ñÕ«Wã&xgŒ,è­P&³™ÊœÛŽšhoCR_Ç­©SbÑ¥ít•ÓÉWCà´,î¥æô
-Ç8Z’#©éïùŽ€0õšˆ¹ËÝ¡1:HBÚR<ƒ«°`"Ƹ Å&úmCQ¥â(¹•¿½—¤ ’["ËCÕÜåÕpG2ƒÐmß7kjø›…þVFYÐÜ"H+§ß•à[´Z£ã-Œ¢[ ¸<4bâ&ŒòEÑøÄåç¢Þe±ÚZä8G,ç'êAW³,»94{?3w0ØA©‡ab KxéaßD@#õ œH>
-€ôôXÄ8èsÄkAuÒ"ªzÞ†È]XÌ` h Ó2Ö>ØÕ.é›Í¿bT/AÉŸ…0§`rËógq’‘eìðáì{½ˆàP°—>ŠÅ×{ÕdœJ5‘2à À¾ä†Y* ¼fç†ùÏ
- ]+Ã,d¤‡W@ã8ÈòÍ0b(j7…I8³6KÆ‹E̾¬„j24&UBþ
-Üú Qúsa?Ô„ÐtñÏE‰Oí
-æ[Û7~n'ƒ(³1ÛÛ#êíü¯iók ¥O­>e ü|”p¶þ¶^·E÷Bt°½³ÉZ•šõÐÀÚ`l탗ÈmÔÛd7û¯}ý±È»üˆ½zŠø²öR_Ô^8ñð„½¤Æ«ÌÛkÑàù÷2ƒ ­£Á°Mw˜ºw!pßÍ¡Á„NCúÍëß}üþÍÕõX ŒvÄ0½ÿ)É ~Wæ$ÒŒÍéîó²Ú¬‹–`P®‹%èºXÒ=¬“:bÒwbI _[J*…_@HAõ ÏçÒÝcè¼­&¼ÏïšÏÅa“öuõw6©LBFr¤‰5x›ãº˜oâwý[šlƒ-õ×£iÿö:!ØR9· Þ.Ø^œÓ=¾\ù›®1KBŠ¿$;‘¹ÃŠ©\òφ.¢™›íåQ½Ø©Mg{Êg\½xÐzšýR°ý1Çÿ#wOÒŒI#äd–*&aýO({ŸR$O!Ëð’›ãuwbÇ?¥ÄÖ† “ÒYw‘»ðNãï-dšCPB/襻uMC˜fÛ¯@ô·½Ð
-·½À
+xÚ½šËnÛ8†÷~
+£+¨Y^D]fVnãt\LÓŒëYµ](¶Òp$×R’É<ý")+4Y¡À (ÌËOþç;"i* ™bñC¦<BQJÓiœ†ˆc§Ûû ž~}ï'DkæF4‡ª·›É›KOS”F4šnnÁ\ ÂIB¦›Ý— BÍÄ 8x÷éêrõþïõb‡Áfõéj6§—«?—ªô~½øøq±žÍIÂIðîÅõf¹V]‘žãíêêBµ¤êã̤ëåår½¼z·œ}Û|˜,7 ä%˜I“/ßðt'°?L0bi§O¢‚IS:½Ÿ„œ!2fZö“Ï“¿º Ao;Ô–¿N3g!J„¿'Ë<E£¬Ë2 A–c":#A`T2Ë_1‰‡¨±˜$t
+§{ajD/ME±7MâiÊOM)9ŒR´ºš/..Öh±¾ž¥4XœÍ9KPš$¾5Tz£òÒ»L{ú¡©š’‘˜þ<<I ÃØTx£ò»L{ø¡©š’x|”Æ(Æ8uÃCÕyøNåƒwšvð/L­ð'¦"£àãa<P9àÊ ï2íᇦvxhJÒqð¢Æ<ð@å€7*/¼Ë´‡šÚá¡)ÅãàGq”z<¨rÀ•ÞeÚÃMíðД’qð„#B¹çÀƒ*¼Qyá]¦=üÐÔM)ÏÅõ"LˆçÀƒªóðÊï4íà_˜ZáOL)3”°ÄsàA•Þ¨¼ð.Ó~hj‡‡¦4/îz$ C<P9àÊ ï2íᇦvxhJù8xFç8òÀ•Þ¨¼ð.Ó~hj‡‡¦tÜ ‚R%x rÀ•ÞeÚÃMíðДŽ»á…)A4ò|ÍÑyt#ò‘»;𡣕:Òqw»0ÆÂÉ÷BUp£ò’»L{ô¡©šÒqw»0óÅÜsÔA•Þ¨¼ð.Ó~hj‡‡¦lÜÝ.ÉbŒxŽ:¨rÀ•ÞeÚÃMíðД»Û…8AQ{Ž:¨rÀ•ÞeÚÃMíðДDbÓ§?OÏ’aß7<g7"ºË±#:ZÁ¡#Exw£cÏaUr£ò¢»L{ö¡©šbôk?«ëÈŸ±0B1|K¨3*oÆ\¦}Ɔ¦öŒASòdL^ºõ«PåȘQy3æ2í364µg š^ KIûs䘣0J<¯ŒPå 7*/¹Ë´'šÚÉ¡i‚–#Øi¢„rÏ#TgïT>v§iÇþÂÔÊ~bšŽcÄ fB<Wg¨r°•—ÝeÚ³MíìÐt1Ž=dˆ³Øó 2¨r°•—ÝeÚ³MíìÐôíYv9|µŠDAÜ·C¦.ËûCó<›Sƒ«2¯e1 ²ãŒ$A®Úë¼i²›½®e’4wºá±ÈŸTiŸ?æ{=A¹SmU¹×Óg‡ƒ*Š±U?´Öº[ÕµÝgµnZ]!U¸(jé¿SŠÜ1ï"–¤x:—¯‘œ«oYãAQÞåÇ¢igbQpÛŽ©îUguhŠª¬UWq«e—
+ÑÜçEô••jÜõá‰Vžè0á‰Öúo‹¯â{ßx·iTªA§‘é4
+tq˜ùü´Oõ˜ÅnÀ¨ö»š†c@!*û¢ntó­ú±ŠZàkU~®Ta›•'ZUé TΪ¦ŸA•²f Ô@2 ¤mn«£*äÿd÷‡}þ›¤ysÉÒÓí3"¿íä
+oùt,ó6»såa¼B¯~W3œì¹eŠ•LAiÐ>LQy˜‘ .Ê益 ¤f·SªvQŠ†cV~Ïuy+ŸHÛ»S f±¼–/îê»êa¯5Ù^i²\%)î²Gm¦:Äœµn0 ÈxÄgY Z9ŽñPÅ u.ÖTDY°*UËá˜m›b›«ZsWè!b£æÙQWäV•Ÿ¥|â²pÓêõ• Û¬Ö¥§¢¹S¥û¬|V¥"lÌMÞ(Å.‡ü%“Ú½E)¶i"ÂoÚmóÐ=¶Hd6?Ê|É
+×kK´–Ù}›7Q,JÕ'f¯Í˜C¶Ík¹Áx|®T¿Š¸!N‘3¶]Ürh¶=¶Ûx[d{KO9 ®Ìó]»4DYPZànô^Ùå‡}õl¶e{<Êx—•e{¢Â}%3ú¬7V•é!ÙS¦ÛÀ¡G9Ò(z5:{1×*ûÿe‰šç—ÿŒþ²
+‰—Ä3oR4NP˜0j‚jÿƒ¾ˆœ`$Mj ý?„{“endstream
endobj
-1026 0 obj <<
+1300 0 obj <<
/Type /Page
-/Contents 1027 0 R
-/Resources 1025 0 R
+/Contents 1301 0 R
+/Resources 1299 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1031 0 R
+/Parent 1297 0 R
>> endobj
-1028 0 obj <<
-/D [1026 0 R /XYZ 85.0394 794.5015 null]
+1302 0 obj <<
+/D [1300 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-410 0 obj <<
-/D [1026 0 R /XYZ 85.0394 562.9775 null]
+1299 0 obj <<
+/Font << /F37 743 0 R /F14 681 0 R /F23 678 0 R /F39 858 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
-930 0 obj <<
-/D [1026 0 R /XYZ 85.0394 539.9988 null]
+1305 0 obj <<
+/Length 2717
+/Filter /FlateDecode
+>>
+stream
+xÚÍ]oÛFòÝ¿‚oG!á–ûÍí=9±sÐØwŽ Ðô)›8‰TDÊŽûë;ûIJ¢d]œM
+qÁ°FÄ)â”
+‘E%/‚ ™ÝÄ
+¸*Jú$óºô‘0¤2¬EÊåÁÝ´Ÿ¢”C¼'ëˆbÊú¼€GÒ~ÀÒ2æLÀCAƒ[ÂŒ¡ 3 éîì°F¶§Ãf
+IÅÕæþŸ—å´šCQªâ§‡¼³cÈÀu¾(ݼq" åËe™»ymrý4&×
+1ù¢S °8…ÇêbÚÔ]>ív½B!B^Ú>`ì¿áœ!’n3¼‚dÌyÉxì92ÃNm0ìÔcÞ-4l÷©‘m¹…ž2nÑOõn¡'g#2 nÁ0 nîOxó+Üâ ! é?ßå\B"#’vƒ!Ö~7X½™µçåŽ/HTÊØaÖ¾A q¹ÉŹÝÙèÁ˜žæDöƒ¹×–7”‹/m(
+çÅ;7V”³|mŽ3«|7œ[ã;f³ºfIª^¹!Ö]{,-¥“(éu¾«kŽKÅaÖ›ºN!>±Úäâ¬×+…
+a `¡‘!·cPoUFN€›Y¿¢µXæà­jGVøUÓf]wFwz«çeéø±• <æóµÛÈS s~±qçálJ€äþìIŸz\Žà­KX`t«òÉ"èE!û8BNP j¿mlT±°ŠöôûÝçà’6ˆ6r‹ïçÍ¤Ì ‰l’ÙÛV
+`èé¡ q0Äé€ØžX…¬êp;Üyf6ÖhmÐÌlf4Ñ3⚥ni¦üYc~L–„ªQ¾”&{œïÍ“–¹YÆÎÎíHQµ€Ô¡ÓGYü¼SÔP‰´ÒQN_EŽi™)ËLåÖEß÷­ÜÓA!”‘Tþ×
+‡Ô.›Ú\çQû¿³Ï9œ¾´éLÏÕíÓ¸¸77»FP¸K!H4´êë<Eû$M³lã~çH’~Å~ç Æ3ò’óÑ )øgµ]ÎÊÕÊ_/{Ã$xŸ†µ÷1L{oÓƒÖ²tf‚T¯=Aè‚«Ÿq{v$=GÛHþ:mþ¥,U/CØ)›êo«U[vGf‡lp6l²ƒ‹;› ²ÌÛGƒ›ö¡îÖW¯ðÑ6)ÃØÛ©þk×y—ï·×P?Ö^ì‡Ú zkYò{a…–®£®¿>ÿŽ3á<LÃÚ`ú ¦_œÁ4¸i0Â…/?4xõß³ëO§—W/í€aÿ ªE¹÷n«7ŒˆˆÌfºY^Í׫òÈ@ÒíØ”kbIßXÌì³%rߊ%nsµ=‰~µ ø”‘ñ\-Ý=”¡€ÎÃÅrãçó»æ±<`Ò®þαFàÄÄ"{ɤ
+Q æNhŠrx3ºsCJS]l+%J ¦°¿ ?@€œ!Ý7ôóÜD·È|åJEø¤TB]ØÉ»gûtWƒ¯YÂÕñ'‹
+endobj
+1304 0 obj <<
+/Type /Page
+/Contents 1305 0 R
+/Resources 1303 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1297 0 R
>> endobj
-1029 0 obj <<
-/D [1026 0 R /XYZ 85.0394 352.0635 null]
+1306 0 obj <<
+/D [1304 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1030 0 obj <<
-/D [1026 0 R /XYZ 85.0394 340.1083 null]
+414 0 obj <<
+/D [1304 0 R /XYZ 85.0394 517.7894 null]
>> endobj
-1025 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R >>
+1187 0 obj <<
+/D [1304 0 R /XYZ 85.0394 495.4781 null]
+>> endobj
+1307 0 obj <<
+/D [1304 0 R /XYZ 85.0394 307.5429 null]
+>> endobj
+1308 0 obj <<
+/D [1304 0 R /XYZ 85.0394 295.5877 null]
+>> endobj
+1303 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F62 990 0 R /F21 654 0 R >>
+/XObject << /Im2 979 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1034 0 obj <<
-/Length 3403
-/Filter /FlateDecode
->>
-stream
-xÚ­ÙrãÆñ]_ÁG*e˜ 3(?ɶv#W¼v´r%)Ûå‚HˆB- Ð
- ùõìÇŸãÅÈþæ,ŽTêÌâ:q$ÒT.ögÚ¨Èh¥dwöþìï݆ƒQ¿t–"Ž¤^2PË…QjŒqФQ¢¤ê8(,p%Žãe“×yMD¾o³6ßçeË쫳ý>«‘âÏß;¸˜x±’:JµÐ~ðGû‡_²Í†;ÿÁµ ™FÎY¸í1Xs[m ÍzÊ›_ªú—²¢î~Q¦Ó­êê¡Øä«â·»ú5«è:ÿõ˜7í'®Ê7å'`ÖÖYÙÜå5/)ûÛÀ‹ÙÝÃüÕ]Uï³–fþ›˜ZU™¯`ÂcØãwúì³ò‰áM·D„cüçç¹Ó>äOM¸ ÿiÚº(·ÝB!Oaø‰¢ˆ¼‚ôUSëuÞ“Rô@
-~÷kEb#e¥†-"«•ñ;üÅ™(µ6Y à=q‡ªn;Éê;„ÏJXÁ’yV«‡dˆXrŠ˜3‘‚óþ¯ˆI)@ÇâdŒÚ_2•¸ªAOmÜ8á^VϯóŸâX–E[T%A²rCšl›óQêy½½¹Ï;|úI"à®R˜<ÐíÓ½X¯$1aÚ· á–7Ô]ßgu¶nóºhÚbÍÀ¶¢ïmÎØ7Mµ.`&â±hïy„>õ¹pË|_µ¼ ÌöÜb$ÁbGÄ~FJi”5¥JÚ“ vV¿‚\•Z1C®UËuVR£Z¯553kïI@­­ÙåùŽçß&ÁNU‰œÛëŒï€Ùñ„Š·/Êì!íœÍ¥„‰„QŽ~(òǪ@œq'Tî+›.¯îžß¥˜õØ걄?ŽÁýÌ‹EšÛ¬(½X84€ö”`_ÑÅÏÝŽ#gÍk.Ojqr|óžÂ‘»':«½¯>>;:hE º%
-þ$©“süQÂmxȈ¶éYBGÒiù¿ž5Ãcƒ¶Àƒâ¦2hïS1öC›ü.;îÚ&꜔×zç= µY>UGjlŠf]y£Š½öUéÄó
-j…  Ô¯±Ý2Ž´îÄ{#žžf€°Ä„Óֻ숪Žvn“ƒkÍÚ¤—
-]ss€c+´!þPïñü%1æQŒL]{Q®YHAH<>q²ü··›Ø
-ñö R2üž'€ôØHØ¡?¢J‰” ÀwÙCŽ Ü°¬õ"§­es…Û´|æœUR.Žl`@Œ='¦¨0‡OžN& ¬•2MÉYÛ¥•l
-a@.Øqœ
-Súa|°ŽBzlmÂñUû´t0ß0Ô]/ ÷Q®ž Å´‚ˆ%MÍG媛5òÍ}uÜ!–„f»Ç «@Ø~¬ê¨9IÂñ!ÀÇú@iO’’‚$ésæÜÉH+e^mε•!HD®ÍJ£;%zYãlšŽì$ÓUð×ß´¼?x‚œº=•ìÑ»y=@š :3qŒ"d4Õ…ÛƒFg•Éåu2­œ ™Soá¬ÛÊ×/
-ØÞ¾fàcWÞƒž‡ˆuá&Ú= ±ÖXp2-’¡beõXÐc¯9ýþ±Ü
-¼ïR3¡F·j\Ìôq*&Î'Ê3 æ7ñ§fe»®bì oqJ±'BÏ1“|ã‹úB]Š–÷Oœ<8ˆP@)B æÏÃ÷¨XëQN0[?³‘J;þ
-âx„÷>\܈#•ØI(¼˜tu‚ÄĽöÉØ)l&VJ:i»ÔÂ
-®@Ä+ï} eƒ·²ýS'Σ¼
-Cƒr}dÛWò‚¢¼­Ž^› rD1ÎãQŽ88dÄ\6ö‰T#''ˤŒX5_Ó%»'ŸØ£T즙ù ¨ âÈ›ž gç ÈÖÁ$Sv>(àÎ –”ñ öíp^Xœg¥ÌêHêNñ‚¢r%]Dqê+é¯)³
-#¿ü“òl$fâDN#1 ±ùDxÔdîAÉ©H÷¸Â!ÓZÈî5]
-P· d¯ø¯…ŒRçÜü?-VÝŽ«á–áoCúÁ„»$éOöʲ™ ¨däúk
-Ï "Û›ý\n®Å)3aÀ”É1Ú¦³&Ë…þf<¿Ÿ@‹|‚ƒ5!,U  ÉA_ñY©}ₘ3R9)ˆáãùÍû«·ŸMoŹ(1±X|6Àcà ÕÛ5®ÿ\ ÓWÃùÄñ!'»"ïó€·³àTÍ¡’Èâ“ôpï“ÿÎt³^@át·þýà€ß%Ë6Ûñ#(+þRpkÇ%v—Œí—•ñò¼‘õŽ¼[Á8ÅUKZZ¶?_Z Khþf\¬U“¿$à™&œ €¦Ø–Y{ìžãL—0ønó2¯éŻdžØ`“ ,B9¦ GŽ
-иk¶ÛU µ½ÁÆ2Ïâ°ã)¸'&[
-ßîwp_O÷I£L ¦R½2±]ð#¯H ©¼™Ó•Šs‘³O‚æþ•§ –«æì@ÜýçOÿc¯ÿ;£†¨Î¹g Š´ßT@
-‰2É æá¯}§¨ÿU ¾Ñendstream
+1311 0 obj <<
+/Length 3077
+/Filter /FlateDecode
+>>
+stream
+xÚ­Z[sÛ6~÷¯ÐÛÊ;Š A³Oi›´î´É®ãNÒL‡– ™SŠTy±£îîßsp
+Ô†ÅJª^"†­A/œóåËÍ&oóªÌ
+:ê;»Æ®WG¶¾ËËžx«o¾XɈ™HDŽëͽ\©H/³;EË&°ÃÁ5°³/ §Ë¬h*š²ÎŠÂnücùE
+J•i›á™[>#‹4,M’ÔOóüóÆ TÒ.yÙÚÚ‹å%¡¶"R¾?Ô—"]V÷þ(m˜áȶ9TeㇶÞVŽ¼By@"bœ£I„`FkéDÙgåVÈÄ,«-|ÓÞã€bÀÁÄË_îlIc¨»K±ì­¤^}¸bí­áFð|H´ev ê{ÔdÌž>yáYù##1ó ¸½îªº]­»Ö‰‡£PÜ¡–¤LH)ØZÊt$) ®+à\¶ÔAM¹† hrV6ÖS¯¯5ÞT­ ›díŒ?ÈD3ðeýœ?(ððHpŠB½l£Cƒ$ƒNaho×wY™7{2ªâ 3\¨©Q%õ$w¼ oVn¨á¶„oYµÔ *²ÖúNøuê„Æ·oÞQcH£ùë{§'ho»Òi˜õæé”LPã(V`Ù!ìÆ~£ÀÊ›Ê6DvÒ¹q8ôÎR›œ'NüÀ;]±ÿ+×Ü~\ÛC{²ôúº±­ß„¢dckÀG.oÉv§Ž6ñ+Õ'T±B/³D¾µEõ
+T®[KtÄ\Ô»=Òèùt"ÎÒÈL…Xp›‘%ŽYÄ#õd,Š¹~2‹­À…Q€ºÂ•¤=x$Ž”CÕ49Êãzžà™vožè 6”@Ãtzê@Ýá J‘ïó“ ïýVŸØÝÅtåf£è½õ³»f^«R ¦•ŠƒÑ²+¯Ù&ÿsN¯‰b\é¤×n1:6jZ½^΃ªöBƒ¯A*«¢ê ý}^R|F£úOCÄ©G$šѦ€É¡ ¿o_¦Ié<8ùåRCÊoïVs…»êÚYeI¢ÒϽg=fø\Ä¡þ­ë"_ÏñI™†søic„À å
+>Ã^ôœlQL)´^ðþâ]ŠÂ†GYÇž§¿ä¥‚¥F˜©FnBÕKµü¾z°ˆÆ
+ßßÝ­[λ‘·^[ë.ÀaÙ¸ì4~c¢í2Ú£°Mã7ÝNä‰útFŸEyu KVUžøØg£î”=(Ãç#p zõñ$À•HèŽ#°0;w
+`Ÿ®ØõÖ¯¢ A΢”ZÞMÜ)Þ º¾â"oIl:
+ hŽz?/ˆ>ª¾tïp¼³Æú™èÊŸ²1´°aû3¸Ë9Ìx2îu‚OC+`˜ÉÅ=`×T2 'oËmUÀ­´çž2k»ý> 50ÔÅê.^gž f
+ìÍ…J>/]³GO—’µˆê _9æŸiÒj<ëüKc?kçŒw’3¨½âéíûY3ûOÀŽÔ ²C4àj.ê ± áŸNø°©Fï‰ÏÞR&6ÁìþeŽQ©édc·YWxÿºÏú›tÞÌÙ:†š#"ó9HïŒU*Ñm¢§í<žuÞÎý¬‘×…Ð\îVî{dò8a€¿äÓ’ô³fD™œ:‘L©TOe!-K3¼‹Èþ T†‹Ìžž„pV›9È«†{£Ä'Õ¶Î]Å‘ƒo!ulh€ž7ýû)|¼þ™ædÅÁÃÝž.)+Ã@«Ѐiþ8kn–òhúÀ9¯ØG> Y*EX •¥k-Âi|™’P׃zà܈1§þtÍÕ–F 6`ù¨ˆÀQ-2BWt}
+Ô=„Y~p¹z÷¹}péæøŠñ–ÙáPä¤dxÈj€
+ÏØÿOº<zzÓ/ÓMŸÚõw{l‚¹OÓÒÅhÄàýùÆØï£ÿýl=­šª«×v8i~ˆ\
+$øèÈ’HQþÝ if’$^ŒèÃÙߪºí£
+;fäÃÁ „xÚ"$çê>‹?Õ$LÆ.@Q¤èŒ¨Ñ—‰*¹bR%fVT(Zùöøi
+E È蜔ú/I)ÅTd̬á'R>¯ÎÁ6ÿwËÏý/Ò ÿgññ¾,üåÿóþ *3¤éè(“”E)0ñB¹Ò=†Ëþ‚‹þ?]˜Ãýendstream
endobj
-1033 0 obj <<
+1310 0 obj <<
/Type /Page
-/Contents 1034 0 R
-/Resources 1032 0 R
+/Contents 1311 0 R
+/Resources 1309 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1031 0 R
-/Annots [ 1037 0 R ]
+/Parent 1297 0 R
>> endobj
-1037 0 obj <<
+1312 0 obj <<
+/D [1310 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+418 0 obj <<
+/D [1310 0 R /XYZ 56.6929 769.5949 null]
+>> endobj
+925 0 obj <<
+/D [1310 0 R /XYZ 56.6929 749.9737 null]
+>> endobj
+422 0 obj <<
+/D [1310 0 R /XYZ 56.6929 262.7954 null]
+>> endobj
+1313 0 obj <<
+/D [1310 0 R /XYZ 56.6929 238.4558 null]
+>> endobj
+1309 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F39 858 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1316 0 obj <<
+/Length 3978
+/Filter /FlateDecode
+>>
+stream
+xÚ­ZY“ÛÈ‘~ï_Ñl‡£.TUÌ“<#ÍʱÖx¥ž];Æ4²±"š
+s½9\¥×;hûñJpŸuì´÷úÃíÕïß*{íŸÉìúv;šË%©sâú¶øeõý¿½þóí›7kiÒU–ܬM–®þðîýDñô÷ýOïß¾ûñç¯o¬^ݾûé=‘?¼yûæÛ÷ß¿¹Y gŒ—<Ã…oßýû*ýøáõŸþôúÃͯ·¼zsÛŸe|^‘*<È?®~ù5½.àؼJå¹~„JšïåõáJ•­T¤ì¯>^ýG?á¨5 ]âŸQ.1NÚ%úE꯽½¶Æ'™’*pð—›u–¦«œËÓÓºmΧMInÈ‹âT¶-Uþ–š”JÕñïØB•ÿA>\K)aÓìz-«• Óÿ.4 ‘xcäõ¨¦4ú×ÉzÇæÔ-,6i1¡l¢Öß¼ØwqQìºVN&&38 ºÀ“õCö[Ù¢<ÊÂåŠÿ¶˜o^lÊ-u¢S7cËÿ~‡­¿+EÏc«º[]IP‰„Jaº¶<=”'R™]Þ•‡²î¨úCù·4•uÕUMM”¼.¨ðs›ïJ^JV‚}yŸù°Òí}Ùïg$å.É\j 3öá <ŸK‚
+XP7î6Ú[*Ví­l©º¹ÏOù¦+OUÛU&v ýß•ôŸ·m³©`š‚êUwÏ-ôwºnUš. «:?ðPÞ$@ Àôjõn;y¤¡¸§Ï4v_ÞˆU½ƒèº\¢ (öä¶*ܨ‚Ùå¦Â±eñ
+)fÕÝ—Èr%ÃÐå”×»’ŠÍ–G…=µÔ-NµipŸ¸—vªR½ú©Þ?QLJ…CÓv³•74M/ 8Õ>?·<"?÷UÉkÐü»<üû c86†gMã! ÿiU™†úGa«jºó
+ž9_8–&`pxÃUù¸¤\:qÆ=;ÊŒõ$Ýæ@ö‰K­ž^óåul
+”çÜ3ÏÜåp¬¹US—D'Â$fñîtš8k¾æò¤Ï–oQÍŒ‡%ƒnÀZÝ}Óòò(ë‘Ú‰eØÑ)©A¡ƒÂwjŽkºaEo'üT㛀X*)á³­vu3h­¶i¸Ð:<T€&¸4V¶aºYâµ
+^¢tVgatG84îÓ³!)¢îÞ-{WÖ$FôþÙK*
+æʨ¨ÏÍ‘] ˜½ª‡Uhd‚û ð¿Û7w¨ †¶T¹µýÄÓ0)XâŒR€d~@å ªùAíËE¯R;­Ü‰Ôåâ±Mâ™èn' ™–¤,a#óBDXBÚD¥` û…S9
+&°/+µt>
+“cõ¦Q‹ZתSo¦\# ’6›Ê±YmIÛÜHÒl"!m*ØfvÞ3ô5Óe¬™KkÙ½óÚ¢´Bk³ö°€L €ZöFëåks™y&­0{Åð >'øD^]…¢™²¯›2Œ´^†¡e <“È;
+Rú5ÒJ1л¿¼ÅœÒ35 ´–QD©Ù?Âæ‚›‰ÓØï|¤¬¶³(-?wÍâN
+>õjKP¥»<h´îk˜"¡âí=‡¯[vˆC@Ôæ!&¿qþݪ.ƒ€B+ ;VŸã^ÀšWÿ¢µ¯6÷TÞOèûzvú¡}4Ž\z,qù¦ûJ:Â74õ׫ÜÈ+ÃÑK®˜Æt¡÷拆rÝ÷š¨b{ßœ÷¸KpBóýcþÔRù±9}BÍÉ2öv<ŸŽödž$ó—àÜÉD+e¾ε•ÑID®-¥Ñ½½¬qÖû Nò¹*þ7ïOá@.xÝá”lÑû~ä=@˜ :33Œ"äÔÕÅÛƒBÊdòz™‡RI@æû[Øë® y% 1h…2ÉúRO8IuàÅní%*Ù_±Ú6<Kù9? ë÷XñŽ€ê·È×8W•AÊG€rwÞížf¾Í)oïcˆQjÓœN7nu>vÜ€•øøPbæÌ
+jÎFKËÍ€#$QIŠü
+¨Œ(wO‰©ã)šsG‰>lìî+&s"‰,«8MÜbµW Í\ØDñßgÀŸß’%0¸¥Yu:܈ò«HYßž÷Dc•³)ÀÓª½§Æp,Ñ='rÌز§ôø@€bäža-ÎÁííq¤æ¼9ݧ3â–’$ývÆðF@8þŠhÛlV÷å«9– nÇÐó0=KÍäÝ`S÷’jW±ÄÖˆÑÙ#¯j{’¢Ýd¢‡ÿ¶xÄ‚¦³æòÏ_TS€+ÕÇ#½PÕT¨ˆ hÜ>W‡ó+²ÇCÅ:‹íe^‰h<)0”¢Z
+Õƒ-F/uÈ|ú™V©¨U¤¥:Q*©i¯jRJR5)ùí¤jHaUCâXÕ°©W5l$ Dr|s"»¶’“€2¨R§ª¶V©`å
+ÓÇ
+'0ÙMr¾¶Ñø!9«§hÁÙ¼a—EÙ­Ë5Lø¸˜‰621Vš!£EÈ
+”Ñ[C|‰yyìLƒd|å
+*RMÄ°{Í)3¨ŸëöÑ5MÁô'¢ó—*@ñ<ÿ@qÉg¦‘Û Ýy·¹)&>ÂD6Ðû¦èÓ‹è­ã?͉%ðËrŸy½ú+Ba°·Ðž±Þl·OTá@4䜃ÎP9˜SýU(K‡…œ'‰º‰spöÙ]JŽ
+¼_üè/…§ý¨éXÀB„z’« Á/æÄÒo[ÌÊ$uý+cð ROù
+tž§ïëJê u½õaåÑB´…à‹ŠôÂzVfk=1·‹o.6Q¾çÿè—¦‰âi¢2ë¦jvW΂°Ù&f!ÙÀ{¾ ¸©¤ë¤íÓQ–.PöÕ!ß6ºAP¨Ï‡;JXó ÃÉzs> n!Òªú®9m‚JÌ+Ši^qb‹Æ‹Løæq½«òç3t” «–ŸRºdÿ™À ì÷Äͳ¹#ƒ;ûÐcì&Fž{—LÈ7’{cý–KBt6äKú=¯,΋Rfu"u:Ñ’øú*’Ô‡××£wXZùõ©|º½›4“óè]CôQ€(Z¢,}„àT¢‡½Â"óÏü$~¶¡µ„ë‰R~͇~2ñιåÏüÖýŒëñ”á¾Ù[hµRbX9(K±„ËÄ ×?i*èØ:ô¥|˜§ÌŒs&§ˆMnüÄÖaÆó›;”ÈVàÒ(8øŽ¢
+FŸMöÝ×£þÄñéËÚlVÜÃÇ2îÛY0ªæÙV2·£Æ;yöÙfìóÂò³™†Ïöpé˜zÈV]¾çOð9«ármí4Ûà²)rYˆæÿ‹'²Á„÷#ø½Fñ ­»/®‚/Þ¼<¸P”WjçÉ\ÓøÙš3»:ïÎ}ºÃô)4âÿ»².OôÝVÏ-±ÁÄp¡Ó„
+„!ÎÁZp´Báx„˜1vB‘l&SúÁ!]gÊ®^/%@¦O^!ÑYíª:ïzœ=/åë&ðMÏ%fx7¯ØËŸ"ø]ŸØÕ±íî)®'Cþ`âb1úzžßyNœNy“XØòºPA›[—ŒœOlf²PÛ$©xö\‰³BÙ<¶Tð…ÃyßUÇ=wÁ91ÔRø¥f°ŸÂlF™u¥Ú+jeþb¹âl€ÈtbŸ}a5r(öÌEŽ=ÙýYú\|ÜX€´ÿŽö_þP|øŠ^ƒ?çœ\†•f‰“ÞÆM…/vŸÁWÿEùó­ÿ™¹lùendstream
+endobj
+1315 0 obj <<
+/Type /Page
+/Contents 1316 0 R
+/Resources 1314 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1297 0 R
+/Annots [ 1318 0 R ]
+>> endobj
+1318 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [87.6538 115.3135 137.7628 127.3732]
+/Rect [116.0003 115.3513 166.1092 127.411]
/Subtype /Link
/A << /S /GoTo /D (tsig) >>
>> endobj
-1035 0 obj <<
-/D [1033 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-414 0 obj <<
-/D [1033 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-1036 0 obj <<
-/D [1033 0 R /XYZ 56.6929 752.4085 null]
+1317 0 obj <<
+/D [1315 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-418 0 obj <<
-/D [1033 0 R /XYZ 56.6929 588.3944 null]
+426 0 obj <<
+/D [1315 0 R /XYZ 85.0394 708.4928 null]
>> endobj
-948 0 obj <<
-/D [1033 0 R /XYZ 56.6929 558.2805 null]
+1208 0 obj <<
+/D [1315 0 R /XYZ 85.0394 678.3234 null]
>> endobj
-1032 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F57 624 0 R /F43 600 0 R >>
+1314 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F21 654 0 R /F23 678 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1040 0 obj <<
-/Length 2900
-/Filter /FlateDecode
->>
-stream
-xÚµËrã6òî¯Ð-tÕK
-vGÜh¿ˆòÍŽùÖð:> Ö¡•Õ_täÓnÖ@sKˆ @øõ‡ô!ME±`(–HÞ—ër•oö@4!9ééi¾‰g˜þ¶<Çþ¶pîÛ*¹„úb‹“Ì™¨ŒÏØÏkÝ$ëšD%{‘àšN€ßýPÐZm^®šgJš¢ €¬€EÑÌ·å¦-ëŠõí˜/Iˆd¾ÔIÊN:©2ò+œTpY—ÕalÌÒ” +ÍÄɌ֣}ÜÞM¸ê…µŽ~ÚŸpÖŽùâúïÑo¢þ0°sÍÌ‘HZ)"Å×Žê” GÜPÖi¸sï80Òd˜1ÚyZ/'ä,ž¦`Û]Ó‹éÇⱡm¼oó¶XUrÐ6_¯ó-ñW¦'I:™
- Æ!D8Â>' ¼ÿëÍÄth@çmÚmYÝYµ[Ï0†}
-îÓÿèÙ*p£¿'WÿÃ#§ŽYkÜЧþúqLÏ ˆÌ1#E§^‘~®z_èáU¹7#Ê%
-D'$8âE~‹(yõ9%ãË„¹Ôf¼¨lÈDQÙ4òê…ßxV¨^™&Ë¢¢õØìf«rN0XC?%ÓOUWÓ|×.kX/Ç€ÐTx ã¸ÞǪ~¨|nTÉl„DVEÁfaª·Ÿ²(¢÷·VÏ Yy¹%Ç
-‹¶·»[LéA9¾àá˜(çX£Ñ lñWyшGÑÍ%`¯2…*
- zœ]à³ÉIîêh^\iW5å]…Iz°1Šï*,
-Îz……Å»¢Í¦ á± 
-¨ÓÀãÚ1ÐŽ ûÙʱֺ@ìköиÕMq¸ô^w0ð=цî,Úÿ õóAåÿz‘P‘q}P*\]5E{hý{•þí=X°''ð¡ŒöMa€Y˜ò©ût*å>_k\ë‘"@ºÐœH‹!
-#5a×»U[nVB:q¸½mYøÎ#ƒH’Ï—ÝÜ:¸ˆ &çbrò¼^€–œ—ÐU¾.ž‘®aÖ54Aˆ™2¿‹NˆLm=¯WÏbÀ¸ÃT¶\?;(±ºfèE¹Wgýµ ^ »ÉMÒp&í:Ä öDyHå·Ýׇ<Ô‡÷eñðµe7•ÄA^7¨+¯*©˜Õê 'œ¯òfPœÄíuÞΗÓùª9::ÿƒ×+n<ÅÍʇÄÿÕ¯ÉG¹AÉGîUø-,yå£wuÉ”œÉ‹æ¦ÞÞTõ©&Á«©ö}ïAÍŸG¶›ÎûƒŒ3›Iþ•ý8uþÿǾ@‡_þ˜“PŒãýÓQ()Õš2¥z†›ú¡ØÞîV„¬p;ˆ¾…ŠcC+~AÇÁtmŠGˆÖ'„VE;äíÙ#ÂMŒÇæUó@pGH5ŒÿØÛÇp@Pϧû"å/ ê™ÂMì ÍGê ²æ¦Ù‡¨tü}XÖ„²yóˆ ®k%’ËvøÂ{[Îw!é!6é`ºÀ \CÌD…vË5›UxÑVW´»M3æxÑWï‚¡,ó{
-¨”êÀ B fÓ‹Ñ*ê±Í!¨G.·2&:i0ê݈ÁpÑo %§2°dùyËà<Vì"VìtþÍ&Ÿ|°€(E"É,|k¨ˆhö8X
-AŸYû+…
-b½Nc­J+¶õ‚A=fÇll¬$“’æÕàE‚îש ô©6é¥YB ±yÒ¾±!¢36<al ¨UÝÊO›dÓ‡ú&…ûí¶N{ÇLM3©÷Ë~ÂÐ4$ic¾›€ÃO ¡Y<¸¾„OYPÇ{VÅOZ™N™†5>ÃÊBæë—a£W€ÜÙl`jøL©\r‰2IIݽ‡ ¼tPY2«Ûåèã!-ù´¹k|€Û7µ£Ïƪ!Ç[s8¥KN‹â6‡”H;Á„‰¿ž¦QzOÑŠe›aOáÖÁõªÀ"¥N.«î[W²¹¡{Zó!K;ʇ|ƶ
-™×Øîéå¤ö$Ëd*N=ºd™R_¢=‹Sº§-êQøU6×æÇ
-Í©t`ÙîðUê‰æ¶ªUÍïaYbÏèKªpÏT.Ð!´¤ÇHø°.æ˼*›õ ¸’Ás
-7‘¨·¬÷› êQ·”‹Çt"UB˜  ˆÃ[úmG›g™…¯'jÐŒad>(Aâ[†_¼©õ‡ÚꃡŒn¿Õ¾æ“ª¯,Bà}wÑ'ñ7š‹°XµßŒgŒ—&ÅŸm·UzåìÒôÀ?º{rÛeŒÁ#:¨Yv‘ÿimhaºi2 ¼ ¿¡`Oýo‰„(åØ{GÚµ¶ßü'ûÊÉ “ÖŠñ—™BÖ‚P¸#uôÌÚýƒÊ±èÿßi9€endstream
+1321 0 obj <<
+/Length 2790
+/Filter /FlateDecode
+>>
+stream
+xÚÅZÝsÛ¸÷_¡·“g,Ä'ONb§¹ö’«í{èä2J¢-N$R'RvÝÎýïÝÅ)Q±}—NGÀÅb±Øýí.(1âð#m˜Ie:²iÂ4z4[ðѼ{w"Í$MºT¯oNþr©ì(e©‘ftsÛáåwNŒnæŸÆ†Iv
+øøÍÇ—ïßýru~j“ñÍûN'Róñåû¿_PëÝÕùO?_N„Óbüæ¯ç?ß\\Ñ+x¼~ÿá-¤ô8ÂôêâòâêâÛ‹ÓÏ7?ž\Ü´{éîWp…ùíäÓg>šÃ¶<áL¥N Ã™HS9Z$Z1(G–'×'ÿhvÞú©ƒúœIe䀥R N™Qð
+x³Èq@*:¤"eBJ ü‘¦Ùde}›oN…Oêj»™Å9]öD”© s²r>ÌW aóܛִilœ6[fÛ:¯á(=®×ù¬¸}ÄŽ7°?úþçû„†PŽ8dÂX —œåd>÷ý¼<›Š^L7XÍof4©d© ´Kµ–^ Ûjs:Q<ÿ»*sléÝÖüøCÑ,Âø"§!ZqU5aBoîÌì à] ¶×÷ùòñT1;M¬_Ò‚vGÜh¿8Òç›ò­Jàux2Êif´3/:òI;«§Š%eP <ý!ýʹÌç Å’ãëbU,³M؈&• ="=Í·ñÌ`¤»-ϱ»-œ{d[R' —Ô/¶8ÅR•ñŒý\’èv¼ªHT²¥K%ømÐÖ<o²bYŸ˜ÔyN ²^hÌóz¶)ÖMQ•4PÝù’Ä@y©“Z<é¤Úª?à¤R¨Èº(÷±QYP²rd¥bÖ‡(E/7w#j\u`­¥Ÿt'ÂÚ!_\ÿý&꣄0Ìî‹”Àñ@–žHøÚR=!È!7„Kp ¥T,Á1a…|
+}E<€²j
+6 S½±xø$„Üù1C5…"ÊË ©
+‚çÃ" ”˧¨¨¦S»ý>©Þ«³]ÅÓNzåßÈà W(4‚B¡ÕjÚÃÚ±Žqéž­ç\Lè}RÊÛªÎ÷—Þé:±R5m í¿W {PùÛÅ?c¶` ]0{éæÕU7ûÖ¿SéÑÞƒ{rj>Ѿ F;©Ê·g¤O\ür­ÓçkM3¨4$¡Ê!D!RÓèj»lŠõ2§^')n Œ I6[´sk8èà"i0¹4'ÏÁëhÉyi¸ÌVùé¯ ¬Ü»ÌTÙ]¼ ÈÔT³jyãCÙbu¶—eµ—t¯3ˆ½&ébÔ:x5ì&ë]ÞõgÒ®±#)"åáj—"Š"Þùß˿‰ƒ ¼¾ ®¼ª`Igô^mø ªÕºþÜÍÓ÷{•5³Åd¶,@’6Ÿ÷,L-¾xŠ/K(8þû«¡€N| ãƒãöêûc̺Bm³kÈF&äÒHÿ˜×_ªÍ—²zºFðê©ü=lHù1ã’=L@dûÒúÁþœÉ ‚Ÿ_$ȧ,àXH ~î—?äù§ 
+/Ó.Û÷€.e
+§ï'`dø„€©dVò¤'¡=Öl˜µ"š|u»;ß@Ëý¡ðÐ5í§Š[±¤— r17d\Cé˜RŒ+£{·ÌôÍ—j0h„‘« ³4€VæI{—É¢ceØ9be ¨ÓíÊG­LCBnìÈh¦ä÷0²Ào²c8dcPmâªß°1‡ÿßM¼ÈïÛ⥂%iW¸cæe·m &LrýÜqó2²2æ5ô¯ÈOð¯&wV¼ÍMþô?Zv÷”$‡/¿ €±Ä“ ”Ï‚Ìäñ¯/‡¢ÿ¤¼O endstream
endobj
-1039 0 obj <<
+1320 0 obj <<
/Type /Page
-/Contents 1040 0 R
-/Resources 1038 0 R
+/Contents 1321 0 R
+/Resources 1319 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1031 0 R
-/Annots [ 1042 0 R 1045 0 R ]
+/Parent 1297 0 R
+/Annots [ 1323 0 R 1326 0 R ]
>> endobj
-1042 0 obj <<
+1323 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [399.2874 719.9611 467.9594 732.0207]
+/Rect [370.941 719.9611 439.613 732.0207]
/Subtype /Link
/A << /S /GoTo /D (zone_transfers) >>
>> endobj
-1045 0 obj <<
+1326 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [461.1985 544.3622 510.2452 556.4218]
+/Rect [432.8521 465.5772 481.8988 477.6369]
/Subtype /Link
/A << /S /GoTo /D (DNSSEC) >>
>> endobj
-1041 0 obj <<
-/D [1039 0 R /XYZ 85.0394 794.5015 null]
+1322 0 obj <<
+/D [1320 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-422 0 obj <<
-/D [1039 0 R /XYZ 85.0394 703.9029 null]
+430 0 obj <<
+/D [1320 0 R /XYZ 56.6929 621.0496 null]
>> endobj
-1043 0 obj <<
-/D [1039 0 R /XYZ 85.0394 675.4275 null]
+1324 0 obj <<
+/D [1320 0 R /XYZ 56.6929 593.3949 null]
>> endobj
-426 0 obj <<
-/D [1039 0 R /XYZ 85.0394 595.0025 null]
+434 0 obj <<
+/D [1320 0 R /XYZ 56.6929 514.8384 null]
>> endobj
-1044 0 obj <<
-/D [1039 0 R /XYZ 85.0394 563.7177 null]
+1325 0 obj <<
+/D [1320 0 R /XYZ 56.6929 484.3742 null]
>> endobj
-430 0 obj <<
-/D [1039 0 R /XYZ 85.0394 407.1582 null]
+438 0 obj <<
+/D [1320 0 R /XYZ 56.6929 330.8003 null]
>> endobj
-1024 0 obj <<
-/D [1039 0 R /XYZ 85.0394 381.6476 null]
+1298 0 obj <<
+/D [1320 0 R /XYZ 56.6929 306.1104 null]
>> endobj
-434 0 obj <<
-/D [1039 0 R /XYZ 85.0394 250.4371 null]
+442 0 obj <<
+/D [1320 0 R /XYZ 56.6929 176.7683 null]
>> endobj
-1046 0 obj <<
-/D [1039 0 R /XYZ 85.0394 219.1523 null]
+1327 0 obj <<
+/D [1320 0 R /XYZ 56.6929 146.3041 null]
>> endobj
-1038 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F57 624 0 R >>
+1319 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F21 654 0 R /F39 858 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1049 0 obj <<
-/Length 2026
+1330 0 obj <<
+/Length 2380
/Filter /FlateDecode
>>
stream
-xÚ­Y[sÛÆ~ׯÐäIš‰6Üåmyüä¤NêN㶎O;sšŽ‡&W6'©’”·Í/°ÀJ¤Ì+MÇÄb!,.€%-§üÉi‰(QÉ4Nz2œf«‰7½…½7É2 '´èK½¼š¼x©i"’HEÓ«eO—žÖrz•ÿ:‹„sÐàÍ^ýpñúüÍ/Oçq0»:ÿáb¾P¡7{}þýQo.Oß¾=½œ/¤åìÕ·§?^]ÒVÄ:^ž_|Cœ„ŸQzyöúìòìâÕÙü·«ï&gW;_úþJÏGG~Ÿüú›7ÍÁíï&žðNïaá ™$jºš¡/ÂÀ÷§œ¼›ü´SØÛµ?Ÿô„ò!Vøc ùÊ·ü_]™v¾ð!$¹yïyª29-ï‹î®¨ˆNÑQP×χô´ð/
-42Ö]QW--\ €,ª½àÀƒHÈ0ˆNÉc°ø‘оÁ8ê¦
-•Œ~jv
-@ã½Ð•+ˆìÁ B wéÖ Tкʲ»p¹³ þí¸» %‰ŽºÖÿ’ŠÃC¯O¨á€Öù8qÀd“¹ª»ô ¯ ;™ÉM•1¯ÞšÆi­V×Æ=Þ Ó0PG¦'ãC/£_K¡• ÛÈÏó0œa» O)™L‹¬L[æï]ôpv¾¤ ‹è¡lÁO^%ƒþöùÅP 66+“³Þ‹ºãÓ¹œ¼ZIé«îç۽ѫMÛ±uÕ¥‡EÁeN!†¾Ã=!É­¼-öù¡ÀÉ°Äù…ëÝäjI™ÈêÕº(M¾p)Ü×kG»· _¨ð]Äqúï
-Cû ‘9öŽèŒA¡%½dªk(À€¨ajoi…$9EQS}¯ÊRæÙ{ˆáx2Ižv|ªÛÜt5Hd•/Z‹ å°R3
-˜å.2[&Ò¥Y炈Óêaôʘ
-8¼2 :Ö·¦Â…¥\ÙÐåà^Û=¬±ÚŸ¸ä²^Ô‚¶¾FoZ¼v¼×Àk1Ü­þ™Ÿÿ!Yøy,ðŠ/ÚÁÛÔì"@Þ3wÙFë?m°üPè( ‡eùâ‰\ÙâCª½«7eN4¿³!YcB‘pºiU™î¾n>ôFG¾öç‹Ý‹™bðblÿ^èb|:q
-À·ÚáÀº›z‹(²‹Æ
+xÚ­ksÛ¸ñ»…&Ÿ¨™ˆÁƒ/ÔŸœœ“óÍÅ—:n;Ó\¦C“PÄ EêDJŽÛ¹ÿÞ]`Á‡ÄTrïF°X
+ß9ðöæçk ½»»zÿþênþùþ§‹ëûN–¡¼œIä·‹OŸÙ,±º`¾TI8{„ ó¹Rb¶¾B釔S^|¼økGp°jŽNé/”‰&"žP àS
+ •I!sÝ´E•¶E]5( œ‘ƒ3°•«$€‹psV¦»F£ŽBåÝ,ç )¥WÕ­šÎŠ_: ˜0ðêvED‡ŒpÉý-h©®Ó6[-²²ÐU;ÅCºŒTL»Ó*Ÿ )@{`ÂÅ¢)<ÂÉõ2Ý•$I[ÛÑÐ)ª/xz¶QèBŠÙ‚s_…¡°ü”%º„òÒ<ßÎyâé¦Ñ"ï¦êÖ
+äÃÎ<ŽÙJg_‘¼™Ý|˜ 3%ªü8ç:S{Ò$ÿS{\ùA†ÏÑ^‚G„;’¥Nв!áÚô«ž¸j!Uì3t呿ꧩ[@Ô( œû=®ŠlŠocTTï‹\#BzÈ
+„BÀ*)Áœt¡ vÉ£iÓV¯‰s [ÐØ_*c00jkQ¿
+#Ƴç8”e¤€ôpKS—{tsYÕ cguÕêom'ªÑÒ—Œć=…™Ü6í„6$¨rÎImD"v*#×
+¦ÆF%õÙ ‰q4¡¼ƒ‚-¸?ŒÖú°Ô¤kZª:ȸ¬­¡|›’°ÈeƒyÊX^,Ñ—Úú¤qbØâîQ^ž¶©ÅÙDÀ-}A(S¶`œ$§œz_‰Ù8©™4Œþ¥¿¥kàñ%93Ô²b`[¥%‹5ª[†ø8XîSúmEgìÐlJçÉ?Ü~$œnw¿ãjàÉïÓ
+óa(­¢Cé [øÌÄé
+'Ñ+Å\V-Üñ}Ïôzg:äš’t:((ÉBÞ¡‹.I©¼)zûØ@Æ0ÀÍ­ËÝV¤’ÕëMQê|áLØ»/]ÖLfo£¾Pà%Ʊú÷ª=vx%Œ‘ƒ@Mõ@ײê
+ @khÚ/v† 9aµ&†R zEˆ®Aµ^tÈV&Þwx«[ܵ5ì.2°*5I‚/¸ƒ´œYU
+ôb£ødè™q_¡ÐÌIBÅ2ù^â±€ ¤ÎªL©d¢z
+N`qƒŒõ£j pj©F­11ºõµíÓ£ýD“Kt‘
+ò¢©Þ5ô ëð]ïgè­þ?9ÿb÷J5ú¶‰€%ÁØ6ÙEày/\³ÿÂÎÿc”%Cxe†ÞW¯ì–{|5«zWæ¦7‚5GÛÎ*Ý>ÖÛ¯ƒÒqô¥{HXVÌÀ™o~¯’K‹øýÒ
+'ÛþƒŠáWo÷EFŒÑc&G`Ùœä–èbÊÃ}Oº9Ÿ§”.ªÑ)ZBöA73ì­h‰œÐÏð³"\À2ånƒ²_îrÓ×›ûò|k?\Žèņ®­=4ŒèÃۺʀ“ÓÞñ¡g4pÕåä#´(ˆ/_~þðâ’"wŠþïg,væ‡^ïÞ°ç{ýûÞ¿Mçvä,æ£{ šÂâáéÀœ›­Þõ®éíþÌx€qV Üéå®yF8•ŒD;Çû«úÙÎÙn‹¬uZú3ÝŸºåÎÿmïkT¿{€¢êfÃoR8„ò“$VN8K B`’þ!`êK‡^â弄#ú« ÿ^Ú3ækÊÓÇá×æ½Û¦ë5´
+ÇåMúLÄñ¢ú—ý †ÓO¦½ý<ÒæiMý›"ã_pÿ½±NÜ?üO_ÿ7(èL&‰èÿĵ‡ ^¨ú1bÊ(6>ä¼ûKð˜õÿxÅÃ…endstream
endobj
-1048 0 obj <<
+1329 0 obj <<
/Type /Page
-/Contents 1049 0 R
-/Resources 1047 0 R
+/Contents 1330 0 R
+/Resources 1328 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1031 0 R
+/Parent 1332 0 R
>> endobj
-1050 0 obj <<
-/D [1048 0 R /XYZ 56.6929 794.5015 null]
+1331 0 obj <<
+/D [1329 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-438 0 obj <<
-/D [1048 0 R /XYZ 56.6929 195.5375 null]
+446 0 obj <<
+/D [1329 0 R /XYZ 85.0394 122.2879 null]
>> endobj
-962 0 obj <<
-/D [1048 0 R /XYZ 56.6929 167.3986 null]
+1228 0 obj <<
+/D [1329 0 R /XYZ 85.0394 95.0525 null]
>> endobj
-1047 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F57 624 0 R >>
+1328 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F39 858 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1053 0 obj <<
-/Length 1020
+1335 0 obj <<
+/Length 1016
/Filter /FlateDecode
>>
stream
-xÚÝXÝrÚ8¾ç)|vFZK²lkz•fI6mÚeÙ«n‡q° šÛ•Dúî+,cLbÀ¶³ÓaýXßùÓ‘ôIÈqÍ9!….až0RQg4í¸ÎÄ|»ê r X õQo_/}ì0È|ì;ƒqMVÝ0DÎ þtvñûùÇA¯ß˜ºg>ìê»go¯o~³=Ìn.¯¯þîŸwïlpýáÆv÷{—½~ïæ¢×(¤Èàq)a àòúž­]õÏß¿?ïw?ÞuzƒÊ—º¿È%KG¾v>}vظý®ãBÂBê<˜† cØ™v<J õYõ$¿:Vk_ hSü( ! qÐ@ÔˆˆP}‚IÁXDÉ,ïßuËú0˵ÈRÛõfé¢Ñ‚ŒR\`Æ"áö³ÒR¤“]C3ùÉØŽøÇ¥n–&óÅXH¥M 5"QÉ¥²ƒžÌ,aSŠ|ű´y&µ­™îuã- „%è{£qâq,Ám¤Ú:SŒ×Ó´
-€uc‰T›?x¦lÎÕ0“Ã4Û¡o=ZX’M€ßJh:›Þr¹§e”ª1—@Ä ÙLïÅ¢—X-¦í°Voši1ž7ú·°Ì1z‡|vû…Ï_jÜVß;Ö* ²™ñu"ŠÜ«%Ò¢@"J¡‡lÀÀ#´ÀÿR|¢ïÔú×ù»5 —@€|d¯6Ū´
-ÜûuÃü—†±Ó0Hp@7 û–¥(i¡´©6Ùjã¬ÄÜG‰ˆ…ž“ô\šVË̉#°§f=I>–\Ý9z@n«kÓr~¨ÐÕd 4‰b!ùHg²\y¤ï†i4åå¤aÃ0`›ÊÖÛ&-OžÕLZ!ËZ!Ä6GI¤ª]u \¡6„êy¾š$º/õ—Ù¶10J’ìÔÿ“-–YÌ•N#=º&&¡lÿ÷!°Â¾Î¸<FVÝ°Õnv"q³Ü$+åñTåéQ.«¬)|-OºSŸŠ£;>ú–Ù¢Ö›’ñ5]Œ#‘,Ä$Í$ßzxãW°
-ô#XþïYú¬Á*V» Ò•ÿ[\}Z‡ÖÖJP-£í“´:Ï«J}–ÖAÝ·
+xÚíX]sÚ8}çWøvFªåoOŸÒ,ɦ³MwYúDF±ÑÆ_•D€”þ÷•-ì@
+†ffw¶Ã0¶¯¬££«{¥ã‹4]þf;Ðñ _s} Ú:²µ îèÚL¶]wPù¨^õ·Þ ;o®LWó¡ïŽ6œÖ°<¨{Ò†á¨ë@ö$‚Þ½üx{usýipÑs­îðæãm¶Þ½ºù½¯î®>\ z
endobj
-1052 0 obj <<
+1334 0 obj <<
/Type /Page
-/Contents 1053 0 R
-/Resources 1051 0 R
+/Contents 1335 0 R
+/Resources 1333 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1031 0 R
+/Parent 1332 0 R
>> endobj
-1054 0 obj <<
-/D [1052 0 R /XYZ 85.0394 794.5015 null]
+1336 0 obj <<
+/D [1334 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1051 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R >>
+1333 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F23 678 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1057 0 obj <<
-/Length 1196
+1339 0 obj <<
+/Length 1041
/Filter /FlateDecode
>>
stream
-xÚÍX_s›8÷§àѾ)’š{JS§—Î5½sÝ—ëu<Ø`[S ᤾&ßý$˜œ8IïÏøeÙ]íþ´Ú];Hÿ°Ã<è ".(d3g± g¥¿½àJÔB -õj:89÷ˆ# ðˆçL—-[>D¾iøièAGÚž½¿<¿xóqr:ât8½x9„¡áùůcK½™œ¾{w:ì3<<ûåô·éxb?y•W—¯-GØÇ£“ñùx2¾<>OßÆÓ&–v¼¹&¯ƒOŸ‘ê°ßt…Ïœký‚ ‚8›e.dÔukN<ø0ø½1ØúZªöâ‡$®Æê>€Œ·
-bÊb§Ï™.úíÈÓE0Ô±]{#=Ï,u÷Y7ÑàÖôµöjOžž6ráÿýÈUõ¨ÃcÂsÚþ·Úßñýÿ?·ã^íIßÔf=99§Äil-c”Cä1¿¹1ªA•oöJóAërÚ´¯¯õ¤…H"íìd8AZâ£
-VQ³Ðþza
+xÚíX[oâ8~çWäV²ëKœÄêS§K»Œv˜]†ybJÁ´ÑäÂÄf[f˜ÿ¾Ps-h´ÚBqœøËw>Ÿãcl!ýÃ–Ç ¢Ü¶\nC†0³†Q YúÙ} /ß«—@ù­wÝÚÕu-¹C«;.ayy¶º£^ýö·›?ºÍN†êl
+™Méª'¬}ªýY
+¿æq,D•Å4TÈSΩòM¤ ˆí>P*Ü…/Ânɨ׫oäóµ’9ÍÚ}±¿2´7 })—^ø=9&X5›,G<±º6Ù1B£7íðAŠGíÈI\ÊÓ)W™Àá“~™Mr½jŸý4žý œq’Šõ"\"^]å×v²\‘­hŠHÄJŒà.‰QgúVɆÎRMv‰ç‡aò ¾NE:[¡æý:T )‘¯†OƒPG‰¼ÿÇÅ”Üf?œNÊíA2Éfüp„ó8É6ï< Le«:ÆIªU]+£Ä‹š§þóQŠh­èh’Y5©Tûp°G¤²2ý½"½¬sÖ¾´aáð»\Å ‹Üóïk3+ÃJ~9?†p¯ØŸëF¿
endobj
-1056 0 obj <<
+1338 0 obj <<
/Type /Page
-/Contents 1057 0 R
-/Resources 1055 0 R
+/Contents 1339 0 R
+/Resources 1337 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1031 0 R
+/Parent 1332 0 R
>> endobj
-1058 0 obj <<
-/D [1056 0 R /XYZ 56.6929 794.5015 null]
+1340 0 obj <<
+/D [1338 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-442 0 obj <<
-/D [1056 0 R /XYZ 56.6929 158.6437 null]
+1337 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F23 678 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
-1059 0 obj <<
-/D [1056 0 R /XYZ 56.6929 128.5298 null]
+1343 0 obj <<
+/Length 2934
+/Filter /FlateDecode
+>>
+stream
+xÚ¥]sÛ6òÝ¿BôLÄ
+&¡äp¬ßƒªMÕ<ü¾úE©¤­q[ƸvÉÀϽ{¬Â>'Y£Ò¸LµíkÙéïa§ûËä¼­ú§–TèØÚ,ª41{ñ?™’c)³sKú¿ùS¨“l_ÜŸ×)`% Wý9«¹¿xÈ)×é´•jrëÌŠ,δaen\?T;´‘çiœë²€-ì~r‘öÕî мv=
+ T”`߸/Õ” è87Z,à-ª%Z½®Š¨îãøC⯶M½p<Ï&æƒHi’=wøD•qžæ©ƒ×ö§5yœ'þ´MÝràmµ¨çÎÒ<Nmñ$ža ªÈòHâyLjMÇ·áÑÍO<ë–KF÷}X¹’þr@ÆÎ"ÃÚ ’M¼0·€À;e݃[ ž™·ö[ð YVó¤õþbý.AÄƨèƒHDF@±ƒ²gåZF»¦ïÎÏÄÁüpn@´˜ozqSú®;‹ )Âã^=4}wdܲZ¹}3¼bí;pÉUXà¼Ø ÌrÒõWìè8n®£m·ÃûäI”ÆPV/‹
+P8.† *¾ÆxŽªÕý”úÄ2Qã:ã,iT"gk:ðÁœœGr€Â
+{õ¤æ~Q™ªQà>"™8VmÏ(r^À¬÷­xÙÒϬ„vÝí{8[œôxJ“ÕôLµ% †`‡ †X¥HÊ8ñÔ°‰ê”Œf†ïŽ
+²Çpèæ ˜lÃXÿÝîëj#Ô,£}
+^VQøP&ºö¤Õ×Iå¹Í¶©^ŠLÚ¡
+
+•¡¬Ã"'µÑG‘ãS—\€i1TÑ „ÿ¶“,ëx ™´]2…dÑ­£
+ZI*T>šâûÛoêȸ÷ÀtU¹a?Ƈ:k1Yeu>±Jþ<½ÖÖ°-¡Ò2žÒI
+)5§úÿZøïéñ\Ÿd ¹'µç@&mLþ´Âd$+€¶:0
+Ë1‚ R|ÁÚ)°yÛÔp'aš`8ëÊŽ
+†ˆH¾S¦Â2õìN”U²£*$; /.
+öºgÂQ–lwõ)-`I}Îî7ìûù”ž˜¿µÑÝõ;]ê‚£´+Xy’Tfí3;`¬>êkƒ XNÏÓ÷Áh×í»ÝÖMäðÒĵ}í›YR˜±¥ïjIAFòƒô½Õ®u S‰Híè­œZ➧Coí7;7¡ç?ëŒ^ÜG?뜞mØÆ^þ‘gÔÎ|c‡”&E¬sìŠ3 g×ùÔOÌ*ü‚úÍ?hŸ~íO¡ç/Š$´dç-|^ÄiLL#/”c®žýÜîùªÑÑÿ…wQÒendstream
+endobj
+1342 0 obj <<
+/Type /Page
+/Contents 1343 0 R
+/Resources 1341 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1332 0 R
>> endobj
-446 0 obj <<
-/D [1056 0 R /XYZ 56.6929 128.5298 null]
+1344 0 obj <<
+/D [1342 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1060 0 obj <<
-/D [1056 0 R /XYZ 56.6929 104.1184 null]
+450 0 obj <<
+/D [1342 0 R /XYZ 56.6929 660.7607 null]
>> endobj
-1061 0 obj <<
-/D [1056 0 R /XYZ 56.6929 104.1184 null]
+1345 0 obj <<
+/D [1342 0 R /XYZ 56.6929 630.6469 null]
>> endobj
-1062 0 obj <<
-/D [1056 0 R /XYZ 56.6929 92.1632 null]
+454 0 obj <<
+/D [1342 0 R /XYZ 56.6929 630.6469 null]
>> endobj
-1055 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F42 597 0 R /F43 600 0 R >>
-/ProcSet [ /PDF /Text ]
+1346 0 obj <<
+/D [1342 0 R /XYZ 56.6929 606.2355 null]
>> endobj
-1065 0 obj <<
-/Length 3602
-/Filter /FlateDecode
->>
-stream
-xÚ¥Ërã6òî¯Ð‘®Š8x|TN“‰gÖ©'ëqjI´HYÜP¤V¤¬x¿~û’’©™IM¹\  Ñè7¤
-þô"u¡²Y´H²(tJ»Åj{¥O0öáJ ÎÒ#-§X?<\½y›Ef±‰ëÉZi¨ÒT/Šß‚wÿxûËÃÍýõÒ8ÄáõÒÅ*øáöîG†düy÷óÝûÛ¿Þ¿½N¢àáöç;ßß¼¿¹¿¹{ws½Ô©Ó0ßÈ
-&¼¿ýç ·>Ü¿ýøñíýõ?]Ý< g™žW+‹ùïÕo¨EÇþéJ…6KÝâê,3‹íUälè"k=¤¾útõ¯aÁÉ(Mã_dlgKé0Îlry_ÞCÁ¾Ò4ÚAÞm»Ô:
-3—À¥8gÂT%ép).™\Š6:´ÖºEâ²0¶ÆÒ­tuþ\"oÞ¼ì;I
-’ÑÈ<µ›¡Ö&a¦T,xuÕõBð®\U¿+eJš…l‡I)L¶ל¡ t“© ÝówÛò1°§ƒÛ_šƒ»Öã k™ §ÂvWLšÛoòžÁýF6.bsÕ6}¾êe±¾%"Õ)q‡]‘÷ˆŸ¦AE¨ÐXµ»l%L@xyhx¦š(øˆT]ë`/³˜1Ø*ër[6ÃjyüîZn=–¼|“o…wY¬Î´oûÃÆxð$î‡à¸WtØÌ?¼0BQ®óC݇KGA¿Ï›n=LÈ–ÓREÉà5Û-Ãwí¾g¸³²3Ç4↜¿Œï‘ `’Ö(æ##Âc)€MÞ<•×(ØÈ뚇‡K¥9/DñZ¿TÍ“`󇈜!ª9lIôµ…m׃ŒY Á0  -Rø¢ø!ʉø­ÉH` ·áoΨ»’0—Lµì˜wtxÄZ£°Î\ª°MñžÑ‰È£½MUðö
-~íü¬õɬaA
-³3¹â8õq€Ð—³KExÕ£cÒ )F[× Â3gÐØÆq2œáÍÙ1 ÐIÁÜJÆÅc˜Ìøc7¥¸›×»Z&'›~q5+›ÿ9XA‹bùœûzl¹Q—=‡Ø!I¶©Ÿ“x&Z7ÐÑ€î¢F}l;ö¤ËĆ ‡ÉYÜ
-
-BÛPé¿—jø)s PÍR'ý…\ÃEQAÈŒé_“j] ZÖÛ€±«1°üh‹©C.×°ýÇ1±"Ðĉä†2éU¹ëQ"r\O¾ŸÏî`mƒbÂø³~ÿî [;ø=ú’û²;ËDAwÈìphU @óât[9
-iÁ–¸=xRÚE’<?äãìä<ÝÅ |Üsew1èø}ãbEÞp=£ë¬FâRAÅØÝÈý9DOàÆò'¡¤’-QxÙ÷¡oTqtz¤³°CLIߌÆ{=2ÈAQ|:ìI¨:² Z¢I—:LÉÐv˜Æu äØÕy«€Kob ”õD tŽ¹~–¢Û†Á²#´¢7)’GÞ6
-ÃÛ2'L P{Å?ñíVŒÃ*ç$­7è11Áí¡.Øž<•Þª!‡ DY¤àùû&Í!`t.²àhççotÈˇ”VÙ ¶×>ïA…=ò‰æëÁxGY&÷ŽÀŒ?’ÒÕ_°H)YzßÂ7åg‚mÔú"ïÅÜLnL@á t×åÔeƒ½„&¥+d„* Z'¢
-ñ Öäx²/UàÝAÀ^­'¶h8ÌÏæHœd'È8¾èäü9ædPÈn7yÇ uÉžn›S+Jœopü• דÚçÒ¨lR³S>åPbž „'4*ot±%3h±¡iÙ ËËB°YZlÁ™à®k™âC£¹{î8”<?ä磋Æ4ÑŠc˜T`œ¸H7¸H€äàp—t
-ûœv²œÃ¾+I }ÅÊù¨këƒT„&³ò9¾?UÏT0+_´èá¸Ml#' µGI 18©VŽø¼ûKŸ€w€äy_a¼ð\zºOJ<µO<ˆ—³~Ñg£ÆÉUáIs¸"’UŠ‡ÄòÅ()¨l sþìöÕ3×j5Êd?û?yäÐ KÝ¿§3ÎÒ1z\B,VB_¸W†ßs9`(›>l±†D’Vu ”œý<Ýôé$»c­ÂªY"ŸM7óý.ŸË)uÕ²]¦å2-_¦åò$ D
-Ÿí¤àJ“;Jt<\9hÐpëv¸u!^è9á0«¶óåJÑHË)Ù4ÓùÆôiÌÉ´ÎB‡ùì×/:L¹˜“éD…&2Ñr2“ê02Îy†ó}ñUiY¢‚ßÁ}òŸ=
-“1£>Tá•Ï2 ô¾~MŠâ0±ÚKûXF:c¥‘ AªÔS.‚¯T0G ˜ª—ÝÜsUêÂ8Î| |™µS¬3.NAUÃ;ä3ËÇI¨ „øâò ú€™i}¦·MñÆ›“u-ð%Iíéºóm.
-ƒæœ;`;2ÁqS­Ð
-9#eóë‹»†XDÀï%é.Y'B†„¯t™i ]¹ÙçœÑ_`[Ü>ÄðƒL2âI| ¥X)~#@P;ÃÅaœféWqÁ‚iH’×2‚«WÓ§F—œd'žC ÌÁÄ5ù'¸r»ë_ΟëÖ³÷¦M|Å&Œ“ÌNÊw¸,qª°‰¼…PÉVüð™NÒ¡t‡iÛSÉ’7-/;AÊËŽöÕsí«â4W×HoXô·‚ÄœâŠOAØÉ,½âD~ƒÐ¼ k{
-½Ù?¯%à™œöàùór:ã¼Bµ;J çž—áÐ:~eB~l{Ø(D3ãnTQDÀ‘R#ew„°?$Š*™EÆ„`ä"á%O#¾Ç w‘±gåkz&ÂÔÊøäÎrݳ"¦[#9š¯t
-
-ÉÍ;¤ŽXd†ŸÕdRX¢ð
-endobj
-1064 0 obj <<
-/Type /Page
-/Contents 1065 0 R
-/Resources 1063 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1067 0 R
+1347 0 obj <<
+/D [1342 0 R /XYZ 56.6929 606.2355 null]
>> endobj
-1066 0 obj <<
-/D [1064 0 R /XYZ 85.0394 794.5015 null]
+1348 0 obj <<
+/D [1342 0 R /XYZ 56.6929 594.2803 null]
>> endobj
-1063 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R /F42 597 0 R >>
+1341 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F21 654 0 R /F23 678 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1070 0 obj <<
-/Length 3274
+1351 0 obj <<
+/Length 3085
/Filter /FlateDecode
>>
stream
-xÚ­Ûrë6î=_á·*35Ë›Dqö)íINÓéIºI:³»m[ŽÕÚ’kÉÉÉ~ý%ëfù̶ãñˆA q#(1ãð³0b‘•vf¬f!ál±½à³èûx!<μFš·±¾}ºøæ&’3Ël$£ÙÓª5WÌx‹ÙÓò— b’] <øîþîæöãÏW—FO·÷w—sòàæöÇkj}|¸úôéêár.âPß}õÓÓõuE~Žooï>ÄÒãĤ×7××wß]_þöôÃÅõS#K[^Á
-òçÅ/¿ñÙÄþá‚3eãpö/œ kål{¡CÅB­T Ù\<^ü³™°Õ놎­Ÿ–ŠE2T³¹0Iŧé t}3†±qÔ';AÁaO¢X3%´iö$4­=±’ÙØÌLhY¤¤r[²L7éKReE>/òÍ;.Ñ77ZµFÔ‚mæÿi•—s-T@OÊtIª gš¯Šý¥ˆƒEê;Ö)áö©¹Þ²JªƒŸ´Xb–¯öIYí/ãà°¨n¶™6`ᘠCéøùo‘§0VŠ(ø•‡<e/ ÒZP†O_üîú ½™àþá#
-F}Wù;5’¼|K÷Ô®ÖIEÈ™Ÿšè/ÒìeEÈ[V­‹CUc-ý¼Ûd‹ q,
-œÜŠ Û¶¡Ç¡÷,',·bH@gŸUïôZ¦‹Y
- ÖnC%½B¯qQB%€!z¦+\Ã,4½ãjã“4Ä#w"T<X9P±¥~o
-A‚ZÛä÷ÚOÂ[á½Æ")½×p~"f
-bC³Í#"C“‡õÒ¬Ó2+–#+˸UÖ£ùSR;Öñ‰ú²¤¦c%ÃãÖ;}”éþ5ÃXéÐ?‚oŸnŸ¾òSþD¿»Õ@À¬Bž ËU2¸­º PTÆ–sÙ2Wœ´Âè<Œ™µ`}ŸÔaÍ…Ÿg
-rm^“}V`œvq转ÒmI=ˤJžq¡A7AyX¬ýpÜì©—/$ÇaW£ïöª–Ÿ9É—4¦,èYä ¢ŸúD1Q¤ïoä_—çãÁ÷c ™Öaì÷¯ÑGz”ïy‘¿o{*Gº@ª4¯Çw4ê
-Ìuírå6!ø÷×tSì¶i^Q£OÈiïÁžÐ UìˆôÇ«;·£eªŠE±¡®E+¸ÓL9¡’5
-XÜi¯©Í
-E5:øʺýi,M–KRöŽ…Y^¦ _ü‡ORÓ¡®@Ú`d f‚™¢–ñƒmðçí#Z3˜w`°2Ó~À‚„Wƒïp3¬vÔXgx€ôYƒ–Óæ¡9ª,Ó*É6åIÛ•V3šxÚvÛX§m·ÁBHæ»b“-Fri&´Óä¬ú]ãÕà7ê2Ð5Þã‘îW)õ#V^}ylˆÞvŒ#½{ „¯N<5L)XªÒÀ6§S!¡Æ?#ÚpÞÑ
-f‹9WÓŒ4X#œtÌD° m±þz6b;ÙȨ@#)xhcq2/Ñ\‚ ;BO(aƒFüá¼_œ—èÈÂMØé}h°Î12˜mZ •j¢3JØšP‹ö¬,NðyȬ†Db’xƒ5B½»åœ ¨ß»Û2)m°M“teuØÐ{6¦n£Zgõ“Gz ÍÐØv fL`_SjSL‘þënÌI\}IùŠÀÊ´¢†«»"—ÉbÑÍœlrhù++iÛ7(žìH-IF!Ó&®ïj0s¢ÖÈpÝMîîŸnoþ=VlŠaá›’øŠä«­Üˇ ’Oùœ‹`Aa–rØÑÅT”øÕÃ=Æ&+]}Ûti€-¬ðº
-'‚»¯ÒPWnO²ÛgÛ„Æà­=÷B-%‰Xi‡Zz9 AshU‹ Ý«¶ØJ0 Äd\8æXîÖÆuê}ˆãê}C“„ 0:°:æÑ7b°áP×çy,YÇ&¸òìûŠZîjÏi—KøMÆ‚…Bô®¨(‰«›‚æ°«#¦Œ ¿ˆÛP2%£šÛNŠ\AÝmj¾ôÚ¸¸¶4ÒҳΠWæu;LBs¬ðzMˆ‡šÓz‡º¢ÞPÖJ!ZGxßÖÍ¢§%‡¨CÝ«ƒ7W³_Ó.†—Õá¹s-ëopš˜XFZi{1Óí®¾¦Ak9éÊEÂA<ÿ¤+ocvå –+7¯ÓÅs´Îr˜¤†˜PŸ!Þ`Pï&©pT“ªGÞߎkë¯¡í— aþâÆß#Äk_µÏÜÍO½”صX'{p×NÜ1¨"¸»DÁFùžWÉgêuꃃÒ=œ<Ùe±¥¶&UznòÆù©{Ž¶>¡*…]p¹q£~±ü¦ð Ïþ®È˯{{ŽÖ­—Š¼|ÐÈÓê­Øÿá>ø‰I¿|´
-xÁ{©†ÅÂ_ ¹ó©›«8õÙˆWË÷]êõ÷¦¾í¨P1iX=HöÑ >Ñ£ÕŸ¥t3Å®UŒ„m,Áˆ:Ù[Á!n,%„hEË—žf]â?ª|å&yMDz
+xÚµZYsã6~÷¯Ð[誂›ä£3ñLœÊx²§v+Ç-Q³©ˆ”í¯ßn4Hñ5ÙÉÖÔ@ ôñ¡ÈbÆ៘E†qëYkf¸0³ÅöŠÏžaîý•ð4óšhÞ¦úæñêëw*œÅ,¶ÒÎW­½"Æ£HÌ—¿o¿»ùññöáz. ,»ž˃oîî¿¥‘˜š·ïßݽÿéáæ:ÔÁãÝÇ{~¸}wûp{ÿööz."#`½ô;œYðîî‡[꽸ùðáæáú·Çï¯nYÚò
+®P?®~ùÏ– ö÷Wœ©82³WøàLıœm¯´QÌh¥ê‘ÍÕ§«4¶fÝÒ1ýi1ccè ªá¡9.Áá\ßJ€ÎmÔ;w.g\(;›[e™™£Ä-£ {ÏB3«¤r&Yû×d¿DÕ|ýÆNÄaÈBY8
+[TÇ]:¶È")¿ö¼~UÄlIO·H<û žÊËbAôáþ`=y² ìÒÊ\†’…± »Ú9À´ÌFQä7Jòå×°×ð<eX(uÔ•'Ý—#;ü¥‰j{s=W!^×Ùb ]mƒ×l³¡^²ÛmŽØ5 8ôÇ!ÝgiI a@MRÖ‘#yͪµÓƒjb':
+;ü%™¡(ühî,M„ÞÒn ß:à \ј8p(/ÃA<:þÜWQ±13ÿ“Ð-bocèЩ¾_%ûª¤þa‡—&È*?P¦eom[’Ø騦(¨EÆó%õ“±5Nú‘ËÒpe-¦Ôyvš§H Àȶ(+궔iÁ7E7ì9µÃ¢ÖÁ0êÕn› †þÖ„Ìq¾ ¶6|_“Þ_JŠ½Øv-%)¬º™Å&)=ÑÝý긬–ú^Å’L‹+‹í.ۤ˹‹40°LWÉa3ÊùK8Ãö$0~ü”=ÎT ±÷¹KK¿øÚS|iN½»{¿*yIiµƒíÓ!ÛTÈ܈ =«>âøǽFëB~Ñ?ùŒHAîbå_ر^qÖkèH0‚£wÂ2Åvf tb­½6és‚1jŽ‘căY–ˆBZu XRâ² ÒÜ'î.ä˜J0Ó?Í bBqð›Q¼†ÍóÕ>)«ý5¤ ‹ª®¦Î ×ráÂk
+Ñ=»´WCéüá MÝß>bùì¾xðñá=F#Fs7.‚á$/_ιƒVE£™ß½¾¾Ù á$†ALÕ‹C5ž–QÒ–þ¹Ûd tQ
+
+Æ:̶íÑ“ZülÞI£ 9À9ûÌ%Æ0^BN艣&ù 1ùÑPEœCÒL‹Xº-bÜÿëÛnîî “e±·,RO’ãÝtk¨’Á.Zçs8@Ž†¨Ò?îí6æ@_›%Ý8·;vž|4ÇS²tÙÍò6iÒÊ
+àfO³P±‘‡]M¾Ûg-¿3¥Ò°¦,¨-rQ+ákùwz|-|É{1|÷iì@…~ë5Èá‘šò˜ùqÛƒaùÇ ¿Þ#Š›orŸšJå ‡¾ý%Ý;ÿÀªÈBؾýîæã'¸Ox¡Uä‡Ñnîi½“U±(64µhÇq·SN¤t``›-£»J›àgª
+ÿæ&ìœþ©É¤»õþò ß=üÀ:Í_à÷OŽkÿC |{ö…/Â}ëY΄‚ØÛâs
+O5ù´\ƒ]GÑ©ù
+qKÜ Ä5Ô“‚÷÷ülï¥ALÈ×õ”îšiz;ƒÍƒD¹?‚; þûêú‹ÿïôWŠ:„¬>:àë·SÏ2ŠÁ3³ŠàÉp„õÿ˜Þç×endstream
endobj
-1069 0 obj <<
+1350 0 obj <<
/Type /Page
-/Contents 1070 0 R
-/Resources 1068 0 R
+/Contents 1351 0 R
+/Resources 1349 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1067 0 R
-/Annots [ 1074 0 R 1075 0 R 1076 0 R 1077 0 R 1078 0 R 1079 0 R ]
+/Parent 1332 0 R
+/Annots [ 1355 0 R 1356 0 R 1357 0 R 1358 0 R 1359 0 R 1360 0 R ]
>> endobj
-1074 0 obj <<
+1355 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [284.2769 435.3027 352.9489 447.3624]
+/Rect [312.6233 217.8123 381.2953 229.872]
/Subtype /Link
/A << /S /GoTo /D (access_control) >>
>> endobj
-1075 0 obj <<
+1356 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [282.0654 405.0176 350.7374 417.0773]
+/Rect [310.4119 186.5529 379.0839 198.6126]
/Subtype /Link
/A << /S /GoTo /D (access_control) >>
>> endobj
-1076 0 obj <<
+1357 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [299.7586 374.7326 368.4306 386.7922]
+/Rect [328.1051 155.2935 396.7771 167.3532]
/Subtype /Link
/A << /S /GoTo /D (access_control) >>
>> endobj
-1077 0 obj <<
+1358 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [184.7318 321.8124 233.4785 332.5968]
+/Rect [320.3548 124.0341 389.0268 136.0937]
/Subtype /Link
-/A << /S /GoTo /D (dynamic_update_security) >>
+/A << /S /GoTo /D (access_control) >>
>> endobj
-1078 0 obj <<
+1359 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [330.7921 290.2521 399.4641 302.3117]
+/Rect [359.1386 92.7747 427.8106 104.8343]
/Subtype /Link
/A << /S /GoTo /D (dynamic_update_policies) >>
>> endobj
-1079 0 obj <<
+1360 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [401.5962 259.967 470.2682 272.0267]
+/Rect [429.9426 61.5153 498.6146 73.5749]
/Subtype /Link
/A << /S /GoTo /D (access_control) >>
>> endobj
-1071 0 obj <<
-/D [1069 0 R /XYZ 56.6929 794.5015 null]
+1352 0 obj <<
+/D [1350 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-450 0 obj <<
-/D [1069 0 R /XYZ 56.6929 639.3701 null]
+458 0 obj <<
+/D [1350 0 R /XYZ 85.0394 430.9244 null]
>> endobj
-1072 0 obj <<
-/D [1069 0 R /XYZ 56.6929 613.6661 null]
+1353 0 obj <<
+/D [1350 0 R /XYZ 85.0394 403.7891 null]
>> endobj
-454 0 obj <<
-/D [1069 0 R /XYZ 56.6929 492.1088 null]
+462 0 obj <<
+/D [1350 0 R /XYZ 85.0394 277.0241 null]
>> endobj
-1073 0 obj <<
-/D [1069 0 R /XYZ 56.6929 466.8231 null]
+1354 0 obj <<
+/D [1350 0 R /XYZ 85.0394 250.3071 null]
>> endobj
-1068 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R /F42 597 0 R >>
+1349 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F23 678 0 R /F21 654 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1082 0 obj <<
-/Length 3028
+1363 0 obj <<
+/Length 3306
/Filter /FlateDecode
>>
stream
-xÚµ[[“Û¶~ß_¡éKµ3BÜGÇY§›iìv½™v&ÉW¢vS¤*RÞl~}n¯ ÝØ“É,|À¹àÃÁ ãUÿá•â(¡š­¤fˆ'˜¯¶‡«dõmß_aÙЦ‹úöþê›7‚¬4Ò‚ˆÕý¾3–B‰Rxu¿ûyýúï¯þysw½!<Y t½á"Y{ûö;W£ÝŸ×ïÞ¾¹ýþ§»W×’­ïoß½uÕw7onînÞ¾¾¹Þ`Å1ô'~„™onÿqãJßß½úñÇWw׿ÞÿpusßÚÒµ'Ôòß«ŸMV;0û‡«Q­øê>„µ&«ÃãqFi¨)®Þ_ý«°Ój»NùS…¸"rÂŒvˆ(3±’\#A µ¼ÊÀ"†×»lŸž‹Æ}äµ±ì›7\uú ‚(N$5ÿrzhþâP=)D#¥¤ö¨¿™ñh˜Yÿõ¯kW.Ó&ÿèÅçåæªÓ‹û<]cµÎv›‡"Ý~Ø4î3hš6éCZg0W4‘`AnÇKÚ«² §jŒ¢«&àc%VŒ‘æœX›ôCæ&5µbχ¬ljd»$€Uˆhî¼õ®yÊN –²õÇ´8”Rß1s Ǫ®ó‡"sMùÞÕ¦»]ÞäU™®þ¢«iÝÀ'?ÚSúÑW?dYéꊼüí\m^6•«mž<°ÎNÐßÕ¯ßW‡¬5 clŽ…7·z±Ý·äå¶8ïŒ<óõœ7O®dåÙ®yÝœò‡³±ÈÕ@ÙʪÌ&† ¸á}Ÿ?š£­¦%ºPa)ðtôð MåÈ?=Z”ñÆ.‡I<ÅbÌÆ’Ä嶨 Á½U‡aA˜¥Û“ü>ˆ.Íêí)?^<Zíýêêš¡%J «ë¢ÿ@(…¥*@¦ƒ¿&‘ &µì™èO+W¸ëÛâŒëŒÝ^Ì2A „‡*Q=¸^ðz‹ZPd<šQdža\ M¸X`XaX@ÙÊŠì15Öoª²xQÍ`•ŽË  ù=¢ Xç2(àâ»ë_’„¦¦Ì×V[›Enã$|˜°bþ>A„qÀ´Ü¹ªº9?¸Ò°¾!8n“ëÛ½oÍ<Fï„j„ž/Y=ÁX,‘¦D]¶ Úaq”^µ`Æ.¼€¬ç¼(¼Eí5pA:k”h¥‘Þ¤´ (õÁÏiû×Ç°<E7°)…EÚŸN·„_Ž~ åæ9C¿À±*±€2fí«ÓszÚ¸E0â
-€0¦ ëêËþ©¶ÁKç"˜ç
-’ªS¾Ë|í“/F»RµwÀÇ¢z°¾†º>M‰fÚ…WhÌ}G–
-GIต #Êp_…(@‰hô%ƒØ€™¬ŒÒ‡ÎŽiŽë
-[r\|‹šßÎp¤ƒH×WàßךØ=Ãvy¶DÅšY’˜w(3%å ƒÍ§¥ÕþÅ}XŸ›Ö2=d®Ê©Ó…­Ô'y[T®å—„'¿Uçœ{ ˆCeB
-?ªwS¹{ùÖ+{„ó‘5?KÊå ìZJÀAçö?oî+‚=p¶üÎ}h÷'„ˆf)Q»
-G!hã*ÛѶ@$ÈÔú¼m†œý¦Ê.¦K^{ .Xgì Ç8³ÒÓ>!„ùDIvf‘‚„ ,É%[5«Ë×öBíoe±˜EY1náTƒäqÇŒ¹uç,™]8L08N“…¤¹‹š_8-ª·pšÃqãÝ9\>Ì\—%ZÔ„=·1‡:P£]>.ùPR½!IdÕ9³…“íåJ™[
-œ¬o["îæ zÞÓ”" ~‹;úŠøÙƒŒ}‡ô÷]¹ûÌ»;?d›ñaKç Á¢j´ ±=O+hL¤ê)òçÃí1sZh¨”röxL•BL+Òµ8r:náqÛG£ÎåPÆ ?AáØ ´ ¸£±¢c–P$ôÜÅmK½*½€šœ­|WL“r .t\“5¡JŸ~&‡7SÐÕåË\ÆÄ,ò„'ŠDøG ÒkÒ3:J@_0<î§S™Kc%âóТe!•1¶ppè€æ9@ó£:7#*†˜à"ªG +Òg †F`jW“¯DÀ®=£·
-XÓ¡•èç€|`^W‹/³9ÏÚ2>
-”hQZô#©„Ôø2Ä›1f Läþ‘SˆiÊ{öÆxð –ÇýôSGBÍÕt|hAÑXqâŽY¸tî€"´ó ™‰Ú|#âÁ]
-W¢µèoIFûj|5Öyc:(†¦â™w’/–ÄxàqËG£~:ëà0¥˜Žº?`â: GŠRNsó[”…P×ÍS.€ì[aÑl>%Ø ‰”É»"JÌX‰>ãRTÓž_†q[†”ãˆ&šF(›À´ko”r7}4êgPŽ¢„%2êÿ×b4ÖÂÿ`^úqi‹‰ýðÏb"Ó4éÜÅ]L‰
+xÚ­ZmsÛ6þî_áé—“g*”x#Áijçܹ&=Ç»›¶h‰²YS¤JRqÝ_»X€ï¢Òi&“1<Äîvøe
+C.âÕ>MŠ¬xÜsúíP—‘öI£@,~Ü©<’$ ¨£ØÁ²šzL6Mö)¥ò®¬¨Ð<ùæ?Ë"šÈ@®îŸ¬N*”;§e²yÊŠ´ö'®ý%ËÞÕ7«t“¶¢RPÆ}CÍTd„Óð»÷3 C
+†”ƒZØÖ÷îooþ7c¦40ì0ãÔÉ>­ëä1E œ}X ûd`¬}TG5hÌÖÕôÍDl‚ÖÐç‘gu“n©\${W[§Õ§´r~ tP­ä¤ur¨²}R½’­^{g+ñaŸ€˜
+zâð…Î(PJz3 êk*%Å+ntÛ-ÍC]§5}WÒMöKk`^²æi†b"LèиQ­Ñ ¨°*rXt2&Z½qê•UC¥}âÔ{HGº\ñ¨CÃà9øÆÁÜ[%íè¦À¼uUÈd$ôgi«“"ôÚöƈ$4¥ŸÔbëjhâŒ_iÄâÙà#`Œ›a2*Z&˜)Ìj›î’cî¡;jï6cáÂAˆŽs00g,_¨´ê;
+ܵ%NKÚP}b™ …úµh’?¨ÕÒ?J«&ÉœØm¹§²"U;mŠÖùDB©9ç@®puæö+øb¿)]új[pêÊ¢ö¸žïßRÍÎV•{úEöA¡H›—²z¶»CüÂênUÀOI•µ
+l6¥íi ´u}•Ö’`¸,È;ZZ¾RÇßøvº®Âœ{oàlŸ 2‚vè#•]#ÞWÅLØŽ˜ÿæúØ%Y>#¸§bÞó¥§U “‘>ðÕy±vf Y$qgõÅ4IªbNdB‰NóSë>™ #qfÝ÷P ëÞ£ºu¿ÿc,8Ž™ÑYìA3‚³(f$è2ü1M'CZoªÌ­A«s:¬qÄ¡|Œíë?°š…Êø™¦ÕÛ7Qh R l¤Æêñ’
+w=k[üs§ý’¹›Î0<™ðñ±Jx!ùÌ°·¨3ŠL{[䘎43Lç"Çú¨ÓkQÝÁ6w»Iªí$¼ˆ©€/‹÷ ñ¦IΤªü¿Ç´xÀ´¾#áÌil¢“|Ã]ZG¥ |kñgŒžöûù|‹ œ%¤\üuN‘IoË|Sà"¤Ë|ë¡øæQÝLeE“>VY3=—â²€ƒð¢|š‘?$\À„ åP/I¸cÆqƱÀ¸ faÀÍÀÔ%Æyü«§ýþÆA‹áryô[Ô9E&½-3ŽK@sphoÔÍS=ä¸Ášlž ΑX”Ý‚¦Â‡[gÉ#õ@ú— £=F¢CÇñéXkp~!J=|ÙàI¯ŸO38\˜H/Oy ZÖbÒ×"Ç”Ì(,’¬:Ͳe7¡i…§Öu]&ë¦É§^M0­´\V EÍh0¤ZÄ4ž÷*|®Í2f›£¤ä ~MÁBz`ë¢_sø3VOûý ~-`QÈãåáoQç™ô¶Ì9(£Ïœú¨ÎyJ<¶I“®É;<×ÏÒI8ã„ñ ZÔŒ
+Ò)Á”F:|™`:gÉH¼£XÉÓ¬“’Å’l]"ƒŸ1zÒëgSN 1£¿8ø-êŒÓÞ–)'@™3±´Z œG¡D˜¦ä!©ÓÉ4dZ¡jQ°ÍH1_ª¢¡ä˜Yµ™JåÓI2¶¹ª¢\QÐiHí%Õ>8”ËU)—DHÝ”å^ÚŽUà“ÑÐŽÚüoàÓ9øM÷É®ÌóòeÐÃLª“C™ëQª³?šã —°ç¼S~N__\š¤ˆˆroøöŸÕ²S”Åf•¸Æ„þ`Ê’JvŒ
+6Д„E„â½Üüð¹-ˆß½-˜ä?y|U=4_ÍߥÓÞ¥}ýI
+=Çÿ¸â«šÊEâ.ØPb±Þ§û²z¥Ÿ4
+ÛõCž€ïnè§×ÔYf/ß"—FƒEjaeêå” Ñ(¶§õpH£&yvƒ4˜ÐÑhöƒ»¤jõ)É”n•U°áPÖ¸§N©)ÛQm²ÝfèÞ“œêûE­¶UæîÅ é Ó“¶ú!M ªƒ-ú3åˆò¤¤Zç°”»WÃ;i›"æ«å>Ë÷ÖÉþ{†x¡í©'Ý&?n=éNiH® }Õñ XPö—&E:Ó¥7 Ïé‡×AZõdÜ0o<“3èNG²n2ƒ<Œeˆ&|I¦ÇLeöB ñF >ùe6ÓæÓÜ» >}b
+k¯Ëcîä'xšp:QMQV{ÜŒ`•k[Iu~]‰H Ôx]eéö$ïyûõ(–ËÄï£N3¿Eõ¨ã;yxA9
+™ûÐú#nܨ¼G²ˆ‚ ýt^²•I‡Ÿ2I³¨»¡ïy“IÖ"lý3ÄÄq5ÚBeû.Æ[Fdï9Öm»/l_Ï´› î-˜~[;r¸7²û¤¹kûTâ§y ëCˆ(:ÃËj—e·ZÐÃõ‰,†Ô2^–îA3ÒÇY pZb(þ?W±°‘C¤d•eÖÐé K†¾ø³öÙüaG[é¹V!“zMP¨Àg%ng‡Ø¼|¤|Ì÷[y¬à€C¯ñ¨ÅÒÎ:Vn_A@¶qÊÚQ Z‘ÔÑèÝ–%œhnÿ{sǨèN“!½Ê…Šì±(Ýóª ö„Aû²+Û®6À!ؘÕqÓŒ? ã±Ê.£®‰¯œy„ó¦aƒ=Ç €Ã!-óáç/B¨™·œJêXôŸàºrµƒ˜ó[‘ŸÝ8Y1ó9
endobj
-1081 0 obj <<
+1362 0 obj <<
/Type /Page
-/Contents 1082 0 R
-/Resources 1080 0 R
+/Contents 1363 0 R
+/Resources 1361 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1067 0 R
-/Annots [ 1084 0 R 1085 0 R 1086 0 R 1087 0 R 1088 0 R 1089 0 R 1090 0 R 1091 0 R 1092 0 R 1093 0 R 1094 0 R ]
+/Parent 1332 0 R
+/Annots [ 1365 0 R 1366 0 R 1367 0 R 1368 0 R 1369 0 R 1370 0 R 1371 0 R ]
>> endobj
-1084 0 obj <<
+1365 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [259.4835 683.3704 328.1555 695.4301]
+/Rect [257.6971 603.0615 326.3691 615.1212]
/Subtype /Link
/A << /S /GoTo /D (boolean_options) >>
>> endobj
-1085 0 obj <<
+1366 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [310.7975 572.0651 379.4695 584.1248]
+/Subtype /Link
+/A << /S /GoTo /D (boolean_options) >>
+>> endobj
+1367 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [308.6055 541.0687 377.2775 553.1283]
+/Subtype /Link
+/A << /S /GoTo /D (boolean_options) >>
+>> endobj
+1368 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [294.1999 510.0723 362.8719 522.1319]
+/Subtype /Link
+/A << /S /GoTo /D (boolean_options) >>
+>> endobj
+1369 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [303.0862 479.0759 371.7582 491.1355]
+/Subtype /Link
+/A << /S /GoTo /D (boolean_options) >>
+>> endobj
+1370 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [332.9347 448.0795 401.6067 460.1391]
+/Subtype /Link
+/A << /S /GoTo /D (boolean_options) >>
+>> endobj
+1371 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [231.137 288.2283 299.809 300.288]
+/Subtype /Link
+/A << /S /GoTo /D (boolean_options) >>
+>> endobj
+1364 0 obj <<
+/D [1362 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1361 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F39 858 0 R /F48 880 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1374 0 obj <<
+/Length 2658
+/Filter /FlateDecode
+>>
+stream
+xÚµ[MsÜ6½ëWÌm¥*‹ï£ãÈ^¥6ή¬=esk(‹ñhF;3’¢üúm† Ȇ\‘Ëå|ì~ <Ý Åþ±…U„
+'ÆI¢(S‹ë»ºø×>œ°SP5Dýpuò÷÷Â,qšëÅÕÍÀ–%ÔZ¶¸Zýzúîoÿuu~yVqEO59«”¦§?\|ü±;㺟w¿||ñá?—oÏŒ<½ºøåcwúòüýùåùÇwçg³ŠÁý¼·0sÃû‹žw­—oþùíåÙoW?œ_ÅX†ñ2*| ÿ;ùõ7ºXAØ?P"œU‹'8 „9Çw'R ¢¤áÌúäÓÉ¿£ÁÁÕöÖ©þ“ÊÅ¥^T
+é¦{™ª ×*#Á–Ö:ö2gS½P¾—ß>ì6Ëõ8ZÆ,áMfŽ#j³xf\ΕK]¿]¯·Og•àêôp[wU}ÆNo–ëCwÜÓûÛ¾;ü/¥|ÝC7Ë»¾uØú_yú¹?Þ>Ö»]³ZÕ?æ†ùh~`»Ù'ÎåéŸÛM=åé©9Üög9—¾«@¿nŸ¤Ž#LÛÀˆ‡ÀàqN´rm?§T'ëß7ëÎBÚC†8Ámo uÓŠqy_oVõ
+ŒB ž´¿~°n®—Ÿ=W }ÑYŽ<“†h-Eoþn¹?Ô» ‚Çuc¹YMÙ‚P•‘=f¿^>Ö–¸"FˆàÐwìždOT/[í <ÔàÚ¢æµQ]œT‡Ýr³¿h™=­Í]]5›LìÆú¸%Î$¢&¨$Ci‹6åò©tÛ7Võþz×Üší¦;±½™èn°A¹´qäæ#Ñp$iLc´°–Hgytwq÷eÑ5.áG|!üÜnþõ1P?3M̘’TŠ0χˆ*É­ÅgsR…ZÁ­®0ÃQˆ
+jrÌšÕzZ…š0¥Î$¢&¨¤*d°`øarùk*ts*D4V¡ šZŽ¨¦åx4ªÂ_?·ûrJG´°‡ˆ*É­á*’ k®Â
+Qa@ÍÏÛ‡C&C+‰ÔJãT"j‚K*CG Ap)™ï$ÃaHc–`¦Ý¼#Êh•„ 1à Û}¹5\) D
+j~æ˜T!#Ú镈šà’ªPm̈ÌwZ’‡!gCG “ˆ%tšQIÔ¨{|!þÜî7ˆà >T ‘ÙBE¨ '‚‹pˆšaDy›í¡¹yÎ+ä”ÀýFÔ„ãDqЃ2uêùuwä?f¨3}q5'/˜
+“ŒP«mAa¢°€òï>­'·Q¨ôQ¿5á8­©%±ÖÙÔó…ïo#Ã> ´ìøµ $×–Œpfäí§e²ÙÚBÓ©Ó›í®;½¿¯¯AlÍæKw¼ì~ @¨:»¶/|Ìí©x;⯤¯—G— ð½o¾l–UW*3Iœ6TʼåðÐN¨µgÈ=Ãî÷ÇŸ>¿ëÚÞF˹¯Þ{èÓm݃áA{îZËÎXw°Þ.Wá¾›öÂö®;Z5û¯¾Ø¦,ô!œtýµmp
+U ’[ÃIµuº°3D!
+ (dȦ&Án»§@T&¶EÊ廊pzìöEiOP$Q—÷E©r»ß¸'¨ >U ’[CuÈÛS…M›!j^‡å=>ìëꥳ¡¿OCß¡d"j‚M"EŠ…².¥ó:ïH
+AeoI`iÚ³bô)“3Î%#bŒøBäv_.FH`µæ¤ªD$³†‹Q)(¯UáuÝ…ˆ1 Ž{¼sò“°vi¨“P÷5á?­@ ñ›o ×ܪžœ†L€ÅÍœ‰É3¨N¨H"Å&¿€/ÄœÛ}±Þü÷ T:‹w~D•ˆdÖp½qHša°
+z ½T6PSK¯òûxTá "j‚B"9Ÿ‚[fSßArÓK®G[1DuQ©E,¦º€/„Û}ù,Ç1\Y¼ÿ#ª@$·†ªŽ9È™P¸ê†¨yÕETûî´ÙT»úfWïoÛ—÷oºNð¯T§N·èÃî9dž“ùÃ
+ ·x5Ã8erBò4ˆV¶Ìõ²õD¶þÄÄB
+.•ßzÄÒ€/PÌí&ódf7ó$bÊ@e‚vVD˜äÖpiFŒã…Ýä!
+ÑX@µ÷Ý žêf·½«VÍ?€L¨Þ\×ùK ð$9ÔD(ˆšà“Ö0§Sžòy¼®ոʀÔÚ ŸaA
+*ý;Äa@h‘Ñã =Û}ñ›aÿé3ÓšãCQ"¹5\¢oaoyˆBÔPÞã×úFk°Ý=OåuŽS‰»¨ ÿã¼ÎQX毳ÈfaŒó:éC>>åÜë‚'‘¢y]/ÄœÛÑ[¾Pø]að®¨Ìª6ç?©f…­åh^kÔ.®ëCS¿õN•&ˆ¶Ö¢®#(÷èLZ¨”(Kœ¿Ò~£Æ*c„IÊæUÆ ¹öwécëÑx´c›/ÿÒÅJb(”cX—GPÄØþ5L}‚–>æ;‚oùzÐñº÷ÎU÷~<ß4Ý»zŒAåÒ’TFO8¼Ö|“‘Œ÷‹™ÿÆ ›ò»Wb+&¶=¶ù /f9äªÐõ„³ÈlM«-ìíBÎ#&Ëøßèð—ÿvêø‡eÒag_õPM,w&òÄÈò^a‰²ÜLPÿ?¡xdendstream
+endobj
+1373 0 obj <<
+/Type /Page
+/Contents 1374 0 R
+/Resources 1372 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1394 0 R
+/Annots [ 1376 0 R 1377 0 R 1378 0 R 1379 0 R 1380 0 R 1381 0 R 1382 0 R 1383 0 R 1384 0 R 1385 0 R 1386 0 R 1387 0 R 1388 0 R 1389 0 R 1390 0 R 1391 0 R 1392 0 R 1393 0 R ]
+>> endobj
+1376 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [387.5019 430.1364 456.1739 442.196]
+/Rect [387.5019 693.385 456.1739 705.4447]
/Subtype /Link
/A << /S /GoTo /D (zone_transfers) >>
>> endobj
-1086 0 obj <<
+1377 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [381.9629 399.8859 450.6349 411.9455]
+/Rect [381.9629 662.1643 450.6349 674.2239]
/Subtype /Link
/A << /S /GoTo /D (zone_transfers) >>
>> endobj
-1087 0 obj <<
+1378 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [398.5803 369.6354 467.2523 381.695]
+/Rect [398.5803 630.9435 467.2523 643.0031]
/Subtype /Link
/A << /S /GoTo /D (zone_transfers) >>
>> endobj
-1088 0 obj <<
+1379 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [393.0412 339.3849 461.7132 351.4445]
+/Rect [393.0412 599.7227 461.7132 611.7823]
/Subtype /Link
/A << /S /GoTo /D (zone_transfers) >>
>> endobj
-1089 0 obj <<
+1380 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [255.0796 309.1343 323.7516 321.194]
+/Rect [255.0796 568.5019 323.7516 580.5616]
/Subtype /Link
/A << /S /GoTo /D (boolean_options) >>
>> endobj
-1090 0 obj <<
+1381 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [381.2254 182.5173 454.8788 194.5769]
+/Rect [381.2254 438.9741 454.8788 451.0337]
/Subtype /Link
/A << /S /GoTo /D (tuning) >>
>> endobj
-1091 0 obj <<
+1382 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [335.4973 152.2668 404.1693 164.3264]
+/Rect [335.4973 407.7533 404.1693 419.8129]
/Subtype /Link
/A << /S /GoTo /D (zone_transfers) >>
>> endobj
-1092 0 obj <<
+1383 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [363.1733 122.0163 431.8453 134.0759]
+/Rect [363.1733 376.5325 431.8453 388.5921]
/Subtype /Link
/A << /S /GoTo /D (zone_transfers) >>
>> endobj
-1093 0 obj <<
+1384 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [365.365 91.7658 434.037 103.8254]
+/Rect [365.365 345.3117 434.037 357.3714]
/Subtype /Link
/A << /S /GoTo /D (zone_transfers) >>
>> endobj
-1094 0 obj <<
+1385 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [393.041 61.5153 461.713 73.5749]
+/Rect [393.041 314.0909 461.713 326.1506]
/Subtype /Link
/A << /S /GoTo /D (zone_transfers) >>
>> endobj
-1083 0 obj <<
-/D [1081 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1080 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F58 627 0 R /F42 597 0 R /F57 624 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1097 0 obj <<
-/Length 3167
-/Filter /FlateDecode
->>
-stream
-xÚµZ[“Û¶~ß_¡GíŒÅâFlŸœdíºmœt½™N'ÉMQ»¬%j#R»V¦?¾çà
-fÝmFª idGžÈH2!úâ|(
-rCóàë¢ÎåcSî+šØoP°n©Ž˜PDxRCI8”›Ä=\VCÅ¥Ž£Dʸ§8-î4¸í˜ Ð_0Á˜/™ o•ÅàI¤‡")%"Éå¼+<Ñ1F¼PŠh2øÌ#±C5ƒDO…;Vû¦ÜœÎaƒƒ/íî‰&vïù[ð(MµìoÿeÈKxFJ öN Š¹Ôg¡&R ì¤é):µ@Aç1ßCMÆi¤™”ó¶—LƒQ¹F‘"ct:Ä€bjdÚÕS2‚ˆd‘‰Õ¢Ëz G4!@"2ŽŒŒe_‚ÿDœƒí5èóó(üŠ‘jzºÎ%$OAí1ß—£ÄèHêTΛ?P]dÄm6'%P™ŒÍÌu¨f0ç©pÇ]Y­ÅæPÔ«¦Ü¯È»ìóä´¥n§1­Ÿ™-œË5¯B šÐ¡g¶$‰b£u_ [ž:Øâ [œCLÁ–<á¦'Ø ÄýÇ|{CaÄx<r·‘À*?ïoOuA’1·yŒ JéKëPÍ`ÌSÙðþ¼¡esØïVërƒ7дU^Ôã dՠǬ8jBž^š‹!3ÅqÒèëô`ÕÈO-Χ<h¹b}ÅçRž§¿`‚1ßs)B+Çl9ç‹@uA1·Y8Æ) 7N/”Ù.Õy8*ÜñSqoÀ
-ð˜„M$2–xoßü)ècËïNU¶+sþ§ÇuÖ8Ÿý¸ß–y9YNðVQª¸²ÝÛ•Ø·?p©ûCSã]¼lž÷4mÁ•UÖ”OMìŠæa¿®é a¯÷‡¬jÊk¾¬îi"ß–EÕ8*‚ åýCãæö´ÑcqØì;š\½àæhõª»ä j†ºÀÑ+c2äïûÊ7—ù¾ú…1q´¥¶XÓìÇS‹í±Í9×'Ìc8Ûn÷Ï+ÚýÌ•)_—³j=Å1gC6q/_,«Õ#úf2÷ÆPÂxo#ΩCZÔÖ§b{ºæœnÀ›³L
-Àƒê’JA'‚»i áÀ*ãêg+rÄù6;Öà=8Í.Ÿ÷‡O5 ­GqPg;¿šh9o¸&ËGRâ©ÜÝÊSq¨AGw‡Â+"2¢á»†®VŽì PÑЃ˚Á@˜Ø“@!‰¼ve]‡H·8‚ë±4YuêZ;ßÛë:$½>Qe5ÆQY 2&â0
-
-,_V…£† j,Í~KŒ÷àAZz~ȵáŠüKò$.ÆxßCV‚brù /ë™ÅÊY]GÌò¸µ\aÙ*
-³%
-Z¬mœ$ äž"è´E–?ôx¸é¼u .»áÖ×EUn®ÅŽ›Øx*ðsÿ±`É섀A&&ôµüXÐ=Ùlí&O4IÌqp …Žƒ`¶›²)ÁvÍ—ï6DF0Š6‹†-ˆ‚Øüv,ê†A°:»w«¥².ïÉó0þ…ŬA÷ô¢šTÖ.I•‡|{\“õXÇÒ<t¹ûðî­‹*·
-ˆË”tYÓ˜R ª=]7ǃ«ðD§ä#m[úRil”HlÓ
-žÍIñîSÖ¢IÀÛ7†Ä{BpÙ¶º[`R1üˆêÞkyIÇÅ@ÁPißµ1
-meèßB2ŸTLòжŠac”¹$­èò”m!oLµ>†GR†·U6ÕwÂ~ ÀED¯&ب(5ာµÊè"t§F\bå÷rˆ\O…ŠŽŒ`:proaÖ,¸EOZÛÍE%G¯ö9¿ÀŸ—<Ò2Õ/ù9›T&ÒL~Îö¿=åÁ~щzVzŽ/7ôOôY­‚R0Bs¦*¼î?(0 vîRs>Í00½‡o>gy³²Íq ;|œcx'†¹®WBÒÀ›Ð~à õgR»SNù͇ÅçcQÚWÌáÞºd D‘gÛþë¾Ð³`"p/¦/¦rD{Œ?<IÔ~Òè6B½/£±ŽPuýðe¾EIgõ5áb KšF
-ßš_J }ÀøS^·ˆÀM§å¾_‡‘óo]y‹
-endobj
-1096 0 obj <<
-/Type /Page
-/Contents 1097 0 R
-/Resources 1095 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1067 0 R
-/Annots [ 1099 0 R 1100 0 R 1101 0 R 1102 0 R 1103 0 R 1104 0 R 1105 0 R ]
->> endobj
-1099 0 obj <<
+1386 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [374.6372 737.8938 443.3092 749.9535]
+/Rect [402.9837 282.8702 471.6557 294.9298]
/Subtype /Link
/A << /S /GoTo /D (zone_transfers) >>
>> endobj
-1100 0 obj <<
+1387 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [292.0276 708.0059 360.6996 720.0656]
+/Rect [320.374 251.6494 389.046 263.709]
/Subtype /Link
/A << /S /GoTo /D (zone_transfers) >>
>> endobj
-1101 0 obj <<
+1388 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [319.7036 678.118 388.3756 690.1776]
+/Rect [348.05 220.4286 416.722 232.4882]
/Subtype /Link
/A << /S /GoTo /D (zone_transfers) >>
>> endobj
-1102 0 obj <<
+1389 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [460.1655 648.2301 533.2211 660.2897]
+/Rect [488.512 189.2078 561.5676 201.2675]
/Subtype /Link
/A << /S /GoTo /D (tuning) >>
>> endobj
-1103 0 obj <<
+1390 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [362.144 618.3422 430.816 630.4018]
+/Rect [390.4905 157.987 459.1625 170.0467]
/Subtype /Link
/A << /S /GoTo /D (boolean_options) >>
>> endobj
-1104 0 obj <<
+1391 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [293.1435 588.4542 354.3435 600.5139]
+/Rect [321.49 126.7663 382.69 138.8259]
/Subtype /Link
/A << /S /GoTo /D (options) >>
>> endobj
-1105 0 obj <<
+1392 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [288.6803 558.5663 357.3523 570.626]
+/Rect [317.0267 95.5455 385.6987 107.6051]
/Subtype /Link
/A << /S /GoTo /D (boolean_options) >>
>> endobj
-1098 0 obj <<
-/D [1096 0 R /XYZ 56.6929 794.5015 null]
+1393 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [356.8967 64.3247 430.5501 76.3843]
+/Subtype /Link
+/A << /S /GoTo /D (tuning) >>
>> endobj
-458 0 obj <<
-/D [1096 0 R /XYZ 56.6929 544.3772 null]
+1375 0 obj <<
+/D [1373 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-774 0 obj <<
-/D [1096 0 R /XYZ 56.6929 519.5953 null]
+1372 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F39 858 0 R /F48 880 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
-1106 0 obj <<
-/D [1096 0 R /XYZ 56.6929 144.0934 null]
+1397 0 obj <<
+/Length 3410
+/Filter /FlateDecode
+>>
+stream
+xÚÅZÝsÛ¸÷_áGºc¡ø"¶O¾œ“ºí9WÇ7›»{ %Úf#‘ŠHÅñMÿøîb”(Û¹x¦“‰.€°øí qÌáŸ8N 3¹Ì³\³”‹ôx¾:âÇwÐöîHø>³Ði6ìõÝõџߪì8g¹‘æøúvÀË2n­8¾^ü’&Ù pàÉ›÷—o/Þýtuv’éäúâýåÉL¦<y{ñÏsª½»:ûᇳ«“™°©HÞüíìÇëó+j2žÇw—ß%§â
+D+U~ØŠö뙡öÔå $_Õ¥ï JÕ¹>Í’7p‚Ôôp_tTëÕù{–tB`¸8ãr+(xàR%g(À4iKd–j/u 'b“íÒq…f·Q ¢>T¸ÐráôÄÀ2Àö”qз,æ÷#ž\Áim¨! ËM¸¡öEYW¥§õØñ„ÛÐ Îy<,ÊpÂ:!`M }V'7%}“ÌžøHDbŽ• 5 ¨,±«:X%ȬyrqK݆У·¢q
+êAl>m˶£FXX[ÜùÖÊ/²­îèä¡þ+Oy‡G<Ú9õªõFªê‚>Ì—ÛI$ ÊCÅõ‡‹w^«|p
+Ä”"ýtG˼
+úì}{Ñ‘Ab¹!Ë´¡OÚ¶=t2RsÆÅ‹¡0fzí¤ÈâʉPY8C+Ç
+2ØÊ<ËøÔ2ÉÅWD YžåëÊdÀC¦’òK8o‰NÚä¨Øù–h}zcðס5Á ÅR󒺋…ßWK*?GÝtORcËåO4hY~.P“N²ò¦#”÷ÍÃÈ~ ,9ª²sUU}û²i>¶!‘©|'ôÍ™µ¤ähpNfÂhç
+y“ ¤9íeAu²kP©*o·ï8`ÄÀÿcßÞæàAhi\Ô^ŽðAöÃv Ä´{®æf”bÂÇÑH—ƒd!±Cdç–.¶ØÉlj:2‰íYl·‘gb1>° Ã…¶p©\ŽN~)>7Ù=£è)ý8¨õ+zReçTGp*öí™ùE „÷D˜%`sy‘Ô©˜ÃP
+ú|¨–‹yƒv/{T Á“KH.‹¥ÏœNi\G–—1>•Ñ$·;M>zÌ?Š^&$ý±t)Qž@¨¾ :\BÎS(•Êc¤†õA¤†ø ;wíÚ
+*®ÿqþ3ÕÊ/óû¢¾óC¶ãà› &®écgPÎiŽ8¥gÛÞ1uv -}Gp·À¤ôÐJâ—Ëé4ï›Glõ­Þú°æ8†rK¨í»gf#Áë¸mM‰Ÿcµ…^0vNŽr0A¾ £“pR¨>ÆH‡6>ŒÛ4$Ðq¥ûÎ@CUg!:êu
+
+›„wÈÐÔnoþSÎ=ÑE,P~ùZwYaÈ°.êÖ…œäÇ5ìDɸ°EF&„H\—D®Kªë5yéÕZm—]µ½G¹ŒÒi $
+‹c¹Œ7$Oˆ4åLK+öDêfvY,ÓÙ‚"xINO&Ñ'ÊäÓ– d‘,¡2ûe²hV8®_Œf*v?Ù{ú
+`´3‘CŒƒ¹hÌ'7¦DŒûa”Tx#m¨ø\,ÁnLÅAV0¥âÕ•3uû3að†—¢Ôét‚f¹D
+ü9VFB0þ‚[k¥-Ëx¶skýÇF……`ë!rp4Ž/_ #ƬfqS3$A™íòQB2m³c…ˆÒyú~3Ž¶"€îüK1ïf.¾Á ,k¹Â«ê9Zc¹Ï:°%Ú1üˆ~PȨ2Ÿ!)L¾ëoÊÊ]Ç+ÆÅ8¥!Û5/–ãëÈF¡mòç;—SfQ0Ù_3ÒgÃ4ß±ˆ{èÒiÆ´ÈAƒsø¶³E)9×,¨ÝkÂEh&óL?̵T.Ÿ5TcÌ„DtèÚàc$‹E@͈â‚@$mA…[Ñl
+E«"Ä×ÍíéøÆl@§ß€ a-ãZ¦¯Š ÁѼ‚TʬIÓ¯`FDÌ,ž?ƒ ž2üÅÁþi@“ê
+ËÕâ9mÍX
+n×Ï+C¹
+–1¬SxÙÑ…uX‡uH„u3•g1-œÇÉ!ú»”A”0°‡zh¡ÅÛC-Cì,=ø±§?#ø‡=¤õÕô[D/•·™qánz‡[=ŒÇáAxz<ZÅŒ5ò+X†ñ(r ®-͞ƣ q£ÔSQΔ1Aôç)rÓŸ'¶ÐybÍÉÛé´äωñ<‘>âàÍËîaö¶HIzÔÁrÚ™œC{IŒY‰ÎÕ®=š¥JÐ<
+)Ì~¦C—>`Õ’`4VMÛRo÷14‚îܽÀ>ÑV¸W¤ùÜ]âóÛ¡ç4è€WÔhûlxy<Å×0‡åpK¨Â56Vˆ-ô¦û‘a“? «¼‡&®¼¯W&æ¶P½ñ¤íhNS½€Èý„dÜÆŸ<Õ¢öYaÊMˆ<T_Ð)ªýóÎ ³ÜàA‚­QFÿiòÈÓœñTã«:'µ 7çáEͽ*UíÇþ宿 Áî¼hËÆyhñ¾ÍŠî†š¯š™°§V¥Ï„šÂ¦²L>“8Nšfô²á¯­ Þ®ªe±!"€}â<ñ}-&؇²^ßrìGùe^®;š £Ç{àƒc?us;1d(þ?f.âSl±l›ñ£¬w+O ep¯›”¼.R´ÓMÅ3Hü]cŸ»˜‚ŠâðŒûP
+Êü˜†
+Dúi¼•< •öºÇÓAkôÄè&€ÆµLf&ðWgYªvnc5¦{¯÷Ïep¯”þ'}ÿÛa‘Ê@Fò2eøè·…{¿1t±®Uîå5Å×ë‹c‡âcþ@‚uwÒ¾ˆú¹ì­w{úTúh,¨¥_Ÿ=úW'º‘ ÏK·£ÇÞp# ÕO[H
+†¯O>‘¿Çò¿ˆsƒ»·,×äÞܯcÀAºçE•ÅG- õω@‡d:Ù¹9Çe â«‘DÒر¿€†aš¬·¸@¾ºúpñî”è—N‰øáý™'ùßgh;Èv}’óÄq›|Ÿ| WþNa÷¡î汿8õ×îw:ñŠâW)õÙåÏXx¸y ì= Š€ Ñ? Š~{З}.H*ú–z k(éwc´Þ?Ê…äK+%¦~C ÿýÞ¿ù»ýÏ™!9PÖÊiEñ
+¥âªPè™Þ[{ømïÄâÿ’:eendstream
+endobj
+1396 0 obj <<
+/Type /Page
+/Contents 1397 0 R
+/Resources 1395 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1394 0 R
>> endobj
-1107 0 obj <<
-/D [1096 0 R /XYZ 56.6929 132.1382 null]
+1398 0 obj <<
+/D [1396 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1095 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R /F77 703 0 R >>
+466 0 obj <<
+/D [1396 0 R /XYZ 56.6929 769.5949 null]
+>> endobj
+1045 0 obj <<
+/D [1396 0 R /XYZ 56.6929 749.9737 null]
+>> endobj
+1399 0 obj <<
+/D [1396 0 R /XYZ 56.6929 374.4718 null]
+>> endobj
+1400 0 obj <<
+/D [1396 0 R /XYZ 56.6929 362.5166 null]
+>> endobj
+1395 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F39 858 0 R /F53 957 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1110 0 obj <<
-/Length 3017
+1403 0 obj <<
+/Length 2993
/Filter /FlateDecode
>>
stream
-xÚÍÛvÛ6òÝ_¡GzâNpßÜÄIÝÓãteõì¥í%Á·’¨ŠTÜì×ï  )Y²ÒMzºÉI ·¹Ï@bÄá¯9ø*ô(/43\˜ÑluÁGïaìí…ˆ8× ézˆõõäâ«7VŽ
-VXiG“ÇÁZŽqçÄh2ÿ1{õÍÍ÷“Ûñåµ4<³ìòÚXž}}wÿš }^½»s÷ö‡ñÍe®³ÉÝ»{oßÜŽoï_Ý^^ ¥„T\â_ïîo éÍÝw·—?O¾½¸tG^Kp…çýõâÇŸùh·ûö‚3U83z‚g¢(ähu¡bF+• Ë‹‡‹¿u FÃÔcdÒ\0!][É”ڜܖ¶à°ml*Ãœ5æ`W¸uδɑôJ2¡ŒêHoòé…VÌ)eF¹)˜URÚ?UËù¬ÜΑ:_½Ñj0!ç¬
-€ˆ“…'œ|¸¨„ój‘Gœu¹òG’93¹‰8?q.ýr~y­¬Ëª†¾Ínúo?k±“gmMÀ×÷Ôˆg¼.‹óüo›rÝTõú
-úEž•ëp oÎ
-as Š`…12lÙ.Â>ZfÛK—í–;*[•íláãÈÓ¯©Õ.<5ÂmæÔWë÷Ümæeëçû’.˜e8ßßÿC¹¬æ$ˆÝÁ©[?Ò7ì‰áUÙ¡ÄjÙefÈèÏ¥S ˆ ÀŠYgÅïX’fÈÓòhaq­ yN¥Âk¹@«Æ/?A‘Þß1T¶g(ŽC±ˆ‹ãÄ.E†"°c(Â÷VhIâ¹9«×­_·Èp©ñÛU[0):õ¨æ0¯j?¹ŸŒëBíëš1%OhHºvZÕ<¡Šgšç­âù«÷ë:ˆ›Ÿ_‘
- °‡WÞ»õt´ÓdÍ¢Þ‘ú #~uT$…€VÙÐ÷8]„æÌg>‰0ÏpHktO˜=¹Ò˜ó<]ú„<]K†XØtKÑ‘±ý¸ J-²d5VuÓd×øÇÝrßbˆ¬\.ë§h!§3õ:®ô‹ÿHß“©hHœ&ãçTK0o`]q+âQÄYÄ- Ø‹@îáPäŒõk‘NB*›µ—"«©9 Ý`AS€øŠÛR)„¿ÎÝ'0¬ˆMšñD26„}âžÍÆϪÀò0„ê9¿ Ë·ÈH–k¥Ãz9Êrð{Üh0L‚“Z†#®“ FvckV6þ´íµÏ3”½íí†sÎÉy~üo³ÒAX)F(’`/‘˳xÏœ,ÀÅZQ°\‚ÝNæ}Ü)¼²ñ@ˆEúu‰ ÓÓº¹êàêÀKyÆÎY‘Õ¡ÃEW;Ô]lizü@Pæe„üº/Ý 
-Û Z×ùlÇXçC44VF”zî‘7ÙÝã"Z öèoiÁÀ#žLОH´ZƒiX•IÞ¥LfƒùÇÆ4b£ýûx)„ÈØ1A›,bØK›C#l®Å±Í5nêEÄ>YÄ0BŸM¹m«Ùu2ôS"žbvpõjS7i´ãafÙF\BL±€’“ãqÔ2¿%ÿ@$,¢ðBƒØFš*x¢uA‡€ïºŽ€Ò¬ÀLðPD~‘¼Ÿ ‹léå·Ž Gp£¤ ¥‚ÑmsEù\¢ðr
-bv©÷Îô¼6™°ÎœDÃ`¦ÅþI¢ÓÙÛVpñÜ|*):üsx¶îIRèÃ3ž3…ùÄ‹¤è°Îœäùjx’˜)h€AøéöS…IrMÁB­©’4 tÊa¼“ÌdçXqYtc=¼bW€“®À\åOK,ºùéÉršq²ª(óœÁ¿骊Òqæ,$³Á?­“NÇ*‡K…Ác©^¬ÅöU—½˜b_*R½à±Þ­_(ÖÏûy4è R±âÅ7‹gK¦§ÉjS6?GUHÇ î¨tB•2«±Ü·&W!„ÍÄ2£°×Ó
-½šTXßùT--#°Ï$›¾Fb®«±ª4”œÜuP3§Èí¹CÕÙOk^àUO„Ï£kÏ*ƒQå¿gÉ4ã4«¸aFÛ³ !Ø,\Ìl&ßaÑ´ˆr¬8ÄóÕÊ_·õõ²
-!8aO‘>lj$&FÐê«È<F[
-ôÃÆ …Ãî¢~ÂÏ–u„lˆQi‘´îšÇËaÛyŠ7ë¡É©Ré*Ö܇1ɼjÒC‘I¢²òyò÷‡ZH¬˜UöŒD‹"g"ÏÉúÌ–&€L+­Éü(He×Éö¨íQ½íQ*Ù@8ȱ”
-r Š»ë¶žÕKB},W(o'…8ÕU ½nËu2;.}¸ìiŽ Hñ¥l!è/Ê0“³\š³Ë“6'4~Mo÷øß –ÒÓ‘æöHj¨¹Á‡T1Ï©"Â(Y¤YHaü¶‹Á¡µCÁ` ë$©6rÂm¬<ZÅô€Fe•.§IÜ ÌåKqïÿæu g<ßÿ]à ¯Bq&µ³/¿à{‘æ 4~¬»µa½†Þ~ìp<²K mª_¾(f¤HI)¯ò`ïOGÑhsŒtbý¨/ª¥–úŒö:8˜Ó2U«@-U`$ø=z›9ŸGÝ¥jŠ ¯<ƒ_R¨ìîž
-4¾`öc“îlòc5$ÒªøöO $çUjiXÊ8K<çì ¯¢ý±>連szT„M™3ZËÏùè,e?õG[ý× ìQÎÉÕ—d×@‚p­P6ÏŠ Ê1ãd‡58ú¹ÁcLendstream
-endobj
-1109 0 obj <<
+xÚÍksÛFî»…>Ò3»O>î›ËMz9''«ss×öE­-N)R'RvÒ_Àb—"e=Ò‹3M<‚Xì.¯@ñƒ?>JtÈdªFqªB͸å« 6z€±/¸£{¢qŸêõìâ‡Ò0D4šÝ÷ÖJB–$|4[ü¼y{õq6™^Ž…fA^ŽuÄ‚×ïn¯ “Òã͇ۛw?þ<½ºŒU0{÷á–ÐÓÉÍd:¹}3¹s©´€¤[â?n'Dtóîýäò·ÙO“YÇrÿXœIä÷¿¿üÆF 8ÝO,”i¢GOðÂBž¦b´ºPZ†ZIé1åÅÝÅ?»{£vê!1i™„:ñ9 yHN: # C(§íz‘µfñ+ÓN(YÜÖ­ª4h—Y‹P<-MEPVÑXÖ¶fµvÃECÏU¶0µ5‘-LiZ‡ËÊ’€Í%O“×ö¹hÜ‚MSçòâ¶,Ú¥›G*[™Wž1ãWJ‚miü´0*$3æ<Lµö˜ùÒä¿Û¥As÷°³L–/ô©hÚ¢z ·!ƒ„k?¯MˆKƒTùˆ«PªH Xa'ÅBÉÄî¦VØJ]g*EivS=[vªdaónjÈÝäÙeÊز¡ê{g™¦©·›Üø7àqáH²Êqú/Rò\ÓóçÆM˜-ÍÊ1Ò· àC¨0U\Y>fKT¨ÔIИ¼-ê
+Ä.“((IÀ¦üŒÃi0¯7S?¡hqÂ=½¯h|zó†Ðà Ê-²0M¾)æÆí`U‰´y]å
+±x\DfôJ§Æ•sG=íi)À~ÙtŠVì&‚0˜ù´.³¢Â½¹pV-¹t†€¸Âm³
+ö€0͇œ¸Kg°­Ôp¿3ý¥¢èèÏ1ðlÝ£¢Pû<i‡®›Ó¢è¨Îpò|5ä„‚âXN¤ÞŒy¦pî‚#²h#TQ~/ËÉúÉŽ“ÝÅÒKÊÜ5ö·ý#r‡JÇj¤’$LáíK2q©’0fñ^&þÿÍòŒô|ó(4ÁZôqi¸Ô¸;ÔXÅP$G4±”Ï xðü©ò>MS$ÛtªðWpo 'Œ–»D¡Ë)¦®°*ŸQo+JÆGA–Üç÷ëd€Ò†ë JHP,SbIš!OˆŠ-¦qN¬Ô[)ÅZÈÐ/Ç‘Štp…ÂK£ÀT9d"hŸ©x4ž- <fåÖè¢1Ø íSò4vi¤±^Ñ"•Œ­‹%’¬kp™í»Í°ž9¡§ž
+Ÿ5¥ Fº€4›½Eé”9“AžÅÊŒá¶äÁ¸,Ò
+;öÂŽ5˜zHªŠeõU.푽Já4¨²òëtHWÒ]ÙÛª°!PRŽŠO¨¼êja/~åk;@Žl½)VÙ¦ÀB _·6ÍChî0ƒ$ˆP¶Ü9úÀQqRă²iC %†pã:yÊŠ^ ‡¯Ëú ”µM„"›£Ò"~ÝŠ€ùáâ·]ø|ã¾î‡œÂ¥-Ͳޖ‹aN²(š<sùé)«î™Ë×™à7>2áSÄç¢L£0qá'/¡L
+û ‘rÅb"Õ†€]dm¾ÙÞŽ’ªE‚mM–pלp²U<é2A%¾9r05õÊ`dt7»51ê«tE…­âNh¯'–—ÒÞ®ýùWdq<JCТ+ŠCû°Ï2gÉÀCE
+åŒ`à;§û±ÅŸÆ|˜ß×eY?u-É^oó‡5h#Ë pÞe$‡/ a-¸vTÞ+!& ŸÒ5ÇÓhAG*þ¦Ñß â
+tLAÅÁ ÿPC@†§}Ç*ŠUd;WBÂÝ×´e‹…s_ÛQið®¢òK
+µmWðB®â$ú9Çè ;gå—$Ñ ùõ{©Zô• ~ù’~Æqù í¿PŸPꤔm\Ä"¶\xÜgÉxsdU?]ãƒÎvÃ÷ "{?¹»f{CxÛ|ÚÝ@®óÍñKÔ MÕ¢pEk©jacöIŸ„o jѯs¥æ;
+Ç[KoôU¢·À€{D ÷íáFªkdöO¢$!`…OWIÛfåäÓÚ@žZV:Tß6UD¶ O²M
+þLâ€ÚIü„µíG©Õq-ôÎ÷GXž¤!Üç",œ²å"ìG(µ–<¸:6Ø?aÊ¢k"ïË}…¡:?ˆ%'ÄÜçÿ¥ñ7èåñ8ðœ˜!ÍK"
+Äo&ÓK¨çg¶|`ÁÛºì¾ûÂø¡h}ˆÍͦu^ZsæŠi{á
+üYÁqáö¸þŽ;z\KLÜÏÉ6²MbjN¿¹½úǤ)Èà†Õ1”l][w]¹2à]Ë4vÝ:ÀØÀŽ}¡²ÈlxIÔ@ì@R84è£ÙÜél­wÀ—mØÅ/Ù°ãLCÆÏe\AEÄ$Eôk§ r›šu™åÔ¡ˆƒ¬”Z¡ñ®m °Ó@»®ê‚îÇ$
+ÝaÍ#ô@K<uîÁS¿6Y„ÏŒ(¼ehÇz
+D"R`7Kw
+Dx4* ”ú5šë åëä¬ c¡êð«oú®ÌFgSÕ/ýmäî÷¡àô29öÝ®kÇÁ=Šk¡ðbý죸ÿ¥£ê±þ?+–ý`endstream
+endobj
+1402 0 obj <<
/Type /Page
-/Contents 1110 0 R
-/Resources 1108 0 R
+/Contents 1403 0 R
+/Resources 1401 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1067 0 R
-/Annots [ 1114 0 R 1115 0 R ]
+/Parent 1394 0 R
+/Annots [ 1407 0 R 1408 0 R ]
>> endobj
-1114 0 obj <<
+1407 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [341.1654 318.5226 414.8187 330.5822]
+/Rect [341.1654 518.2039 414.8187 530.2635]
/Subtype /Link
/A << /S /GoTo /D (the_sortlist_statement) >>
>> endobj
-1115 0 obj <<
+1408 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [434.6742 318.5226 508.3275 330.5822]
+/Rect [434.6742 518.2039 508.3275 530.2635]
/Subtype /Link
/A << /S /GoTo /D (rrset_ordering) >>
>> endobj
-1111 0 obj <<
-/D [1109 0 R /XYZ 85.0394 794.5015 null]
+1404 0 obj <<
+/D [1402 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-462 0 obj <<
-/D [1109 0 R /XYZ 85.0394 528.8329 null]
+470 0 obj <<
+/D [1402 0 R /XYZ 85.0394 728.5142 null]
>> endobj
-1112 0 obj <<
-/D [1109 0 R /XYZ 85.0394 496.7273 null]
+1405 0 obj <<
+/D [1402 0 R /XYZ 85.0394 696.4086 null]
>> endobj
-466 0 obj <<
-/D [1109 0 R /XYZ 85.0394 496.7273 null]
+474 0 obj <<
+/D [1402 0 R /XYZ 85.0394 696.4086 null]
>> endobj
-643 0 obj <<
-/D [1109 0 R /XYZ 85.0394 466.8716 null]
+894 0 obj <<
+/D [1402 0 R /XYZ 85.0394 666.5529 null]
>> endobj
-470 0 obj <<
-/D [1109 0 R /XYZ 85.0394 410.2137 null]
+478 0 obj <<
+/D [1402 0 R /XYZ 85.0394 609.895 null]
>> endobj
-1113 0 obj <<
-/D [1109 0 R /XYZ 85.0394 387.9025 null]
+1406 0 obj <<
+/D [1402 0 R /XYZ 85.0394 587.5837 null]
>> endobj
-1116 0 obj <<
-/D [1109 0 R /XYZ 85.0394 301.5861 null]
+1409 0 obj <<
+/D [1402 0 R /XYZ 85.0394 501.2674 null]
>> endobj
-1117 0 obj <<
-/D [1109 0 R /XYZ 85.0394 289.631 null]
+1410 0 obj <<
+/D [1402 0 R /XYZ 85.0394 489.3122 null]
>> endobj
-1118 0 obj <<
-/D [1109 0 R /XYZ 85.0394 109.5064 null]
+1411 0 obj <<
+/D [1402 0 R /XYZ 85.0394 309.1877 null]
>> endobj
-1119 0 obj <<
-/D [1109 0 R /XYZ 85.0394 97.5513 null]
+1412 0 obj <<
+/D [1402 0 R /XYZ 85.0394 297.2325 null]
>> endobj
-1108 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R /F77 703 0 R /F42 597 0 R /F56 618 0 R >>
+1401 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F21 654 0 R /F47 874 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1122 0 obj <<
-/Length 2987
+1415 0 obj <<
+/Length 2737
/Filter /FlateDecode
>>
stream
-xÚÍ[_sÛ8ϧð£2ÓpÅÿä½eÓ¤›Ým’³½w½ÛÝÅVM]Ëg)I{Ÿþ
-d—£€­#¿/¬G¯]΋I2t)Ž ¼ Œ ^úÙ¬ÈBdôfCìð¨ˆCРwºXŸîÐCkûr%Ê2'Ró>IoØ=pÁ´“}F®ƒÕ’?õ J†ùb–M‚¼Mj°Ò  §å—,ˆè¨ ªE>!µM‰ñXÔwDÚjŒô[o
-÷[u²û¬:IÃké>;‡”Ø[K¸ø4(@ÆtP§.øl`NOˆÆƒ$zÐÄäžb Ö~hô´ÀJ+=¯ï²šøÃaE¡h|Øu|U>ÎQ½
-SÒ»Šù&r2j°²›O¬FA|E×ö€…äOËø•²&"ÿZTõö÷ž Fÿ-çáŒËPªŒÄzmØ{ kCj8¤¶þ¶!óŠõaÚ*cæG ŠèáÓÔ†I=WõZ°Ö¾ vçm³ØWUé;¸)- SÕãF¤–Œkä(«ù´‘> *cWq.tÂá§i•@Ñ9àQ,±CõÑD
-Ï„2dÎW˜ò}Æ=Q>
-Ьˆ8 ‚ón ®¯@pWü;œ¨1z«€¶jžÎ>¹Šà¬[9Ü­ù*+i‰ÿ _Á¢T
- é±HÀ¢ŒÎ?@,tÞ‡tþ!TUÜγ:Â5dP*o`[NÊ9"©
-{.Ü!
-Q8+&T5 bö7k¸;t|éX'tiKá ÇEYO{‹œå)¿]#î–úÉ™»nÎÜMRÕ¬ NÙ)…†°êƃUÂÏ9I¾Û:W§¬yÍñMk¥o8r'`¤íq±0‚Yé©Z7jüá¤Q›Q‚˜³kð¸HBÏfÄü<Gǘ+ç†üX¨ènÇx D‡ú;EÿÏ_F¸E_ºs¬ë8Jn‹à ×­¹M+
-Õ£)+!!Ð2«‘Âò¯5‰bó|¿z)šè´ô83ýÆoüpe
-endobj
-1121 0 obj <<
+xÚíZKs¹¾ëWð8ª²°x?’“W–¼Ú‡¤ÜÄÉîFäHšZšär†–_Ÿn4†Ò"G^щ)U
+X*¼Ì.ÆÅ´^óT¸ÄS N¯&"Ÿ"ß„ÏPØ°¬"'Šœ„/9UïgU l—!doŠj´(ošŽå”:öÏO‘ã° bÕIÃ3\lÔìHk§ÏãÞ¶@ôAÂ=“ÒtȦqÖú¸í‹Áð†—õ‹ùâØTT –µ>H™Ín±TMWhÉÇãÔ³**à¹ÒggçÅ¢|c'MÛ›âd7Ç×2sˆ2B2Š„^í‘Çz£‡ˆß[ó%S6#vŠÃ:É” ò°!0o¬ŽLùáìŸÀc#ÁwÔ³Ädð%Ê šc1_ÞLÊÑ¿ŸÒ·ªšÊ¼Fnbý¡¬ï7F½¹1Íß1D˜ìçªéÌDJd°³EyWN££yg§¥
+-o>ÉGQŠÐM’ºÅHš¼5ô¦¬^aÝg7Ë:þ*ßÒŠºœ$gšL(ÚRƒ‹·¿rÃ9üÉɶ­}S“’§†€bˆ"o‚MA‰ÝÚÕ–Ûót᫺_ “k =÷«—…yôêõîøÄ
+%¶}/˜?ºQãI§(>Žîóé]± êí,õ}Y•
+‡&¥RJo
+ÃïÐ,’ôÊÔ¥T|0Z»<”­7Ë8 º°Ê2:B¡Õp·qÿ€
+:Í4ˬ&¢øXVõö|d
+šÁ SÊÐ)U´DãChY¢“|Ò‘Þ2CljÌiB‘H!SààŠÜÅd©Äöµ‘„,ñKòرŒØ¼5RJÄ[£Ø!ÝaŸxOôˆ¤+‹ÿÒ¥QK‡½3:( ‚m± } ’60 @:sõ“;ð[GéN¬#gUGlð-•9u¡„hãÃêPbD<u›FŽ¼;–ϸ³ooõÇS¼üâà:$i¡d{Ð?6&û;&VoâeYÞÌ¢XŸ=ÑD€ú}Šî9’+‹•t€ZQ ¤eÕî|á? ’1¡at‚Tçå9µð‚/ø¤ðŒ[Õ‘â>eVB>Ãx,c  ÙzMüH±î÷ÇOÍ“;´½µ¼üdHàs2#;©%ô·âoÒ5|v8}C×4®#ùp_Žî‘´Ií±1©=’+µÇÚ¿Ú“/GéÉAž"Âà§áõ±!{Õ<
+yª%s ¿~.ö浨@P:á6÷ËtcÙðù›sÝ~òjAéƒ×ðs8d4ÉQÄÔoãd`RD¨_„+OZÍ­67[þ5ih±2Z.Ò=|=Iw³òI¹¥$« r@¡ÙÖ‘•E am°ÿ+‰ò¯rYs¢+뜎þâKÂKH8ñPz%ö <Î;Þm^­yÞº5çÌI Öe%“^èÇžó^',xêcæõƒní˜ò»Ð[2…Pæ"F9ûÙ[k^FY¹êÖZü
+endobj
+1414 0 obj <<
/Type /Page
-/Contents 1122 0 R
-/Resources 1120 0 R
+/Contents 1415 0 R
+/Resources 1413 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1067 0 R
+/Parent 1394 0 R
>> endobj
-1123 0 obj <<
-/D [1121 0 R /XYZ 56.6929 794.5015 null]
+1416 0 obj <<
+/D [1414 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1124 0 obj <<
-/D [1121 0 R /XYZ 56.6929 75.7394 null]
+1417 0 obj <<
+/D [1414 0 R /XYZ 56.6929 122.0233 null]
>> endobj
-1120 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F56 618 0 R >>
+1418 0 obj <<
+/D [1414 0 R /XYZ 56.6929 110.0681 null]
+>> endobj
+1413 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F47 874 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1127 0 obj <<
-/Length 3270
+1421 0 obj <<
+/Length 3228
/Filter /FlateDecode
>>
stream
-xÚÍZ_sÛ6÷§ÐÛÉ3J
-µö”òìíÙ?{†ƒV7tLMa …T‘žÌt(Òx|Ä´:LE$GÓþw£¼$Ád&¥0Qô h\
-4¼«\`be×L$G‚Æû6¯˜´Þ”Å¢À­u:ÝZp@×®,wB¯*ª%U< ¼Üb„ÄÚÆn[ÏÜçYoo®jæœÿaaÚœç\ÛêqÌInÜ‚&Ñ™ÒÈÍ»­léâ84¢pTji/äÔÏu ®l³"JÒi·h;êØô xüŠ‡fÞØ… ûF³q±²À±çí-3UË{ªTu–cÚ eè,2²8’` ŒœbU(~•SeC¤~wc…ăÂ/A þp‘z¯r›¡Å¨!
-ÚÇ8„tZÚ¦áòÝÝ÷Ð*©ßnU¸ÝRlAÒ¢®HzyÕR”@Ñ^<Ï‹âQ -v^æc¹ü÷<
-wûŠ°/þ»`y"çi}§@µ§2šªò<c:×A[²&“.˜:ÏI«Èòf±-æy&zña´Jû¤Yç–,¡“ˆ\8a‡@h((_^fTqÛ Z-÷.Öܽ,ÖEKDJæà…õŽÛjš… RÐîX_Xî;g6ïò s)ªƒ™v±ÊÁ¿b
-Ûrõž¾™}d.dÇሔ„𱲪›ÖÁ®xzÍc-} ÚWËÑØFV–
-õÝ‚Ãnðü‚¹-Lýd†=
-O‘N³nAàÎ v"Y ã¼fÐh€µ¢êCùâ‘HY·åìM¦±ñ}q׌R ¸²íÉ1ÆÚÅ;îƨ®ð‘ír”lÙåž\–õ®Ì} §Éâs²Ï*xKaÉ¥ÞاC $"5
-•7œ$@nõ†Rvè c”Ç„Fq«÷ƒèjñ.oy'—QûVX>õ^Nà^<ì1òP®®é‹žÒ‰1â«b¹¢ë3…í
-¨1£
-˹qG[hx#A¡‚êÓ-}³&A©€Ôš¿&•ØûÄ݉$´iï%ã‘yC5VÂC‘Oz{õ’FÊ@‡/Æ‚#FÏ
-úàøÔ†46໶Ÿ?/'Vv– 9[?æ‚~*‰ydç'e‘ T"äen.iÀÁ{;ýЀ¢3 ·1lªhº®1£)˜š<Xš§À篨èö…$Ûa D‘2'RYT.+@#% ²n¹¢”µ¨:’`vm¨8˜ÌVÃÖ›—<m×PÄÅîV¹DÛœFÄ*Ö`9‚îP¤Ø§½›h73–Ôt `±9jå³çèHwÄÂ5·Xâã9jÈ‹€˜˜å®hWƒnÐXÚꪌÃÙéÄ̳
-(å“è‰ý]ÜCš;O2Ïû£‘tȇÂË}§~ 2£R×äG×U¾®«bÑŒY(ËqßW}Žž×nsÄ>ÇÆÆAŸÖ-ç^wAAî€6¾¯{½ÑɆ%>Ûá:BI¡óþ>˜¸î5‘íC]x©
-ǽxéîÀ®“ý$´j,Ъ“a-""·rç3–A0„Æ:98@?|òØK}r]à¾dŸÙ5œ`Û~PöY{HÑg¦1ÜâP%¹öè®
-ãCÏð»CŸÖÁžûRÁ'<Qþ2L"¡CcÜ5$ ù‘O”€ƒR&üð¥NÑÁ‹‹Ò.`kb@ÂÊ>p]‘>ÁYîåÚã,¬ð;våKOfE׿š®péŒgs÷Z¤ª[Ïé–Xó…$Ý»òk€¤û{9lÂË•ßâÙ,cÖ!wä€8WWAFG×oNð ë…Ãk<¼°GxJ+Z_„ñþ˜å^~0PÇGòãÑê
-endobj
-1126 0 obj <<
+xÚÍZÝsÛ6÷_¡·“g"ð ½'7±[wR§ç¨wkû
+ƾº<gæ'͆³¾œ_üýF¥èD&“ùÀW„Y&&óüÇé믯¾›_ß_ÎdN“àr'áôËÛ»7DÑôyýîîæö«ïï¯.Óh:¿}wGäûë›ëûë»××—3¡¢XÅ,þóîîš&Ýܾ½¾üyþÍÅõ¼yx,*”÷׋'9œî›‹0P:‹'{è„ÐZN6Q¬‚8RÊSÊ‹÷ÿìFÝÒ15E¡„Œè)
+”Ù–¶a[nFiÉ0=ÙNQœ¢ê%ÌÌBÙ«^ªêE¤‚L©x’Æ:HŒ‘îAW:Sh„wï+Û¾‚¾H¦ær%rúöêjºÝ]ŠlZ·õ².‰²tkZ›Á´´æÛÛ9ŠŠ¾íÚRcSä34ïã…ØN¡Ó°Ó)àqoˆ{ùLÒi×à.Øz¨wÔ(Ú†ë¢ië]±4%õ·Ýn[7"S9]t-‘‰á1#”%<–ýîoÀY¹µEÙÎð*UÓÆîíŽFŠ
+–oL[Ô~¯+ÛÀ–Q¨¦6X¯78¿X
+­žÛ h¼bi©“ÛG[Ö[ç Ð]<Ñ-ÍïÈݱËö¼Ã^cW“̦·àfJ‚g ïHÅ‹”¶&J³f§æ‰G.ãfQwÌäÑ슺cNÍS3;öTòÖnJo¹iÍÂ4αßtË5µ Ï
+ á}å 4+³a"9 >´¶bÒf[Ës´RÙtgÀy]»6< ½ª¨VÔñD4ðj‡{[³k=s¿œw½¿¨qS3gû›m-ï¹1ÕÓ˜3’Ü‚”&Ñ™²Øí»«Léò8 ¢pÔj),ÍsI¨kÓ¬‰ÒÀ„lÚ-ÛŽ&6=^¿æ¥ƒ·féÒ¾VìÅ@\® &pœyÏLàÔÀò:U[,;‘ˆœEFjI°FN±2À ¿Ò©²!RÝØ!ñ ñSÊß\¦Ùkkr´ Äaû´uGPNKÓ4ÜžÏߨ yûuá¢9¢Ü‚¤e]5PôlÕRŸ”@Ñ^<Ï‹âÑL-fQŽž“üc…»CP ÿ»bybçiý¤P¶§ZjTÖæLCç:cKÖdÒ%S–´Š‰Ì6Ë]±°yЋ—ZÉt/ ÍƲ„Jcrá”  =¢ |¶Ì©ã F Ï.6<½,6EKD*æà…õžÇjÚ…
+ RÐîØ_ž»`6ì–¹ÕÑNK³\[ð¯@Ö|íÅ ]Gl×ÖMà˜Ž!ñv‹ñƒ4WKÔµkÀ<-”GKCX¨E„„Iþž­€Öò37eìP9¡þ8#5áèÂoLÚõ6|`S®Ù bº­15yÙÏ€+â¢#'è$¿œ{ÙM³©0†›¦XUN8 :IttàarÈs]®ÒœpéÑFÔÚc®äò{`£¼Þ€
+]
+TøüNâÖý6Ô` ¾.€ŸñáÄ(ØR¦,ÚÂòL‘ð½uiÙŽ:àÖî0©– Tšnµ² #Š~jÙ†g  5<y]w%ŸÀ‘¾ÈHÌöQØŽ»ôÍÍs!;—@¦$„uÝ´v%Ó[^kèÙ¾Zæ6
+X©Y*Ôw »Åû Ö¶(ó›iöDh<[D:Í»%;؉dÕŒólX˜Á x
+A á‹¥
+êL7ôaÌš†ý£Rkþz˜Tâĉ{I!iÓŽ%í‘yC=VÂc‘ŸnzóšVŠPE¯ÆΆÙ3„äÝ>•–›¥J³£ŽK^aŸüC_ÚæÀ|7²ÏGàåäÂÎÞp°õÓéºa-è·XGö~S R%B^ææŠ|Á¼'‰Ó-(š± ¦ë6¦MO75V4 [“ =ðøàþ5]\²Ž@)-‘Ê¢ryX)‘u«5  ¬EÕù”ËpjCÍÁF`¶BoQò¶]CxZå
+m󱌫ÀrÝ¡I¹Oy7QnglÉé
+Àbs2ÊwÏÑ•î2ˆ[1ÄÇsTP11Ë}Ñ®Ó`°4ÕT‡«Ó™ fˆ¯C4:öÚQûÛÂIl(–©õpCyváh¤×Êr5¾Di©émušÙù*Î5¶ìrŸÔéÖßpLnà®'—kG-ws(¯ÛääÐ ¥@ÐcÓÉtÏô²pl8PÊ+&Ñ5综‡4wŸdž'+é’ׇIýBdF­®±' 7•ÝÔU±lFo.ã¾êkô¢~tÁ‘ølœx›„}Y7\{ݹÚø¡îõ>D$¶øn‡çˆ¥F¬û‡dâ¦×D6uᥤ°êÐ4Gø‚­a.ŠÛŒø CE^¹Ø<¨Äuþ¼h~ÁlUæ¯
+§³øèî®ÒÃ&tjlЩ›a/&"·rï3¶A0„Æ*Œ89À¼Û»¡ÔcéßcH2‚/„@ 7ض
+:
+MßÓ’ƒ¤Ö~qîϲTàßRüU8y1-êŸlþl-J•egþtª
+O—>˸±Ê‚8“éˆèÿnÿ¸Nendstream
+endobj
+1420 0 obj <<
/Type /Page
-/Contents 1127 0 R
-/Resources 1125 0 R
+/Contents 1421 0 R
+/Resources 1419 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1133 0 R
+/Parent 1394 0 R
>> endobj
-1128 0 obj <<
-/D [1126 0 R /XYZ 85.0394 794.5015 null]
+1422 0 obj <<
+/D [1420 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1129 0 obj <<
-/D [1126 0 R /XYZ 85.0394 769.5949 null]
+482 0 obj <<
+/D [1420 0 R /XYZ 85.0394 465.493 null]
>> endobj
-474 0 obj <<
-/D [1126 0 R /XYZ 85.0394 445.1692 null]
+1423 0 obj <<
+/D [1420 0 R /XYZ 85.0394 440.7907 null]
>> endobj
-1130 0 obj <<
-/D [1126 0 R /XYZ 85.0394 420.4669 null]
+1424 0 obj <<
+/D [1420 0 R /XYZ 85.0394 255.2465 null]
>> endobj
-1131 0 obj <<
-/D [1126 0 R /XYZ 85.0394 234.9227 null]
+1425 0 obj <<
+/D [1420 0 R /XYZ 85.0394 243.2913 null]
>> endobj
-1132 0 obj <<
-/D [1126 0 R /XYZ 85.0394 222.9676 null]
+1426 0 obj <<
+/D [1420 0 R /XYZ 85.0394 76.199 null]
>> endobj
-1125 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F57 624 0 R /F42 597 0 R >>
+1419 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F39 858 0 R /F21 654 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1136 0 obj <<
-/Length 2988
+1429 0 obj <<
+/Length 2977
/Filter /FlateDecode
>>
stream
-xÚÍ]sÛ6òÝ¿B÷@ÏT8|ì[š8­;‰ÓsÜ™Ì5} %Úâ”"u"Çýõ·‹HJ¦çâÎuô@`,û…Ý…ÄŒÃOÌŒe6“Ù,Í43\˜Ùb}Âg·0öã‰sæqÒ|<뇫“¾¶r–±ÌJ;»ºárŒ;'fWËßË; <ù÷»‹³Ó¹4<y}þZBi#“—?½øåêì’l˜úÃùÅ+‚dôyùîâõù¿^¾8Muruþî‚À—g¯Ï.Ï.^žþ~õóÉÙUOòøX‚+¤÷?'¿ýÎgK8ÝÏ'œ©Ì™Ùt8Y&gëm3Z©©NÞŸü«G8õK'Ù$8“
-XòOZMñÉdÌ*©<ŸÞ—ë²Ê·Õ=쮠ﺼ]uÔl‹âûÃs§­ªR­™¤O9¨²°­•fÿ ÿÛªHŸÍ¥b™àú8´Ž®Ð¤ê
- ø8éáËŸÀ2yššÀ ™ô¼œ[Ω%?Εцßv†ž+ƒ½ý?ôZ¤s:×'SÆÓ}Ãà
-€u‚ iÓÇ€µ
-6U™güÕªlÉЋÏùzSЮš»
-•¬š¶ƒ¸¥` ÁÛm¡í°'ÀBà®!@·*ë?ä™'dDxyI]¤ûyü†…÷¯
-£þ]Ù­â.Ò#ñWŧÜÛŠÖ¸Ñn\Ó&Éë%{õ }ÂêG/ h (Qšy…}åC#û¢
-¿«¢Ú4÷mW¬Û@BÑÛuY‡åw«"®ƒ“Mâ2ÄjÑ[5Ü·)Ë”Lý4]:p üÌ{CóªäE-/^ÐMÔw?£©h`YT §Û{êyyÁ·
-¹Ÿ”¡ˆXeÈ8F•Å³ÌÙ.…Ï’}ysà«áGØfAe”ÈÆl¼ì×$”ˆãCB;¬¬FY©ŸZZý°~ªBýô}Ñu”¸¶««7O¨”^QÔf“®\ó®™W”¨„x”ÆÀΆâõÁQ-©C…èÐUr~]vaBÇ[⸠Ñå&d„Eˆ*ý,B°«Ë®ïl!Ž]@úÝz‘Äð¾ßÒbZ¼Î·%½š¥T@: Žª²U¨øR+å%*&·ÐZä Ê °ŠØâM¡]`€€«Ôˆ¥å€iÕÜQ£j¼
-ÕŒýðšpàõÏf"… ÚHý¤×L±”§ê+_w&W nLò¯y°Š+î©x¦¹ÐRâÈÓ8€ ®ga-ãNQ®üþÜ«üH”šNªÜ~ rYš
-ŒÖÑ-•¡€€.b¨‹Û<T\ )ZЯÀŒ&Å7'uP€Ä1TgT6kÈŽö *¨¸1} šCý ,3ú6Ó[4ëf>v5ï
-ýŒZA¬âQÈ4ƒÂí½ ù°BàT%gôv, Jî@hÄ´ñœ„qû-}É—I‚
-endobj
-1135 0 obj <<
+xÚÍ]sÛ6òÝ¿B÷@ÏT8|“¼77qZw§ç¸3™kû@S´Å)EêH*Žï×ß. )™rœ‹3WûÀØö »K‰‡±0–ÙT¦‹8ÕÌpaùæ„/î`î‡á×,âåtÕ÷×'£âEÊR+íâúv‚+a<IÄâzõ[d™b§€Gÿzwy~º”†Go.~†žPÚÈèÕg¿\Ÿ_Ñ„õK¿¿¸|M”šWï.ß\üðëÕÙi¬£ë‹w—¾:s~u~ùêüôëŸNί‡#O¯%¸Âóþûä·?øb·ûé„3•&fqÎDšÊÅæDÅŒV*@ª“÷'ÿNfÝÖ96i!˜åÈ'¥YôŸCVÙ”Y+Í>ÙÿmW8 _,á(©1Oœ€öqÀå»aÇ>ª%ÈÒ*¸÷2Ö1³q,FÙ§Ù nç©^ÄF0iA/Pø>°Ÿ_½go/®Ùùë_A¸2MtÒ³œGgÐ!#Áþk}(Emc–¤±ZLiÝuqÒêo eX,E:Ï )5S(Ç*eŠ dЫ§¬ÑÈ)„J-ùqžLȽOFÝþh­ˆS–èÌGÆŒÇûFöÈØdœ0( |ç “Z|—jÆ)ÙN$¤tl¿^—yâS¶ÙV ºusïáý}ClµjOE]Wø¹Û¦E©Z@,™P@‰Ï¨>­ß;X¢˜M¬ôË¿óÇÉò5õš[OŸšUy‹§¸-è0uOà¼ÊºŽyìb0 ‡iÑ¢| ‚ǃ;–à{9¨×ë²Ëw]W6õ>É·¼w-ò¦]u3gêœj¡Ò3`Œ²2Z]Þ–7Å
+‡*Ênš\L¥pþf“•5Á»¢ýX´~O×7t%š+kàî&ëÝ¡p>óë²aoYxža^>ÍÎuò‚f šöUçÎ!<ƒ§»ï×%€àŽ£Û¤—+oêÎŒBWÂÉšmÖöe¾«²ÖË b×±Ú½+¸­7Íå¥xÀrW~,üd` öëlãqýÎ §ƒJˆ]·ËªêáT€«@Q&º!Ô°¹ñ¬ºÏà¾{W"½G&
+­›®
+ÜŒNc°†‚à]‰¶Ðõ8’`!pß _—õŸrÌ2 ¼º¢!žÇYhýƇ­Ó €l³²% ¡PÑ*ë3ŽLÂòAW`–X‚=àhŽÑø¾ì×ÊÌUIüUñ1s¶¢5ÚmkÚDY½"à ~~LXÝLã„=p%J3«p¬Üuhf_Ô
+^ù¸(x«é¥Ø°!f)pÏm@ÓU ÊOÀl04§JN$ÐsâÝD}w+šŠ&VEzÚ>ÐÈÉ Ú„Saœf”×\
+B¤^·yù;ç2PpÂDJaùþñü¢pJj¶mÙ´eï‰;yÑì ›…ѱSÿ|Òé
+Jü@ ì¦kª]_ÐhSd5Ü™Öü.eL`8iX>0
+ø5˜nêÊ/ L,ò¾ DÝÅqàk©ëÞ÷ÕÄIà$7ž¾+¬óæ5§¯ÞؤôÆfôhŒÐ÷Þz^'°ë,Åho¥›¯OtІÚ`sû í™ lìݲdäËý™.zŠ]ô4KUr‡Àk³ëú™ÂHg¬_D2D2ñtr\c“•îº&/³Þ½&ûÁãÔŽaøÖŸù¬¥ö þðö H'0 ¾<{{¾ÿ$žaðºs"º¼,½þ½q,™ªMº$7´¼ò[:¥ñÊCGڛƽ’6xÂÁlòøŠH­:Ô:|´Ø'=ºjzòÑ8.Zòé-V"åÈÎh­÷•¢ò`[ÞÕͨ:tþ¢†g;sN^ï5Òàˆ`Ëc${H ò:©ß€Áõb;y&Ý)j¿+Ps÷Og´`Û¦¬û ™{Þ<ø\f]LÔç ½ó¡¦²Ü8‰v%
+ôþ9™2‹øË’Äù]ߢ´î´ÔR¥DØùÌ=6`é:Yhž2mâ­çË› :1–5”ä$6è$‘à§zÇÅö¶fõ)°Õ@2?=Ê×Ýù(bLóôr S©b©´æH©˜5¸Ú˜¡Ã¹“î(Çù<öL ¿,{^RŸT b¡>ÇžÄ0câôä”? C™Ý–5íÝÜ™Ðý s'æŒ +ž¶6+,¦’{zl? Œ&—`ýL%N§\)QgÑ„ø_˜E¢ ËÓÏ°È
+ful¼OðHç‘£þ¢,z~eñ[<hq ×æK+‹3“è§ ‹JH†elÊ¿)>r’J)B´
+ÚlÔ—›bÙ7ËŠR:€â×Y_&².ö/ª (A †J.oÊÞOAäxG·>¸Üú<¥ðA¥[EvuÙwSÊÂØõΉ$D÷I‹ ô&kK—–",5‹O'õÛÊW\Q–ÒÒ`èåYN‰Ö;|tâÙ à*uBÚcZ7÷Ô©'
+ﮀsINÊùþ¼—ÜHšŽªÌUˆ "›šò|ÖÁm•¾Ò€>`¨‹»Ì—f é™W§¿Œ…Sê R‰s¨Í¨kÖíÙ“×pc†btÇBfpmf0&èÖÍ\ìz9|‰
+6Ù§r³ó«ÑÏß×üË0²‹OÙ5–?5`m7–SÔš>oF81ˆ\¤ è‰6|‚¡*+ž$à¼!3yò§P†Gu‚šD¥öiÕ†AÜOIÖßœ›ÐX¢¤z¼ÂƒD<’/$OÝ—žZ*±Áš¾ÙÄ•ûe¨Z€üöÈÐ4r{ê#÷!ò KM]øÎ3£ÃÞk·Ù®êœÞ Åøô‡o#X`§ïk£¯J+ù¢®èŸÐŠ ¿¿N„‡Z¡_R+8ðMÒKŽk…LÇû‘\ÜÑm¬¢súÌ, MJãAè„rµq¼„†x‡ãŽZòfÒø(€ú£G„AY¬¼ºr!áð%a!$6{žŽ:7zÇáÁËñÑËñ©—ãþ.Þc5°ò)˜°ö¥à ~Sñ ÞR‘B䃆,5d|<ŸÎ|@kân³DKH’¹_9ñÅgÓÝçþ¦jü]8W•$GTzÈÇ ºF\¨ qòè_ÖJe‡U“£ÿ ùM%endstream
+endobj
+1428 0 obj <<
/Type /Page
-/Contents 1136 0 R
-/Resources 1134 0 R
+/Contents 1429 0 R
+/Resources 1427 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1133 0 R
->> endobj
-1137 0 obj <<
-/D [1135 0 R /XYZ 56.6929 794.5015 null]
+/Parent 1394 0 R
>> endobj
-1138 0 obj <<
-/D [1135 0 R /XYZ 56.6929 756.8229 null]
+1430 0 obj <<
+/D [1428 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1139 0 obj <<
-/D [1135 0 R /XYZ 56.6929 744.8677 null]
+1431 0 obj <<
+/D [1428 0 R /XYZ 56.6929 769.5949 null]
>> endobj
-478 0 obj <<
-/D [1135 0 R /XYZ 56.6929 645.1992 null]
+486 0 obj <<
+/D [1428 0 R /XYZ 56.6929 672.3174 null]
>> endobj
-1140 0 obj <<
-/D [1135 0 R /XYZ 56.6929 620.8596 null]
+1432 0 obj <<
+/D [1428 0 R /XYZ 56.6929 647.9778 null]
>> endobj
-1141 0 obj <<
-/D [1135 0 R /XYZ 56.6929 421.005 null]
+1433 0 obj <<
+/D [1428 0 R /XYZ 56.6929 430.1905 null]
>> endobj
-1142 0 obj <<
-/D [1135 0 R /XYZ 56.6929 409.0498 null]
+1434 0 obj <<
+/D [1428 0 R /XYZ 56.6929 418.2353 null]
>> endobj
-482 0 obj <<
-/D [1135 0 R /XYZ 56.6929 255.583 null]
+490 0 obj <<
+/D [1428 0 R /XYZ 56.6929 282.7013 null]
>> endobj
-1143 0 obj <<
-/D [1135 0 R /XYZ 56.6929 228.2785 null]
+1435 0 obj <<
+/D [1428 0 R /XYZ 56.6929 255.3968 null]
>> endobj
-1144 0 obj <<
-/D [1135 0 R /XYZ 56.6929 186.806 null]
+1436 0 obj <<
+/D [1428 0 R /XYZ 56.6929 213.9243 null]
>> endobj
-1145 0 obj <<
-/D [1135 0 R /XYZ 56.6929 174.8508 null]
+1437 0 obj <<
+/D [1428 0 R /XYZ 56.6929 201.9691 null]
>> endobj
-1134 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F57 624 0 R /F42 597 0 R /F56 618 0 R >>
+1427 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F23 678 0 R /F21 654 0 R /F47 874 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1148 0 obj <<
-/Length 2593
+1440 0 obj <<
+/Length 2405
/Filter /FlateDecode
>>
stream
-xÚÅYÝoÛ8Ï_¡‡{Šå‡¨Åalêô¼h“^ê½.¶ÛÅ–c²äZrÒì_3R–l¥iw÷p(P1äp83œßÐÂãðOx‰f\¥¡§!Ó\ho±9ãÞ¬½>–&pDAŸê§ùÙËËHz)K#yóUWÂx’o¾üè_üëüÝ|z3 ¤æ~Ä&Ž¸ÿÓìêͤô¹¸¾ºœ½þåæ|‡þ|v}EÓ7ÓËéÍôêb: „
-µʲøíújJD—³7ÓɧùÏgÓy'r_-ÁÊûùìã'î-A»ŸÏ8Si¢½øƒ3‘¦ÒÛœ…Z1*åfʳ÷gÿîöVÍÖ13I%X¬•¨%°è+±D¦1U§,RRuF Õ˜QCÁ¢4Õƨçe9 T*üz…_é·ë¼Éij>ÓÐä2Ÿ•íËÖÕD±¯ŠÖ’Ð~á7ù¢®–Í‹IʸÕû»õ±ðYE»níQù—mY,Š¶|¤ùf›/Šß9—ùÒpŠüU½£¥üK¶Ù–ù ¼¨——:îiȽ@–j-nb­ø†È†)K’8r¤b–BzÝÞÜ€¥ ”fBðȢτà@œsVÝç;´:ÎÛl»-ª;ú£¨è;{wŽœBÊ¥¡ Ï›ÜòQ)÷«lƒ£$õw‘øyS—û¶¨+ZýkÞ®³–(
-²±öÛ]V5efé`ee6×Ú5{G³Ùri™6´`.ðP`-h¶h,ùb]€hKš½}¤ÙMgÑ]8G‡±W=}E˜ó!&Y¶Ûf#v°)Ó­,ëMV}b?«PŠ$òßÍoh@Š,jó]6ȱäþ´jwEÞÐ&ÚñìÄ‘fyp±¥…M¶Ì‡œÊ<kÚ ­ƒMÝ´¨€8™­®”§šâ®2¾ ^w%47§ÃµIpy:,[E™¯ ­2ׂ3»ânÝ‚f!ýù¯gé«H-Ãz»­›¢ÍiúpYt¼,µò²GšA¯ÀoÏ+r˺3®ï›}V–v÷®h£ùÑõ¶y…’Ê$Ý£_*ˆ 7Ë 'UÈœå¡h×4@Z÷”Çî)­á‚€,Ê$S–A½/—´°Îî-W{øƒe±…Dñˆ}rñÒz}wЈJ
-ÎñÙñvPT)é®D'Ž“Žýfm¥ƒY+Ìf4aœÿv¡½7ƒENËC—&ʇuÝØåeÖf4i²¢;…dˆí„1öƒŸýÈK{×bü“Sqô(L%æÖ…4«ü $ÿò.m e`p‰4Y¬èKRÁÀ%Ä·Î,å¦îœÍГW€ ŽõA×R‘‰@ö+€ ÂsÌ#×65´ÔlQo>ÑÅüÇ•^HË:=HÈC~K­W©b1jýŸÛåéÝÔ“Ð>¼ìÐ)?dtJ:æ, •èÀÁ t
-)˜RJ{@ËBDhÅ\ßÌ^Ï
-õUÄ*Á®qÊß
-ÄÂÑ7¡j! ÖðɘIœœ|ǹGFíš”Ph&Eöñt$¦œÅ¶‡°!Ñ!åÕ«´ÑN‚q¦• -´¹op ÿKÿ¤Ý
-0+  ¹Q˜}0*Á+/ÚÂatÄþ+sOf•¶Þ\^ЄàJÓÈ´U8 4DÍþ¶É?ïóªuÜnó¼¢Qþ@þ2_2j:?¬Qª¯¯N…5:°Qn›¼\ÙqCßE™5룗ùϬ,}†o88½¶;ûÚñ›}c™ÝÚ™Ú
-ÐÉÝXmea’ ¸‘¢‡€qæpÓ$ݶ•jQî—y÷ÆÐË´
-\=ŽÄXúø¦O)´¥{1Â
-ÐL"”c4»ºxóË«éX‹ AË'²Wµa)C@>IìxÎçoÈ„º SŽØCAxñôL؈˜;[vøqÏÇÁûǪ;ü0"—ÒLcF1ZŸ-¼&¦9:=<‚À†ªhi?Žp%bg7€vôÉ‘›„y‰îÓˆø@ÊØùSüÜåÇdbÙä­ñ+áÜUtRË®ù.óÃè¡ ¨Öã©Na$[Êš¾YõHƒ}õ*•}|£§Ï-J(H¹=7£Øì'l4 Ó«îÜc‰Se.z¯ "¤†¯É¨¶/Ä醾¦;„“‹ ½ŽE”ÈÔ阃Ñ7lBHwWÿyMŒá¢º@Ýzþ3`¥¶‹.þ~‘jÀŠE& uê„¡ð}{û Q©
-ќć}Ú…Œ¦–¬3åÁ ÐÞugw²°õ*soJé£W®Ã í0ÿvïa£”A‰žœDH'-=EÝí7] (\½h‡uÃ`3“ÎnÍ£iÎFnˆ
-*í)\
-endobj
-1147 0 obj <<
+xÚÅ]oÛ8ò=¿B÷ —¢D.dS§çE›äRïu±Ý>(¶ %×’“æ~ý 9¤,ÙJÓîÞáP b†Ãá|Ð, ðJ*t¤:&’2,6g4¸‡½7gÌáD)êcý<?ûáR¤&:áI0_õh)B•bÁ|ù1¼øÇùÍ|z;‰¸¤aB&‘Lhøóìê5B4~.®¯.go~½=Ÿ¤q8Ÿ]_!øvz9½^]L'±ä@@8¿__Méröv:ù4ÿål:ïXî‹Å¨0ü~>ûø‰Kî—3J„V2x„?(aZó`sKAd,„‡”gïÏþÙìíÚ£cj’B©x:¢'.Æô$5Il=—å$š…õÊ|yØ®ó&GÐ|þ¶Aà2Ÿ°p•íËÖ!Õˆ±¯ŠÖ¡ày6ù¢®–Í«Ió¨Õûûõ2 Y…§îÜUù—mY,Š¶|Bx³ÍÅ”ò|i)%áªÞáVþ%ÛlËü•Ñ=x‚îIHƒˆ1¢¥äV6¶tƒhEpM”J5 ,â0XÐ]‘lj„$ŒÑÄ¢7ˆÁ'(¥á¬zÈwFSÆÞeÛmQÝãE…ßÙÍC<r;0Éc¢c[š·¹£#4 «lcVJ‡» SaÞÔå¾-ê
+wÿ ’¶ë¬EŒu,Ãv—UM™9<ØYÙÃõOÍnš-—ŽhƒÖˆ°a.Ò ¡EãÐëX["ôî ¡›îBœ‡A)ãôySUdï‡0#Ùn›è<i@G«,ëMVXyÒ0« * oæ·¸@Aµý.ˆÍ”ÓpZµ»"oðN,{pÄ‚Ý܃dqc“-ó!¥2Ïš6jëhS7­À„òìdÅÔÓ÷•õ]ðr°WÈhno³qpy¼,["F™¯,®°f1]q¿nA²˜¦á|mÌb ø(–%½ÝÖMÑæ>\d7=-‡-ÂÇì !Æ+Ì·ç¹#Ý©Áìï›}V–Oîô®h#+ù‘yÛ¼2œrœî_
+ˆÌ—1žTrà,E»F°É
+ö2(!þ¾uæ07uçl½xð˜FãZ" /Màý
+`ƒðóȵKÍ6YÔ›O˜ÿñ¸x3iY¦qPJRÁ¾¥z -HJÓ£êýçNy>z’<Ëž£@Ë-ý‰!©¨“)’J‘4•êÐCõ+'ãŒ!d 5„Z±6ýíúvöfM‘d‚†ÃxèÒx_…’*“„ýÛþšFWÚºÿRÒ„(Õý¥(J »Ä0‰T
+ê0zOÁP0‹U]“ž³‘畃·¦ÿMåúÃÿ‡Ë2͈J¡œG<%JÇi¿Q=iX9è5ÕÐG‚)cõM}2ãDk?3J•(öJõ'Ž”ÚÐwƒÃÇI¿îõˆ²SÆ® šØ…ÌU¯³‘I̬Q"ìcgs Þ½5üÏÓhÆ X‹MNUl®>ŒÐXkH½µ•õ  øa¶áÁë$
+zByÂQŸ²
+²ïò)¡ L§Š@Óƒ.?÷-^2h£ɼX>W ^Ÿf%!Ư„¢ã:È¢:tv‘O ®0‚J¶s[+³…#
+$$Ö f%Ôz8âš îxz;®n>|°O[4¼¸:g~P°~w>»ŠÞOoÿ5½Ïmæ¾ä``Êlñ•d`ƒÑ×ìÃI¸šL;wóvJ.®ßdر‘ ¹"žÚƒš)
+endobj
+1439 0 obj <<
/Type /Page
-/Contents 1148 0 R
-/Resources 1146 0 R
+/Contents 1440 0 R
+/Resources 1438 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1133 0 R
+/Parent 1448 0 R
>> endobj
-1149 0 obj <<
-/D [1147 0 R /XYZ 85.0394 794.5015 null]
+1441 0 obj <<
+/D [1439 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-486 0 obj <<
-/D [1147 0 R /XYZ 85.0394 714.4345 null]
+494 0 obj <<
+/D [1439 0 R /XYZ 85.0394 732.3673 null]
>> endobj
-1150 0 obj <<
-/D [1147 0 R /XYZ 85.0394 684.4451 null]
+1442 0 obj <<
+/D [1439 0 R /XYZ 85.0394 702.3779 null]
>> endobj
-1151 0 obj <<
-/D [1147 0 R /XYZ 85.0394 595.1519 null]
+1443 0 obj <<
+/D [1439 0 R /XYZ 85.0394 613.0847 null]
>> endobj
-1152 0 obj <<
-/D [1147 0 R /XYZ 85.0394 583.1967 null]
+1444 0 obj <<
+/D [1439 0 R /XYZ 85.0394 601.1295 null]
>> endobj
-490 0 obj <<
-/D [1147 0 R /XYZ 85.0394 394.0393 null]
+498 0 obj <<
+/D [1439 0 R /XYZ 85.0394 411.9014 null]
>> endobj
-1153 0 obj <<
-/D [1147 0 R /XYZ 85.0394 370.8687 null]
+1445 0 obj <<
+/D [1439 0 R /XYZ 85.0394 388.7145 null]
>> endobj
-494 0 obj <<
-/D [1147 0 R /XYZ 85.0394 305.4099 null]
+502 0 obj <<
+/D [1439 0 R /XYZ 85.0394 323.2073 null]
>> endobj
-1154 0 obj <<
-/D [1147 0 R /XYZ 85.0394 280.4837 null]
+1446 0 obj <<
+/D [1439 0 R /XYZ 85.0394 298.2648 null]
>> endobj
-498 0 obj <<
-/D [1147 0 R /XYZ 85.0394 138.799 null]
+506 0 obj <<
+/D [1439 0 R /XYZ 85.0394 108.8668 null]
>> endobj
-1158 0 obj <<
-/D [1147 0 R /XYZ 85.0394 112.5279 null]
+1447 0 obj <<
+/D [1439 0 R /XYZ 85.0394 82.3901 null]
>> endobj
-1146 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F57 624 0 R /F42 597 0 R /F56 618 0 R /F84 797 0 R /F86 977 0 R /F77 703 0 R /F11 1157 0 R >>
-/XObject << /Im1 790 0 R >>
+1438 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F39 858 0 R /F21 654 0 R /F47 874 0 R /F62 990 0 R /F63 993 0 R /F53 957 0 R /F11 1293 0 R >>
+/XObject << /Im2 979 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1161 0 obj <<
-/Length 3047
+1451 0 obj <<
+/Length 2130
/Filter /FlateDecode
>>
stream
-xÚµ]sÛ6òÝ¿B~ g,ŸÑ77Qrî$NÎQ;Kó@I´Å9ŠTD*‰ûëo H”E¹îe:ž1– °À~PbÄáOŒLÊR'ÝÈ:Í f4_ñÑ=¼{s&šq\4î¯úyzöâu*GŽ¹T¦£é]WÆx–‰Ñtñ)I™b€'ÿy3¹KÓ××oJ™¼ü×Õ‡éä–^¤aéÏ×7¯hÆÑðòýÍëë7¿Þ^]XL¯ßßÐôíäõävrórrñyúËÙdº»rŸ,ÁÞ÷ËÙ§Ï|´
-Éœ3zXøhì“2u§qÑ>¸w¢Ú[T*©=Дùw£T2Œ,ÇešLê¦Ç]ã'ïF zFI¸ûþbœŠd
-ÿerd€“[iG)HD"
-> ¯ïƒ.ð±ÚêL¥ÚÒL «-4?äÙ^Ô\?u{Ÿ$x,C”'‹@*žíÏìÊqÄ7E‚§;ÕNƒbïsÊwyëݾOE˘\L¾wEÝ‚;ù üŽˆ"FCx3¹™@æ ,Nþ9‹88åX™SÅ8W1À÷dS-Û¡lK²ŒËçÇ°…E)FÃðÇ árLHc£¡Uy;t#éX–Y×7³Gh \9‹wîÖÀÍ ä öÿ˜ÿ#Aw†¹¨×ö”Àýøa“ª¾‚Kˆr­×m€|^-ÓdRØ® ùœ†¶Ø”EØä FZÙ6[øû Äî“%¿¹®Z”w¸äÎë><ßù>jš"Ÿ/ÃJ3œ…­yMc †“CäÇ2lÈöÇ‘êƒ ý—¬‚"-Qs<L¥)% © <ÃäŽE ÒÁ÷Ew
-k½Õât[t-A>'WG|—4ùe[ppŽ—¼^7XCyŒÛ/¤îo†*« ¹T$ä€úEQ÷9&*;'×Î7åì ''lpB/јª¢ ;!ÿ¼zõê–]Ý~@f^E|ñ€ c‡ÜqPÛ÷·×o®¡~NÁ'r†Ù„d=¼Wl(Í
-Dÿ‡ûÄX4Ü|¤ñãäö·Éí9›ü~õîÃÛÉóP i <§áåÍÕ»ðòœñaÛ§(Æ”"”µ?á„ø7(8!ŽY0D”8A”xB$ŸäŽx
-Q3´î™Ò“ÏD*Ÿ‡”Hfl˜
-¤‡Õ¬©Zz…U›ó)?ÑGhß)¸‡ù z¦!ÓkÚrQú}U—Ʋq]åsJ0&qž-RdŒËìÐIÒíS;x
-ýaìƃˆ…,®ºGÄ9=Ÿ‡Í5Íî°5Ûn½í~h¶ô¶.|‚%É|qÉ×Å~ï@•Ä!Ô‰,}B*ãÝšoQЀû|4Ìòù[Ȩ–„Dô{tXžÛõèê¡B D¨^O¨¤`÷l
-p£ä.wƒnÂB+?(<%x§* %þzÝijNøÉ™VÜ>éŒà”è òv¨“.eÖió( ê@ïþJa÷RütéEñéùýùó
-z-vß<~œª±ä—êr1dÏPÿ«'(Ș.š{4¸<”ŒÝ&ŸûJ%Ž{´êq€ê•ã*DF¿øÁ„wÍعV¿ÓÕˆý`Gˆ¥Ô–„gÿÕ ‚xN‹b^®òŠ|TÂ54üYÐ%Æë|±( kg‡>%¼£<2Ø#N)Ÿbq
-Qãk^Vù¬Šig
-¸Ã'š4Ý _ýÛùÒð!§RÆ•Œ¶j)0žY¹Ô·ú!ŒÍ;BnO!‡ÔL»½¦õÖ˜Q®;Xµ‚|?j‚,A“÷Äñ“Ä{q*‰À÷AÃçÚEÃ;ð‚i-c&óûpH»Öµ áJÛõš`ÖŒ”1ÌŒMø(
-endobj
-1160 0 obj <<
+xÚµMsÛ¶òî_ÁƒÒLˆàDo®­ä©ãÈyŠÚyÓ4Z¢,ÎH¤"Rqýï»Àe1®û2ÍËÅb±»Ø/€%~,QšhËmb¬$Š2•Ì74y€¹÷,Ф‘(íRý<»xûN˜Ä«¹Nf˯ŒÐ,cÉlñy ‰ Cà@¿ßMFÔ+:x7¾ˆ ©øàú?Wg£)Nè@úóxrƒ‹ÃõÝäÝøý¯Ó«¡‘ƒÙøn‚èéèÝh:š\†_f¿\Œf‘»j1*œ¼_/>¡É´ûå‚a3•<Â%ÌZžl.¤DI!"f}ñé⿆Y¿´×LŒ.4ï±}vR–hSÎNÓ"_€R"ä•Ì`»²lPÏ‹¦Á™vU ð¥|]8¥ál‡5c Ä”rL—庨òM <ÔÌ2ó°C¹Ä­Ë¿ /Cض¬æëý¢â•U[÷Ëå§ó6N–ù¶†%p‚êÁxdb™8à8\¡ê]ùPV=² J¨Y ‹ì›m1/ ¬IRI%É”5I
+V±JqOŽÂ‚ó„Øó€±cr¯& ËvÕ#«³4œ!.ï¦ã÷ãI°ÒÁtMÑ"[o;7®ò€ù–¯÷Å„kr÷X6E$
+À|¿Ã©Ú>™ œ¾‘ÿT¦¨üt&h:a ¸2ÍÀt†XÁ3O8óbÈ,žŒ‡Ñ]eôiO„ô3‹z“GrïŽBšoÅ.Py‹ùdhyò ±«<ì·Ý•õî|é¹Y„fÄ­2ž\ßþz3ê‹ ~užºš'lÁ£˜&d‡èQ˜âºŽ´Êƒ1ï‹¢BõÌÑ´}IJg²…V¯ÊRŒk•ìÏR4I­ œkû}^¸Ž¯
+¤qÑà#ÁaÃ25ÀèqˆfUï× ¤¼/·+š¶Þ›/[HÂ~"ÉPŸ$CÁ‰VÇ OÒÃqâ$ýu|ÿDe!!%°ÈÒ”jp?äœìRûšà.]¸±qÅ%àê
+iW…Ë\ˆD
+ò;ûu›p¸ÅkFmÂ9'Lð×4ÌšoCͳ7ÇÿoUç
+endobj
+1450 0 obj <<
/Type /Page
-/Contents 1161 0 R
-/Resources 1159 0 R
+/Contents 1451 0 R
+/Resources 1449 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1133 0 R
+/Parent 1448 0 R
>> endobj
-1162 0 obj <<
-/D [1160 0 R /XYZ 56.6929 794.5015 null]
+1452 0 obj <<
+/D [1450 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-502 0 obj <<
-/D [1160 0 R /XYZ 56.6929 602.6023 null]
+510 0 obj <<
+/D [1450 0 R /XYZ 56.6929 572.7144 null]
>> endobj
-1163 0 obj <<
-/D [1160 0 R /XYZ 56.6929 580.3261 null]
+1453 0 obj <<
+/D [1450 0 R /XYZ 56.6929 550.4382 null]
>> endobj
-506 0 obj <<
-/D [1160 0 R /XYZ 56.6929 499.3874 null]
+514 0 obj <<
+/D [1450 0 R /XYZ 56.6929 469.4994 null]
>> endobj
-1164 0 obj <<
-/D [1160 0 R /XYZ 56.6929 472.2263 null]
+1454 0 obj <<
+/D [1450 0 R /XYZ 56.6929 442.3384 null]
>> endobj
-1165 0 obj <<
-/D [1160 0 R /XYZ 56.6929 264.3736 null]
+1455 0 obj <<
+/D [1450 0 R /XYZ 56.6929 234.4857 null]
>> endobj
-1166 0 obj <<
-/D [1160 0 R /XYZ 56.6929 252.4185 null]
+1456 0 obj <<
+/D [1450 0 R /XYZ 56.6929 222.5305 null]
>> endobj
-1159 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F84 797 0 R /F86 977 0 R /F77 703 0 R /F57 624 0 R /F14 608 0 R >>
-/XObject << /Im1 790 0 R >>
+1449 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F39 858 0 R /F21 654 0 R /F62 990 0 R /F63 993 0 R /F53 957 0 R >>
+/XObject << /Im2 979 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1169 0 obj <<
-/Length 1031
+1459 0 obj <<
+/Length 3279
/Filter /FlateDecode
>>
stream
-xÚåWKsÛ6¾ëWðÐ5c¡x¯£âЮ2®œJì¥iŒYœ¡H•¤›¤¿¾xQb(ZÊÔ¹U:`µX,ß~X¬P
- 6û žôÜýy›Yg4ë[½I&?ß1H fA²íù
-‚$ûÞþ2ŸÄ«é S20QÃ7‹å[§‘n¸}\Þ-î_ͧ<
-“ÅãÒ©Wñ]¼Š—·ñt†HD±v@¼‹?—±3º[<ÄÓÉ»IœCî Abâýkòá# 2}ºwˆ4ø¬@€¤ÄÁ~QhDH§)&ëÉoG‡½Y»t ¦À0%ÁŒa@˜ÆæÅmÝPoëEB`”v!I¹ž`€%Gè£>ô#@¡§0‚‰Å¾m Œ¶%=[n\R³…±YÔ&ÿB¬šéŒ ¶;elW[Mµõ
-7CÂ'Uª:mUæôõ‰Pm*;fNP$E¸Ø:ã²jYsÜ)ëvÊ7õ9/ü^Ÿ”‰XǦnÂÄ6ȼܩ:·šŒ?7yùäD“ʪާ…W¶^ðëÒrã­ê©Ÿ ¥ct¸ô1ì¹)Ò¦G
-o™à@BäKó׃ºJÛyë8vp€6[£]%æaU_ªy>ªÚ×dný7n&u«þ}²ºqêÛåü×øÆißeÎoÆ*ð\\î s¬°\_È\’×Á|Ê\Î÷»ìV¼œ9A£k*c:6 ¥E¢Þ]¯7ª¬Ú§ýËt¯lÉ€ábp¿]z«jšîÒ4ù>/ÒÚ$×>h•‹]sóÞa^Ð óS·s­}2k8äƒöé¿­êA¡Ë½¾µÁe¿í:k¿d@`ÉuZ‰v‡œ¹K+iS™®dHx~';5^Ó~\Vº—±nQ%“x„š%’È[g¹0ÚüoõmÂS7œº`õ¥Ue“WåàŠÙÞÉR$­½TmO£Û›ÌÝq¿Ê>5V2Fáå­iZKÝÑë£s]ŠfH×$‚…øèø«šA ¾Ì b¨­¾k¿’äapŽÛ‡ùz}
-IÙ9»´è
-núì‘WKÀ÷¶ó§¿4D<N•#¥|P%ŽÎn €
-ÌGBÿwendstream
+xÚåËrÛÈñ®¯àÁUªDd^
+™LÕ,IU1Í–›36{€µwgÜî™»MóᮟîÏþz-“Y¦±ˆg÷«,2­ùì>ÿ¼ýÛåo÷Wwçs± ÏçQÌ‚Ÿnn¦™”š·n¯oÞýãîò<QÁý͇[š¾»º¾º»º}{u>çRE
+wçE»Ü•‹¾‘‘ºuAæ©.vÔ­³›\a›ô»vç\EÛìMgy4»lL›;È µ »iI»²®ÈCÄ®
+:‘¼0÷iyÊÑÉæÿVÜ u$^«zDÎC&¿È¥—>Nl¤ýÞÌI® Åæ'Äœ'àlÉzË`³o;Ú¹É:̪pÒÁ·¦.¦„Ý#
+OwƒEo hYP42¥mi/ƒc‚š%àÏÆÑm¥g!N§öc¢O;‚™ùLlp¢}±‡˜Ô Ú|¿Ùï#~bø9Š™ÉŸPE?
+r²Ø%L1N‰dÔK¸L‡ÎXÈTì¼ù.{šŠ8JK_}
+ß&Û}JعrcÍýãó¦j²¼Ÿ-]¶Ïœžê>Ë`…2j¶»rc#RH²ŠÝcáëðÌo²F!½Q€¾qN©èë)Ç‘Hõxò²p@ˆ&}Xé¤Ã
+æëpäI¨X‹>­‹©ç¸sÿ8bØ6Z«ðeÞ:d0¬ö^d—¡ã“2|I ¥£÷2`xfW¹ÏVK`zÛí²º] Ó¼]M¯:x¥]u[ö[°3¶Ñ«8y>ªs’P0åNcªW^èåí79óˆ}¯†ÐÇWÜ–º ª¤CØ·å`¬±55J—$eö˜]k6¯Å#ÌÉX^¬Av
+J7pE©¡®E§WX‹q˜Ê.NÈ
+
+Ìîª|¨mÝZ« ©F¯ìô¨DÐ6ÔvëÌΔ®µOæÑÆ›½èaühßâ`äÖ·MÛ– 2¥F`\ Pš C‘˵þVY«¬¿…vߺ•²¶?KQ®ì(µæw?}ÿÛ›q¸ÙÀ¶o@³â8¦À:ÖG¤ŽíF`1)Îe4eCZ˜p gM §'lKqþªÄÄL=“
endobj
-1168 0 obj <<
+1458 0 obj <<
/Type /Page
-/Contents 1169 0 R
-/Resources 1167 0 R
+/Contents 1459 0 R
+/Resources 1457 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1133 0 R
+/Parent 1448 0 R
>> endobj
-1170 0 obj <<
-/D [1168 0 R /XYZ 85.0394 794.5015 null]
+1460 0 obj <<
+/D [1458 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1167 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R >>
+518 0 obj <<
+/D [1458 0 R /XYZ 85.0394 420.8405 null]
+>> endobj
+1286 0 obj <<
+/D [1458 0 R /XYZ 85.0394 396.5009 null]
+>> endobj
+1457 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F14 681 0 R /F39 858 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1173 0 obj <<
+1463 0 obj <<
/Length 69
/Filter /FlateDecode
>>
stream
xÚ3T0
endobj
-1172 0 obj <<
+1462 0 obj <<
/Type /Page
-/Contents 1173 0 R
-/Resources 1171 0 R
+/Contents 1463 0 R
+/Resources 1461 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1133 0 R
+/Parent 1448 0 R
>> endobj
-1174 0 obj <<
-/D [1172 0 R /XYZ 56.6929 794.5015 null]
+1464 0 obj <<
+/D [1462 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1171 0 obj <<
+1461 0 obj <<
/ProcSet [ /PDF ]
>> endobj
-1177 0 obj <<
-/Length 1550
+1467 0 obj <<
+/Length 1368
/Filter /FlateDecode
>>
stream
-xÚ•ÛnÛ6ôÝ_!äÉ*Z¤îí0 MÛ-]1lMúÔöA–i[ˆ,ºº$͆ýûÎá!eÙR/Aè<<÷Íþ¸“„ÌóÓÀ‰Ó€…|?óœ-œý6ã'}¾‹‰S7ô&"vÜ!‘—·³å›@8ÂcQ$BçvÓóŠâ…©pn×çW»ìÐÊzáŠÐ›Ç‹Ï·oéVÀâ$æxË)ã¾ë /¯ÿ|EØ)}ndÞÕEûH«+U5ÅZÖY[
-¡ Ï>y¡wyõ®/†[Ñ<Ó¸’γõš–D,˜ï³6ßÑYy$Óî²–ÎUG[yVÐHsÔ ÍjM@UäwU¶7¬6ª&¼M×vCºÆ
+xÚ•]oÛ6ð=¿ÂÈ“ Ä )ês}jÓvëP Cã>­{ eÚ*‰šD%͆þ÷ñx¤,Ǫ·À0t<ïŽ÷M¶ æÇYL(Ï£EšG$¦,^õ]ìÍÞÏWÌÑD1'qĹYÌì®bž‘8 ÓÅjÊäÍúêö}È!%IÆ‹õn”•¤)ÉÒ8_¬·wÑjÙ-WaLƒtùçúW<‘4K£FDB²(Ïì7~{‹Ô9~îe1t¥~ÂÕjúr+;¡KüXDx”„Ž_‘Œå¨@JØrÅ(¥Áë¢}?²Ñªpñ±ìµgÅ9É“0qœ8%!Óñ|Œç—, Gäxؽ/4¦¯ï>öæËn
+Ñ ÐK·5´Žg³E )‹¯¨¨ên7èaªÃÐ; lFž\œ1’Çqh/.ªJ=®¥ËÝÓŒ™Œ÷¢(MÍ) ¾™á‘<cÜ ·¿ÙÍ2‹#Cö2f„Hob†aÊÏXòn*Q|=¨JΰŠLX…ì…ÕhúÉ€s~&LY–U³Á(uA€ÖÄ £Inœ‘‘<7‚ìs_6{Cš˜€6A†å`Œh…߃x}¡4ll2&,(Ô’Ó(68õ€»4x<¸Ós Ç?Êpt.Ö ÔËN§‘½IƒÇRÔ ›jЦ€îp¹g†a<ò5P¡Ðv+
+ôU”N|æ$LŒ/ÐW{¥¶îÌVŠ¹Pa$ËSÆà ¶Y
+ýM#
endobj
-1176 0 obj <<
+1466 0 obj <<
/Type /Page
-/Contents 1177 0 R
-/Resources 1175 0 R
+/Contents 1467 0 R
+/Resources 1465 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1183 0 R
-/Annots [ 1181 0 R 1182 0 R ]
+/Parent 1448 0 R
>> endobj
-1181 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [513.6761 73.4705 539.579 85.5301]
-/Subtype/Link/A<</Type/Action/S/URI/URI(ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos)>>
->> endobj
-1182 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [84.0431 62.7606 448.7754 72.9224]
-/Subtype/Link/A<</Type/Action/S/URI/URI(ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos)>>
+1468 0 obj <<
+/D [1466 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1178 0 obj <<
-/D [1176 0 R /XYZ 85.0394 794.5015 null]
+522 0 obj <<
+/D [1466 0 R /XYZ 85.0394 769.5949 null]
>> endobj
-510 0 obj <<
-/D [1176 0 R /XYZ 85.0394 769.5949 null]
+1469 0 obj <<
+/D [1466 0 R /XYZ 85.0394 574.5824 null]
>> endobj
-1179 0 obj <<
-/D [1176 0 R /XYZ 85.0394 570.0146 null]
+526 0 obj <<
+/D [1466 0 R /XYZ 85.0394 574.5824 null]
>> endobj
-514 0 obj <<
-/D [1176 0 R /XYZ 85.0394 570.0146 null]
+1470 0 obj <<
+/D [1466 0 R /XYZ 85.0394 544.7049 null]
>> endobj
-1180 0 obj <<
-/D [1176 0 R /XYZ 85.0394 536.782 null]
->> endobj
-1175 0 obj <<
-/Font << /F42 597 0 R /F43 600 0 R /F56 618 0 R /F57 624 0 R /F11 1157 0 R >>
+1465 0 obj <<
+/Font << /F21 654 0 R /F23 678 0 R /F47 874 0 R /F39 858 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1186 0 obj <<
-/Length 3204
-/Filter /FlateDecode
->>
-stream
-xÚ¥ZKsã6¾ûWè¶t•EøÚÛ$ãIœÃÌd¬ÙÝT’DÁw(RáÊòë·Ý H‰.§jgÍÐèÇ×-‹E
-D´È÷7Áb s?ÜæY:¦å˜ë»ÕÍý‡8\d~‡ñbõ<’•úAšŠÅjó«—ø¡ûûê§ûY0â ?
-%ˆGžïüòéÓŠ¸&Uê+‘†Ìöîãû9I±J¡˜çéaõõñýœ(lsýDÁ‡O_n—ax_?>þ‡FO_n£Èû××'à·ð‚ͽû¼z`ÞÄ¿mÞw°KÉܧßýò¸ú…Þ¾ÿôñéñý×w·‰òVð†;ºyX :ë]úÇͯ¿‹ ¨ÿ§›À—Y-Žðø"ËÂÅþFEÒ””ŽRÞ<Ýü<ÍÚOgïQ PËõEªp!”/LŽo2Êü0MBw“·K—î診ÚР5]_ðõû\7—úmMóbšÖêÖÞ’£
-Ë0õã$“v¹O|”Fîó4vŸßÁ[¦¼¢#jÑß¡nÛb]¢v5Q›ÛÔë+¢ñ¥µ`Ùš¶Åc{‰ŸÎæ਷"õà¸f3³gûQ–8fS½Ä^íMÕѨ‹¾-ª-olgXÎØ:Eû©‚Œ_¾¢+™úadÌþÜWyWÔ•e¶‹®OøÑb)³ÌWA¨K!ü,Šè&ۃɋç“Ý“”Òî ¡÷[*VI2Z- ü4Lb^mÙÍlˆÄ ç_(ÇŠ®¸1ôš(õV;¼,\(×ÍïLy Q±?î^ ÚSÛ™=ñ·&;ÑÌšŸ‡Rç|ˆo×JbÙú|¨Ìt]ÿ‰Ã;ÒLú Ê)†‚ÕqWä;²ÕcQ–4*‹}ÁÆn…ƒÞë­×Šgö‰±¹óTKϼvÇÜ­ÙØЈ–F—É0¥8WÕ°~¨¯oÍs;QÂ{6ºëí׆&­ÃíK ¾$\Yx-(ŸÞëgâ`'
-cϢ
-sÄØ<§bÀ1Iš‰¿ bÈìQââfÁëÆ 0Êž#²[›R ~ ‚°4„=àd
-`Ë/¸)¼œç+
-Eé¢%@ûø"í4…-Üa‚i|Ý覰—"d±‘gÈÂS´Û#Qœ' .ÊRïÇúˆÞ%+ª6M ŠLµ!8üñ
-{§Ú&`Ä~G…Ý P÷úDܬÇÔ‚Ë 2.­rÂ< æSmÛK/˜–&B„K¸÷órÿ—iê9„ ý$Z s!F!*ScQ ø
-´ËAˆ‘ê-ar,¬¬·s¾‰)0HÎÀÅÕÔ3¸XÜc™¦Ë tÅ~ÎMS‰nêìÏ°)é‹$N¯+õ¿NÑìU¥ÿKÏ·Â禨›±…SÀÍõŵKe©0þ;.•9Ç£ÅF‰ø‹Ö›—Ÿ@1†ç€ÖC 8“œá¢âÀѾJ%aa‚;R¾ÓÕÖ8º –ñÑ´-WL¶eÄ}½))×ÝP§ámÐ`¦&U4õ«H½Z`@îUÙ
-ôðeˆ¶kŠ¼s• N˜SMê¦k§½Œ‘×_w3H0ŠÜʸl$B PÆ2åÈ"9®¼?~‹œ;„‡îx™'×éy³AøŽ]J
-Éžëd‰ÐÛ8ùHíY>ŽŸuΖŽoí®îË ×ü)é©dÛýÁÓ-
-aôŠ]J/´YL5 kâ8A¶Ô/Ì:D®ðœf°
-`èÌ3õvd`ͧµuyÂG·¸1¾… Ï$
-¢ÚÜG‚ýí›9Ñ _ÇÞ’¶¹â|¡¢ååÏX3¶eغ\b”fn RŽ1-ÿð®ƒ5/ö'„pEØ`“£f@¶Êü –®ÿBjZê²ÈOóc”ÈøR[Öx°6C»xãZü
-endobj
-1185 0 obj <<
+1473 0 obj <<
+/Length 3343
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ZmÛFþ¾¿ÂßN ¬eÍ‹ÞŠÃÛfÓnïô/dKkë"KŽ$¯ëþú#‡œ±dk›
+Î1äHÿ/ÝôÓ$I¦o`î$~aƒpK¾/Ž7o®5 …¤W'|q©ŽëzÕÑ¥^KÃeÿA ÅLh_i° `+0Ø|‚{òµ Bë ·s·Þ¶MÓ“­guNƒ®èeÎòÔ`å
+‘xÁ,FŽÝìQ1 ‡aâ-·xY¸Ð:«i~[T{•»=ÝKA„îÔõÅŽø»b}hËþD3+~î«lÍ›|»FËÎΛêÀüVÍï8¼£“I¤æìÁPn9nËõ–ÌôXVªrW²›ƒÂAží²75Êg¶ukéh¯<ÕÑsÝØmîÊ®ÈM&Cˇd’Ä9Ð}ÝÀBø¡¼CW<P-¼ç"ëæë‚&Ãév áÊÂëàðé½y&v •´Ý²UY™36Ô†žÎ†ËäY±³‚3“ñû¡Þ·åKYò³»ñÁ†øLо'¬MB
+k J¤æŽñiÜ žÅïÙn_ñ$Øâ΄e|©ÊšÉxó†Òd<Ç®bK–“MíKAÂHµúŠ}¥ajï—=ónB $•@VÞâ%ku¶›ŒÃp¹2‰-ë:~ä¹½Ù±-_¯H&Lû¹[òš”
+PÑ’îhhœç±!N9íK›Õi
+ÞkP?Vÿz2âà‰]:á‹FÁ ŠÅ•Õ+·Ê0¹Ì$×M¥¾w}Ö³¾f•ºi-¼ƒ)Ø¥{ˆ–
+h—!&„£ô—„©¡°ªÙLù&¦À >[+OàbMpeýšÐA_î¦Ü4Qè¦vÃþ
+ñ­7-?†bBÊs@;@ 8‘œá¢¢ÀÑCïJ%a`‚ÝÒz›Õ›ÂÒM5tˆE×qÅdZ!@Ü5y‰Lë¬wuÞfg«~8A ¦¦ôe¦hÿ´ÀHàRµCUÍqêv”ôS©«ýp]fãºóIwûg4km
+3X |È<J©±g«[ I }*&@O¨óò1Šrà;ÒK[t=+µî æÜ›<££wÓ„B [nüU½•¡Gh !XlDb™Ï¨QW9Jn@@ë_³ô4 ƒœ|økÞ9t)A͹ԨUmùd
+@µuqÖÑpw ±Ø‰ñ]àŠ¶$Áý"póQÅÎrg´8~zƒ§b eý‰ðAâÔ*²®4… ŒŸ©´1‹ùûªkøěީšYÏ#åcºÅ±Ò/cΗڰ ™Â«7£RåKé ánfîØ'jsXÆ4’LÇ„^HYŒOÆÊq‚]•½0«ûa
+hDÙ† Ó|ßTåú4ÝÂc÷×+î´Œ#ð`u®øò×K­ÐÇ?'™ø“ƒÀÕ4ù¯VÎ8OhK9¬œ†5zâë„°R¸³D_inÿ¼åZõÿŸJendstream
+endobj
+1472 0 obj <<
/Type /Page
-/Contents 1186 0 R
-/Resources 1184 0 R
+/Contents 1473 0 R
+/Resources 1471 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1183 0 R
+/Parent 1448 0 R
+/Annots [ 1478 0 R ]
>> endobj
-1187 0 obj <<
-/D [1185 0 R /XYZ 56.6929 794.5015 null]
+1478 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[0 1 1]
+/Rect [63.4454 757.0719 452.088 767.2337]
+/Subtype/Link/A<</Type/Action/S/URI/URI(ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos)>>
>> endobj
-518 0 obj <<
-/D [1185 0 R /XYZ 56.6929 769.5949 null]
+1474 0 obj <<
+/D [1472 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1191 0 obj <<
-/D [1185 0 R /XYZ 56.6929 747.0488 null]
+530 0 obj <<
+/D [1472 0 R /XYZ 56.6929 739.5018 null]
>> endobj
-522 0 obj <<
-/D [1185 0 R /XYZ 56.6929 613.0366 null]
+1479 0 obj <<
+/D [1472 0 R /XYZ 56.6929 704.7645 null]
>> endobj
-1192 0 obj <<
-/D [1185 0 R /XYZ 56.6929 586.6546 null]
+534 0 obj <<
+/D [1472 0 R /XYZ 56.6929 563.5308 null]
>> endobj
-526 0 obj <<
-/D [1185 0 R /XYZ 56.6929 473.2336 null]
+1480 0 obj <<
+/D [1472 0 R /XYZ 56.6929 535.7626 null]
>> endobj
-1193 0 obj <<
-/D [1185 0 R /XYZ 56.6929 445.9291 null]
+538 0 obj <<
+/D [1472 0 R /XYZ 56.6929 418.2412 null]
>> endobj
-530 0 obj <<
-/D [1185 0 R /XYZ 56.6929 376.148 null]
+1481 0 obj <<
+/D [1472 0 R /XYZ 56.6929 389.5504 null]
>> endobj
-969 0 obj <<
-/D [1185 0 R /XYZ 56.6929 340.4845 null]
+542 0 obj <<
+/D [1472 0 R /XYZ 56.6929 228.1296 null]
>> endobj
-1184 0 obj <<
-/Font << /F62 634 0 R /F90 1190 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R /F57 624 0 R /F77 703 0 R /F58 627 0 R >>
+1229 0 obj <<
+/D [1472 0 R /XYZ 56.6929 194.8993 null]
+>> endobj
+1471 0 obj <<
+/Font << /F37 743 0 R /F67 1477 0 R /F11 1293 0 R /F39 858 0 R /F21 654 0 R /F23 678 0 R /F47 874 0 R /F53 957 0 R /F48 880 0 R /F62 990 0 R /F63 993 0 R >>
+/XObject << /Im2 979 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1196 0 obj <<
-/Length 1975
+1484 0 obj <<
+/Length 533
/Filter /FlateDecode
>>
stream
-xÚ¥Û’«Æñý|…ÞÌVY, 'ÇÞÛ—].Ÿ­J99y@0’È#à eýõéžî$qâTe÷AMߧoÓ 6ü‹M&ý ÊãMšÇ¾ „Ü”í»`s
- À„ôÓ<ȬÀ˃Âëõ¸kÔpÔÚÔÝa±ÅIÈbIä§I@v2_<lEÞ“n[Ý‘ÁŸz jÚaV ü\J§ çS‘9“ŠgóÙƒ”Þ@J:m¸èþ¼ù=õ…€²`kÏôó1ÂÃØ+zÒ£“>Wj/½î_²gÑ&÷ó$LØ1O‹˜rMQ,¼ AƒnFSã!ñÉè {Æ`Ù‡ºfáMSÌœEWPꎽ\PëaÕààkݦxe/NýƒÈ<uVÙ3c[U #QXr÷†GÃÃL1‡Ã ÊØ„nÃ4õÆþ&^£‡ ‰~5¨);µ×¤õ¾û 9( ,w'“²ƒú\WÌV~Ðä`Éh½'ü±î ›³ñA\ÝÝ–cƒÉ#e€º> °UQ~1t‹r°§X) † œ®,¬û6ðH.-Ëm©÷ߌ:²f>;Ö¼ÿ‰¦‰?L"Wó¡«ø®ìU NÔw†¡ƒ»Ã„žL}P}]4ÿ8¶;èñõRΠÇòÈÚû»î°^¢ꀤ£Hx•ˆP¸@!å_£­x@3ÏÌ¿»Ï˜£* Kê^aÅH踯ˆ¥Ñ†80õˆ8)}jX
-*“`¢%”-~ôiéÃZUsu„Î6÷È ¨²B«ÉèäçfP(#4çám-†!GX~„úþ~øáýûŸö‰ôáÙ›+qwÄ‹³"ìN©Žp&e’l jí4S>Â$@Gø%üž€R·§FK]t¶•W+
+xÚ¥TM›0½ó+|©¸6Æ`³IÚ²RÓ4a«ÕxT‚Ó@6Úýõµ3·¶ôTEóÆoÞ|x€"b~ Ž “1JeŒ9¡•[ µ9ûêQÇ Ï¤ð–u—{Ÿ¿°I,“(AùË–ÀDŠòêÉÍóé"#Nü!Oˆ—Í&à‘ðXNÇ‹,4þ1[f“éb¤±Ÿga,ˆ0ñÌ)Lg£ïÙøó P§Ôžó{oš_¹m–f»øí==T™žï=‚™ ˜J¡­s†yÌØÙÓxKïçEðæô:4<Îæ"J¦±¡éq‰fŽìô–z«lO‰ßÕ½êÀ,7ZwÎÝkûäþ/¥và)šŒê­-¶uið[xØUE¯*8˜ØyžE_€U· ã`wXUz[€×H¶.²RZ!—{Sô7üÐŽÛôRŠ%çÑ©'ÂTÊä)…Ú{2è]·ÊÜ,#‰Ÿoê˜Çâ- ”úŸ Œ‰I§Àßë]بWÕ\cÁ*uÛ›|u»vx_÷v
endobj
-1195 0 obj <<
+1483 0 obj <<
/Type /Page
-/Contents 1196 0 R
-/Resources 1194 0 R
+/Contents 1484 0 R
+/Resources 1482 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1183 0 R
-/Annots [ 1203 0 R 1204 0 R ]
+/Parent 1486 0 R
>> endobj
-1203 0 obj <<
+1485 0 obj <<
+/D [1483 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1482 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1489 0 obj <<
+/Length 69
+/Filter /FlateDecode
+>>
+stream
+xÚ3T0
+endobj
+1488 0 obj <<
+/Type /Page
+/Contents 1489 0 R
+/Resources 1487 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1486 0 R
+>> endobj
+1490 0 obj <<
+/D [1488 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1487 0 obj <<
+/ProcSet [ /PDF ]
+>> endobj
+1493 0 obj <<
+/Length 1978
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ÛŽë¶ñý|…ßâb­(êšM“=M² 9 iOh™k«+‰ŽDÙu¾¾3œ¡$Û:Mî>x4wÎ#‰Uÿb•'A(‹x•q„"Y•Í»pµÚ·ïóĉ ’XJxX n™Ie«Í\É×/￉Ä*
+ƒ4’ÕËëh+Íò q±zÙýcýtPG«»‡M”„ëüáŸ/%±8ÈòL X&’ +ÂÜ ¼<!Ö¶µîÆتÝb"dœF,–Ê KC²“âa#Â0\?™¦1-ü©3 ¦é'"(’Ä+à|&r¯`Tñl?{H’uOJZc 8›î ¼ù=Ì™€R±µgúù†Ñ~è4=™ÁKÔ•ÚsgÚý—ì™\A‘F);á)bS@ IÆb½Õ½%¨7õ`+<$>Y3bO,÷PµÀ,Öª®ÕÄ©Ú¥iÙ˵êûA÷¾ÖmÕ{qìD¾Ö'ÝZ=1¶ÑªˆÂ’Û  3ÆÓk뺉²l=ñ7]×f¿‘èWJ²Õ¯†´À÷
+
+U[”Ár Ö:i¸¸?\ ßÜÒ“i{ÓÙjhèëéùÃW  ¸áЯ4ÐAZúLÛ)@lWšhtc• ”(z@ÅŽ­J–R{
+¦ÛÙغªóëçß/E˜Öÿ0]¿ÿîé'„=Ž}Xi¿ÁÙqÔ°à×=Án[^ÞjwX$Œ~âô¸áÃIUµÚâšà1Þ¶VåafƒTWmY;Ý/èÅS-\âÔ;q´†h# ý»ïTÓcåÅÐÕ¾­pO.©J}Wõ¥(fðèFÈ$¼JO¡¸`;(B˜â¬“ñÒeÈtìÒ€¥ßôÎk«à䦫ì…dV±aO·¼/·</SLÕvó:´;§5ƒULã FàþÞÛ,&Q¦9T+‰ÃÌ«pF¢ßÐø'À_U$ò‘¦Þ‚aJ"۟ʹæG¨£*ßÔž9*ÈëÂqf©‰/b~êü›>¼R
+zr‘B€_sTm ©+}Í#ʭ訉JÓ¸w
+endobj
+1492 0 obj <<
+/Type /Page
+/Contents 1493 0 R
+/Resources 1491 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1486 0 R
+/Annots [ 1500 0 R 1501 0 R ]
+>> endobj
+1500 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[0 1 1]
/Rect [348.3486 128.9523 463.9152 141.0119]
/Subtype/Link/A<</Type/Action/S/URI/URI(mailto:info@isc.org)>>
>> endobj
-1204 0 obj <<
+1501 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[0 1 1]
/Rect [147.3629 116.9971 364.5484 129.0567]
/Subtype/Link/A<</Type/Action/S/URI/URI(http://www.isc.org/services/support/)>>
>> endobj
-1197 0 obj <<
-/D [1195 0 R /XYZ 85.0394 794.5015 null]
+1494 0 obj <<
+/D [1492 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-534 0 obj <<
-/D [1195 0 R /XYZ 85.0394 769.5949 null]
+546 0 obj <<
+/D [1492 0 R /XYZ 85.0394 769.5949 null]
>> endobj
-1198 0 obj <<
-/D [1195 0 R /XYZ 85.0394 576.7004 null]
+1495 0 obj <<
+/D [1492 0 R /XYZ 85.0394 576.7004 null]
>> endobj
-538 0 obj <<
-/D [1195 0 R /XYZ 85.0394 576.7004 null]
+550 0 obj <<
+/D [1492 0 R /XYZ 85.0394 576.7004 null]
>> endobj
-1199 0 obj <<
-/D [1195 0 R /XYZ 85.0394 548.3785 null]
+1496 0 obj <<
+/D [1492 0 R /XYZ 85.0394 548.3785 null]
>> endobj
-542 0 obj <<
-/D [1195 0 R /XYZ 85.0394 548.3785 null]
+554 0 obj <<
+/D [1492 0 R /XYZ 85.0394 548.3785 null]
>> endobj
-1200 0 obj <<
-/D [1195 0 R /XYZ 85.0394 518.5228 null]
+1497 0 obj <<
+/D [1492 0 R /XYZ 85.0394 518.5228 null]
>> endobj
-546 0 obj <<
-/D [1195 0 R /XYZ 85.0394 460.6968 null]
+558 0 obj <<
+/D [1492 0 R /XYZ 85.0394 460.6968 null]
>> endobj
-1201 0 obj <<
-/D [1195 0 R /XYZ 85.0394 425.0333 null]
+1498 0 obj <<
+/D [1492 0 R /XYZ 85.0394 425.0333 null]
>> endobj
-550 0 obj <<
-/D [1195 0 R /XYZ 85.0394 260.2468 null]
+562 0 obj <<
+/D [1492 0 R /XYZ 85.0394 260.2468 null]
>> endobj
-1202 0 obj <<
-/D [1195 0 R /XYZ 85.0394 224.698 null]
+1499 0 obj <<
+/D [1492 0 R /XYZ 85.0394 224.698 null]
>> endobj
-1194 0 obj <<
-/Font << /F42 597 0 R /F43 600 0 R /F11 1157 0 R /F57 624 0 R >>
+1491 0 obj <<
+/Font << /F21 654 0 R /F23 678 0 R /F11 1293 0 R /F39 858 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1207 0 obj <<
+1504 0 obj <<
/Length 69
/Filter /FlateDecode
>>
stream
xÚ3T0
endobj
-1206 0 obj <<
+1503 0 obj <<
/Type /Page
-/Contents 1207 0 R
-/Resources 1205 0 R
+/Contents 1504 0 R
+/Resources 1502 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1183 0 R
+/Parent 1486 0 R
>> endobj
-1208 0 obj <<
-/D [1206 0 R /XYZ 56.6929 794.5015 null]
+1505 0 obj <<
+/D [1503 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1205 0 obj <<
+1502 0 obj <<
/ProcSet [ /PDF ]
>> endobj
-1211 0 obj <<
-/Length 2583
-/Filter /FlateDecode
->>
-stream
-xÚ}YÝsÛ8ï_‘·*3kWŸ–to‰Ó´›\&Nogîöh‰±y‘DU”âzÿúPV¼ÚNÇ$>H
-ñ¶—'wªiT³#Šµfª~£k¡ß‹š©›£éeÍ*E1tn ÑÞ(óœ|g¼ÑAõçvµÃ¶R…è•nÆ­áŒx*ò+yòñÓ{yèÿB#öT욶ÅYÄŽÙ‘×ÈQŒ³ˆaˆXJStjkmºµÈ`sD#¢Dh«dYH$Ž R¢åå"
-}ï“5E×ã*1[£I(©µ?±¾9iHñ{|¸ÌC晴=dNC¼ß'-\màÔ–„KÓo)Žï Nï¶éeK€r@ì­,lÜp,XCšÞž'è7ü•?[Ù)Ìp
-ŸÝf¥|••nm¢Ø%È°Äzyæ4¨Aöƒ(K2ÜʱÀ÷L±—6‘`l ¿‚~:Ѫ²:Ò Gƒú-€û¬i¢"8æAw/,ݼ*ŠAƒg€°„ùÊ»·9
-.Ü52>õJ] '$¨‰¬ÈêVÃA%ïVSèõ«ÅSo+ l1ãw{›rwÏ`€"×ÃÌ“¸&NR¾Y@ ü(Gà„†ñÆçtãÍb­›B¶vk ‘[`ðIªR½’Õx…‘;]>±ÌpºüŒé´ÙmÝVr’…QÈ[â`ÓÊÂú—€ƒ cPa–MöFÝ][áÀôÀV½4DZ·óa¯Š=¯RUs)3µzc¸a ?!”ïmUAbºEòåÊÏ©0=f¥£;ÓÓäºó…ÃㆀFFv¯pô4ö,¸ä^f¦¥ÖÝ_%\\ `
-¬k”x϶Þ60¯G³@¡P‹9ëeSXKâtL¯ú¡ç "*߬·›[ÂX”¡¬‡Áæñ–ćÁðÀ³ˆõžâ~Ä,»ôÔ ¬%ª6‚å÷·kÜhIWô3f'ÀLbZèŽ묟4r.Æë%|€~-»YÉ#Í\ ¡}9`ˆl/‘øØ– Ò
-Hä¥m–!yÌ2œ­y$ží9#€õ-o+æâ°#ìZ8­Pœáw׉r ˆôC¸ÁCÉÐ<›,ðKɃ7É2.NÒã­âÉ8šÒFĸyâϧªÿfÇ )ÜÈgÙ˜ùj_¾
-È1î𥑈6Hy •ÿ'‹ž3窄Š
-ãéVQŽÜ¸Æ²d]þu
-i~„„DœCÐÓí†VJc‚£„¶'JŠÍTœBB5Gbj,@Äo¥nmú
-Ý@ýÜTÝrný@„M
-7Ûì!`•CÇ=ÜØl¢ЭÿöG¤”Ÿ Å7PƒÇfƒ°œäuBÁ2Q‚‰ß%!vy›ZëžXkÑU‹;ÕCŸ^U¬y§^$qï†ÁVúªj"^WZóº-U6Å’¯ÿœµ
-³¿¼Xdƒ¸Hâ´„*7lü1€?*~6ïa›ÊÁç–‰´#Ž¾q®Wæì-ýÏ% $0 ˜.Yrïõ„š0‹—9ß<ZÎRð¡o«HÂŒ·—¶O·22ŸÞ„üíMÈÏoBná°ÑÇ­[ñã4¶;“·“U¸sH
-Núçˆ` ›·ðnøA'»¾/„«¼ÿV¤Ö
-¿Ùø7Ä“|ÎV¨Í¬w£™û«<¨yp\ï;üŒÕ:þÍ­zÞ;Yýrvë,(š¿¹kQ–º»†“Ì^¬†”0 `àYfôø© y¶yÌ&)MäXÓ!+„Mi¹ìÿ³è˜ÓÙ$§ÚM¡ZQÑÔ5-óÏ…Šö.àÐÖµËü¿@Ï ¸ÀlRm²Øž?"†n¸r—4ß‹WIB[ißo@ãŠ!Y„ƒ7½j‰N•§fg›·m(ÀÛ1~ˆC¯ ù>Þ‹ ˜š¡è鉼•¶háÐ}ÃP¥HÚÈáCi³¶.G”§øbÈV$/“ ½½Ž6gž¶Å(…ë«·´ô|çâ4&¤{ÒúÓtÀé9nO>ÌNÞæãÊ¡@˜]š(¹©<ýÂëªÊ;ãÏ<½¼Fçéß%Põ Qì:@`)C¿Ü•¯Õ€·[Û
-endobj
-1210 0 obj <<
+1508 0 obj <<
+/Length 2638
+/Filter /FlateDecode
+>>
+stream
+xÚ}YÝsÛ8ï_‘·*3kW%Kº·ÄéGÚM6§·3w{´Äؼ諢×û×@€²âÕít:&‚ññ¨>ü .Òxé‹,ºH²hûA|‘Wïü‹ð>¿ xM‹e “î"é2NÃäb1Ýäúé݇OapúËÕ*Œ/žžÇ³VIº ã hÅ¿½«¶Uu¡^.ÂØ÷®.ÿóô•ä¢e’&ÊùpÆjÁ6S‰\™qq-E„l»x-#±´x\.߇­ó—º9”ªØUªî'²Á2‹c'+P7r¢'aRïºÓꙆ_´é›îH“†‰ý^Ñàæ~CY,z{ÃgŠ‹l™­ÂÆËL¶FÙï›a·‘ñv0ø# #8#H½?|?̵,‘B¼íeà©®k]ïˆbµ™Šß4•Ô5ïeÅÔÍÑôªb‘<ºP¨¯H=·>ÈR>è ûs½Úa[ê\öº©Ç£áŽx«Ñ¬p«ÇOk4Bäe¡ÿ ØR‘—7t,Îrd ¯V¢§-Ò±P&ïôÖê t«3AgA#¢Ô€EÒ4${)by¹¡ï}²ª4Õ¸KÄÚ4$”Äê[gnzõøp™…ÞU­zˆœ,ž½ NZº*˜ÚÀ­- ·¦ßBßœÄÞmÝ«¶
+õªÊ¦µb· Åbkå7· ìmjYÁÚ²(Hqc(Æß3ù^Ù@‚±52üJúéd«‹òHP bh·
+F`4†dƒ\#å¯hòЄ6DÖ5DuÛÀEŸV‘ë›W5.O¼­4pÄÌ l6e.Ï`€"ÓÃÔS%˜&ŠÎ, ¾ˆÀÄlƒÐ0f|Foë¦ÎUk™Ÿd®KÝkePŒw¹ÓícË §ÛÏ„ v[µ¥šD¡ùHlZ•[ûp’!ct*ÌÒ©ÃÞˆ»TÀ±5L|iÅ C¤¡u'ö:ßó.e9gð®õÅ cø ¡|o;èÓm’.W~J›<f%£;ÓÓääºã…Ý㚀FFu¯põ$ò,¸d^j¦%ÖÜ_$®s.`
+¬õæñ3ç,
+;(“¶ðÕuóçÑž<N°Û+Yáøö™a!±½C94Wz쇸^Ш©ÝbW'šçþ0)F‰ËWÂű(M­Þ‚ÿ£,Û= ײj·ª,Y©oêõ¼sIêR¶VÉÀ& ¾jôN÷¤¨ï}ü1èK%-YsÇ3†µ‚RÚ#.Q( ’ùÔT§7F ŸgÐ[¦nKt X\DRHó#$ âLŒM²ZI(1Žb:ž( 6SQU‰Ù`"~«šÖ†eiX*oj¨ŸÛª[Æ­,aÂÍ6[XÅÐq76›¨tëÿ€ói äç\ñ Äà±Y#,§
+X`àYfšñSòló˜NBšÈ±¦CT‡.’P¸èÿëÒ1¦ÓIL¤ë\·²¤©kZæŸ =í\À¡=¬*ù3Ý_Ø'à‚³SµÁÞ_а©¹r4ßËWÔ×ÇO;6qÆCñÂ`L{5œ[{ù®õ÷ãi³³±Wà <ûs¹ .èõ€zìb|øëÞ…¿T
+^Pè-ŠF®Ü{#xóÂð¡¡šö&È_[?ã!V2æï‡È2C ØÆ’[e«"ÒÝG]Ø«>¿+à°Íú½™MK
+'Œ%ô
+A>Äú¼~5gŽÅÚ
+x&4ÐflIæ ¾º4¦ Wp`4 9œžÕgœÞÿ0ás‹!G(_˜Й¹Ì˜<ÓoÊ®ŽùoÙ)°àéäòdYòwõPˆ³ÎDD®ç–6ôË}0ðÚ~k;  ÛÏ”4´è.ܧZ 8WìuKú 8¯³Å&ù©®‘\W~¶å\‚jgtÃk–¡Û$œ…¨2oÍW•â׉q&+4„Ø
+endobj
+1507 0 obj <<
/Type /Page
-/Contents 1211 0 R
-/Resources 1209 0 R
+/Contents 1508 0 R
+/Resources 1506 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1183 0 R
+/Parent 1486 0 R
>> endobj
-1212 0 obj <<
-/D [1210 0 R /XYZ 85.0394 794.5015 null]
+1509 0 obj <<
+/D [1507 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-554 0 obj <<
-/D [1210 0 R /XYZ 85.0394 769.5949 null]
+566 0 obj <<
+/D [1507 0 R /XYZ 85.0394 769.5949 null]
>> endobj
-1213 0 obj <<
-/D [1210 0 R /XYZ 85.0394 573.5449 null]
+1510 0 obj <<
+/D [1507 0 R /XYZ 85.0394 575.5478 null]
>> endobj
-558 0 obj <<
-/D [1210 0 R /XYZ 85.0394 573.5449 null]
+570 0 obj <<
+/D [1507 0 R /XYZ 85.0394 575.5478 null]
>> endobj
-1214 0 obj <<
-/D [1210 0 R /XYZ 85.0394 539.0037 null]
+1511 0 obj <<
+/D [1507 0 R /XYZ 85.0394 542.4777 null]
>> endobj
-562 0 obj <<
-/D [1210 0 R /XYZ 85.0394 539.0037 null]
+574 0 obj <<
+/D [1507 0 R /XYZ 85.0394 542.4777 null]
>> endobj
-1215 0 obj <<
-/D [1210 0 R /XYZ 85.0394 510.2426 null]
+1512 0 obj <<
+/D [1507 0 R /XYZ 85.0394 515.1876 null]
>> endobj
-1209 0 obj <<
-/Font << /F42 597 0 R /F43 600 0 R >>
+1506 0 obj <<
+/Font << /F21 654 0 R /F23 678 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1218 0 obj <<
-/Length 3135
-/Filter /FlateDecode
->>
-stream
-xÚÍZëoã6ÿž¿ÂßÎÖZ¾$‘é]l^M»—æb½C[àd[‰…•%×’“øþú›áz$v²½Mq»‹À|g~3ä ‡âÿù Œ‚È3ˆ
-BÆÃÁlyÀwÐwqÀݘ‘4êŽú09x‰ L$¢Áä¶CKLk>˜Ì28
-løáòÃÇË/nŽ¯¿û×áH„lø+ ÙñÕ)UÆ?]\œ'g®zsv|zyuCøá(Ž __Ÿ]^þ“ú‘*kZOÎƇ¿M¾?8›4lwEãL"Ï¿üòÌAÂïX Pa7F –*”A¨¤ô-ùÁøà ÁN¯º*Î!–çX)1à*
-:»`…&:,q8â ĺH‹tä$ëéÕؒަ봘¥T½,nËõ2©³²@ái ˜0´K°ÁH² Š¹öÄîÈ_^ßGD#™Ï×iU¥UG%ðÏâN4eGÅ@R¨À(®,IGFÇ–Ì!×COJëaB ÔÏ…M³šz²yZÔÙ!‡Õ˜H×n<ÈBc³¢N׷ɬ!TÌ©£JëŠJå­£ÔÙláŠi»¾h«å|3Kç~ê«)ŠŠÂ5èp„zl†uI¿°N–guR§T¯fIžLsW»DVŠ´¦-¶©³â Ušx8Y´ Á€¤[©TóÕíÊ
-E+(ïâ{Dš £Žf¤ŠÐlR ó?Ù,©ê*”<ˆe3îBÄ´ i†Ôâ„­ 8#k˜È=F´»Mñab"R±V%ßìàR‹@j)ÜâÇÅv“Æ©“2’–I\­Ï$¶XÓÁÅ=?¨, |=¦ªo Á
-<ßÁ×a ¥ˆÝºßäõ^M b.ß‚C‚W± ŒyÜ·Á–o´"ΆߵF»õÁýÎÓj¶Î¦®†öl wy9õgˆ7ˆfÓ;k¢†j¶H—©[ãÜnDh]–ÝŲö´yçf¥®ëæü„
-BÆ*h6S)èð™xž’»;"z—Ônóü!N‰Ç‘kKš¾</h{ìò‘TAÌA½Ÿá
-BPC,LØwÿÛ,ÏGç€ÙËÍc@ËýŒ>©Ö'GBqwüL×L#°$xE›VŽà
-ã!t½™æٌʓC#†åªÌË»­ QüXK³·8çQ
-'¾né(ÐfÊD̃Ð(¨0pj:ú<ÆY>WÒh‡^¢¨;ñÛ½ößaóë…<œ‘‘Þ¥Œ¡Æz
-®(
-Çý Ú³‹š
-K°"¥z¬‚tŠÆz1k†QÙUúX¿‘™u˜úzÍ,Œ7 W‹ (Š°ëG÷: v ½v¶¾^ìÖòè„Ù‘¡€òòjrvs~ÛñÉY ¢â²5À—"Ÿ½pµœ¼ZŸÇü¾››8€p¿„¨\òÏŒb
-Iz¼mkV òl¿P]RÕ‹Ø L‘ÇMê»sÖØEŸœ5O¯kpÚ°¸Ÿö"맪ÔVÙVÇ…çyž9o’Üå{…4„yý|zÖ?ÿ¼ÛH\–4»O]‹ÃÃelÑø> ÃaV/ÜÉy}½{–Bõ¯<Ó4/t›-.}z·ó”õuR/ü}³^$nÝe2[dEZ>F·W 6);‰^ÑW.ÖgÉ*™âûÉ–êv7íß dO {‹‚–Nj ™>f”4ÚsE¥úUu„Æ`v0âf妩ïY¯³t¾ë1¨ÜÔ}•ÐcÊM1O`^õÎé "1º y»1(sŸlû¹ë“<©ª¼Is[ã<-—‰§vCIí=éäòô•ôµ :Z`QÏ¡²ði*,76Õ¥©›²)²ß7n¼•ÚÀPj .âÃ]Š¶âŠÐ±€p$â(“Ð0ÀÚN+ª6·ËX€RVíÒ‚'bz=Á!+¢'ïØSöFÄö­q]5óÚ7¨N·µ5{ DÔ™· —ºùCûb'zï(¥ä˜“Qçççgøk›Ò(žð™'¯±÷X؆¢Þ.ÇCAgЕ—)½§ÀfÈî
-«Ø5u“%CÁ®ïY2¶¥lÐX”›|N­NDìw“får•ƒ§M—`jé< g¯ãÞ!ԓʽ$za¤ÔÇuV×H+¸CP)èÛ¦y9ûTQ¹JW V]عö Ä 5ÌÀ%öŽQ¸€}yšÌívÂÿ!'X:‚öѦ¡v-jY¢Ûõ£å[ê¼y+}¢°ô1HÒ£æ¾÷žÞ=<Á‹ò£ùT ø5G cPºEÞnnSÍÄTŠÝÏòÝÝïŽTóôùÌpðÜéÌé“Ê k, †äÙ§4ßR‡ÝE•ZÔtá
-~ÏI‹ƒ|ò¬p÷YB…ó >,s5Ä
-nëÕÑû÷(wUYÎ7ï³bdUó?®°ö—…Î5“É
-endobj
-1217 0 obj <<
+1515 0 obj <<
+/Length 2940
+/Filter /FlateDecode
+>>
+stream
+xÚ­ksÛ¸ñ»…¾Už‰` ÒétÆçØ©sãÚêcšËL)
+’8–HHÙñýú.°
+à?‰ˆD KF2 ‰¨e›³`´„½gÔÂLÐćúizvqËå(!IÄ¢ÑtááŠIÇt4_FÎC0þxsóxõ—ó ÁøÃýonooî¯opzwûåñóÕ¹ ÇÓ»/÷ç“X&b|õðpsÿáîŸs¥[½¾y:ÿ6ýtv3m8öoE®Ùýõìë·`4‡Ë}: Ob1z…I@h’°Ñæ,œˆs·²>{:ûkƒÐÛ5G¥DÂxÄÄÄ舆„‡°éËI$„Å’99Oh
+µK×}9©…Ú©"SVNÅ¢ÜmÒ:/ }y$AI"„!Œ&< Z%P‹þîá%Bé|¾SU¥*œþˆà
+þÁ—ZœÜÓ. d‚ÐXHƒÒ¢‰¥AsNã±CÇãpŸ²x2ËkÜÉ窨ós
+Ô¦vî‚°yQ«Ý"ÍDÅ7*UW8*STŽ_Wy¶²CÕÒ7€fZÎ÷™š;:¸W¯”¾ª¾\#=¸J]&ãºÄ/ÐÉ×yÖ
+çU–®ÓÙÚÎî4+…ªq†Äöu^,ÁPy"ÇÓUË
+9%’7pï´"1’AÍ Zì¥A+Z8.c8HŒÐ¦R¸[HÇ\SˇA«’÷\ÆŒð˜3Küªx;Æ$¸Ðc’GÜ0©©u™Ô+Æt4qÇVƒhñu˜ªÞ¹ð|€=0lÂ9“–îçýº>*Æ„„’ò߃Co!©ìÚ`Ë·¶"ŒÿÜxë«ýÎU•íò™i{6ƒåºœ¹â ¢qzkM¸Pe+µQ–Æ­qDXÝ”>±¼6ïì)e·o¯qÀE,IãL’„ú‘@öGq(+‹*wûÆü5ܲ Gœ…Vþe=ïÃ…-RÑù> L0Ë€ùÊ<J“È°ÚÏÐáµt|•Rˆ”ÓØÌ`È£%‰ ƒÚ#%üWä$'Lpw52 YH˜I§³75Æ“V~<îÉ6;ò3+y… ¸S¾
+ƒ¯J7>:sh‡+Æä
+¨MºRiQ!&“XŒÒ2+4“™€e–yÁ, ¢21+`îšqdžõÁÞM¥½©t¬Ç}ñÙÄï1—óÌhòè(š9Ñ’ñl ù‹²+öBï]¤³õ­wGÕL­K_ŒDЭGt Jë•Ú¹°œ]èMš­òBÇöˆ‰R²«˜gé6éBDû™ˆlŒ”Mˆµb-è‘É#]vqõ=ÇÒEȆ33ªqäa /AŒ0bOÍ”[Øír4‚}=ä{FPØc1¨徘§p®2µˆ•>lXîa„æ ¹³dXzMßpVø½^§UµF;©©Æ>”›Ôa{lÂLt4¹¾ûð¨ÃÈ;‹ÇDš–Xèê¿pü0}2.”¨Œ˜rjã€-£a,,òHYp3¨^Æž©T­h!In½D¦^ F¶&ü[Y¸*­r°-`ð¸ýp¡(Ð ¸…vk
+œrý†‹KÓÎÔjŽ{é¾.u%‘µ5¬•‘$θa”o¶k¨U¬¸uáEé8]×+,Hm¿~Vôd[V•5ýÄf
+ø– ã$»êÈÎÕ"…"'­†4î~ Î^¥»·s
+|@Ä E<¾²¨êóÌU(ݬS‹mòåÊë²|¶£üY]6MžWDœÄœ»Š•½œÏâKßä2 -4úÅåBÅô’Í8Hi“ÏPÕ–ô1´3ÕVeÆŠ2£‡
+ÁÊEmBj¢3¨Èx_¢må¡
+•ë®q¹.7:BxoСT?zÓˆ ö§®a
+hìæe¶w£Ð‚uÔmúÝ?,Ûú¶.ÁNp¥ÚƒéjåDÎ\Qß‘K8
+ýdŒf{Ñç/ÔüDZìñ×{Þm yêã›æéOC™— ˜˜kúÚÔÆôÚ¼*ŽCƒOýÞ"&¯z¯CÅ~3s½‰{gi6Á\œãÌžNý¡t]ÙN&}Is÷êmƒïÚ*Õ¬cÁ=™M@‘~¬öŸ'ì(
+IR9b1të!?4#w`âŸ8´¢¼¦R¨[+Rõ‚”»åÅn‘ $IÞçªg< Ô!+Ab;f<’È0–þ+O?AO¨ˆ!Ü$¢›¨›ªcùV(ŠPOÒçÕ±_XhPñéß|(üA„ünÔ@iÊ_ÁðhÀÃo}Ê”1"B!O“n i÷^õ$Lvi7Í#ì=ô®˜`Lº"ä·uEFSÚÜâ¯y#ÚN¼•‘Lºï€øäEþŽ\û\fÏéVA]XY¨{èQZ¥‰}iTHÄ×ɧâAPˆƒò"N(äiO!}ÚÃ
+ñiÿP!wΰ§–~Y7-)Ô N~G …!a’ýHCÔ 9(§¡Džò˜S”=õI+È'ýr€ÍþÛ{£‚&øš|zƒ6`3ä*Ö©è*ãÚŠþj_èÖ—Ê®J‹½nÁÜ#2Ö&Œ…$‰CjÃrý°+¡s¥×c]ÌIÈNk­9®2i<
+òÿq…§Øj«KrPU-É»"Ã,n|Ūì_¥«8§æ%c—Õ™²S–~ÐTH â°««ÏVW_Vuj—®ö˽ëÕàÎÑQïˆá »“RnaŽ‹ÙÂxrŽŽËùÑVÐ=ªƒ’ö¨^YY@ã”yµéõ©ØAl¶µ u·õôJ³VA×+ýÂPzaÀg$ÙÉ&Ä8ÿž«ÿU%à1úO¤4>öÿ…E«ÝPÇG¼ˆÉ˜„1 ±LéË&ÁçîO1Yÿ—ÌÉBendstream
+endobj
+1514 0 obj <<
/Type /Page
-/Contents 1218 0 R
-/Resources 1216 0 R
+/Contents 1515 0 R
+/Resources 1513 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1183 0 R
-/Annots [ 1226 0 R 1227 0 R ]
+/Parent 1486 0 R
+/Annots [ 1519 0 R 1520 0 R ]
>> endobj
-1226 0 obj <<
+1519 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [401.6435 61.5153 511.2325 73.5749]
+/Rect [253.7995 314.5359 417.685 326.5956]
/Subtype/Link/A<</Type/Action/S/URI/URI(ftp://www.isi.edu/in-notes/)>>
>> endobj
-1227 0 obj <<
+1520 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [55.6967 30.8502 511.2325 44.7979]
-/Subtype/Link/A<</Type/Action/S/URI/URI(ftp://www.isi.edu/in-notes/)>>
+/Rect [63.4454 279.5831 208.8999 289.7449]
+/Subtype/Link/A<</Type/Action/S/URI/URI(http://www.ietf.org/rfc/)>>
>> endobj
-1219 0 obj <<
-/D [1217 0 R /XYZ 56.6929 794.5015 null]
+1516 0 obj <<
+/D [1514 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-566 0 obj <<
-/D [1217 0 R /XYZ 56.6929 769.5949 null]
+578 0 obj <<
+/D [1514 0 R /XYZ 56.6929 769.5949 null]
>> endobj
-1220 0 obj <<
-/D [1217 0 R /XYZ 56.6929 748.2826 null]
+1517 0 obj <<
+/D [1514 0 R /XYZ 56.6929 748.2046 null]
>> endobj
-570 0 obj <<
-/D [1217 0 R /XYZ 56.6929 748.2826 null]
+582 0 obj <<
+/D [1514 0 R /XYZ 56.6929 748.2046 null]
>> endobj
-809 0 obj <<
-/D [1217 0 R /XYZ 56.6929 720.3635 null]
+1066 0 obj <<
+/D [1514 0 R /XYZ 56.6929 720.0412 null]
>> endobj
-1221 0 obj <<
-/D [1217 0 R /XYZ 56.6929 647.0664 null]
+586 0 obj <<
+/D [1514 0 R /XYZ 56.6929 449.6752 null]
>> endobj
-1222 0 obj <<
-/D [1217 0 R /XYZ 56.6929 635.1112 null]
+1518 0 obj <<
+/D [1514 0 R /XYZ 56.6929 413.7675 null]
>> endobj
-1223 0 obj <<
-/D [1217 0 R /XYZ 56.6929 529.3677 null]
+590 0 obj <<
+/D [1514 0 R /XYZ 56.6929 413.7675 null]
>> endobj
-1224 0 obj <<
-/D [1217 0 R /XYZ 56.6929 517.4125 null]
+895 0 obj <<
+/D [1514 0 R /XYZ 56.6929 387.3208 null]
>> endobj
-574 0 obj <<
-/D [1217 0 R /XYZ 56.6929 180.3481 null]
+1521 0 obj <<
+/D [1514 0 R /XYZ 56.6929 230.2407 null]
>> endobj
-1225 0 obj <<
-/D [1217 0 R /XYZ 56.6929 143.7717 null]
+1522 0 obj <<
+/D [1514 0 R /XYZ 56.6929 230.2407 null]
>> endobj
-578 0 obj <<
-/D [1217 0 R /XYZ 56.6929 143.7717 null]
+1523 0 obj <<
+/D [1514 0 R /XYZ 56.6929 198.3547 null]
>> endobj
-644 0 obj <<
-/D [1217 0 R /XYZ 56.6929 116.6563 null]
+1524 0 obj <<
+/D [1514 0 R /XYZ 56.6929 198.3547 null]
>> endobj
-1216 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R /F11 1157 0 R /F77 703 0 R /F57 624 0 R >>
+1525 0 obj <<
+/D [1514 0 R /XYZ 56.6929 198.3547 null]
+>> endobj
+1526 0 obj <<
+/D [1514 0 R /XYZ 56.6929 192.4259 null]
+>> endobj
+1527 0 obj <<
+/D [1514 0 R /XYZ 56.6929 177.6614 null]
+>> endobj
+1528 0 obj <<
+/D [1514 0 R /XYZ 56.6929 174.3269 null]
+>> endobj
+1529 0 obj <<
+/D [1514 0 R /XYZ 56.6929 159.5623 null]
+>> endobj
+1530 0 obj <<
+/D [1514 0 R /XYZ 56.6929 156.2278 null]
+>> endobj
+1531 0 obj <<
+/D [1514 0 R /XYZ 56.6929 98.4347 null]
+>> endobj
+1010 0 obj <<
+/D [1514 0 R /XYZ 56.6929 98.4347 null]
+>> endobj
+1532 0 obj <<
+/D [1514 0 R /XYZ 56.6929 98.4347 null]
+>> endobj
+1533 0 obj <<
+/D [1514 0 R /XYZ 56.6929 95.3752 null]
+>> endobj
+1534 0 obj <<
+/D [1514 0 R /XYZ 56.6929 80.6106 null]
+>> endobj
+1535 0 obj <<
+/D [1514 0 R /XYZ 56.6929 77.2761 null]
+>> endobj
+1513 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F47 874 0 R /F53 957 0 R /F11 1293 0 R /F39 858 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1230 0 obj <<
-/Length 2591
+1538 0 obj <<
+/Length 2936
+/Filter /FlateDecode
+>>
+stream
+xÚµZ[sÛ6~÷¯Ð£4Sc‚àåQ‘ÕN츒²ÝNÚZb,N(Ò);î¯ßâB" tº;~0 â£Îwn8 aø#£ˆ!LcÆ>b˜°Ñöp…GO0·¼"RæZ ]›Rï6WÿzOÃQŒâÀ F›¯ÆZÂQDF›Ý—ñôáaq?¿ùÏäÚcx<E“k†±-Ö“ë0ˆùåS¿»y÷ñæÓr5}øù7ñÐï˜áéý\ܬ?/—‹õf!oW‹éüæ~ "dòÇæöj±Ñ¯mþ4‚)ç?¯¾üG;ø…·WÑ8b£W¸ÁˆÄ±7:\ùŒ"æSªFò«õÕ/zAc¶ytHUZæšú(
+` ·BYŒêQ­P¸P¨’â
+ý²z?ó þèÿ^Â0ŠbŒÌEÏ µÔ9¶o’ICQHY|þV$‡l;¹¦A8þü¼Kê´â7Ñ8+Ä`½OÅż<$jð>9¤BlýVÕé¿zï·0š
+Ÿ%Û}V<‰›òk…_Né1ßÐ>ñ¯«ý;©ôi±;NH4N_+5“4Û½Ö{dÕ;Ä;K‡n½›Rv½k)­÷ tx€ºÕûö°Þ;à‹ïuZTÜ–…BÒí>)²ê ]ákyì)Ÿ'¬Üa•–ú„…¦CŽuüÆŒu /§§SUÿ€é!EaL.˜¾)å @Ix
+\Ð}l &ø}Y\ošÀžY‘ä=‹ÓDt— ÞZÃC^Èè°ÌŽÉ+gVØ ë>¶ëV¦O.èÞrè^IiÝG>sèÞmè¾mѽ ¾N·B¡\”?¤oâBrLŠ*º†Ñ
+‰Í\
+G üù©xv:ý ͽ“£“£Üa±#â/s—TUª¢µhˆJÈ:«Ä°‚`9Ü!Ê™rÂcÔ¿@º!å ]IĻ⦠ڠ¾m!ßI¯.·%ïL€ŸÜ•»^Ó4òdÊVžÌGD2âÎÛ&#¸'ØÛ6Ï9pˆ"?6svLD¢„E»f¡'Lçå£wR\™…ôb¹r‡}µ;ÆÒÍÒÿÐ. Qð®ä…``JÙíBKµváûv»pB·vq†=lpž?E Ï BJ¹ËoK^V47=PÉÈNe-Ç/Z{àwº9h „ŸGùF¯„²XlÚ‹íDd½“â:FðÁ¹<"Ñ£øßÃYÑ‚Â)Ç2‹¶O !YÜx’¨NÐ+7¥ÓÇòT÷º
+ œ7±UŸE ü>Æ[ânã3¤Ƨ¤”ñæ
+JNhÃøúØã3Á§“kæù†%ñ;©s^)ð†3cFÁ|dVÍNj3öëÄÃcØИw»4—«ÏÓç¼|SÏ7,4¯P~­_ÿ)°`
+¥bH#˱‚ ´>=Û±¾eò"^¸Ú8¦ÖXãEá8¾ÐÜ1¥ìtk)ƒnÇѬº¥û {˜îø¬<D¿•¨6ë™ý7“ Ájy¬„ŒðZ˜XŸžž`Öì`ü}ö}ð
+Ò:õ¨u;<wvó¤ø+{²E›»,ÏõYïß4 ?FAèÅLÂr˜„’Ò&GŽS'´a}l‹I˜àëô˜©£’ûS»Ãš6-‰´Î¶C'f柟Îê£XËöœ×˜vµS‚<L.Tƒ¦”CíJªÍú¡#ë;¡ µ÷±-j7Áµ'Bå—Ué>yÉx
+¬äÄç<‡°\Èu¥¡P#ó‡Ëí·ä9­Á¦Ô¾Q½U'~÷c°½S µ"á¥6L)ËJJ³bGZvB,÷±-,›àíõzúÐvÕÚ]Aë ƒT{$Å0nÎßKºYw‘gežæybI†ö¶ Áˆ±wa/fJ9ˆPRšˆ(tá‚6ˆèc[ˆ0Á§ÜšÃñ]š4ÛqOuÐ=¾½zVÁUh&?–ºÙ7ô@Ð|îÆ'ÄNÞk?wã“òtF­Ÿ»QLTŠn"ê"¾$ŒJŽµ^çu>µ±Z¦Ûìo"z¿LºQET¶å >]8ß&Å)9¾ý@ºCä…Á…ž·!äø¨J
+é#QÌ%’ ×ø¤ªlù¢Ê@“ D~”@‰ßÄ_> öåpÑ|Ëöõ­1
+~/öé ÙZn´\\ýTÈ~jö\\Šù“ËSþx¦ª´
+¡“®„R†ø·ªzÅ:¡ÿãÏfͶ<¢Qd Ý(òâP½ùøì£^F#Ä"/xõÿp=7endstream
+endobj
+1537 0 obj <<
+/Type /Page
+/Contents 1538 0 R
+/Resources 1536 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1592 0 R
+>> endobj
+1539 0 obj <<
+/D [1537 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1540 0 obj <<
+/D [1537 0 R /XYZ 85.0394 769.5949 null]
+>> endobj
+1541 0 obj <<
+/D [1537 0 R /XYZ 85.0394 771.5874 null]
+>> endobj
+1542 0 obj <<
+/D [1537 0 R /XYZ 85.0394 744.8677 null]
+>> endobj
+1543 0 obj <<
+/D [1537 0 R /XYZ 85.0394 741.1608 null]
+>> endobj
+1544 0 obj <<
+/D [1537 0 R /XYZ 85.0394 726.3962 null]
+>> endobj
+1545 0 obj <<
+/D [1537 0 R /XYZ 85.0394 722.6893 null]
+>> endobj
+1546 0 obj <<
+/D [1537 0 R /XYZ 85.0394 707.9846 null]
+>> endobj
+1547 0 obj <<
+/D [1537 0 R /XYZ 85.0394 704.2179 null]
+>> endobj
+1548 0 obj <<
+/D [1537 0 R /XYZ 85.0394 689.4533 null]
+>> endobj
+1549 0 obj <<
+/D [1537 0 R /XYZ 85.0394 685.7464 null]
+>> endobj
+1550 0 obj <<
+/D [1537 0 R /XYZ 85.0394 670.9818 null]
+>> endobj
+1551 0 obj <<
+/D [1537 0 R /XYZ 85.0394 667.2749 null]
+>> endobj
+1552 0 obj <<
+/D [1537 0 R /XYZ 85.0394 640.5552 null]
+>> endobj
+1553 0 obj <<
+/D [1537 0 R /XYZ 85.0394 636.8483 null]
+>> endobj
+1554 0 obj <<
+/D [1537 0 R /XYZ 85.0394 622.0837 null]
+>> endobj
+1555 0 obj <<
+/D [1537 0 R /XYZ 85.0394 618.3768 null]
+>> endobj
+1556 0 obj <<
+/D [1537 0 R /XYZ 85.0394 603.6122 null]
+>> endobj
+1557 0 obj <<
+/D [1537 0 R /XYZ 85.0394 599.9053 null]
+>> endobj
+1558 0 obj <<
+/D [1537 0 R /XYZ 85.0394 585.1408 null]
+>> endobj
+1559 0 obj <<
+/D [1537 0 R /XYZ 85.0394 581.4339 null]
+>> endobj
+1560 0 obj <<
+/D [1537 0 R /XYZ 85.0394 510.1696 null]
+>> endobj
+1561 0 obj <<
+/D [1537 0 R /XYZ 85.0394 510.1696 null]
+>> endobj
+1562 0 obj <<
+/D [1537 0 R /XYZ 85.0394 510.1696 null]
+>> endobj
+1563 0 obj <<
+/D [1537 0 R /XYZ 85.0394 506.8333 null]
+>> endobj
+1564 0 obj <<
+/D [1537 0 R /XYZ 85.0394 492.1286 null]
+>> endobj
+1565 0 obj <<
+/D [1537 0 R /XYZ 85.0394 488.3618 null]
+>> endobj
+1566 0 obj <<
+/D [1537 0 R /XYZ 85.0394 464.2921 null]
+>> endobj
+1567 0 obj <<
+/D [1537 0 R /XYZ 85.0394 457.9352 null]
+>> endobj
+1568 0 obj <<
+/D [1537 0 R /XYZ 85.0394 432.4907 null]
+>> endobj
+1569 0 obj <<
+/D [1537 0 R /XYZ 85.0394 427.5086 null]
+>> endobj
+1570 0 obj <<
+/D [1537 0 R /XYZ 85.0394 400.7888 null]
+>> endobj
+1571 0 obj <<
+/D [1537 0 R /XYZ 85.0394 397.0819 null]
+>> endobj
+1572 0 obj <<
+/D [1537 0 R /XYZ 85.0394 325.9133 null]
+>> endobj
+1573 0 obj <<
+/D [1537 0 R /XYZ 85.0394 325.9133 null]
+>> endobj
+1574 0 obj <<
+/D [1537 0 R /XYZ 85.0394 325.9133 null]
+>> endobj
+1575 0 obj <<
+/D [1537 0 R /XYZ 85.0394 322.4814 null]
+>> endobj
+1576 0 obj <<
+/D [1537 0 R /XYZ 85.0394 297.0369 null]
+>> endobj
+1577 0 obj <<
+/D [1537 0 R /XYZ 85.0394 292.0547 null]
+>> endobj
+1578 0 obj <<
+/D [1537 0 R /XYZ 85.0394 265.335 null]
+>> endobj
+1579 0 obj <<
+/D [1537 0 R /XYZ 85.0394 261.6281 null]
+>> endobj
+1580 0 obj <<
+/D [1537 0 R /XYZ 85.0394 246.8635 null]
+>> endobj
+1581 0 obj <<
+/D [1537 0 R /XYZ 85.0394 243.1566 null]
+>> endobj
+1582 0 obj <<
+/D [1537 0 R /XYZ 85.0394 171.8924 null]
+>> endobj
+1583 0 obj <<
+/D [1537 0 R /XYZ 85.0394 171.8924 null]
+>> endobj
+1584 0 obj <<
+/D [1537 0 R /XYZ 85.0394 171.8924 null]
+>> endobj
+1585 0 obj <<
+/D [1537 0 R /XYZ 85.0394 168.5561 null]
+>> endobj
+1586 0 obj <<
+/D [1537 0 R /XYZ 85.0394 144.4863 null]
+>> endobj
+1587 0 obj <<
+/D [1537 0 R /XYZ 85.0394 138.1294 null]
+>> endobj
+1588 0 obj <<
+/D [1537 0 R /XYZ 85.0394 123.3648 null]
+>> endobj
+1589 0 obj <<
+/D [1537 0 R /XYZ 85.0394 119.6579 null]
+>> endobj
+1590 0 obj <<
+/D [1537 0 R /XYZ 85.0394 92.9382 null]
+>> endobj
+1591 0 obj <<
+/D [1537 0 R /XYZ 85.0394 89.2313 null]
+>> endobj
+1536 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F47 874 0 R /F21 654 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1595 0 obj <<
+/Length 2839
+/Filter /FlateDecode
+>>
+stream
+xÚµšÝs›¸ÀßóWøÑž©µHâóщ]ÇmãæÚIwwº} ¶’0µ!Ü6ÿýJH‚¢½wîä! :X?OÀ#‡ÿá‘ç#?"Ñ(ˆ\ä9ØíŽÎè‰_[^`%3ÕBS(uywñÇ[Œ"ùÄÝ=‚¹Bä„!Ýí?gˆ¢ ŸÁ_®.?¬>.7³Ûë¿'Sâ9ãÏ™­çòd{¿\.¶w uºYÌæ«õ’‹àÉ4ð#g<»½]¬ç«¿äõ™˜Õ©G¯ÛÉ—»w‹»ú±áOÃÏüíâóg´ç¿ðÝ…ƒhz£üÄA8ŠÈèxázy.¥zäp±½øO=!¸ZÝjZªZfJ]rý êEȧ„Ö Ê ª¥Ä‚~Þ¼½"ا_º¿ÂU{ÁNz¦º–:×íB˜˜È#A[÷}‘¤O“)%d\>3y°JK–§¬”góõV]ÏÔ@R”yòp*•øÍê¯ÅF^eéc–ãTÝ»<dñAÏöû|‚Ã1+
+u_üò"”óÝY%êFÈÅ.ÇR=ã.ïÊýQMt˜Š{%6ÅEžG*éC¶Û='Ù¹©ÞÅé)Î_å ß!êÝT|y"Š£¼@Ê‚WK¼¡¯M5ÀÛÕmÆ uoX‘Ne’¥|¨?ÎÅÿ`|Ÿ&”B§ŠÍŽÉ‘Õž¥eòã–rè$7Š¸¹Ú(blžãDͼŽL^Þ¾%;š°:¡°7HM§ ;È)ât/oB­om¡¾añáÀK³>¥¬ô‚ö#Š];h(Õº–ªAêôƒ¶ªn@Ÿé6‚né~ÏÔ_üÜ=Çé“Zˆ9;°§Xñ>˜í²|/ù’§^o Øpèq=š˜)§]~MÒ"KÕðÇ]™=°üW(>rCÀ›B) -USð¨o¡`S (tu›)@ÝóíLþô÷‹¿ y$·²ˆ†«¥JÒîºk;âÇÊŽÄ ÒŽê¸ÊéT±óœá‘)
+ü6¡¹"´ˆ‹òej˜V†¾Wg7±´ûçšXÔOŒ®3à ¡”…˜–Ä 1›j@¬«ÛL êÞlgÜÌ=YMXRC’š8€Ä&¹Œ¦&%µêEMPó#ñ!ˆrÄ&fØ\bg ¶Ê;Ö3µ¼£&ñã:Ù!”²ÀÔR
+Ü0¯±²ÝóY¿ÆŽÿlÇ êN(eÁ¦¥jl^déXUl]ÝflP·ìª†<GüY²´àÁQ”™‘#»¬üqzyÉòR
+­nåàw–Uƒ¾©W`äø.ñÆ[$ï¸{ÎŽ²‚£Wjôú”p»Õè' K\z_$iœ–ê’,Šù°îÊÕÚÚN6;%E‘˜:Bœ3íåL#g÷Á@I
+¥ú9×R€³¥¿`UÝp>ÓmäÜÒ}Íí 2¢ÆäîÓ¯iö#íšn»Ûi× T†×2ðÂ؈ﴎΔ .OE?M-y%%>+_$öQ´a ¢˜{ž)O q@Ýf/·z]ug«~•ÐÇœøÈ †*S(ea®¥4sc±…¹M5`ÞÕmfu×ë±HwÙþ þš•?²ükSÕt;…ùòå¿
+žVv,õ2‹;=µ_é¥ðº….?PÊÂKK5íbi_[U^]Ýf^PwíéÜP{:7žn íÊÙ¹Q§»É%W³õL]ñŠ!Ù³¼²¿¢§Õé“Ö[A>cUdóÛa‘͇A‘-.*¡Ëªá•¦¬º:ý³²¹Ã!‰…î²h%­
+ 6ÙKzÄiÚ¼§ïëÂœ¥›ƒBêâžlóã üõ¦ƒ¹pcðÍPªãÔRuˆt¨%o±ªn6ΙnãÆié†!2Þ“T|Ž—Y®ËúfYªó§ß&Èä¡}O¼¹îä7
+Ù‡¬äsŠ6¬º°Î¾h<5é·/ž›úþ€ƒ…R–u×RMjb{SlU Ö½«Û¼îP·ð¡Y·d›Çe¬ÚÃÉig›ŠÖÉÓ)Ùá"—a-/Œ_XÈõ]×’É_2–«*ÝôEU€[èÐ[{(ea¡¥j¶¼Š°ª,ººÍ, n#‹Úè¨W»¡ß'B0OØß]Æ9´Œ³7ˆß „³o mBý8´PÊ[SÙ¦·ÑUldŸ­úUÎã~žÄzªÊ'ºy=ËEGËèœ^Üâ°óMK'žüN‚ص˜~@~ˆ0u†>k„,F(¡æã0lÉ5lzÁgÅæ¯"€âû‚µûµÁÌx$/X·ðmµ'¶ê9~„( ]¯¥ãÇu|LåYq¬¿ûSØOž<=—¿ýååa‹?…uêìáþ2¾áATx#i"^®„|õPb!"röäØA„úÄðèÿå3fƒendstream
+endobj
+1594 0 obj <<
+/Type /Page
+/Contents 1595 0 R
+/Resources 1593 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1592 0 R
+>> endobj
+1596 0 obj <<
+/D [1594 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1597 0 obj <<
+/D [1594 0 R /XYZ 56.6929 769.5949 null]
+>> endobj
+1598 0 obj <<
+/D [1594 0 R /XYZ 56.6929 771.5874 null]
+>> endobj
+1599 0 obj <<
+/D [1594 0 R /XYZ 56.6929 744.8677 null]
+>> endobj
+1600 0 obj <<
+/D [1594 0 R /XYZ 56.6929 739.887 null]
+>> endobj
+1601 0 obj <<
+/D [1594 0 R /XYZ 56.6929 713.1673 null]
+>> endobj
+1602 0 obj <<
+/D [1594 0 R /XYZ 56.6929 708.1866 null]
+>> endobj
+1603 0 obj <<
+/D [1594 0 R /XYZ 56.6929 693.4819 null]
+>> endobj
+1604 0 obj <<
+/D [1594 0 R /XYZ 56.6929 688.4414 null]
+>> endobj
+1605 0 obj <<
+/D [1594 0 R /XYZ 56.6929 673.7366 null]
+>> endobj
+1606 0 obj <<
+/D [1594 0 R /XYZ 56.6929 668.6961 null]
+>> endobj
+1607 0 obj <<
+/D [1594 0 R /XYZ 56.6929 644.6264 null]
+>> endobj
+1608 0 obj <<
+/D [1594 0 R /XYZ 56.6929 636.9957 null]
+>> endobj
+1609 0 obj <<
+/D [1594 0 R /XYZ 56.6929 611.5512 null]
+>> endobj
+1610 0 obj <<
+/D [1594 0 R /XYZ 56.6929 605.2953 null]
+>> endobj
+1611 0 obj <<
+/D [1594 0 R /XYZ 56.6929 581.2255 null]
+>> endobj
+1612 0 obj <<
+/D [1594 0 R /XYZ 56.6929 573.5948 null]
+>> endobj
+1613 0 obj <<
+/D [1594 0 R /XYZ 56.6929 558.8901 null]
+>> endobj
+1614 0 obj <<
+/D [1594 0 R /XYZ 56.6929 553.8496 null]
+>> endobj
+1615 0 obj <<
+/D [1594 0 R /XYZ 56.6929 527.1298 null]
+>> endobj
+1616 0 obj <<
+/D [1594 0 R /XYZ 56.6929 522.1492 null]
+>> endobj
+1617 0 obj <<
+/D [1594 0 R /XYZ 56.6929 495.4294 null]
+>> endobj
+1618 0 obj <<
+/D [1594 0 R /XYZ 56.6929 490.4487 null]
+>> endobj
+1619 0 obj <<
+/D [1594 0 R /XYZ 56.6929 466.379 null]
+>> endobj
+1620 0 obj <<
+/D [1594 0 R /XYZ 56.6929 458.7483 null]
+>> endobj
+1621 0 obj <<
+/D [1594 0 R /XYZ 56.6929 444.0436 null]
+>> endobj
+1622 0 obj <<
+/D [1594 0 R /XYZ 56.6929 439.0031 null]
+>> endobj
+1623 0 obj <<
+/D [1594 0 R /XYZ 56.6929 413.5586 null]
+>> endobj
+1624 0 obj <<
+/D [1594 0 R /XYZ 56.6929 407.3026 null]
+>> endobj
+1625 0 obj <<
+/D [1594 0 R /XYZ 56.6929 346.1003 null]
+>> endobj
+1626 0 obj <<
+/D [1594 0 R /XYZ 56.6929 346.1003 null]
+>> endobj
+1627 0 obj <<
+/D [1594 0 R /XYZ 56.6929 346.1003 null]
+>> endobj
+1628 0 obj <<
+/D [1594 0 R /XYZ 56.6929 338.5253 null]
+>> endobj
+1629 0 obj <<
+/D [1594 0 R /XYZ 56.6929 323.7607 null]
+>> endobj
+1630 0 obj <<
+/D [1594 0 R /XYZ 56.6929 318.7801 null]
+>> endobj
+1631 0 obj <<
+/D [1594 0 R /XYZ 56.6929 304.0753 null]
+>> endobj
+1632 0 obj <<
+/D [1594 0 R /XYZ 56.6929 299.0348 null]
+>> endobj
+1633 0 obj <<
+/D [1594 0 R /XYZ 56.6929 284.3301 null]
+>> endobj
+1634 0 obj <<
+/D [1594 0 R /XYZ 56.6929 279.2896 null]
+>> endobj
+1635 0 obj <<
+/D [1594 0 R /XYZ 56.6929 264.5848 null]
+>> endobj
+1636 0 obj <<
+/D [1594 0 R /XYZ 56.6929 259.5443 null]
+>> endobj
+1637 0 obj <<
+/D [1594 0 R /XYZ 56.6929 244.7797 null]
+>> endobj
+1638 0 obj <<
+/D [1594 0 R /XYZ 56.6929 239.7991 null]
+>> endobj
+1639 0 obj <<
+/D [1594 0 R /XYZ 56.6929 163.7723 null]
+>> endobj
+1640 0 obj <<
+/D [1594 0 R /XYZ 56.6929 163.7723 null]
+>> endobj
+1641 0 obj <<
+/D [1594 0 R /XYZ 56.6929 163.7723 null]
+>> endobj
+1642 0 obj <<
+/D [1594 0 R /XYZ 56.6929 159.0666 null]
+>> endobj
+1643 0 obj <<
+/D [1594 0 R /XYZ 56.6929 144.3618 null]
+>> endobj
+1644 0 obj <<
+/D [1594 0 R /XYZ 56.6929 139.3213 null]
+>> endobj
+1645 0 obj <<
+/D [1594 0 R /XYZ 56.6929 124.6166 null]
+>> endobj
+1646 0 obj <<
+/D [1594 0 R /XYZ 56.6929 119.576 null]
+>> endobj
+1647 0 obj <<
+/D [1594 0 R /XYZ 56.6929 104.8115 null]
+>> endobj
+1648 0 obj <<
+/D [1594 0 R /XYZ 56.6929 99.8308 null]
+>> endobj
+1649 0 obj <<
+/D [1594 0 R /XYZ 56.6929 85.0662 null]
+>> endobj
+1650 0 obj <<
+/D [1594 0 R /XYZ 56.6929 80.0855 null]
+>> endobj
+1593 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F47 874 0 R /F21 654 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1653 0 obj <<
+/Length 2728
/Filter /FlateDecode
>>
stream
-xÚ­Z[s£8~ϯð£]µV„lmm•c;wwÜ;½³³=ó@Û$¦Úà\æ×ï’@`{j·ò!tÄùÎå“d<pà|†¸¸ˆ9˜ 6‡+gð cwWXÉŒµÐØ”ºy¼º¾õÈ @G¼Áã“1—ßǃÇí×áäáa¾œ-þ=æ 'h4fŽ£{§óõh̽@ P1ä9ÛÅͧÅç»Õäá§_åK¿9Ì™,gòaýåîn¾~œ«ÇÕ|2[,ï@~üp5¬–m~v¨XóW_w[øÂW¢Ï¯ðà dp¸rEÌ¥T÷ì¯ÖW?W£å«]¦bÔGÌ'¼ÃVŒwÙŠÈ£„–¶Š“±0Ï0I‹(¿n¦¢”ùõ;] ¨¤Æ¦X¹
-|·™â²ô˜æ‘ö”K AžÀܽðL©~ì*©*¼‚À^VÕ5xgº»Ák(_$YõËR8þ'Md# “üI;¸Fp¶\wÁçb„=ßmÂw¯àû¼+BÕ59=ŸòBx½1ÃD
-%Åú0=Ž±WcA^c!f1±ƒkÕÿ¸Kyš¨Þ_ËØTC«èû®€实±Ì¿bè’L·RÜ`º7é)ÙjÌ™Nå
-U ùÿæ”ïdk¾ÿS¶ÓþýG0æ0¤,Hh©
- êø$lª $Úº{0•/£g0é‹ÎjáfW±
-ô*~>EYí†í9&é.E“d+ ß«æq÷rÿ»ÙUv÷ûíDÂeÀRìv7¤,v×R•Ý}×B¬ª »·u÷ØÝT¾ŽyŸ²áÇè]6jnT¢”Š¤ˆ«¢’²‚AC qÚñ¸^TçKg•‰"ÇgØ@ ^ªK<@:t‡ñUu¢Áð³º;m¿r™ õ‡352ób,_¥¢‘øöáw]ëhùÕ: VÄõF¹Š<ßØïÁ ©§ôŸÄqœnÖ Û>ŸºøÇX§zŒ÷*I¶šqÍ¢—hŸCëóGêäòK$É”ê÷ÇJª"I¾o)ÂVÕµ?žéîödžò*ÈçoE”äçI9?i¦XÊâAþ‰²¼"I^Wb
-²öÉÙR˜y¯:§ªsÊ<.¹œž·sã$c&ÆÏm2§Ëû=0¬jŸü×\û‚ õ—0¥ú]¢’ªO¢|ÒïVÕµKœéîv‰†ò5ìŸôÁßòT³™ äƒÝ!zßy¡ÉsÏw¶Õ6¶e}s«k;`:Ëô˜{ˆr¯ut»Šòô”mT}ZE›4ÛêËÀ¾£Þc\ØŠKÛ ÖB•P… ö©A‹^À–âü ÍËè¾SÎÐX­TG$'’¸è£[Ž‹<1MaIŸnÅvÉ9æ/òšzfE)€‡ŸÔÐDý¿%+Ks%°R_ö{ˆÛDÍ+]ºëX/›·)’›éU5¼¤NoŠ›fâÛá­eúÑU2¸Ü±dl‹ÒÛ–Önh µ?Y®'ÚÓ…ß—§ ßï„—À.'à­‹½§½dίjt˜NÓ=ìwÞ éöŸsD¸‡/ü¦ê7¿ª÷ Üb›Þ€¶ânLÍ┞ðá}–;Oâ©ó 蛿%WÉsiGü”VG! ±H@øPuxò愨“cѨè6 *º ½½'ÇÔÁˆCã¨Ë2)& _ä•$ôÕ1F§É’*éiT„ÉO}%µ«æB×Ôxó=NòŠGµîÝ,×”!ñ{Ÿdœ*ÑÿÏ?+2Ûú=×oÔñ º®%¾›g?FÑ¿?:_úƒ
+xÚÝZ[w£8~ϯð#>§Í" q™7'N§Ó—$k§wv¶§ˆMÎbðNoæ×O ]‰ÞÝ·=~0H%}P_U©TÍ<ø¡YD]Äþ,Œ}—zˆÎ¶‡ o¶‡¾› $dRh¡K]>^üå= g±8˜=>ksE®Ehö¸ûæ,®ïV·Ÿ/0õœ¥;_PÏ“­W×›ù" bÖAXWà9—·—ŸoïoÖˇ¿ñA¿{Ô[Þ­øÍæëÍÍõæñZÜ®¯—«Û»Aóï/®Õc믆<žù_ß¾{³¼áÇ Ï%qDg?àÆsQãÙá§ĥ>!²%¿Ø\üUM¨õ¶CÇTEIäÒ‡#ºÂh†SŠ{Ê¢±LZeÝMZI“•E’g¤;þ’«òd¿¾Kim|Uâ»~ngQ“âOFÆX”RìÁ¾­ß_áÓïCdD=7ŠáÕ¬ÐJêÛ×-QêF!¡}ð%¼y8s„“û¼ÕK:¿Î±ç¤O¿ÌÄÇÎm]Ÿ@5mOùÌÇÜ¢èî¿TJ„îV‰¬=ô`Âh^RÞ{W•ß’6üîXÍQä”M¹-ó–ƒêŽ]Ï‹Á@Úç
+|ëvÿT—yÚ¤4°´Ã1O°ÈòÄõ¿á3Ö"_‘…“- KýTªKYlAJiû\ËÒh…Ölaˆm°œÛœë®²wmô„ÿ›´ÜWÉñœ4ç-Ÿ-ù€ÝˆÒX¯`#çÊåß'§9ÏEÏ—¶‡:›íË)ÿ#­!ÿ§YS€€w‹.Î%ô­„ ì we‘½‰¨Äï9ø°ÃÆhÆŸJKu)3ÅJJe?Ah)eX¡;ŠÏ°Ç)î_f…Z¶>'O©,idg+íè–OÔ© Û½ØûÿE«äÇ3/díd08íOu£xˆÍ<¾‹Ã©,T—²ð ¥ºÄÐRé°Bk< ± <èàÜÕ"a§a¹Oyà¾)Ù¿^F›áJ[EÃ~Ïö‰Hf#é0Ë:-NÌÞÇ+%Äó\/ õÊTsÒ¢>iÝ´bõûçF‚í§ Œ$‘9Ô)žžÅîTI|4¨%‹Ð½ÔÚ6éöyÆÛtUÅÈ¥áT5R—2›Ž’R¦ã–Jº33ìqÓéKÏô±ôLH£U™µvb=š…¯Ôaj5? mHm‡B6–'ÿœ#§M¡`ïO¤=0œÖÌØÅ•ÿ”œÄq#›åcR´92ÇhX0zP
+€gÙTZ¡5&†Ø&tpU"Yâ„+u6Æ®$
+ÛsOX6×WíÉ'—Èö?ƒ¹'}ÛñƒS’X#ÊÇعtùÀ¶
+É)ÌÔ”m<äKùá˜ßûPÆúIL ¯:õiD'c&LÈttÙ>†±€vd PÇ©Ò` k±ò ‘õåI•±Ï ¶IWg“ÿÿ( éiMÒœFk2(„,vt=_ºveqîGVO­Íõ˜0„,,˜Hë5!ËgIB¨û\Ávv`ÃÕ>J
+¿á3Eân„ãP>{ø˜ Ÿ\}ŽyþèpnØMendstream
+endobj
+1652 0 obj <<
+/Type /Page
+/Contents 1653 0 R
+/Resources 1651 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1592 0 R
+>> endobj
+1654 0 obj <<
+/D [1652 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1655 0 obj <<
+/D [1652 0 R /XYZ 85.0394 752.341 null]
+>> endobj
+1656 0 obj <<
+/D [1652 0 R /XYZ 85.0394 752.341 null]
+>> endobj
+1657 0 obj <<
+/D [1652 0 R /XYZ 85.0394 752.341 null]
+>> endobj
+1658 0 obj <<
+/D [1652 0 R /XYZ 85.0394 746.4344 null]
+>> endobj
+1659 0 obj <<
+/D [1652 0 R /XYZ 85.0394 719.7147 null]
+>> endobj
+1660 0 obj <<
+/D [1652 0 R /XYZ 85.0394 716.4024 null]
+>> endobj
+1661 0 obj <<
+/D [1652 0 R /XYZ 85.0394 690.9579 null]
+>> endobj
+1662 0 obj <<
+/D [1652 0 R /XYZ 85.0394 686.3704 null]
+>> endobj
+1663 0 obj <<
+/D [1652 0 R /XYZ 85.0394 660.9259 null]
+>> endobj
+1664 0 obj <<
+/D [1652 0 R /XYZ 85.0394 656.3385 null]
+>> endobj
+1665 0 obj <<
+/D [1652 0 R /XYZ 85.0394 589.5443 null]
+>> endobj
+1666 0 obj <<
+/D [1652 0 R /XYZ 85.0394 589.5443 null]
+>> endobj
+1667 0 obj <<
+/D [1652 0 R /XYZ 85.0394 589.5443 null]
+>> endobj
+1668 0 obj <<
+/D [1652 0 R /XYZ 85.0394 583.6377 null]
+>> endobj
+1669 0 obj <<
+/D [1652 0 R /XYZ 85.0394 559.568 null]
+>> endobj
+1670 0 obj <<
+/D [1652 0 R /XYZ 85.0394 553.6057 null]
+>> endobj
+1671 0 obj <<
+/D [1652 0 R /XYZ 85.0394 538.901 null]
+>> endobj
+1672 0 obj <<
+/D [1652 0 R /XYZ 85.0394 535.5289 null]
+>> endobj
+1673 0 obj <<
+/D [1652 0 R /XYZ 85.0394 520.7643 null]
+>> endobj
+1674 0 obj <<
+/D [1652 0 R /XYZ 85.0394 517.4521 null]
+>> endobj
+1675 0 obj <<
+/D [1652 0 R /XYZ 85.0394 502.6875 null]
+>> endobj
+1676 0 obj <<
+/D [1652 0 R /XYZ 85.0394 499.3753 null]
+>> endobj
+1677 0 obj <<
+/D [1652 0 R /XYZ 85.0394 475.3056 null]
+>> endobj
+1678 0 obj <<
+/D [1652 0 R /XYZ 85.0394 469.3433 null]
+>> endobj
+1679 0 obj <<
+/D [1652 0 R /XYZ 85.0394 454.5787 null]
+>> endobj
+1680 0 obj <<
+/D [1652 0 R /XYZ 85.0394 436.5019 null]
+>> endobj
+1681 0 obj <<
+/D [1652 0 R /XYZ 85.0394 433.1897 null]
+>> endobj
+1682 0 obj <<
+/D [1652 0 R /XYZ 85.0394 418.4251 null]
+>> endobj
+1683 0 obj <<
+/D [1652 0 R /XYZ 85.0394 415.1128 null]
+>> endobj
+1684 0 obj <<
+/D [1652 0 R /XYZ 85.0394 391.0431 null]
+>> endobj
+1685 0 obj <<
+/D [1652 0 R /XYZ 85.0394 385.0808 null]
+>> endobj
+1686 0 obj <<
+/D [1652 0 R /XYZ 85.0394 327.3726 null]
+>> endobj
+1687 0 obj <<
+/D [1652 0 R /XYZ 85.0394 327.3726 null]
+>> endobj
+1688 0 obj <<
+/D [1652 0 R /XYZ 85.0394 327.3726 null]
+>> endobj
+1689 0 obj <<
+/D [1652 0 R /XYZ 85.0394 324.3353 null]
+>> endobj
+1690 0 obj <<
+/D [1652 0 R /XYZ 85.0394 300.2656 null]
+>> endobj
+1691 0 obj <<
+/D [1652 0 R /XYZ 85.0394 294.3033 null]
+>> endobj
+1692 0 obj <<
+/D [1652 0 R /XYZ 85.0394 279.5387 null]
+>> endobj
+1693 0 obj <<
+/D [1652 0 R /XYZ 85.0394 276.2265 null]
+>> endobj
+1694 0 obj <<
+/D [1652 0 R /XYZ 85.0394 206.4674 null]
+>> endobj
+1695 0 obj <<
+/D [1652 0 R /XYZ 85.0394 206.4674 null]
+>> endobj
+1696 0 obj <<
+/D [1652 0 R /XYZ 85.0394 206.4674 null]
+>> endobj
+1697 0 obj <<
+/D [1652 0 R /XYZ 85.0394 203.5257 null]
+>> endobj
+1698 0 obj <<
+/D [1652 0 R /XYZ 85.0394 179.456 null]
+>> endobj
+1699 0 obj <<
+/D [1652 0 R /XYZ 85.0394 173.4937 null]
+>> endobj
+1700 0 obj <<
+/D [1652 0 R /XYZ 85.0394 158.7292 null]
+>> endobj
+1701 0 obj <<
+/D [1652 0 R /XYZ 85.0394 155.4169 null]
+>> endobj
+1702 0 obj <<
+/D [1652 0 R /XYZ 85.0394 140.7122 null]
+>> endobj
+1703 0 obj <<
+/D [1652 0 R /XYZ 85.0394 137.3401 null]
+>> endobj
+1704 0 obj <<
+/D [1652 0 R /XYZ 85.0394 113.2704 null]
+>> endobj
+1705 0 obj <<
+/D [1652 0 R /XYZ 85.0394 107.3081 null]
+>> endobj
+1706 0 obj <<
+/D [1652 0 R /XYZ 85.0394 92.6034 null]
+>> endobj
+1707 0 obj <<
+/D [1652 0 R /XYZ 85.0394 89.2313 null]
+>> endobj
+1651 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F47 874 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1710 0 obj <<
+/Length 1567
+/Filter /FlateDecode
+>>
+stream
+xÚ¥XKsâ8¾ó+|[S5h%[~í’e&K²ÀÖîÔdÆPÅÛÉ°¿~[ÆIÕ·¤~©¿n©10üˆá¸È ¬ÀðŠL#JzØØÀÚ}hžAÅ4hrÝ,z¿ÞÙž Àµ\c±nèòö}b,VßÌ!²Q4`ófró0y¼Ÿ Ÿ~ÿÚX6Ÿ±ƒ‡Ó‘Ìÿº¿Ïc=œ‡£ÉôXHà¹6‡OOãéhòZ
+­¸ž½Ïûߟ{ãEívskÛÂç½oß±±‚~îad¾c¼Á
+»ÍH5vá@õíƉ2Oa+¡a Ï®Ï4ÝBV˜<z‘çŒx) …ŽswØóÍV^.ñ|Ø
endobj
-1229 0 obj <<
+1709 0 obj <<
/Type /Page
-/Contents 1230 0 R
-/Resources 1228 0 R
+/Contents 1710 0 R
+/Resources 1708 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1283 0 R
-/Annots [ 1231 0 R 1233 0 R 1234 0 R 1235 0 R ]
+/Parent 1592 0 R
>> endobj
-1231 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [84.0431 793.5053 539.579 807.4529]
-/Subtype/Link/A<</Type/Action/S/URI/URI(ftp://www.isi.edu/in-notes/)>>
+1711 0 obj <<
+/D [1709 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1233 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [84.0431 756.4942 140.332 767.8862]
-/Subtype/Link/A<</Type/Action/S/URI/URI(ftp://www.isi.edu/in-notes/)>>
+1712 0 obj <<
+/D [1709 0 R /XYZ 56.6929 769.5949 null]
>> endobj
-1234 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [507.6985 756.4942 539.579 767.8862]
-/Subtype/Link/A<</Type/Action/S/URI/URI(http://www.ietf.org/rfc/)>>
+1713 0 obj <<
+/D [1709 0 R /XYZ 56.6929 771.5874 null]
>> endobj
-1235 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [84.0431 745.1168 199.6097 755.2785]
-/Subtype/Link/A<</Type/Action/S/URI/URI(http://www.ietf.org/rfc/)>>
+1714 0 obj <<
+/D [1709 0 R /XYZ 56.6929 747.5177 null]
>> endobj
-1232 0 obj <<
-/D [1229 0 R /XYZ 85.0394 794.5015 null]
+1715 0 obj <<
+/D [1709 0 R /XYZ 56.6929 741.6995 null]
>> endobj
-1236 0 obj <<
-/D [1229 0 R /XYZ 85.0394 694.0474 null]
+1716 0 obj <<
+/D [1709 0 R /XYZ 56.6929 726.9948 null]
>> endobj
-1237 0 obj <<
-/D [1229 0 R /XYZ 85.0394 694.0474 null]
+1717 0 obj <<
+/D [1709 0 R /XYZ 56.6929 723.7668 null]
>> endobj
-1238 0 obj <<
-/D [1229 0 R /XYZ 85.0394 660.6469 null]
+1718 0 obj <<
+/D [1709 0 R /XYZ 56.6929 709.0022 null]
>> endobj
-1239 0 obj <<
-/D [1229 0 R /XYZ 85.0394 660.6469 null]
+1719 0 obj <<
+/D [1709 0 R /XYZ 56.6929 705.834 null]
>> endobj
-1240 0 obj <<
-/D [1229 0 R /XYZ 85.0394 660.6469 null]
+1720 0 obj <<
+/D [1709 0 R /XYZ 56.6929 679.1143 null]
>> endobj
-1241 0 obj <<
-/D [1229 0 R /XYZ 85.0394 654.2654 null]
+1721 0 obj <<
+/D [1709 0 R /XYZ 56.6929 675.9461 null]
>> endobj
-1242 0 obj <<
-/D [1229 0 R /XYZ 85.0394 639.5008 null]
+594 0 obj <<
+/D [1709 0 R /XYZ 56.6929 645.9962 null]
>> endobj
-1243 0 obj <<
-/D [1229 0 R /XYZ 85.0394 635.7135 null]
+1722 0 obj <<
+/D [1709 0 R /XYZ 56.6929 621.6566 null]
>> endobj
-1244 0 obj <<
-/D [1229 0 R /XYZ 85.0394 620.9489 null]
+598 0 obj <<
+/D [1709 0 R /XYZ 56.6929 538.1235 null]
>> endobj
-1245 0 obj <<
-/D [1229 0 R /XYZ 85.0394 617.1617 null]
+1723 0 obj <<
+/D [1709 0 R /XYZ 56.6929 513.7839 null]
>> endobj
-1246 0 obj <<
-/D [1229 0 R /XYZ 85.0394 557.6417 null]
+1724 0 obj <<
+/D [1709 0 R /XYZ 56.6929 479.0839 null]
>> endobj
-746 0 obj <<
-/D [1229 0 R /XYZ 85.0394 557.6417 null]
+1725 0 obj <<
+/D [1709 0 R /XYZ 56.6929 479.0839 null]
>> endobj
-1247 0 obj <<
-/D [1229 0 R /XYZ 85.0394 557.6417 null]
+1726 0 obj <<
+/D [1709 0 R /XYZ 56.6929 479.0839 null]
>> endobj
-1248 0 obj <<
-/D [1229 0 R /XYZ 85.0394 554.1294 null]
+1727 0 obj <<
+/D [1709 0 R /XYZ 56.6929 479.0839 null]
>> endobj
-1249 0 obj <<
-/D [1229 0 R /XYZ 85.0394 539.3648 null]
+1708 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F47 874 0 R /F21 654 0 R /F14 681 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
-1250 0 obj <<
-/D [1229 0 R /XYZ 85.0394 535.5776 null]
+1730 0 obj <<
+/Length 1914
+/Filter /FlateDecode
+>>
+stream
+xÚµXKÛ6¾çWh^ bøE©§æÕf dS4[ôìAkÓ¶YR%y7FÑÿÞ)[^9FQ ¬ÉáðãpÞ”˜qø³T3®²xf²˜i.ôl±}ÆgkXûù™ð<±VLÇJÁdb5Ò*e:•fƒ¼º}öâ')f’³$‘zv»ÎJŒa<›Ý.?Í_6­–Å׫Hj>uuwû 튙IÀ]N0,Q:q;ÞçÕ./‰¿É׶öˆ˜©8‘~O¢YÂuêö¼bâ*œóù²X#?2(ÃT’7ùÖz5ËX–ÈÄÃ(ÁT
+2#nvç~–ÒÐèÍÍG”uýe×Ðx×eÑï‚ –i‹“© Ë|ÜWuÓîÏÞÞ:M8
+4‹„ ©)½ SêøŒQRÎàö;@8›¨ìè†Á$×pÏ´õéÇ涽óÓèžî¤•$¸a:K4œ‹›óå²µ·Êè,¸x+áùÌŦÒ,Mt€\”ù$ ÌXššìpupU”¶L>Ò°TrsŠùåÀl&0#…¾®Ót ^{šºí¿;§ôøϋžT*– ®Nñú‹xý¾ùx_/â¡MáÅL&O콿÷i³Í?Üá­øb÷ÈgqÆ“Sèx%w.oD
+3ÅåØ>Ÿ:ð¢2Âعn˜ü¹³í¾nzÆØݹˆWF²ØˆÿñÇç#~àG|´9/š–,É”ù/¢A|C´À5m]Ö÷y´ 9h6¨õBÎ}óöãëß®½½þp3pR¾Ä‡”ÿ´.(ŠGüÌ5_ÖÛ¼¨ ýÇ|^T«ºÝæ}Q#Aeóu{%ÒyÝØX…gêh-§égΕýZÜ—–È}]—´X¶·-!­¼Z'U Xw1íH”´;v)næ×=Qáx”«#nÜæ:ÜeäÏTÍ€U ±ZÂ@bñìš2ß{r¿±DΫîŽ Ô¼÷Ûœ¬ž‡Æý®­ì’–Wt•í ÝIt TnGjÃå<ða†PØ%\YÃì}Ýõ¡Ì_ËéJ%ò˶¨Š+1ïú6ïk'<wp I6Ô™3.=JBŽïkìé’;°k·©k=á1Z†ÕmGK÷v‘£n¹^ÑoÑûÕà%Ô^€\óç°‚òÓ=„;ë‘¡g¤ jk‹`®qÁÍîw×7»ýGðù°Mû´ÉAíüТ‡‘~7ùƒõ[°p£Õ®Z`LäåpX³šP¸Âl¢µù¶Âc–Å*Ô>²sÌÒ,ÓpÇŒc(â_–ý¦Þ­7GÅúL¥.™VB¦ô<¸JÉy…1^–{œ9u/‰þXô¢-êí´•EeiBb½ÛÚªïÐtZ‚q‰;/»š¸6yçI4¿Ïû…‡ÜÖKå쌿Ö”jœ’R(Çn?¤Š˜|IÉ#>2(äZ„@êzŸ#!Š³C¦’¥u¹%™¿$Ú=ÄÞŠ†Ý.ÝîiR{¢s`<c¬‡z¬OrÞ„Û¼X7$̉ˆnZL‹Èo %l,fÜ”»tò´È›Œi{;F›i§2*“ž…Î'l—¯y]<Ø
+oŸ¥óß«²øb‰nó¶,\œ
+Få–¨eÑ‘?â-« 'Z3!EhM_Ø~ñLuùrX
+ï$!ObxQW« ¹©ÃŽÇY0Gêÿƒ‚,TÕgÌF£ÓˆÄzàóÿ! >¿É…Ås{íáûœZÏï/æ`azzXÇ ÿù)ÿÁËÈ÷ê›IsN’’S%M]ç;* :Çjg=[C D©»¥¥¥]å­£PÍ€I î æ;ëM ÏBmz(ò)?€· 0ßÿõîÃû·¿`€×.&SÅ’4‘ƒ¡´«ùí&\•’òñõÓ!ÙÈyµ'ÊÁ˜¸É×™Å,RÏ…ë©É󦌷 ÙÕuX<Ÿ&œlÒš·®#„s}C¿Ô†Âàõ;ú¥Ï®ÇÅ\е†X,ó†&¾è¿×× •öÁ–D£¶Þ#»C@õ±Iço êŠN­–?câõxÐÛ…×ôȼÑÀ4Ò»ïÝN='c"‘Á»¢Åt“zHyK+Ÿß¡•pétµ÷DÊe‚òŽDFÃ6†ÔŒ4¦Ê7—aßÄ3ÃCN¯ïð=bB >?–J¨Ãë
+ˆ!íOHƒ‰ãú&äl Bï+Ý‹’§ã*ˆŒ¯ßå›Ç!GbI¤. ¿ç5ƒSwÁ¿ë&ô·ÎYpè…¾ŸÏZ†Q'Èž%:ðÐ÷ÓÑ7 ž°Tf&
+endobj
+1729 0 obj <<
+/Type /Page
+/Contents 1730 0 R
+/Resources 1728 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1592 0 R
>> endobj
-1251 0 obj <<
-/D [1229 0 R /XYZ 85.0394 520.813 null]
+1731 0 obj <<
+/D [1729 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1252 0 obj <<
-/D [1229 0 R /XYZ 85.0394 517.0257 null]
+602 0 obj <<
+/D [1729 0 R /XYZ 85.0394 769.5949 null]
>> endobj
-1253 0 obj <<
-/D [1229 0 R /XYZ 85.0394 490.306 null]
+1732 0 obj <<
+/D [1729 0 R /XYZ 85.0394 573.0107 null]
>> endobj
-1254 0 obj <<
-/D [1229 0 R /XYZ 85.0394 486.5187 null]
+606 0 obj <<
+/D [1729 0 R /XYZ 85.0394 573.0107 null]
>> endobj
-1255 0 obj <<
-/D [1229 0 R /XYZ 85.0394 471.7541 null]
+1733 0 obj <<
+/D [1729 0 R /XYZ 85.0394 538.4209 null]
>> endobj
-1256 0 obj <<
-/D [1229 0 R /XYZ 85.0394 467.9669 null]
+1734 0 obj <<
+/D [1729 0 R /XYZ 85.0394 504.6118 null]
>> endobj
-1257 0 obj <<
-/D [1229 0 R /XYZ 85.0394 453.2621 null]
+1735 0 obj <<
+/D [1729 0 R /XYZ 85.0394 432.7569 null]
>> endobj
-1258 0 obj <<
-/D [1229 0 R /XYZ 85.0394 449.415 null]
+1736 0 obj <<
+/D [1729 0 R /XYZ 85.0394 303.3232 null]
>> endobj
-1259 0 obj <<
-/D [1229 0 R /XYZ 85.0394 377.9399 null]
+1728 0 obj <<
+/Font << /F21 654 0 R /F23 678 0 R /F39 858 0 R /F53 957 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
-1260 0 obj <<
-/D [1229 0 R /XYZ 85.0394 377.9399 null]
+1739 0 obj <<
+/Length 3967
+/Filter /FlateDecode
+>>
+stream
+xÚÍZësÛ6ÿî¿Â3ýPe&b$ÀÞcÎy4q§qr±;×N{h‰¶8‘HE¤ìúþúÛÅ. R‚¢tîËÅ3!´x/öñÛä¹€?yžåI^¤Å¹)t’ ™ÏVgâüêÞœIn3õ¦ÃV/nξûA™ó")ò4?¿¹Œea­<¿™ÿ6y‘ÈäŒ &¯.ß<›¦y&ÒÉŇ¯¯^]þ¿3M “wW?_üD´Ï
+höæõõ³ßüxöú&,f¸`)®äóÙoÿçsX÷g"Q…ÍÎá‡HdQ¤ç«3©$ÓJyÊòìúìŸaÀA­ëe€Iªò4ÂTžK™Y–ŽXI®RåXp}ùîÃO¯i_?_æpOÐS x'Ρ:Qyn\— jÝ?­ëY¹¤uóÐÎʾnúÝÞñ8r0°$†nœy}™LšD+q›eÛ~êhÈeý©úž:¨bÐa*¥Nt¼›J›¤ð/Œ>ÍáäþÑU›‡jC?šrUQ –_E¦ŸfIaL>ëqý¥Ðü£—‰‘2?Þ$¹VöÈ Q£é°•; m#"ZáÔ¼ø½i‹4É2«¿<­ot8íhÇ…I2U˜ñ´52Ý—À®ÔÌ8$µú^~ šr>'ætÜÎþX_Hí[¢}ÞV›§gRÊ ¨š*ŠÉÍÂÏ>+j{ËýÝo7÷ƒ>2{ÍMæmßWó)rNU ”¯(!Õ¬^9¶jÒ´½_øE{T<ŸÂùr¦ŒçS<ŸšÌÚeÛLçÕ²^Õ0ñxTØ™Åä_‹Š[o Ðm×ëe í(fÃQÆ$¶0’Ua' {¨l’[]p³Ò-÷­ežd6웬ÞývU5=ë-+WIŸEÛõxZÏ£Ú bldqZ{•_2sª]>T<O¿(yf
+(ÁáÊÉ]K‰äd¢nîwbní¤F‚HÜq“6ÂÊLž@m>ÍJ•Ržfe:f¥¶ÄJø®]¯ö¡žWó ™ØL§'Ù(óœÛÌÚ¦Û.û.bü`Ám?5ü®êgßmÃètÜØK@e3§E#ÃëŠw@©ƒâ‰8Æõ˺# §¶tp ±)Õy"S)Ç|ºYð±QÛõò‰~Þ¯Vþœ«#Ǽ',W붙wc9ž×ÝzY>Uó䘥Î,x?™/[êa«ã–:´Â=ºEïMjE’ pß_œÔ7:œttr6ùÓùxÒº;ʺön¯ÊkãÖf#êŒÔo¾Ïé0~t•œ1øåŠ[o×Ç™ z§Á8`ö Õ˜í[á¾½÷Ž2ûK“?iœÙÃIëfˆ§wjRH@ŽKPr«q%Çtø’SsÅš›£?ok*̉ú{š, ¼úÕyÁçTqÁßw¿páúò —@Ë“˜‘+@õ¤ðÆàÀIóÄJ¡½iqÆ¼å ” /û¡\Öóáfœz+è^ˆ,«7Nõ5fXö–…:¹@-äÈÇ<–wœQk«­ü8ó±^2’]WðE«‘[Diß®ÙdµlŽJ†º1=Jª
+·¼žn °õw£Ð‚¸Š'ª(×ë
+ Tã„Eg¸-œñâ´i
+–üü5r&1ÚúnY‡ƒ@¨RíáßOâ¸B˜JƒŒC-B
+<yuWèÁ¨¼’ôÙ²tG
+ÅßE&.¯¨Lj MݱÀAA¥¤ªš›·€$6õ|î08üFÆa>ªVÐ")dêw5Åõ*×éX¯b–Y餰ÂÃJÚA|B¼f2o™ýªÉ Ã2½p{ 30ØÁÙ‚ms¦ÀþK3>ù’íåÛë=ûõ¶êêv3^ÜÃ7|ùv¯çË·ﯯ^ßDû&AüöN5j¹
+£½;˜Æà*Ì4 ¸Ý[.ˆ0@1>U]Äöç
+PEqÂöÃÒt8L>xu¶æáoËøJ3µs®$Uó®¼tÊæ%~„ÆD 3"ƒçØõQîúŽ(ˆªðË!ÃÌ+$\LÑ+ø*isµçtISôÁ²Š‰]
+bç¥ó®^V¢î›[ˆ3SaæÖj¯ˆax'lTôe áZÓ¡¤O³]¹(nC?g€/ì‰X °Z錯«YS@ËšŠg|]"Ç‘ΞÔ=£ðH¼Ûl°=éív9'ú-›u
+!g(=¢Íå:.=ÂD°î{Ë ×ìb`½~X§nðÝT8NÔÔ°MÕÉx:ÚͶ£˜x¸ìY»ZA7EFú±câL p»0›WIJü!PS ðZ3íz¨ô
+–ÁMÐþQôAåGÖ)ÆøÝ’Ö(:r÷#ÆƉ75v:_Ç/¼sº­*FÓ`aPÃï·»(i~ºÌC³çŽv¼B§ÕŒû¡X;ŒO|Ázâ‹K#ý¿eŠpŽS÷[¤پKå]³¸óÌa‚É>ê¼D.½v8„aÛs*X‚â%I±ÄðIÉtÒoʦÃýcJÒ%[£;4)º„
+¼aíô¸š\íË( YóÐ!ÿNËi¹–3=ô«¤Y$Lƒ2À0Þƒi
+endobj
+1738 0 obj <<
+/Type /Page
+/Contents 1739 0 R
+/Resources 1737 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1592 0 R
>> endobj
-1261 0 obj <<
-/D [1229 0 R /XYZ 85.0394 377.9399 null]
+1740 0 obj <<
+/D [1738 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1262 0 obj <<
-/D [1229 0 R /XYZ 85.0394 374.4276 null]
+1741 0 obj <<
+/D [1738 0 R /XYZ 56.6929 752.2728 null]
>> endobj
-1263 0 obj <<
-/D [1229 0 R /XYZ 85.0394 359.7228 null]
+1742 0 obj <<
+/D [1738 0 R /XYZ 56.6929 504.0748 null]
>> endobj
-1264 0 obj <<
-/D [1229 0 R /XYZ 85.0394 355.8757 null]
+1737 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F39 858 0 R /F48 880 0 R /F53 957 0 R /F11 1293 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
-1265 0 obj <<
-/D [1229 0 R /XYZ 85.0394 331.806 null]
+1745 0 obj <<
+/Length 2766
+/Filter /FlateDecode
+>>
+stream
+xÚ­ZQoÛ8~ϯð£‚ݨ¤HJâû6Ù"‹nšÝ¤ÀÚ<(–ì±¥¬%'çCIQ²$îjz8ä ?~œÒ¡ ÿè"!a’/ÉCA¨X,·gd±†¾ÏgÔè\X¥ _ëãÃÙ‡_Y²¡Œ£xñ°òæJC’¦tñ.ïî®o¯nþ:¿ˆ >†ç‚à÷ËÛo—_Pvw.£àòóõ=|‰@‰*µ˜W7ŸÏ~;»~pÎøS”'Ÿ}$‹üþ팄L¦bñ_HH¥ŒÛ3.X(8cV²9»?ûÃMèõê¡c
+€¢P”P¦RÂdjµ"TòѤ2$2eFG-vd"2‘XõñT ¶>Žc«Ö‚WÛ¢jô·¬p“Þ<”„›!U¶Ø–uµ™v;-7ª¡sÓÁ´Z\Dø•¤pˆ8 cB¼?¾]ÿy.DðOtäëÝÃÍ×Ûû‘uèQ&’r=./×c€%!hbüè6¦Pë¤@õ‘Õ~û¤ ¢z…2Eý¶e]™!ïÏå9 –Ïf‚•šrU,[üŽ”Ñ{f—•<—vЦ®_ö¯Ö픵Íòˆ5“ijg”ê5û l’bÝ…]œ!584¯›ì€Œ&qp_oÕx–âÂX¢&lŒ¨)ZÓ·Ã>cʲ5¶ŸJMPÒ+bÖ3ÖA}Ϭ`wžð@N‚ÆÙÏ‹¶ØmËÊ|µxÀ à3
+jD@¤FÁ
+IJ²Ô‚ª‹ Â[dÛÎ60wU¬UÀÖÓ;à[‘UÛAªùª½Ð9$Df]_Q­‡ŸÆ%")8Gé€ç î' ¼e›½
+YŒ2혒¹ ¤„›ò¥@±öQ7,¯U¿:;˜Üá2Q0°ã9{\Õ»íyh&) †<¸ŽüíÛœ) ã4Ž\
+°†Ñ.ž½|™'‚÷ãXsձĭÿÇQéCB" ¬1
+¬ñZÍ(]øZºRáéH¥â´ô*¿Wõc»|¦ ¨“–Ö±éó8t`û[£±âÁ÷¼ÆFU·Ø€ŠåQµàÀ|ºCÑûsQaKC«Ù©Çd[3 –®7™Ý qq•ANÁ/O¢¬÷;üZ6øÙÖÎ.šývug¸ žK18ÒûjS4vë*ü¼üë×?MP6ÁûÆIlÐT…GãÇ_èhº°^š©læ€æ2kLÏðCã¡{êªÂ´ÒŸ‹½)E,$‘ˆOðÈÓšá‘Õr<z[Ñ(‚ýN#1oØi[ЈÝXÚ74‚LŒ4‚ÒˆK#n`S C#N}©1H#•Ð;¥0PWÇJžm ÄT:VjµCÕfÿÂvk­è < Yê*Pÿ¤ s #"©Q,MÔä e¢6¼Ïdò•åÛS¶|yϺ̥I²}ÍÚò©Ü”íáœRªâ£O‡ÒøEüm©þ·…
+ÝBSsUT xž6Æ^g¨·3&D.!Ecx‡Þ>VÔÞ½BeÂeÀúû“²ó» nA±(Y<Vê›$^øçj 8U“gŠAlI ÌŸ)_kúL9-&»UŒ†ÉYã]˜<²>&{æujV!I§fbjVLͪe.²·£ªwTõä…¢u…Db.ˆ£#Íjª0ø4ŒÆyú´UÝ£´…œm!  eÍ%otç'è … '´»mÅ?¬æòÙËÆ=„ƒÀ+ï@S發°
+܃¦¾PB,ñrì*vý<5 1QOÔòÄžÖ ÄVËA <š02!|ÞºÓ:6ßÇ7¦a"hÒ·UØ׉¬»¯´(RlÓøPÕÕaÛ“#W]£HúEò8‹,zQ…PÃœ€Øך†Øi9ÛYVW›Ãd¬œ5ÞÅÊ#ëã±²gjfðr§Jë,ëjs÷ZéÝ2Þ1±ÄŸ‚ÂìtžÖ tV˃nµÉÖÓÐÍ÷ ZŸ€Î7ùÓ-–°H÷Â?Øñ­L &ü'þQPIÆ‘8ª§5ªÕê¼ËçA3î:´>ªoka!̵ZØ×4Eûˆ"¬wAty…•ã²=ˆ«¶\bWžµ™Êu¨ðTšItq*„‚÷|Gܼà@N.ìX÷ΆžªÝ°ïYWxÐÈf®:úr›Ù×gH ÝC§ú¢‰ &ÓΤwgSÕ¨ˆ L8%ü=»“àioºqaÐÈÌõ¥5ZÐÇ=5\7¯ë1ÏGÚ±¦ÿ“ÁÉGõ°)Ú¢‚jx’ÃTDaš&'ît¾Ö4‡–ãðržÃ³Æ;Yçpϼæ0°ÀTÐÀŠ ¥†Ãª…Ÿ®ðSqxù\,_°
+›ÉÂYÃÝ á‘åñžé+üÉpª84¿(>ê§/—÷÷öA¶¨¼ßá\‘ètMmä~™
+endobj
+1744 0 obj <<
+/Type /Page
+/Contents 1745 0 R
+/Resources 1743 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1748 0 R
>> endobj
-1266 0 obj <<
-/D [1229 0 R /XYZ 85.0394 325.3687 null]
+1746 0 obj <<
+/D [1744 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1267 0 obj <<
-/D [1229 0 R /XYZ 85.0394 265.8487 null]
+1747 0 obj <<
+/D [1744 0 R /XYZ 85.0394 695.9587 null]
>> endobj
-1268 0 obj <<
-/D [1229 0 R /XYZ 85.0394 265.8487 null]
+1743 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F21 654 0 R /F39 858 0 R /F48 880 0 R /F53 957 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
-1269 0 obj <<
-/D [1229 0 R /XYZ 85.0394 265.8487 null]
+1751 0 obj <<
+/Length 2849
+/Filter /FlateDecode
+>>
+stream
+xÚ¥Z[oܺ~÷¯ØGITR¤(©@$=ÈA{êž8hÄòŠ¶…h¥ÍJÃùõrHŠÔmO[ìƒ(rÄÎ|s!¹tGàGw©ˆE‘»¬àqJhºÛ®ÈîÆ~¹¢†æ%zãS½»½úÓ_Y¶+âB$bwûàÍ•Ç$Ïéî¶ú½‹i| 3èýÇ_®ß$"%IôöææÃoï?þÞS$@@Hô÷·¿}~û7컹.€ì—Ÿ®ïn½úpë„ñ¦„)I¾_}¹#»
+äþõŠÄ¬ÈÓÝ3¼˜E²;\ñ”Å)gÌö4WŸ®þé&ôFõ§K
+ài§ »7ŒÇ9ð_V3J(K‹X°„95ñ|IM–J©éÕ—¶»;ÉýùÔËé’i’Ç<aÞKÜÕœ=4Gö”±˜“4 ùß*}w¼~Ãr Oº‘D½†kÕí#¾w~ϯ$%§kšGzu×"}%û»+  H{_Ø¨Û »ïgyz¹¦”F
+¢ž‚
+tú!Ofš
+m[ ¨†3ŠHŒ¡ÓI«ßz¹_´c«ZÅQjCÓœ¼Â<¥¡uõ#´µ=„ÝçS‹õ?/´ï­×,ÿuÕê ¯Á³_,ÂÊ Â¯C‚¨OÆ/@£ڀ„¥r«µð¢#¼(Ø6sG5ç>‰ðYÌaW²ïgÕ¹Ÿš¤{·±´jór9¹æ
+ãgß Ý×ë†I2ÖèBØô©Ö ã¨F؃Þù¦‚iVÐmþŽj.@hðQ&%mím¸µ lÃÝ11‰F‘õëhV y8š‡/™‡dÆ<Ü77æáÆ<<8ZÞ6lYó"¿J}ª óXªÑ<UU«Õ•ÍÜ>B]´dÛ8ª¹¡}@Rµï$ðÌ#¬y„5Ìch ÛY¿öáÂØG }Ä’}
+káÛGûcŸÌÙGSQÄË'…цÑh›?Â/œÊûTëFsT£Ñšfõˆn“óxD7c½|Dðþ$M¤±ûF–¦©DšG¯„°òq½b£‚ÇD\8Íðˆ6”dˆðê°>È¿Ü®”k[<mµ6e¹\¬ù<A7æŠqZ‘’¢Sçª/uÔM,¾›T¯?è–.CÁO²"±Ç· ¹j1C
+ïý_’3Sàæ¹:F[
+endobj
+1750 0 obj <<
+/Type /Page
+/Contents 1751 0 R
+/Resources 1749 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1748 0 R
>> endobj
-1270 0 obj <<
-/D [1229 0 R /XYZ 85.0394 262.3364 null]
+1752 0 obj <<
+/D [1750 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1271 0 obj <<
-/D [1229 0 R /XYZ 85.0394 236.8919 null]
+1749 0 obj <<
+/Font << /F37 743 0 R /F48 880 0 R /F23 678 0 R /F21 654 0 R /F53 957 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
-1272 0 obj <<
-/D [1229 0 R /XYZ 85.0394 231.8294 null]
+1755 0 obj <<
+/Length 3318
+/Filter /FlateDecode
+>>
+stream
+xÚ­ZÝsÛ6÷_¡™¾ÐÓ
+!¾HâfòàÔNÎmš¸µÓ»›¶”HÛœR¤*’NÜ¿þv±
+–D!_ לp¬…°æ2f‰â¼oóö|)e´95ªn³ÊwØŽ‚úžÆP>O–º é“›ÑÖôL·Ûüœ鎺E…zõV¥¡aQ¢ÈŽì«t“ÕHV3EÜÁúÓ…¸`¡’Žârf äÊÜ×^¨v(s¬ÜÖuÕì›'Až¹ý¬šºìÚœáê‹¥H"&Ç#çÌh-ìÊwöÜ4œQ~ŸveK§´ìÜxÑÐÓœ¥ü5 EeÙ@·k
+8µêÁ“¹y•;th6mÚ曼róýÁJ3<²D1Ør~•·ëW»6ðÄ`o÷s¤Y¤¸?Âo`íDöœ€w¬
+ªšÎ@Æ@[UmE…Ý8iq¤po¶0 Lj‘^ƒž+¥‚
+…·ã–­Ú|·¥‘ÒR¸…h¸LÛâ)§7ÕžKZ9êÏEYÒÐÊ‚NÂm‹ÌW“Çõ£]Ì•…6à
+ìÓÞ6²z“UC²hZ?eH9½5',᱇)r\?ÎÜ•L\ƒ×bf)f@û•Hž£+yÕÊ
+:ªµ;)xº¸ŒG2ú«àbKîÌeKPÓ(9mS‡TÇmjOemꪻoŠ?ó×o&VU)8r@îIÞ=Õ”ùت*Ãbé1wkU…×fl|º¼¡À°IÜ(‰Ço±ŽŠc+
+Òì)ßµEC0²F-6¯.?܆nù9Ë(¢]°Ë›™Û&cO°znó†¡Éãdͬ˜é—bÓm¨ƒCêÏ5S±6cõß•£ÝBCMôøl 72Ú/ô÷ Hk©Ý¸UQh„ô ²fK8-ŸÏ9çŠlâàg !ÐÜz®]‹–|Ä: ƒ]
+çÇ-/èÛvÝUYžÍ™nKŠáu?«?;‡Gs·»,ô@.ŽåÂ逅·©[áOò85õœA‚Ö:í§)=ðÖ©õG—ïžÝBnâÊÑ’Y=¦k<aBJó‚® ¨N蚧²º–gUóú«‰¢‰ˆ õiÆ=Õ”óAø‚öM&cÖ·
+DŠðA'8¤:ÄžÊîë—ªþmAXQU>Ác”°lëiþ=ÕT€1ÁÞÇadÆÜì
+Œ{”HÜ9­kûÌ,‹ßsjÙóÄÆíÇ lÄó0|ÀgJ8ÚUݸ™v§K»UÛ‡èd“:îJaë±Û¤Õ’PÌQhÆöø¦Yº*q¡C0¼Áø Bir
+8Þ‡¸ØAê cC bë¶Cyº~¤Áñžh Õ©Rê¢c#Æ"À½@ ª¤é—½O×p›
+7õ×P‡—áN}tÜDûÙoîæd¡;Wš%"ác×7IãÓ,+Zˆ]zåÆŒ£®¦.e‰QÌÒ„ ’ò“0ØÓ£é!ÐëÇ´™ r‹a…|=É!ßñõC #‡Œ¿µ —‚
+QB`ÒúP¥m׫£ÀŠ CPÁc#f\™¡¡×èomÃÆ­«o›mQZåêcl-/gªÀ*L©{|©
+,À§%É| xÙ¯wò@ÜPŠáÜ^¿ûöŸ·WÇoânðK/Ýÿ€ê<•Å@»ë°Æ´ü=~ýü™à ‰X¤yZ„žj*à †³Hšh,„M¾°”™[u·©
+>p¨Ì©F°àTtgwž•Ç°ò»Éhñ¹r3»ÆÓX<ÌT<¥bÚôµ³¯‡*q ¿†¸¢š¾µ°ì•R‘ ùû«ÿø
+'\Kb"†Ã8ÖºØÆ8ýò†¢h}Îï+ز>f5Àº3¼F›b\,#Àš5ý¡fsq«Á´|)nõ‰ž¯pÆAY׿ƒûÙê¡Ž! ï?[à@ŒÁ¿9NB0Æ~ØÅÙÊ4ÅÂËüòªF°ˆ÷¹ª5ÑÆWÒ@þ5Y—ÑHPÞ\Â\JSõŽÜ9롹>¼Š;e'>Œ/x`§tèí´f픈ф*³
+0-1—ñžóÿd­D.?2/-CªãÖª§ê=V[omålµDg„ê4÷žjÊþÀmqkùÿ Å cr)¢ NÌL˜qNŒH·ùÃ?z‘Ò6D/]A†ž°~”¶¶ø¾ObJ†^g1cI¨ã±ùk@ãXÝÁëÖ˜Ä)ý÷æW\—œê¶zÏy4kÀú-ÞcFƒÑ6îaàJèŠ~øôs¤»ë›÷W´Õ?]ýt}u;c BDKtlö_à$}o®?\bˆŠÍ¶´_¢RÄ)[”žšUÌ’u$ø‹õ
+'õL-׉,±^ÜË¿6è–¶ÞìjŠYN¯ðíÒŽÈ`´Û–nœ¬° A@pE×éÚxÛ¶©§„/؃A2GE„í.gËÓî,•r>@{ †>@»dÖJ‚ - èïÞûëTj
+endobj
+1754 0 obj <<
+/Type /Page
+/Contents 1755 0 R
+/Resources 1753 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1748 0 R
>> endobj
-1273 0 obj <<
-/D [1229 0 R /XYZ 85.0394 205.1097 null]
+1756 0 obj <<
+/D [1754 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1274 0 obj <<
-/D [1229 0 R /XYZ 85.0394 201.3224 null]
+1757 0 obj <<
+/D [1754 0 R /XYZ 85.0394 204.5196 null]
>> endobj
-1275 0 obj <<
-/D [1229 0 R /XYZ 85.0394 141.7069 null]
+1753 0 obj <<
+/Font << /F37 743 0 R /F48 880 0 R /F23 678 0 R /F53 957 0 R /F39 858 0 R /F21 654 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
-1276 0 obj <<
-/D [1229 0 R /XYZ 85.0394 141.7069 null]
+1760 0 obj <<
+/Length 2180
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ÛrÛÊíÝ_¡‡Î”š­÷Æ[ßœØÉљ۔9í$y IÊâ„E¤ì£vúï»4%Ñ£t:| ‹Åb,.+&>1ñÄ2ž„±f>þ$­.øäæ>\K3sD³!ÕÛåÅå{Nb2˜,W^ãQ$&Ëì‹÷–I6Üûõn±œÎ¤Hî]ÝßßÜ^Ïÿc4@Á¹÷ûÕíç«„»ŸÆÒ»úp³˜~[þvq³ì¥J,¸BQ~\|ùÆ'þÛg*ŽüÉ3 8q,'Õ…öóµRS^,.þÞ3Ìš¥£œIÈ1Äc*Ð! ÂTÓY
+C¦#Xs ºfÓ ˜Gñ¨É?Ø $âÎ…~u])ÀE/31K6›²È3T¹”^Û¶['݈3G’ùQœWœâ“ŽÆÞâ™PÔEW˜“ÃÀYñý«$³”d+
+ WÎèTBøõC:(ñ†Ü‚· ÿ'· ‘ãQÜJk.ÿçÛä4Ö˱™¤f2ÂÈ£|‹XÚùõ- °ø|÷iêûÞr<¸KŸÉ8hÕjÄ(1ÿóñ\E±39y›¼‡©€À[ÛÁ®(QÇÚ£ukB’˜€úÊ}fË·u‚N˜”Å¿L
+ÔeBž_Zig±í4òvuûJ¸ r…Û÷óÔ[éû(¾^æ]z¹ÍÛ¦|bpÅW½FL„°?Òüåß¿Þý~óŸK¢nÓ1¸Û›,nnHWwçcüºi;Œ¶ãèZ‰ñ"Cd4@fuÛæéì{¾ÌëÁ¤ÙA[5@-¦{ý}zÿZ)¬4ˆXè÷tã
+–Duê÷íç‹óGßs± 6Ì>€í Ó5 •é—r•€T @3¥g
+Tú˜¨Æ{X
+7tÀâõ¶§z9(6_fÉ»¬¬·íòùé›C¥c¥§Â&A»Ôš–IÛŽö)ÌICÔ3¼aZŠß¹b5Ý«üÂø˜á§ó wÕC>Ú@LJ-Ž9vg9vûÍX¶‘
+¬Íõ1¿?Îò{NŠîU~ªçG-Z zŽË£/³jd—CVeò8¶‹f:ŒN´ {(°U2G¥Á·Ñ *Lâ0h\ß,Þ}šß/çw·#ya$,Ž·JGÃÒ/–4øk‹jƒéHÄQ'Í„©%Øä[€+S¬áØ\gì;$MC®ìëø×°&)KËCÂzÿ¶<¤M9z8?¿·rfÅ@ˆä­-tí,IÕ1”OOEj 1|~HL ¦¼?¨Klmk@
+­;,Z[ymíŸçΰ ½Çâ)¯ßŒ˜BB”àÚw>óš)$„Jß]nÓå¹]lí¸6e†wU•˜Pû6¶„,½{<"…„ø¾xÜ1Û'¥>‹¼QF]'IÂ?Ší”Õɽêñ
+endobj
+1759 0 obj <<
+/Type /Page
+/Contents 1760 0 R
+/Resources 1758 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1748 0 R
>> endobj
-1277 0 obj <<
-/D [1229 0 R /XYZ 85.0394 141.7069 null]
+1761 0 obj <<
+/D [1759 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1278 0 obj <<
-/D [1229 0 R /XYZ 85.0394 138.2901 null]
+1762 0 obj <<
+/D [1759 0 R /XYZ 56.6929 626.4701 null]
>> endobj
-1279 0 obj <<
-/D [1229 0 R /XYZ 85.0394 114.2204 null]
+1763 0 obj <<
+/D [1759 0 R /XYZ 56.6929 517.4334 null]
>> endobj
-1280 0 obj <<
-/D [1229 0 R /XYZ 85.0394 107.7831 null]
+1764 0 obj <<
+/D [1759 0 R /XYZ 56.6929 438.0429 null]
>> endobj
-1281 0 obj <<
-/D [1229 0 R /XYZ 85.0394 93.0186 null]
+1765 0 obj <<
+/D [1759 0 R /XYZ 56.6929 376.8269 null]
>> endobj
-1282 0 obj <<
-/D [1229 0 R /XYZ 85.0394 89.2313 null]
+610 0 obj <<
+/D [1759 0 R /XYZ 56.6929 339.1376 null]
>> endobj
-1228 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F11 1157 0 R /F43 600 0 R /F77 703 0 R /F42 597 0 R /F56 618 0 R >>
+1766 0 obj <<
+/D [1759 0 R /XYZ 56.6929 306.6767 null]
+>> endobj
+1767 0 obj <<
+/D [1759 0 R /XYZ 56.6929 271.6646 null]
+>> endobj
+1768 0 obj <<
+/D [1759 0 R /XYZ 56.6929 207.5268 null]
+>> endobj
+1769 0 obj <<
+/D [1759 0 R /XYZ 56.6929 137.3205 null]
+>> endobj
+1758 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F23 678 0 R /F21 654 0 R /F53 957 0 R /F47 874 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1286 0 obj <<
-/Length 2680
+1772 0 obj <<
+/Length 4060
/Filter /FlateDecode
>>
stream
-xÚ¥Z[“Ú:~Ÿ_Á#T¯%ßÉÀÉÉ\–™œs¶’<£WŒMl3Éì¯ß–uA6²È©-Ð¥¥OîOÝjµF.üÐ(0ÁÉ(J|'pQ0J÷Wîh }Ë+$d¦RhªK½¾ú×MˆG‰“„8=¿hsÅŽÇhô¼ù2ž9ž3ÜñûÛ÷Ÿn–«Ùã‡ÿL¦8pÇ_ÝÀÝÏyåéór¹xz^ˆêj1›ßÞ/AM¦Q˜¸ãÙããâ~~û7Y]Õz½xš|{þxµxVËÖ ¹[ó«/ßÜÑžðã•ëxIŒ~BÅuP’àÑþÊ<'ð=O¶äWOWÿVj½íP“ª”ÌÔóð/(4HœÐÞR¨ï™*¥˜B¿¬n®±àoýçEtôIÏ •Ô9vjØGN€£.öl2õP0žß?±‚?^­xÃKYñÂÓ¦ÙË[Vly½ÙQ.ù©LI“•o._„8­^³”Ö{–ÞÃc7q‡1,›A¿ƒjig#—Ç|]‘bSÓ‚@™÷<NNÆBìÏIŒ³_ÃÒ¦\ÓŠÁ¦
-aŠ“n€øÐÜK†à8¼Àª&eaUJ)VQèYXµAk¬ö±Í¬êØŸkÎÆ‚/(Ü ­
-Úð'œõ—¢!«›*[!~wû÷bÅ‹×eÛaO
-1v™—k’óòl³©&(ÓºãÈáÀÀÏé÷üÄñ4è÷¹Õ·åSΡëp˜—iºËÊwÜU|$Å‘To¼ôƃô†Ðâ NP&W
-iÜÆÃÜÚpOÔöÌêÀ+Z—ù‘›öÂÖì°?£ˆ72¡cËJJyËí†MöÕu1­jÞtä[„ n·k›—{’‰™ïÉžòº¡{¡®çDq Š½d¼rÄd¤ÈhΧhM™5Þ9‚d9´Cò%yË’, ª(Ž†)cØùÈ»À±&e!YJ)–±çZX¶Ak4÷±Í<ëØP±»¿Ò)¶BsšÓ­p»í™JÓ²Úðrë²YóÉ¤ïŸ ´¡8p°§³Æ&rÄ!Ü|ÏŠº,D³ô®]`B<RĽ€ßý¹aíEŠ\þ ­a9ýúÊ”3âÔ à„.œµº”…S)%9EÈENmЧ}l3§:¶ÒÇ¢HË 7?¨µ6 ÿ÷´ùYVßE̯îiïÔ'¨xž$xüv
-Þ¿²³C•å’ó8´¼  #;KºÔ0KJêĶœVèKgØF–:Ø+úã˜ñ3m^³î×éeµe-%¦Rw‡<K5Uô=‡²jLŒÕ$“‘É¿¯¸m³!ÚH7âºñÓÑ¥,¤H)EJXLÇ
-­‘ÒÇ6“¢c«“I˜†Ð(?™x¹©ŽiÃ=ÚÓ¼æ5 î0 œ0òü®ò?
-ãx‚i.ï?UwÊúÃ4°0&H.Ù†&e¡AJ©SÉC‘…´FCÛLƒŽ}“ºÎÛX¯µ…ûél>_9³÷.³ßQ7<TÔSö¡ìE¶)¨tBKѸl.[Ý—eó®Çnϳ®fÊâ#Œ=oäaZµTîƒñ}ïB¨©K ®¤NvçY·BŸ?Ã6ÞÁ¾.÷{éÈ”.æ¤!¼t“傸#°ðr{¬4×·¨8gUm C"Ç}ßrL½§´'Áˆ7h|~9qr‰Š“… !¤ˆHåžnÃÕxè›iЀ,¨IòžAüs.0ǸËÅ\Ò@`läË溮&ñ¸s¾_ûà?<?¼p¿Ö¥,dH©SÖY¢s+´FGÛ̇Ž}¦ûë*ƒ° #½`aîêìТÕ+ÜÂL Aä†àßdœFŠB¿çýúc¡És(‰Ñš4) MRêt‰B‰…&´FSÛL“Žý¹¦Ý[Ï,ÏHMû±]'·e²àêïD¸ï»î È>Ë›³øO^±þb¶TeÛ]ó/Y^QjtO(íR
-Y« Yëó!4.EGSÊ’õͪuÖT­«ã½•B˜5"afô¨pº¹ºCõ`N¶Ø,«²¦Åš÷¢ýŽ¼‰ü¥ÕO_Ÿtì]Šöu) RJÑ!ËÌ
-­ÑØÇ6Ó¨c Bʼo §„®Û­9Ï÷mPbß8gŽtÉ{"Óˆ÷å+Ýë–7ÎM`ñI|AÏš”EÏRê¤çÄf.6hMÏ}l³žul¥Ny5íjûSI62ÈI‘¨Ûó!vèç“ž™““ñC•ÕiiÊ-ÀÕkPá®ë øRVO—²(\J$ß7X¡5…÷±Í
-×±Åé\r©Ù:;ÛåÆËî,ÏåSäàA9èr𠢂Éq»#ÅÐÆήâ±·E6¾.5̃’:Ýcý`˜+ô‰‡3l#lu&„¾Ì´±"㸤x; ðÒŠ%Éè+pgJ#`ÇãHóø‰×¦ØÈ?rZÀÙÔ¶be¬ç/FN™¿ˆj KÑÿ°…ûöú­õˆb¸:.fÿ¼~‚ä@Àx!ÎÓ¥,tJ©¶—˜VhÎ>¶™N{¦î=¯ì=‡Œ¼n¤A‰° gzzŠµ6[žñd‡3Æý®­1¶.ä<ö&«t#»u]æ´é'³>Ùþ·¹Iç-~Á}$c-òÙV«ÁÀűƒ.ùUMh˜)¤… úm¸'öûÀFòu`~†áPOªcñb þ—´ÜVä°ËÒV5ÐòÉâECìÄAè/´ÐøÚáo¿BÓ<=mÀ!*LwÇü¿T´> ùÇœfMAÕÕº8‰Ð72p°nÊ"{'ìYâwìy J9ÛEìK¯ŸÀbkàɹn?u=¯ÈKcÚà.³A'öSk£â@Ž‚²ß~ìq;¯ù¬“¨ì+Txº,aºacx#»^qŽ`ü¦L2ÅóOØ?Iý]äEñ¥•ðw ¤þÎ…oJñÆ4ë#èÝQî%Ý®6ÅßÇí!Eìõ5-RÞšð{´‡ªŸß& p[ Ûg¿@cÝm{†@¹ýFnè+ÍË{>XQ˜ ñ­4[–ƒie”¾ØÀ”´ïu™M³jÁ2-tÙ} îòøÈ-Ÿm*ØdÀ/´î,òÆ2÷™Á‘Åv`,ÝHÔÞÞ¸T½+¹hmQYaMùÿcÉÝ ¶îÚÒL4ù­~ZÄBLÖ~(óF_¨ ‘9fòiZî§&~ìµ1›¹ãõÿç;
-$sž®’¤Q"Bø´ ¡ò"=¶çj^m— ÿœEð âÓ‡Éñ.®D(ìÈ«˜„ð¿<{¡5,×ÚÝ
-ÿuö‹öeÑìÄXØïr‰?ÁõìL*Vè+nÓÝÌç Ç®TÆʇÍéf¿~S/T3á`ûìJ‘W2Ôþb2¸_W¹‘ÿûƒ*-U9^<tã„›.0‰XÓGìž­¹öBlXúÿ
+xÚÍ[ÝsÛ8’÷_á·“«"†
+6Τ U!¢LkIBÚ6}µ!ø܇/Ô,ë¶+r¦#{øtìaÃ3å^Æ´–~T%|¾ñC7*q#U•ù=x[të·‡¢mª—hÝÔO3üÃ"ÓD(þ Â×K¥d¤l¬¯—Æî?Ÿ§S
+ØõÔx)-ó™9D%‰¶Üå×XÇyUÁCðRfðªx¥Åç¾|É+§NFGוõó ¸†RPÖ8,iùr‘£1yÍòÍÛßp¢S½°2Jȯ«…‘ÕÆOà¹ßå¿ñVç'ª´áËžûÜÞÿÏ"l
+Œ™&™nÊ߶˜Pg¤‘¤°“Ò3²|7' Ðs#’#aàÎáÙ·ÅæÍŒ(@Ò±Tâ‚(d”ØÄwz-«ŠÍ»®Øí;f¾Á§\lÊv_å_†¹ÆÃ/·Ô û^7î¹aîž@ã_MÍ"ÐSD*n˜3lXK@¯'7C³cV=Ï,c°úÆ„µ{«§Íðö©d²ÈûnÛÊ.ïÊ—‚H~ô`ÕH&þ¡á€Èµp%è4”rVçh88}M¸6Œ—LÇ#øÔ‹MñkËÚ3´úâgáî¨ß±PqñΈ3§¸Ô›~<5½7—'XÍh <Ø7áHf¼–,×óz*“ìXM•p¨z¸±‹~ÝáÒÁ¾!ƒCJN„Ý¢¡–w#_è—“(<×UÞ¶s*$âÈàvÓä£nSÊ"kâj Ë-™«uÎ ¯
+z¢]M®šæ·~O´?mÙl˜Áé4:²"–Óíy·Í›¶.x‹ˆ;×dØô®±.ÆÔ°áêvLŠ†¯7ÅSÞW§ƒyl¾»§'ù]ݘÑüh³guVVMëF‡8 ïö}GmÑ,ž‹º8äìÚ jê)Ö/´6â"îfÒ°qàˆCžG¥à.¼Òmæ=…©WºÃœâ”J§Ü "NÜÍ Ô„ˆ¶š÷x~mXdîî92@3r“ì$$à}œ¢“ë ‰^&1‹mŽ`$ :èd´=aÝK¹q
+á â8f»šg[Št
+¹õÈåØ
+û§âã`]dvÑî‹u‰A/ä§à+!@ž‚äY[úþûß}|I‰2Ú™‚;ù;ö~·Ëظû˜Fw÷ôcÓìò²¦®9>„_¾CÊ AèD»JÎ:>}x',Ó×<±w¿>™è=  '·Ÿ¨îð’—qgÁ,—÷ó—2ú$äJæaÔ$>œRÝïV.¥¢‹§€¶i†n.¶¹ GCŸ@Íâ³Ú£
+›-d •EÜp³i¾6Qb¤þ¿¦ùoºÂ”‚åMY7óL-Y‘µŠDcSMfŽ¥eGe}кàæS‹{Ø9~ép˵žŠW‚{ËÚ‚­!ÈÁ1ÆäÑØñ‘•áK"Wœe!¥f!ÜuÓ9x“–
+žmAspÄ€Œ4?Mᓽ£\ˆl}¾"s\ÏñsLk:-\»dÀåœ­ì€ Ø86ÿnesáDžâX€D¾Áìä@?ÉŠåâ/?b…-ñ¾¡;”EK¶3éÒ+xThÑœÁÀOJx AfÎk›×Ïdo’u
+à‰éG€O?áWˆº‰2Z¤Ï©$$-"IOb[*cÁcÈ8^¬Ð #É¡^ì÷)A}¡I
+ e*‚(î(MÁrŸÉP?È8 ]Ï2qGɊᇋ#”Åï{ôÔþ[UÂsP€ ÛN{u[W8Cc;*®"¹o{Hʾ̅ Ô 2×C^e ™9 $Á ‡H³ÉÁ(“Ø<ÝÍ$‹â4½\äWÂcvïr(•B‡Øp)[Aøðšå€Îês¢‰£DÆ!Qy<s„!ìÉFì+n2— ÀÓ%Nø.§ßï˜G¤jÜ^úÖϤM:…4M¦Fí¬žÖ" °ÆeyôL²p+ÌüTY8‰É1
+سhGB¥—O¡â4LOhƒI”µ4>›ÒÝÇ—„HÞ7ÑÉdß\&cä¹%ºó°P[¦ÿטúØFⵃtF±CiÔ¯ü{¶ZÛ$x•n^ 6•'°˜…rDIg#˜vœ’9eÎ!þ•îät.ö&ƒ“;`^
+®0œÝ¸¸ ]ñ<܇x¨y®ËÀáÿ‰.7Y¼»¿ýóû7DÆš ! d"i6TÉæ~¹ÅŽV.î~âÖŸÞãñ¯\ðO4BnBî‡xk>ýEšKÚí +ýI²åšP†zÙìq.¨øm«/ûm“x%?‚-7‹Û§–¦Î™¿|ÏÇ ûC ) #SQ’Êl^û²”·t™$Æù)™éqŽ’:HG"÷Z"Q[zuTÏ|CP¿êýO<Ó||”,O&_=>O¢,ŽOw`ÌWW¤
+
+9‘TÙeUFO.P_¥‘V&™Ê1 ¼¯
+÷ÆΔ‚a»R<¼Íé1MÎXR!!³¥–3BƒÕ kî¿åîm—øLŠäµC&‹ŸæüÝÊ64¿8ŠÉ¢ÀøŠzŽ»ò:\²É+|_UÍ«¯d­¾W²ö(œ,ý‡ãDc…"zæ*ö’Ói”À ©;sN<ªAA'W<áVCÏ×Ü™¹â›ØÈéÁ5<ð“Ä£¨šìMÝêTt§0Õ%Jÿ¼åiÎdF22i€¹åßÎœ Øáeöà¯Ge&ļž&à‡Ó4À÷yÿªM¤Ó`ßÀZ
+⤱Sû# ër5ètJ…aÚ‚_Óõ 7†ƒì3÷|GK©³…N©DÙ¯) ø@Q•SË;kSöòæüm-‰4½œ•KNŒÙ?ÁàÅZÍÕ©ÉÓo™6õÁkAÕëÝ°¥,~¦ÊW‘±ÑC'6zË…“¡]#§7ì ö`%üçÒáÛÔmŒÃü,Ž”5G×e|®üÕj!+ ýpü 6nù~ß“(þ£õ—ý~/wýŽo
+‡â—+#œ^±ú¦k¹»‹VÖ^ýY>'`ÓË·G«Û»ÆgŠ}›?‡sëÉõPTþ<{¯²!-&0Ôš»õ£4¤‹Z‡ãËÓ‘ ·á¨ˆX™¥ô98ìi¶˜EJ›P–Ä›AçnúÙñÙÚÜ¥~…çÖjî
+~|í5íß¾ð?ü=$+ Ä2Ü埮=N"¥2á™BÆE,ŽYpÊûÿª–³ßendstream
endobj
-1285 0 obj <<
+1771 0 obj <<
/Type /Page
-/Contents 1286 0 R
-/Resources 1284 0 R
+/Contents 1772 0 R
+/Resources 1770 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1283 0 R
+/Parent 1748 0 R
>> endobj
-1287 0 obj <<
-/D [1285 0 R /XYZ 56.6929 794.5015 null]
+1773 0 obj <<
+/D [1771 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1288 0 obj <<
-/D [1285 0 R /XYZ 56.6929 769.5949 null]
+1770 0 obj <<
+/Font << /F37 743 0 R /F53 957 0 R /F23 678 0 R /F21 654 0 R /F39 858 0 R /F47 874 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
-1289 0 obj <<
-/D [1285 0 R /XYZ 56.6929 771.5874 null]
+1776 0 obj <<
+/Length 2189
+/Filter /FlateDecode
+>>
+stream
+xÚ¥X_oÛHϧðÛ)@5¿’fq8ÀMÒ6»mš­½À²}Pä±#T–¼–œ^îÓ/g8R$g’8øAÔˆÃ!9ä¤ÙŒÂÍTBÍõ,Õ’(ÊԬ؞ÐÙ¾}8až'î™â1×»åÉÛ÷"i¢žÌ–둬ŒÐ,c³åê&zG9 4:¿Z,.Îâß.þóáâê4f:S:š___\_þû4æŠ3°R}ž_ý1ÿ„kקšGó‹ÓoË_O.–ƒZcÕV§¿Nn¾ÑÙ
+,øõ„'Ì~À %Lk>ÛžH%ˆ’Bô+ÕÉâä÷Aàè«Ût£„‹„|ÁÙŒ1¢•âg(MÁ…sÆåùµøãúúË×S¥¢¥5 6‹‘#é,æ ÉÓ¸kíy؈'#™¤°ZŽ»¦ír8#JÖ3å-ÎÒèÖ˜ÚRYt{(«”Ý.¢’°ô'U´¬;³¯ó®lê¼*ÿgVøiÕlóÒ ©ó­V†_ÚÃn×ì»7ðÆeTzéEî™ó¢0;¿˜×½´²ÝUùƒ×Ô±µe ¸‡T@Ø n+拳ËKàLÙ£@[%Zð£”h)^ó'4ISÏ”ïvûSP¥Ùí˼3ÕžQ4õ½Ùw­»Ë÷yÞÁWSͪ¬7øÖ¬Ã*"ukÖ;À¿·¦v[ÕŒ BÄ•7Ó(ÎDG¸ë¯ƒi;\èûÌlráBkö÷N' ÿôþEX´Á¥‰¼³^×höÖ˾3(ÜËLeù)’ÔF¤ûðÐþ±BæªünÆ*Á󰯑 ¼bשÚÇ™UCÆ™O§·mý .j¬óç^å¼mjˆ1!À:ˆ>ÊkÓ"§•ï."g\šråoØž}'œJµҳD' €Ô?(œè,ËÂpã±HÄͱnœ¦„g2}<Ùªx~¹˜¿ûtV©•’{SL}_âµÕ[Swè„û"÷¶2O! —wÞyÎçΟÞçî¥lñ+ĉݴò«k\õ…‹Ñ
+ ,™ÞPâš•dŸ­éøqX@/
+˜Ÿ€cã­QbR@ÄjÖ‡a^mš=ÔÊm ®”S¶OÌø6$-%Z ‡·PT¢dJ2N“^Týª(OÝÃ.$ ÚhÉzµnâ" ŠŽfTzž¢ÊÛ6 @4ˆŒü†^»‰Í@­¢ER%zÑë*ß„$KÈßAÇo8’e„)–Mç&Þ¼j€T¨w@»¨’'FÜ Ô÷Ú² (™ðÛwû¦kŠ> W˜Ÿ³ÈŠd‰ê‹Ó£f»2÷aåªø±ÐöU¡m·7õz¼ŸV´ È„¼ó³„M»“gïD ¾UÙÊÜ›êgã¯~D»ã¢
+¨7)`iZ‰z S™ÂÍXRúYˆbÿ°ëšÍ>ßÝ•. Jº
+Pµl`JA{$Ü¥Ñ[|<¦jP–€r°äžÝü›^ãH`ôÁ©Ì<#¸ÃŸw-ðÑCKð¸À¿5ˆ‰zt8¼À˜o‰¬ïMt$©N<#n}ƒ k}×” `«Ã‚Ñ* ¼à,b”ËGÁ“–À§ù/”{$·‡ª+`BáàR.‘$”Çý†×Ryß«±ïá…å=j­zÇ?óŸ6´Ãöè@®Ð¡¥ø¿ÿï~ü_&
+endobj
+1775 0 obj <<
+/Type /Page
+/Contents 1776 0 R
+/Resources 1774 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1748 0 R
>> endobj
-1290 0 obj <<
-/D [1285 0 R /XYZ 56.6929 747.5177 null]
+1777 0 obj <<
+/D [1775 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1291 0 obj <<
-/D [1285 0 R /XYZ 56.6929 741.0838 null]
+1778 0 obj <<
+/D [1775 0 R /XYZ 56.6929 751.8114 null]
>> endobj
-1292 0 obj <<
-/D [1285 0 R /XYZ 56.6929 714.364 null]
+1779 0 obj <<
+/D [1775 0 R /XYZ 56.6929 637.809 null]
>> endobj
-1293 0 obj <<
-/D [1285 0 R /XYZ 56.6929 710.5801 null]
+1780 0 obj <<
+/D [1775 0 R /XYZ 56.6929 571.6272 null]
>> endobj
-1294 0 obj <<
-/D [1285 0 R /XYZ 56.6929 683.8604 null]
+614 0 obj <<
+/D [1775 0 R /XYZ 56.6929 530.4875 null]
>> endobj
-1295 0 obj <<
-/D [1285 0 R /XYZ 56.6929 680.0765 null]
+1781 0 obj <<
+/D [1775 0 R /XYZ 56.6929 492.9536 null]
>> endobj
-1296 0 obj <<
-/D [1285 0 R /XYZ 56.6929 623.4385 null]
+1782 0 obj <<
+/D [1775 0 R /XYZ 56.6929 459.984 null]
>> endobj
-1297 0 obj <<
-/D [1285 0 R /XYZ 56.6929 623.4385 null]
+1783 0 obj <<
+/D [1775 0 R /XYZ 56.6929 390.8804 null]
>> endobj
-1298 0 obj <<
-/D [1285 0 R /XYZ 56.6929 623.4385 null]
+1784 0 obj <<
+/D [1775 0 R /XYZ 56.6929 303.7532 null]
>> endobj
-1299 0 obj <<
-/D [1285 0 R /XYZ 56.6929 617.0603 null]
+1785 0 obj <<
+/D [1775 0 R /XYZ 56.6929 225.6163 null]
>> endobj
-1300 0 obj <<
-/D [1285 0 R /XYZ 56.6929 602.2957 null]
+1774 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F39 858 0 R /F53 957 0 R /F11 1293 0 R /F14 681 0 R /F55 965 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
-1301 0 obj <<
-/D [1285 0 R /XYZ 56.6929 598.5118 null]
+1788 0 obj <<
+/Length 2917
+/Filter /FlateDecode
+>>
+stream
+xÚ¥Z[sÛ6~÷¯Ð£<\y™}rçÒ´v6Rf·Ûö–(›ŠTEÊÞô×ï98
+ …°ˆOßÞÍç·ofŸn}{wýÇ⧫ÛEGVHºà
+iúóê·?ød'øéŠ3«M^à3‘¦r²¹ÒF1£•ò#åÕüêŸÝ‚Á¬}uˆÚ$ÌHMf
+{.;„ ¾4ð$ðÿ+B}¸Ÿ/f·‚öönñqñ+Íh€‰ìhݬiêe‘µùŠž_à8Éh੶'=pØOÃý)È.¿Îo¿àaexrÚÚ5:Ú5êv„Gî›|w´MøïÂla4ÐäÔµ:иw×dFËÌCŠªÉ«Yÿ@$–¦h‹çœx gŠQ¬Q›Õy{ QãöÚ¡¬½.‡ì•3©ÀO’.K`㉱JÄI’ó”u¨ÒzƪÀ¥i.ú´}¬VÅ„‡<Õ
+Œ0k}/§ˆ;rJì^Ö¶]Ñä²®Ú¬¨Šêñè-Rè4Oõ¾tè§ì9ïáä´éœ…_9¦Ï“éÇ5Uµ#Ê¢I¶3‰Z‹¾ˆi¥W6ˆ©¶ûñŽÚÂ=ƒN®ÆAI&“ä’"¨3ŠàQVNüqª˜R‰<¿¥ l
+bª©éoiY~ÌÁõf-
+ž³ŠÚ/ó›_Þš×ÐÌ?ÜóøUÇ+÷5%Þ£Íÿ»Wµãìä‚Å ¡ ì PgØéQ–ë»JY”(oVë2{<±*‘°HA ?KW‡ ¬gUR±H@äëQ6ÏQacáô:}=Ñ“s•¡0btYGèä •.Ý[6X†ÈC¡¥úFŠv+BñõªüN={¬Š¿IjÈÊ/J¢¾•}š"Ù[·n-æÅcÕéŒ:Gol’†RPÑcR¦t|AKBÔ¸–t(«%ÃÙ
+Ê‘*
+endobj
+1787 0 obj <<
+/Type /Page
+/Contents 1788 0 R
+/Resources 1786 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1791 0 R
>> endobj
-1302 0 obj <<
-/D [1285 0 R /XYZ 56.6929 583.8071 null]
+1789 0 obj <<
+/D [1787 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1303 0 obj <<
-/D [1285 0 R /XYZ 56.6929 579.9633 null]
+1790 0 obj <<
+/D [1787 0 R /XYZ 85.0394 181.7045 null]
>> endobj
-1304 0 obj <<
-/D [1285 0 R /XYZ 56.6929 565.2586 null]
+1786 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F55 965 0 R /F23 678 0 R /F39 858 0 R /F14 681 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
-1305 0 obj <<
-/D [1285 0 R /XYZ 56.6929 561.4149 null]
+1794 0 obj <<
+/Length 1916
+/Filter /FlateDecode
+>>
+stream
+xÚ¥XKwÛ¶ÞëWhqòiˆâE¸;ÅVRµ±ìk)ç´7ñ‚!‰-ŠH9U}H‰2¥§G ƒá`æÃ` C ?2 Šªa¤8
+1 ‡Ë|€‡kX{? Ž'h™‚S®·‹ÁïX4TH *†‹Õ‰,‰°”d¸H>Þ"Ž®@ÝÌæóÉu0Ÿ¾Ÿýÿn6¹
+ˆŒH4ßßOf7Ó_¯b`fŒG·ãÙÇñK»¿Rt4~?™_=.~Lb§ÊÌŒV_Ÿñ0~`Ä” ‡_a‚QŠó
+9c-%Ìÿ랬6ŸzÁ Q&¨ Ê|h„
+ KÅF#
+CÚyýáãÍÄú@UǵÎuQÃ5ß``h#N¾-Å !Zh·»ôyà©”`r/ǧðÂ,ÎÖåìÈÍ”Œª­^¦†{i—ÍPgIeÜXâÑ»Ætà+Ÿž¯È(-÷•ûN/÷ æ`¿²€ÅUYTo€"LZ%¶ª$¥vÔ¢¬-pè‰3à6ñ³¶¸­u¡wqf'n›Äζz—§U•–…Ï·%–PŠ"ÎÄE_Å’Pljßé1‹¾ãd8 ‰z'(P°%¶Ù‰5µñX3]èÍ :ä¹®wéÒL£‘.–»Ã¶³Œã6ÜûåÆ-¸M~º_·7á 8!’!€ÔC\?ëÂÂZoÊýzÓŽÝ1l÷OY£
+÷™2ÒÂÞ©-!¶‘ÁSZ› ÄîùØR­š@±ðÅÚÈŒsæpMìæ\öî A8"Ü þ3η™FË2÷h*B…¬å}cDóv»fYù5-ÖvK‘[8aík¹ÏKrìàÞ{ü×£S@…@’­çôIQÁÍ Àʵ9O™(ˆíACx²ÿ
+29ÏbÃÙæýH÷­û<Ÿ¸ì7þ0¿»|«ºUº.Lv6¹XštéÎ…ŸÖjR"©Â¶äx;ÝØ”Û0ÉÓ"7‹ëæžéA¯´=bé<í6.ö[|HJDiק
+ ØîÏ)eÌ$˜¿P½}}©ûߦ­¨endstream
+endobj
+1793 0 obj <<
+/Type /Page
+/Contents 1794 0 R
+/Resources 1792 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1791 0 R
>> endobj
-1306 0 obj <<
-/D [1285 0 R /XYZ 56.6929 501.9076 null]
+1795 0 obj <<
+/D [1793 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1307 0 obj <<
-/D [1285 0 R /XYZ 56.6929 501.9076 null]
+1796 0 obj <<
+/D [1793 0 R /XYZ 56.6929 635.5323 null]
>> endobj
-1308 0 obj <<
-/D [1285 0 R /XYZ 56.6929 501.9076 null]
+1797 0 obj <<
+/D [1793 0 R /XYZ 56.6929 476.3563 null]
>> endobj
-1309 0 obj <<
-/D [1285 0 R /XYZ 56.6929 498.3987 null]
+1798 0 obj <<
+/D [1793 0 R /XYZ 56.6929 407.9215 null]
>> endobj
-1310 0 obj <<
-/D [1285 0 R /XYZ 56.6929 483.694 null]
+618 0 obj <<
+/D [1793 0 R /XYZ 56.6929 365.2162 null]
>> endobj
-1311 0 obj <<
-/D [1285 0 R /XYZ 56.6929 479.8502 null]
+1799 0 obj <<
+/D [1793 0 R /XYZ 56.6929 326.9947 null]
>> endobj
-1312 0 obj <<
-/D [1285 0 R /XYZ 56.6929 465.0856 null]
+1800 0 obj <<
+/D [1793 0 R /XYZ 56.6929 293.3376 null]
>> endobj
-1313 0 obj <<
-/D [1285 0 R /XYZ 56.6929 461.3017 null]
+1801 0 obj <<
+/D [1793 0 R /XYZ 56.6929 221.9809 null]
>> endobj
-1314 0 obj <<
-/D [1285 0 R /XYZ 56.6929 446.5371 null]
+1802 0 obj <<
+/D [1793 0 R /XYZ 56.6929 108.6903 null]
>> endobj
-1315 0 obj <<
-/D [1285 0 R /XYZ 56.6929 442.7532 null]
+1792 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F39 858 0 R /F21 654 0 R /F48 880 0 R /F47 874 0 R /F53 957 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
-1316 0 obj <<
-/D [1285 0 R /XYZ 56.6929 386.1153 null]
+1805 0 obj <<
+/Length 3193
+/Filter /FlateDecode
+>>
+stream
+xÚ¥Z[wÛ6~÷¯ð#}±¸’D÷)mÜ4mâdk·»Ý¶´DÛl$Ò©8Þ_¿3˜o¢¤œ³öƒÀÁ
+iÏ—›3q~}¯Ï$ó,ÓbÈõíÍÙ×ßëôÜÅ.QÉùÍÝ`®,Y&ÏoV¿G/?|¸¼zõæß eEôm|±°BDï^^ýòò-Ñ>\8½|}y}±Y*S`2È–ˆèÕÕõõåw‹ë7¯¯þóþêòâÏ›Ï.o:Á†ÂK¡Qª¿Ï~ÿSœ¯`?ž‰X»Ìž?Áƒˆ¥sê|sf¬Ž­Ñ:PÖg×gÿì&ôú¡sÊ°:‹m¦Òm(y.eì¬U#uX'Zi¯Ž÷nÞ¼¿ºÞÛ‰ˆ…¥JÄN¥jÞ Ì´r……g̸pÝE>]ÒéXëL_20Í,©K‚Áµtv¼ä¯RʨؖwÏdè|½¦Æ}QÛ¼-VôØ”÷UÞî¶2‹Š&>¤›$sq& qT7C®Ãºé¸¼n–¸ä×ß[;à”"Vl+<Ër7ÍT0©l,m–—¬ãšm¨C©Á%cÙ®‹eù‡ªhHYíCA ˆ jl¾YßM˜þ[WÅa…Ú,†ÅN)tÀuD¡Ë+ôãœBeœ9«Y¡‹ç=uJgIjËÕqÍ6R§-4ÎP²› '"r´¼½Xh%£¦ÓðŠ(šoä ÿŽèÊûkYÝO¸Xo;r^=Oúa ß7ˆlJG7%Ï^?¶e]Q{“ó·Å¾p .ÈØ •¡g`S›Ýº-×lò¶Ü "iãDwÂæ®#6\Þæë›»¼?e“¯êM^V{V·Z$Ç%ë¸fDȦËöšñ”4§Jlôê-ž;¿­)Z¢‚€Ä´Z•d¤¶5Q)® á­Š=+ ºü Z’ÇV+^⺛í®-Ú½ >Ö†ïGW@ZþøXT«`jÀ ‘X7¶µ—dáU¾)?ùù²ö¿«Ã>aS§žHûÄë°Ot\Þ'V'q`Un‹e[o÷ÑÀŠ8…“ø¨piF¸‘WX§Òè±toëú#)êTäÕn0Ê
+™WhÆPì+7ÜùôPT#~=J$þóÏP)PsßH@¼†‡~Ê×%f¡œåÃ9–yX „`D¦d
+Шâ¹ä ŠëÎc„ß”ëPß N@VÚvדÉÆa&˜ÁN_q5Ü6’w‡UýôÕULm7ì7 •7gS¯‘1Ev
+å9@KÒX¨H‹1£”R1TÒrl}–àPI§xŽ½Š»¬üfûrá°ÿk“¸lrñŸÀåýça¯úÿ6æÄ’ifÉQõåÀìdÉÛ²jùÀÏ9x¨·¬ˆf·ÙäÛçtÅW\å>Àïw›¢›¸e°i@¢ºk¤ªˆ] õÐofì—š8qnäsÖQióº™Éë°u:.oòÔU¨²ØB²Ÿ˜€fÀvT¶ŽkF¸qb’@;•céþÕe9ý<Òéñ©¬wÍš–ØöZö­’³‰Ç¼iBoÎ4x8
+5Ÿ›ø»MlÜà †Vât£&¨!Á2Îe3Ê›ìx¡Á V‰É¥Y¸bgÕÍ4Õ^®Cm–ðO9sæ<ø7H~G—“ÒÁExXÓ”n¾z fÝe5*D0³ö¥…êJ‹œæ …-PƺKbú$åÎ
+¹öwÒ î]"W|+±?Ö\HýÉšÀó!ÄÙì¥(Jྸª œ‡ý¢ÀÓºv©>o1òËÑ>µêò¦P05¼ÖèÕb¸ÄÏ[®§%TnJMêé^XÒ56.ˆ†¹*0WE§5"T@̉'ÄP`þp*TòDÀY|Ô'証¶ô«a“(y˜¯„ÊþnÈ t:sóÄ°§?ZíŠîðõ¿=~t×Øþw]4ÝtÎ4ÚÞF³.èØçDà©Þ…Û׃Á:w2K¼ú–öDÞ4ä:|2w\þd~s*ïöÇØ”¿!''Þ ¤ÊGåë¸fΩŒ $Ýc oBNÍ"@ÛpÂmû„›SPì£Ó‰!…<ÚDê¦)o×1Ñd 'Ͻ/ìeZIœ&"d¾@åÖŸ[ü <Šs¶óaã+Ýù¥B’>Žp‹L›Á*ÛüéÐ"ÏËLMóù²üd’Ïó-®³ýyïlhÛ2ÔO† ô¯ÚüÕÔ y)<S‰-
+zh¬ž«|S.é!¤GØï\ótˆ0ÜâW»Í#H¢
+endobj
+1804 0 obj <<
+/Type /Page
+/Contents 1805 0 R
+/Resources 1803 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1791 0 R
>> endobj
-1317 0 obj <<
-/D [1285 0 R /XYZ 56.6929 386.1153 null]
+1806 0 obj <<
+/D [1804 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1318 0 obj <<
-/D [1285 0 R /XYZ 56.6929 386.1153 null]
+1807 0 obj <<
+/D [1804 0 R /XYZ 85.0394 751.8312 null]
>> endobj
-1319 0 obj <<
-/D [1285 0 R /XYZ 56.6929 379.7371 null]
+1803 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F55 965 0 R /F39 858 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
-1320 0 obj <<
-/D [1285 0 R /XYZ 56.6929 355.6674 null]
+1810 0 obj <<
+/Length 2888
+/Filter /FlateDecode
+>>
+stream
+xÚ¥Z[sÛ¶~÷¯Ð[åi„â pÞœÄͤi“œÚ霶´HÙ<•HU¤ì8¿¾»X€)’>3~ |
+<(ÎPaXœ€*¹Åü·lÛâ@°ÞŠJ³4ÆÁê}[ÖhÈðe³/ÖåïœË¢m–õ»¥lû©¬òú‰ÚíCÖð©Ün©ï® ç±)rkkê9d0sW~-üä‚Æ›ò¾ÊÚãáRè¥+¾ìK÷äei¦Dœ,VB0ÇÒJÞ–»â™¶}86Ôjö4/ËËꞺÊjM}»¢j³­Ã 6….jßUqÈœN ·~´'ÇM`?fåá H
+úTd›ÁZ‘YnËMxúÕé/ÒËlÛÔÔÛºgS{\ñ¥©}r )Ú†~?fÛ2ÏÚúиuªÜM/ ¢CÝ=»Î «>º•×ÙšÜÇž#P¨Õº=ºU«Z– ¼R°P¹¡žmf×½·*“Ë긻£½a¬ÞPçÏ?ûéúòºú¦¥îÀ¦vȺ<É
+@=ÄH,õ ÔĪ¢ ÇaìL›X¹ P­÷ðB ¤‚p¥°æ¤ò˜s©ÂA–Eq÷ĺ ƒŠbÒ–Š"çeÔ‰NFƒÞÁ¡!p
+¾mÄüîjdûž
+ÍÍû¿u1»ª»—›aŒ¶þiƒµóO;…ü3fÔ–H&…‰^P[€šQ›GMúKOw
+^8m’y:Ôˆ =Ý·F)7}!Þ‡dêh̶MGÊ~þþ 5„ÑÒeÌCÙ>ì€6­›iå*É¡æ• f”ëQS¯M_·HºŽæ%èP#"ôtK6Hû2ÜÿX£ž~t3ÂÁzã'ÕÉ=ArØb_¯&UÌA4-_`!j:Qu(›¨êqþ¡¢4òEÉ¡¼/«3
+\ЖÆ•€ÚdMK¬BD¤ÄòÎ: ¨E iwƒà0TŽâK›ˆw% U¸N!‡œÕ‹/SiÅǸ•¦N(™ªÓ…
+j
+¨{’A½Ö 8y^Üïï»*×
+6­2hˆˆëT fTæQVe_Ïœ(bÆ=¿¥lÙs"h¦Jô·|_ÕáÇ”7ºúFeNþ¦ÞEj8š`!lç yçóRi]JÁ¤”ê]¨]z É  C“,IR3¿µlêü0‰À­z[w3¬Ã
+š¦{iµ{{È-ŸÍþ
+X„Ø‚߆µëú¡D¦$}Ði^uñSžì ãöÐð´‡–þÐÐXcùx>öMz~Ïç¤4P%êó¹|NùO9¯Â/–°aàû(vçû8öDTÓ‚>"x¤Ñýb lšc‘ÿkDÒÁÿ8?Ä—Š¼?áoYí3<†íÈïØY߇ ‡} û[ …&ŸúG øß-#±›w‘äÿþ'šÓ¿ E)SZOP3™ÆÀZ í„B…€c';÷ï6ç²ÿ 3íðDendstream
+endobj
+1809 0 obj <<
+/Type /Page
+/Contents 1810 0 R
+/Resources 1808 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1791 0 R
>> endobj
-1321 0 obj <<
-/D [1285 0 R /XYZ 56.6929 349.2334 null]
+1811 0 obj <<
+/D [1809 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1322 0 obj <<
-/D [1285 0 R /XYZ 56.6929 334.5287 null]
+1812 0 obj <<
+/D [1809 0 R /XYZ 56.6929 136.9875 null]
>> endobj
-1323 0 obj <<
-/D [1285 0 R /XYZ 56.6929 330.6849 null]
+1808 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F39 858 0 R /F21 654 0 R /F55 965 0 R /F48 880 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
-1324 0 obj <<
-/D [1285 0 R /XYZ 56.6929 315.9203 null]
+1815 0 obj <<
+/Length 1618
+/Filter /FlateDecode
+>>
+stream
+xÚ¥XÛrÛ6}×WèQš‰ÜIôͱ•Äi#»–Üv&ñMA6‰tIÊŽóõ]
+2̧˼ªt:©²»ü{‘k‡ï-Š%ÌÁÓrLâ‘Nj]y•ÚjüŒ1]»ï™ê|/¢Œq¯ï9Ûx½zÐJ¨@‚*¯(ÂHÍœ^§®YW÷Þ¥ltëö¬+Ýü4N›0Ž‘Œ¥ç¤„ h§ÚÅ#Ë{ÁhâÂ'Þh¬îåq ã(¢Ìž'½„£æ«À!%ETJá öH¨ YkäÊD["«£XÊæƒùtjí8ùm~,¡ …E7Ô_õóÎ?ccø8Šð^nÄÎή7ç³3«G9uËM–g@Õ¤.J»uå]m¼i·>&ù6Y‡B+csléć àpØ–sWoO­Dˆ¯ÈãQ.HË”ÿ¨(V&ôÿ\/Þ_\sœtéUë2×.øóç
+¸PÙ‡Ó"¯Š²Î¶›ZŽ—ÔÉáa¢lu„RUCElX1IïuúÕSÀ™D K ž$lƒzEc±£WGPcÔgJ#»j^û”‚Ým!jYá¼Ë"àøs^'ßØl Q]ëW±ó¦P–ŽÏyñPA‚în Õ—A 唀Oc*´PͦH[†Z-fÒa[’
+áôÿš<ÞøÕ—vUÛCŠY#ÞŽ|Ž.³R§Àúç@æ Ž$my褮²µ6&xßoÂüd @N—ŸgÓùéÕùåâüb¨ã{Ù Ô~‚ÂO•/ü ²Úë0–¯ìÃíÖ1>/ê}œ†~Vgiõªßª’Ÿ¡]8S½•]G\4>˜¿˜-h£ˆazœ;]”mà$Àeô¶Œ¤BЛ¢º¶ÁЎעÖõX((RœË¾yé}Sr‹&<0JÕE€•P¹daúöt iêÛtU8‘÷I#\@ÏK×Û¥¶Û §)öi=6“@ðŸh»ñ2ôð¶­8°N¬‹~°gI54©¥{_Ù¾M o %d¿ogŽså8m±nŸûÓT¶ÉÖI¹~öUÍû˳Óv烼bE’óðªƒ:Â+jxõ¸¯R1Óž~ Òƒ*»„<Ž¢=•—»Q³ÍâG]VmNv§Í—ÅnÄ9–Ý©æ'Š î]™l\€ü4¬¿eõá
+endobj
+1814 0 obj <<
+/Type /Page
+/Contents 1815 0 R
+/Resources 1813 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1791 0 R
>> endobj
-1325 0 obj <<
-/D [1285 0 R /XYZ 56.6929 312.1364 null]
+1816 0 obj <<
+/D [1814 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1326 0 obj <<
-/D [1285 0 R /XYZ 56.6929 297.3719 null]
+1817 0 obj <<
+/D [1814 0 R /XYZ 85.0394 682.0055 null]
>> endobj
-1327 0 obj <<
-/D [1285 0 R /XYZ 56.6929 293.5879 null]
+1818 0 obj <<
+/D [1814 0 R /XYZ 85.0394 616.549 null]
>> endobj
-1328 0 obj <<
-/D [1285 0 R /XYZ 56.6929 269.5182 null]
+622 0 obj <<
+/D [1814 0 R /XYZ 85.0394 575.9131 null]
>> endobj
-1329 0 obj <<
-/D [1285 0 R /XYZ 56.6929 263.0843 null]
+1819 0 obj <<
+/D [1814 0 R /XYZ 85.0394 542.1583 null]
>> endobj
-1330 0 obj <<
-/D [1285 0 R /XYZ 56.6929 203.5771 null]
+1820 0 obj <<
+/D [1814 0 R /XYZ 85.0394 505.8522 null]
>> endobj
-1331 0 obj <<
-/D [1285 0 R /XYZ 56.6929 203.5771 null]
+1821 0 obj <<
+/D [1814 0 R /XYZ 85.0394 437.4739 null]
>> endobj
-1332 0 obj <<
-/D [1285 0 R /XYZ 56.6929 203.5771 null]
+1822 0 obj <<
+/D [1814 0 R /XYZ 85.0394 374.9822 null]
>> endobj
-1333 0 obj <<
-/D [1285 0 R /XYZ 56.6929 200.0681 null]
+1823 0 obj <<
+/D [1814 0 R /XYZ 85.0394 309.5257 null]
>> endobj
-582 0 obj <<
-/D [1285 0 R /XYZ 56.6929 159.3692 null]
+1824 0 obj <<
+/D [1814 0 R /XYZ 85.0394 84.1613 null]
>> endobj
-1334 0 obj <<
-/D [1285 0 R /XYZ 56.6929 131.475 null]
+1813 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F21 654 0 R /F39 858 0 R /F47 874 0 R /F53 957 0 R /F55 965 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
-1284 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F56 618 0 R /F42 597 0 R >>
+1827 0 obj <<
+/Length 1899
+/Filter /FlateDecode
+>>
+stream
+xÚíYÝsÛ6×_¡Gi¦Äáƒ
+ðäæâÍì*¸üivùÏ?oofÓ€D‚’ÉÅÝÝìæêúi@9r Æxòæâæ·‹_ìÜÝTÑÉųùôÃýÏ£Ù}+XWx‚™–êóèÝ<N@‡ŸG1%ùø0"JÑñjr†xȘŸÉGóѯ-ÃΪyu ‚e‚ Aɘ¤8§=8¸B‚Qfà˜ÏfV©‹_æ·Zx‹u0Äã€Â{‚WÄ«4y9–ð|géÃ.æa„0c!¼gÀ¾¾¹²ì•Û%YeEV7UÜ”•z›.ÓjJä$-©z›8†‰¨±GŽ¤§f@ Gl0…0ur_üvÿÓíÛêae讋&­Š´±bÌ·u“®jûpYuY5ÙfµÛ4D,Ôñ Áæ`ïdàNüÆ ,žÒŧ¿Ë"Õïjb&‹„%¾’aј1»ÚA¿cô•ÊÍ–«u–§f3ýžÒÈŽ:sÓÜŸã<K²fkŸ Ó¬x´OÞ.‹²xNAa?ß”e>„7îC=ßåºÎêýØ`ER°q¨0!ôeÚSÞ~ÄÑQDˆ
+i$Â\ò/IËrßF—¯¨ÿ™,“é«¥ûoÉ¢ÿíYþ5+ŒK¤™öNà/ÍÎÿÏ›ûyÓ<õM³×Q0ÊQȔ𕮯«ÙüòíõÝýõíMûÖÑÎb Ø«÷eˆBy¯2”¦õ`“æÉ”íá¤ÞMü—Œ‹ÄNfг<V®˜g“réÖíª¯ÿ™«ÿ¡eÐä^7vrV:MldpÑS;9ÂI\èɘD„R®Ñs@» ¤r”ÚËQI™jæ2œ¼<¥…åeœØ®CZ5¤UD‡ªbrÿ”ÕvmJ‡D"ׇ’ìŠtúˆ*#›:]nr»ïÒtC0èôH°³Cæ-ªN‡‡TÓëVÖ½Tzý1°g3…!Ù+7Õ®ÅzJWvF-í(Þ5zvT§ôeÓ(ì´¿=·#®/>bµWQ"|ÜYpa›l•å±Ñž@ï7°Ä«¤¡úr”AiL}&Ð ¬”“‡Mc÷Ë»Uœ¿Ä['C²Y­Ýк&¬{èMƒÚ¤Eã J÷¾.<ìPå((<ú°gÚ2àªÐdó¶7fX
+~&0Œ”b»[œ€c:ùÝ$
+„ò±ŠÝQï
+9k™£PúÂXñÎÑqø=‘Aÿãú 1©“ûyšÃýz•¹D
+}`™ŒëlæÀ¬›ú(œà?p¬žqçÑq8=‘Ó_Hðž¿ ¨@î#ºRD’@ }J*Os(Uï á‹zbÍõñ´ÜîÁg%9pøÖºS xríÖŠ²9rؽ‡êÿúFÿw&¨ýAYo 6б¯dL7UlHYÜdßüm÷­:l&%ÆBË
+endobj
+1826 0 obj <<
+/Type /Page
+/Contents 1827 0 R
+/Resources 1825 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1791 0 R
+>> endobj
+1828 0 obj <<
+/D [1826 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1829 0 obj <<
+/D [1826 0 R /XYZ 56.6929 751.8596 null]
+>> endobj
+1830 0 obj <<
+/D [1826 0 R /XYZ 56.6929 686.1725 null]
+>> endobj
+626 0 obj <<
+/D [1826 0 R /XYZ 56.6929 645.3764 null]
+>> endobj
+1831 0 obj <<
+/D [1826 0 R /XYZ 56.6929 611.5513 null]
+>> endobj
+1832 0 obj <<
+/D [1826 0 R /XYZ 56.6929 575.1748 null]
+>> endobj
+1833 0 obj <<
+/D [1826 0 R /XYZ 56.6929 506.5659 null]
+>> endobj
+1834 0 obj <<
+/D [1826 0 R /XYZ 56.6929 364.9645 null]
+>> endobj
+1835 0 obj <<
+/D [1826 0 R /XYZ 56.6929 220.3983 null]
+>> endobj
+1825 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F47 874 0 R /F39 858 0 R /F53 957 0 R /F55 965 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1337 0 obj <<
-/Length 550
+1838 0 obj <<
+/Length 3112
/Filter /FlateDecode
>>
stream
-xÚ¥S]oÚ0}ϯðÛ‚´x×_‰½·
-‹u^ÿ:ë$ÜÁ>OdµÍ¸Í¦ŠpwP>½ìó‡ÇÚ  h p.M
+xÚÝ[Ý“Û¶¿¿B}àÍX¾>^ìsš4vÜúÒfšä'Q'Ž%ñ"R¾8}Ÿ")ÒÕn§ÓóƒÀåX,~»Ø]Àd†á™i0ËùLå LÄl±½Â³x÷Íñ<óÀ4ïr}}wõÕk¦f9Ê%•³»U§/°Ödv·ü9»y÷îöí«oºžS³¯Ñõ\`œ½¹yûãÍ÷Žöî:§ÙÍ7·ï¯çDIJ€I6‰³·7on_Í_þùöå_þùÃÛÛë_ï¾»º½‹‚u…'˜©~»úùW<[¾»ÂˆåZÌžà#’çt¶½â‚!Á ”ÍÕû«¿Æ;oí§)ep¡‘ \Îæ‚"-`êI•a„¨`®8A’ë<ªŒ’”Ê—QÙ¼2ýêµÎ*tn8¶õ²*ƒк¾RrE®„`¬3¡ & U_²wå~Uï·×sÆiöX7­i±lSKGû£Þ•ŽVíÚòa_µŸÜ‹Åº\|h̲j•½«›¦ºßxN3™Æqûk¢³ÒM¿§(ªÂDj¯€_(å«Ãfc~=wWz
+ME"3xY®ŠÃ¦…&y‘èžsÐJ®½Ï”ÕîadI ©ˆÿ(ÕíœS‰—Vñ(‚Æþ7õ¢Ÿ@!XÙxÇåšðŽ¸¶»sò戳ÜTì–‰~IŽ˜PÝŽw°¢cbR$ÌÈpÀ<…ÝpÀ˜AHÆíË7°ÃUT E/_Ôœu;@؈¬]‰<{ó“£8-jû»lºÄU¹w¼míÈ7î±ÞûGøKu⸠–îëví8ªÝ< ^Xºží¼^¹7V'ÂL“°>Ö`>»b[6“`Œà15iîˆêár- `™Ñ Ôz·ùäülИi¿ñþøDO†ø´®ëî{«2óhTf~ã¼ÍCœH@
+TO@…Ì–å¦|(ÚªÞ¹7oß»ßÄDEvÒÏÎzóS{²CÅi'ŽvD…yê(F:TØž
+1…E0–÷”e߶î]±i¼ˆÇÉó8y‘=l¥£Ë¥¶iÊfBÕ.ôᇂðl[´‹uPoÝø÷Åòc¹o«¦´Û,…Ÿ‰‹úî=Þ|wxÕfyá)®È³N&îÖü ƒÛ=Ö×ëgM½-îs¤—½Åuƒüv¨\cé¾
++…³ò÷ªi›Ãn«(n¹èÔŠSî?¹kå‹Žê]ÓLÅõºÈ*1ÇÏ ‹8¢šósqÑœ<?€¡2Á˪)lIËü‡æ¥9¢¨÷‡ÖC”i©`±åþ©jüN¹¦CP®ã(šTdG ÂWŠç§‘Ý´ã/¡Ÿ‚]î轩?–‹¶úX‚IBB`¦)âó‹½1¹4
+ájÒ_”æÄü]ø?Là|–$˜àd*ÕåO¥"—M¥VÉTJj¢k“Ï€­ “)†‘КOK¹¢õ’)Б^ôd{ËT­†ŽÒËãœÌjðòèŽ~Á˜nJïPùÔ±¿ä<÷Œ»-o'‘›§3*?TÎûª\tCü}ñ46ˆB3nB‘D -J}&ñîrM %pY´¼N Ì›qÅÎÀ…"*À 'E‹\ ÙúpQ\è á´ߦ™f.†hàbhþ¥MD­#:À8ºq•!”fKVà#:yì´qÌãb„"ÆH~‚ÀV˜&£²C%4‡@ a<ÌŸ.P²vòví„!Pã¥g5›êrnýUÞ]kS³so¢a÷]ÖÁûíjoÇ‹âДÁH¼Á—+£ÖxjÏ}ØÛ ;¸ÿpyØ>6£>`QïÚr׎»U.%¢fš4”.׸¡D.k(Ò†¢sÁ¦JT#ÍÅ´\)!W¿@% ¡’ÁB*Q1éÚÝÓìÏ]ˆ‘‚-“œ4Éž*›ýiltmÊVEµ9„HÃŒFŒ¹aÞ37 `zº
+å\|àâKEù3<»Èÿÿ£"P :c–‘eÜ&‹5Èú|f i”sb”œ#ŠŸ)² …ê$75O­:RýãZñl_µ'™]HÜ}5ÚŠÎò.´˜9z Ñ£r^
+HÄäù¿oã«-A#NžYð×Äš.»ìMjÙ1¢,ž®7í§Mª¤*“’E®„hýzF„cÒ—íèŠuî³û{q,ÍVÿºïL5Àz[ z¬èüX ä4w|ºó¡¡¿ÆqN%—ð$ÔÅÇo<†§ñ¥)é*$lD*ï ûrS˜JõÈ@Ƭ“ý þJEßßßÙ4œé̈í[¡2msó»uWV ÕªÖx^×x´*ª°)ÙÓC+m =U‹bc™ éÞÿ¾³ò±Ø­ï¬Yì«ÇÖ\uQ"ûaçˆmО7¤ŽÌÖ ´À#H`SNGŽrœñ³ã­cRÔõŒyî(Å2Ìû£éÎgíúÐ8Js
+N)¹¡4 Í#Ï80=…å«á`¹t‘ûÄ`åd°Î0¤
+endobj
+1837 0 obj <<
+/Type /Page
+/Contents 1838 0 R
+/Resources 1836 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1840 0 R
+>> endobj
+1839 0 obj <<
+/D [1837 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1836 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F55 965 0 R /F23 678 0 R /F39 858 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1843 0 obj <<
+/Length 1768
+/Filter /FlateDecode
+>>
+stream
+xÚÝXKoÛF¾ëWèE¬Í.÷}tb§u‘(®%7Ò‘’‰R¤Ë‡÷×w–»K“ÒJ.PôRèÀ!9œ™Ç73"S ?2å é©Ô qLøt½›àéÞý8!Žgî™æC®·«É›÷TN5Ò"ÓÕf K!¬™®’/³·H¢3€g‹‹W—góˆ1*f77W‹Ëëßàžc`Œg/wì³›3Í.~¼Zž}]ý<¹Zõæ M&˜[þœ|ùŠ§ Xþó#ªŸ>Á FDëhº›0Ng”ú'ùd9ù¥8xÛ}rã
+ñˆ pE"’a?$ É0R’½ø)"!?y.ã§ùgsÎ7ï9pŽ¤Ä
+¤–]™¤ûÎÐQÉÈt¨ñÀ.Ï°‹µa‚(çllØò!]g›ç³9ÕbötŸ6÷ieošÒ^×÷éúCÊÙ¦t˜7iµËŠ8wŸfy²Ž«3¢fI ñ–Lͧ¹ì#{—Zq¾+ëÆxa:'IÎiΣÎÜ8ŠŸk“fÑ Lµ„•P·ycï˽Æö²‰³¼õZºK{m‹$­ê&.’=C3í“]ܬï³bëç۲ʚû½ýs|ûþ½œeð€€(V³›²®³oyY—; é#^Ûrð^è’d”NL"E0sIò{±§¸*ÌÕ1cL9äžð¼`V’nbð‹1È)‚Ã*áàkÍÉ@I¶-Ê*=¦F#Šá‰eG%ì
+E("N¢ÓÕ4ä:^M=—ÑøWY¤E¼;(ð="J±Óš{®€êqÁ(D„–cÝ«.IÀ“I¹‹³ÂÒ1Õå\ÏflµÔ·Ô&]M¥ÉqÏqŽ8UôÏ ¸NxÎsÙœÀQôæБV홪ǞÃ@ 9ÖÝ{îyËZŠúdíQ`pÍP$)@…âPFüíÕêîva?þõŒDzvñáÎö—=Ï@FN­]ÆœdÞ…¤S˜ïŠAë ¾<l©6mUøâuY~ÏK¨4m=>£+ÀÌݦU'§¬ÛSÚC”I®´I×Mš¼mG`'Ò ôSVq7wäžåÕ•ýøâÃòSàŒ!§Q;ÎíLŽ SêAÀâŸ9&¦< ž±a‚ò µˆÇ¹·×‹K+O;«h#YÝTqcšyt›nœÏŠµsÛǸh¡×ª'B¡H1„¬¿E‚À ØØqw«Ÿ>ݾî±ëz]‘º X>×Mºs±}WuY5Y»{Ñ 1b"rrE€§ÜTg€QØÖIâ@»Jw, W¿ƒ4Rš BèŠ)Š¤¥ÆV†1¬N«GðlÀEØ»ÆjX>åCÕûXB¡” ÓHc$¸V!,ö®#nÒç$Æ EØ™T0®çœ[€¿ÌÙWO‰žZ»Yl” `ôeéd]›l;ßd¹sôH­€ÁSŸ«½Ü$ · L}–5I¿µÛyž>¦ù?»é©mOU
+XG`.ï„v]±Ø&àçÑÜ#hSuߧèyO²ó½NkÚê‡vq—]>ߧ <–X„U°24÷eÛØ7všß¶»´hêó@ —ŠË·££Q„ÍUbŸ¤°•äV¾õMìT»óê™öí ˜¡¶mÕ»H¹¡*®DbÄh_½oÒfý¦³
+$ D AÕ°Ÿ›5š Ì#9^s†Ö?»A¨Èš,Î]#Š›x?9¤MêbºñMÿÏ6­²´F'»“­O] -ÍØ°6C
+èÓígÀt|ÂöLÝ¢Ïöõ l4Q'õyžC}#øRR2ÒwW»Ì¾¾yd¾rçbè3ÅxêìkãÞìÙµ‹Ífëg®:ÖñCl¶ÖÑ *
+A)7kôØ<­ŒÄ”p‡ý:NBX+¹ôå\ã+"ŽÌ»¶Ù¯?ú÷uÞÖÙczbÇBÂùʆåyNíWÏ‹É¡àŸPÖÇ~_Y(ôeÃÈ‹ÿ>òìy1@vó` ¸‡“ý·ãËߪÌ`½:ò'C$Áƒhg”9!ø0i1Š(ì ‡¶ÿ J{9endstream
+endobj
+1842 0 obj <<
+/Type /Page
+/Contents 1843 0 R
+/Resources 1841 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1840 0 R
+>> endobj
+1844 0 obj <<
+/D [1842 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1845 0 obj <<
+/D [1842 0 R /XYZ 56.6929 610.0572 null]
+>> endobj
+1846 0 obj <<
+/D [1842 0 R /XYZ 56.6929 546.0335 null]
+>> endobj
+1847 0 obj <<
+/D [1842 0 R /XYZ 56.6929 482.0098 null]
+>> endobj
+630 0 obj <<
+/D [1842 0 R /XYZ 56.6929 442.3696 null]
+>> endobj
+1848 0 obj <<
+/D [1842 0 R /XYZ 56.6929 409.052 null]
+>> endobj
+1849 0 obj <<
+/D [1842 0 R /XYZ 56.6929 373.1831 null]
+>> endobj
+1850 0 obj <<
+/D [1842 0 R /XYZ 56.6929 306.2376 null]
+>> endobj
+1851 0 obj <<
+/D [1842 0 R /XYZ 56.6929 233.2236 null]
+>> endobj
+1852 0 obj <<
+/D [1842 0 R /XYZ 56.6929 126.5318 null]
+>> endobj
+1841 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F55 965 0 R /F23 678 0 R /F47 874 0 R /F39 858 0 R /F53 957 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1855 0 obj <<
+/Length 2451
+/Filter /FlateDecode
+>>
+stream
+xÚÅYÝÛ6ß¿ÂÀ=Ô"†ß’pO›& ¶h÷Òfƒ; íƒÖ¢m5²äXR¶¹¿¾3ü%Yöö‡–#rH‡3¿™¡Ù‚Â[$ŠP‘ÊEœJ¢(S‹õþ†.¶0öö†yž(0EC®W7/¿ñ"%©æzñ°¬•š$lñÿ²¼}÷îÍýë»ÿ¬"®èòYEŠÒå·÷np}ïV)_Þ¾}ó>¥˜bdÓtyûã›×«ß¾¿yóЋ3™Q²|ºùå7ºÈAòïo(i¢OðA KS¾ØßH%ˆ’B„žòæýÍOý‚ƒQ;uNR%Dq©‘¦„ )æE Upð(’pó^QœÍ)*p¡¢¢5ôåwJ 8nú¦–e]W›bmŠÒL•Â4#”ƒXÃÏäë¹fÃmµ&”ªx,á‡Æx‡¼œ'ñ¼ˆ“uuJt¢¸çÍšU$Rµlw ‰“¥”o»cÖuåF±§4Ž.ª¦5Yî¸ëÍdzn6YW¶/ÜÆ"
+É4‘* R¾4íúe•íMNy ÍI’€ DŒ‘T)Þfæ\ Ï­¦šh¹|@+®W‘jiª¦;®X²4î»Ýe-RrézË:Ë‹j=×Ùé±3œ'C[TiüD¿ÛS}üè²MkŽ“Usü:w q{ÜpZç©ë]Vm *W¤Ë¢m«[Yñ#/ÜÖm}üâ»:ãgØf®9ÔMS<k_Š $¥T{EÂâ~ás•«˜°X?¨Þ<PPß:+
+~O?ÖM0¶ÆµNs@]éu…dQ­ÝYcšË&ˆVAÁ®›à€ëŠ .k‚›é–)‡èº¹ºe`šÙr¨Õ4&œ =Þò箚h&À¡ÓÇdpãU¼uwÜUÞ©¥Š¼6 ”[»Þªn½¶­ÿ5ÀÇ.êUÅ’ÈD¥×õ:京מËêu{¦W~­ŸÙ20Íl9ÒkB’8žlù7é5 „gX{.½Å–uðBurõq SÝG†¦ÍÍñ8çtŠ$'¶Ë—$ ÐhH|®_Ò€ëÊ%.{IÕ³øûõ¡kΗk’p`¿*YÏ5#Ú:ÇD´o=(´sÙLˆ™Œ§"žCe4
+ Û4­û²áÚWw÷¯ÝœÔuäf% RXq…O4ü6>íŠamdøâ&9\Ž—G0åS~^>¤,.ÅÉéÅ
+†!¥Ãæ!}§Å5œ¬|¦9} :
endobj
-1336 0 obj <<
+1854 0 obj <<
/Type /Page
-/Contents 1337 0 R
-/Resources 1335 0 R
+/Contents 1855 0 R
+/Resources 1853 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1283 0 R
+/Parent 1840 0 R
>> endobj
-1338 0 obj <<
-/D [1336 0 R /XYZ 85.0394 794.5015 null]
+1856 0 obj <<
+/D [1854 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-586 0 obj <<
-/D [1336 0 R /XYZ 85.0394 769.5949 null]
+1853 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F55 965 0 R /F23 678 0 R /F53 957 0 R /F39 858 0 R /F62 990 0 R >>
+/XObject << /Im2 979 0 R /Im3 1102 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
-1339 0 obj <<
-/D [1336 0 R /XYZ 85.0394 752.4085 null]
+1859 0 obj <<
+/Length 2185
+/Filter /FlateDecode
+>>
+stream
+xÚµÛnÛFöÝ_Á·¥
+v¶´8²‰J¤*Q¶ó÷=s!MŠ”ÒEºbÏœ9÷ÛP$Áð$B"i¨I”áH`"’Åú 'O°wsF"δAšv±>ÌÏ.®™J 2’Êd¾ìÐÒkM’yþKú)4
+8]~ºú8™RΙL/¿|¹š}¼ý/¼ H€‚qúéröõò.À¾L M/o®&¿Í>»š·âtE&˜9Yþ8ûå7œä ùÏg1£Eò
+/ch²>ã‚!Ák «³‡³·;»þè˜ 8ÕH2© 1,È_aË´7„g‹“)!1}ŠX8ˆX\¶GúĦš aŒH¦RP¤ a­(ƒCÈA“´BTiš(!Àq28iælì1 ’‡H0Œr î0>O¦’¤søKÓ«Ch‰ x#‘F"n„r¬“?‚07†¤ÎÚ+ûn¸¸]Óäc%]¥"ái—²WJÒNàÊÀ9œ%ŠîLÉ r9™2.Ó»¢œœîß΃–’uŽr ¤ŽZ–ÙÚæ«Ë€ $„Rk¿³»@º~¶añû„âÔn]䦥]ýcqÙ&{,VEý-¼¯íâ9+‹ÝÚ½ª´®8ßV›°ÊV«°ØVUí„;P.\ÀDG‚`GDZ¼+ûä$âD§vÂpú¶°›:¼{ 91i+ƒ‡VAIfºVd)ÊMÔò±(ó_±À🌘„c„iŽp}Ñò Á¦(Çi”,+ó°ØÙº9UMƒ¾D(ÜÒSxawNK¨[»«öÛ…S©tU¬‹z7†PF4púZ.~û2«íêNϤ˜¥Ø…Ãk›•‘jýœÕÍÊŽˆJH ¬eÔyº1‹ËNLID©6uQ•fU‚^;ª èVv!_]VÁp¿»Ø¡&}}¶åHÐBƒòï-Ó´ í"’ ö.7¨N«2@â7lRDÑÁ æ`+0åÖE÷¹‹QÚÂG À1ÓÍÖ² ¹!HcJûnõ$0é“Æ*Ý¥ó0˜"ÃÇõKQíwù€_„æE”9ÉT¹Èx ¯ƒœq@Ÿ‚pèц÷­­³¢´y¤°tb £÷µ€(Þ'F!MqSCÐa åÒ ªNºõû{ƒb/ ´Èé{gû±ž5¥i­ŒoƒœR6>/¤@&(Û
+¸ÁïódÆp^h±|V½ZFBñåF&]b– ÒËnæ(×ÔðË{ ¥©S‡¯—nñb·;Ÿ»î¥Ü¯C°áP·Ü¾õÀê€@ËÓöéb·O‹åíóbKˆnÕÁHihþ!¶ÙâÙN—â‡Ò
+Ý_hvZ¼kD>ÖkP!˜‘}ïª,(Ïê,¬–Û Ô÷jE?ðˆT\ŽŠ~ÀO;)-‹ÒåmÏgþtXV˃½Ü.³ý*zù¥°¯n¼¸¯™¢ðRF˜¿eÊSùÌüù›ð¸æPw¤ù΄ù
+ÁäMÇãÚ7‚òÊ ñ:ÌwŒ(ƒ6”ýO®Aendstream
+endobj
+1858 0 obj <<
+/Type /Page
+/Contents 1859 0 R
+/Resources 1857 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1840 0 R
>> endobj
-1340 0 obj <<
-/D [1336 0 R /XYZ 85.0394 717.7086 null]
+1860 0 obj <<
+/D [1858 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1341 0 obj <<
-/D [1336 0 R /XYZ 85.0394 717.7086 null]
+1861 0 obj <<
+/D [1858 0 R /XYZ 56.6929 436.0529 null]
>> endobj
-1342 0 obj <<
-/D [1336 0 R /XYZ 85.0394 717.7086 null]
+1862 0 obj <<
+/D [1858 0 R /XYZ 56.6929 286.4775 null]
>> endobj
-1343 0 obj <<
-/D [1336 0 R /XYZ 85.0394 717.7086 null]
+1863 0 obj <<
+/D [1858 0 R /XYZ 56.6929 207.1916 null]
>> endobj
-1335 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R /F14 608 0 R >>
+1864 0 obj <<
+/D [1858 0 R /XYZ 56.6929 96.5058 null]
+>> endobj
+1857 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F62 990 0 R /F63 993 0 R /F39 858 0 R /F21 654 0 R /F55 965 0 R /F53 957 0 R /F47 874 0 R /F48 880 0 R >>
+/XObject << /Im2 979 0 R /Im3 1102 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1867 0 obj <<
+/Length 2451
+/Filter /FlateDecode
+>>
+stream
+xÚ¥YIsÛ¸¾ûWè6rU„`%€£³LÆSÇ/v¦^U&F¢,V$R#Rñó¿ÝXHP¢¤©šÒXFãë b
+?61ŠPaåD[Iej2ß\ÑÉÌ}¸bf‰f)՛ǫ׿
+=±Äf<›<.^†PcØäqñuzsÿþîÝí¯g\Ñér=S”N?ÞÜ}¹ùÃÝ_[>½ùðþ»°ˆ ’etúùîÝÛëo¿_½ì¤I%fT (_}ýF' ü÷+J„5jò J˜µ|²¹’J%…ˆ#뫇«ÿt “Y·tLJ¢ ×#*àl±Jñ”%™àÂëàËãoŸ>ãA€\$£“ψ²F;ºÛª-vUÑz½<¼4m±i|çm]5õ®-÷›Àv•DÈŒ>RÂÆ:s|@×3FAÏ»j1ÇH!2"˜äŽâ.ßãòЂÈ<·ÚmÿçÚ·*\éZM±ûYì|{^Wíîš™i½öû¶\—íK/l¯"ÜÄc¤r›<¼Tõ¶)›Ã{Îà²h\©Œ8æȵ0œ+ íQÔRB•ÁËë9xÐÚÐF¢þÜèïëì»?‚JÕ€ŒsØ©›z¿›³|±ØMãɇ[’!kOþ-ržp
+„P*‚V—åÓlY®‹¶™"Z yÈöÇE¶?Š—S<¥&†S}ȳ¹È3€á˜# ŽsÉ9nG8B¡£¹šÌ:¸Àš-à~„1Ä¢ý0þ³k½Œl1Ô(âuœÂ$°U`P–föŸøN¬1fÜ»Ì:Ž³”¥â@4Îaܲ~g±\Œq"”ȆGŸ×›M^-Æ,nƤ!]\°<é¾{ÿðöóíýãí§»nÕIß=ÉÇàœ(àÞ6ºô[TMÛUáõ¶ØåmYW¡»ôßÜ‚WV
+Jã‚^¢V€H?ëN>ˆ¥Ïe»òÃUíG"6Üຬ
+?\oñB‹z翹“öi¿)ª¶yu Ø·~ÁvWÂ` óŸf…æéf›=ì²{ ì–^#Z.h6TˆGÆýÍÛI®: ‡˜ç%†FGžÿÌËuþ}º½üÔeKƒ³qC¡µ@.LçQÈ}UÎó¡È,
+g ')y@ãP “8Z‡GíáÀãÛ{ßË©Š9çb
+ôZT‹²zòd½^ÜÚ=lSµN‚E"G`u ïEùT¶9†f™M›ò©ÊÛ½%âQP ©‡Ÿôª†Æ|¿óÞ®ÔS½ Ú†éz ¿ r#£½
+ õ¿*ç+?³oŠ@“ûO³ò0Ä­]¿˜û~ëûèñ[ä‘EQ9Ré¼$¸ó`£‡ Ü[&íôq%JüTS¾·fMû²v¬Ì¡ÜØ€ÈtÜÐôž;^ì¿÷EÓq¦£÷¸G÷àÉiÒõÍPT üp›õz°Ñ¨è!Z|—qv>a¾ÊA'!íÜì›@ù=z@{t/ß_‚[ðŸ±ðo4d›€‹… ÁÌ¿ÿ‘ã,eé+‡U@ä°TÚ~çþ½¨Uý\…ƒ×
+H#æ±%a€ò‰š÷tì’i“5]¹wÇÞá+ç©þ¢”?í»ps8â½2Šé¢€jfム¯êg?îç£6Ÿ·apÈb}!’ú‚GçŽLç
+÷íÊ•:KFŒUâd9’JÈ€[Æ!ܱ£‘q˜I)’Q·B~iŠ‘Ô›StÖêLÑ4` f#ŒŠ1“1¡Yð3š»õÏyá'‘÷.Ò»2Íã–øÎÀ«> 80$T¸ó¡7ú¸_·å6æ eÕ´y5/š4ãs[ÄÛe7ÑróõÚÛÚnÛº(ïœÛ2¸©Úåo©ßÞÿ”i eI¢ GÒë¢ðYÏ(F…&ýÁyŒ&Tg0©Fçc¥²…í
+0H8P, 0<Q{øfhµLЙd#>£Ä6¢<«ïà½3+úå‹b™È^U½nF³(å뢿FgNPÞ13¼=œÍ z]€BGsžÆÁàÇEW•>D 0
+=MRü¡§9iŽ6#Ò¾óÖ˜6ÆHälq{1ìÅí%r|ûSg…Š4ÇB ¬C½Ç³¡TE5úÄSR÷åRÖî±}hÚÜ¡»'çžjˆØŒHló’Ët/¥®e "ÌœøiPÝ㶯ÂrW§.ŒTð ÷ÚÓœ¾Ö@ãnõÏÃÍ@»Œ‚¯;³Y$9Úl Y
+™¬±éfï«þ‰Ìè{Íg]?=Aµ@Ný%*ÁGþYhWËþë¿Kûƒ%–h†ŸKP ðƒ"<…cLŠÞý±z,ûÿ³@‡¬endstream
+endobj
+1866 0 obj <<
+/Type /Page
+/Contents 1867 0 R
+/Resources 1865 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1840 0 R
+>> endobj
+1868 0 obj <<
+/D [1866 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1869 0 obj <<
+/D [1866 0 R /XYZ 85.0394 751.8794 null]
+>> endobj
+634 0 obj <<
+/D [1866 0 R /XYZ 85.0394 711.2251 null]
+>> endobj
+1870 0 obj <<
+/D [1866 0 R /XYZ 85.0394 677.4622 null]
+>> endobj
+1871 0 obj <<
+/D [1866 0 R /XYZ 85.0394 641.148 null]
+>> endobj
+1872 0 obj <<
+/D [1866 0 R /XYZ 85.0394 572.743 null]
+>> endobj
+1873 0 obj <<
+/D [1866 0 R /XYZ 85.0394 498.2696 null]
+>> endobj
+1874 0 obj <<
+/D [1866 0 R /XYZ 85.0394 310.9784 null]
+>> endobj
+1865 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F39 858 0 R /F53 957 0 R /F55 965 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-876 0 obj
-[590 0 R /Fit]
+1877 0 obj <<
+/Length 2033
+/Filter /FlateDecode
+>>
+stream
+xÚ¥]oÛ8òÝ¿ÂÀ½Ø»1ÃOIì[š¦{^´i¯v¶û Xr,¬,å,9YÿûrH}Ø즋ƒ‹ç{†3bS
+?6U‰4×ÓXK¢(SÓÍ~B§°÷Ë„9œ…GZ ±Þ®'×ïE<ÕDG<š®·Z ¡I¦ëì÷Ù[¢Éüõ¯×ï•àrF"žh o¾Ü¿»%·Ÿîß#æˆ*O8UÜ¡Þ|þ|wÿnùÛ|Áêó…¢töñæþëÍ„}žk>»ùåneˆMîÖC]F‰ÿN~ÿƒN3Pù× %B'jú/”0­ùt?‘J%…ðr²šü§#8صGC¶“*!ŠË¬È,–a 33H±¤D'’uæ,dae,²89ûª&cDH`†Fû3?Ù¹9tL4w:dy!˜G
+6t'£œhªÕX²¯M>_®gíÎ.#H @-.´8öŒ‡„E\9¬íaÎ’Y½?c°©«o”òÇã!m‹ºÂ])óP2Æâc9¬ý±i‘ðƒW«ª_¯‡>«tŸg¸ûR´»^L >]ðˆkãpp”V݆pg †ãh––õŽíÝk•á¢É7Vï¼uïí¡¨q]TæÏj‹‘åok·
+3[ù0hL>1:[¶º«eæÎìro[wbµÃÝ¥Ïô˜Wù!uŒ7uD¬§áùUÄa§ÈMC\‚4¢‘IÁ„D2Aϼ·§dì| MÍØ?•¹¥
+¤/gŠPªØ+ùK‰ìŠò•gžŸ ÷vyÿA7Ù¾¨
+¨‰ië5ù’o5«;ö1­Ž`44ƒPÀ Z•Ëœ³&…è¨ZJ(‹ù+JÀ•‰¨+B-øعãïñhRá,RPMX~g——O¸r›tuBCUUÀ.¡ ”×z4àk¸~X~\®m?dþÖËO÷«€:Ó\Á}⿪/ªY7gyÊ}4c 8]˲‹ëPŠØXn;·Â* ˆ #Ñ>€Â¢2mP@Ƕ(‹ö4gŒÍ|øC­Õ c>þ1™×>ó€=ÜÖ¶ŽÂss<¸jË‚l†çKê
+7}’C<H±³$÷_Ô装íÕ½ÅS|àÜ?Ä#ßû¨j)!B×í*ûÿýÁµÿ-cðBÂÃ_#ylïƒÈ e´fL^ˆÎ¨iHy@öÿ‰Sѯendstream
+endobj
+1876 0 obj <<
+/Type /Page
+/Contents 1877 0 R
+/Resources 1875 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1840 0 R
+>> endobj
+1878 0 obj <<
+/D [1876 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1879 0 obj <<
+/D [1876 0 R /XYZ 56.6929 605.5421 null]
+>> endobj
+1880 0 obj <<
+/D [1876 0 R /XYZ 56.6929 504.7499 null]
+>> endobj
+1881 0 obj <<
+/D [1876 0 R /XYZ 56.6929 441.2539 null]
+>> endobj
+638 0 obj <<
+/D [1876 0 R /XYZ 56.6929 401.9804 null]
+>> endobj
+1882 0 obj <<
+/D [1876 0 R /XYZ 56.6929 368.8239 null]
+>> endobj
+1883 0 obj <<
+/D [1876 0 R /XYZ 56.6929 333.1161 null]
+>> endobj
+1884 0 obj <<
+/D [1876 0 R /XYZ 56.6929 266.6983 null]
+>> endobj
+1885 0 obj <<
+/D [1876 0 R /XYZ 56.6929 206.1673 null]
+>> endobj
+1875 0 obj <<
+/Font << /F37 743 0 R /F53 957 0 R /F21 654 0 R /F55 965 0 R /F23 678 0 R /F39 858 0 R /F47 874 0 R /F48 880 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1888 0 obj <<
+/Length 2595
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ÛrÛ6öÝ_¡éKåÙÅàfú‹“:m·ñîdÚí-Q7銔5N§ÿ¾çà
+ÁRH½6°OŠi¶XlN…›æMC€zèãñø ¦žÜDOÑú¤f‹plU7-vEYÒè:œÚam•W/ «^áñûqD|SÜÅ3Y
+Gö´9¢K™0—Hw ÊÏùýV›2.=Ô£t¿´¯G€z=”ô€(œ4(Æ‘bÜïóðݪ˜¯†8‹H¤@=Ä›ñ“
+&‰gD
+&¹Nû¾1#ûÒÜËÈ4J™¢ê¤h­ž#áX©G.7–AœPû»‹ÅÈí
+â†I£÷x6m:½õú¯ï
+°¥…ç€uE_’ \ëõíAóz½ÎªˢʟÁ0‰Váì(…R$,á&yJ<–ku¨gÀIÄ:Ðó6^STÊhºÎÚù*tÄœnh²Eu3S 9ÈN#Ç"‰‚ðhœ8 jÀº
+¤äés"Ú1MȸÎì‚3»Î™a­­ ’mAÖ`os@M’=l‰ ãÛpOPB˜‘èa'¡ “0ë’ƒˆÕÜBÔ¦0›$G\Ó
+ÌúÀ5oëM;"™D³$yè›Ü†k1Ö†kbŒµS×ÚÍ`y¢Êç^Óo”8§£&°»®Û€*¸9Œ‚È|ŒõÂÊ2ÍÝн¼Oñ#>%!×hÔî%8äÎAR$œ1ÃtîE¾+qG—e‚ohï[|ï[RN;ØJPÑ…Ý¿Eê^Q®— ·ñž"Иъw®qÿÁŒˆ÷‘K>éIê‘1O‚B,xRÂ{ž„1Šl$é\ FÞ•à\) ®_20&;p$§ª+àºj¢Þnæù S:¦ó‡e ,Ñ?P7#bÑ`póÁ@,ã—ÌîìØ=F2aÍ0‚t$XuHW2QÓ9&r„¡@@A
+!MÞÀ*§Áùå¦5oZdÃv v6÷ª›¼ îiøSØu ž õFy*„ˆåƒc:•†Êðe‹Mjrƒ‡òÓ‚%¼žŠËŽ)åô>«ìjOÄâ"ù o‰1Ô÷5)N‹j^n^²Ú[<lÚ Ú»Eakr•H´`ÅFaOÕá†A=ˆ€e½!Á9(é¥1C«ÈÈËc•¢á JDë-˜Vzõ4YQ5' º0§émÝ4ÅuÓùç˜`–H»’d</CîNUW«=+@4Xæ‰
+ý§.\ Ëš|f5AAšõ"Ô ymo'Üo›a\'Í÷u~Ó3+%b¶øþJô¿XØÀ¸ˆÊºsî" [Ô[_Aàø-4YÍ1$q„Ža?I¼áv õ=Ét—Ý7¡ª r“Wù†úÞ~_ÔÑÐH7Ž—þÝmÿPçz:ñˆ2T°òòüâ5mN ²›M¶1Õðãz¦:|¡9ˆ å%?Þèpð ˜6}ÖJð:è6SMRÀï^
+^÷Ü@­×4Žú}FS*6“}=ô¹Ô1É»¦p½ö¶–ù¾dÒñXC÷ÄîÉÊ&Pø¹ªwU ¯»“ƒ](Q­‹G.UL¨îÒgAÄF0nðÕºï¶!a‡‚¡ëøBÕPÚ¬ga{gö¶WÏÃú’X\ÓJdÊ?)Ýn[6ÂdIfºèqYê´{$_ÔTÉá›XKw7«â–@”XpD&Š«i |ÛÆWgÇx*åÁCVpÛì.+ʬóÑÖY2rsõÔº ñàcž$ê³O/Þ_þt6cº8¼‡yh¶¾t¯8Á׉æ`s¥Ø^|ÉþñÚáÔÑÿ ñÚ‘„}„ÅîH%,Œ1ø«af9ŸþéQ÷Ö¡Nö—õ<+±I{>AûÏÎxäæÏC£;¼‰,ò¯$dχ½&Õ“Ù]ûÕ¢+O 
+xúj9zµ{p5Äé¶?DbÔÅèp¨»ù@HûÞ àã:eÔsþõõBô$Ù¾4žä¢W‚hTùjÍgë…y>Ö a¢È‰R>ýƾy¿ü¯Vš/º¼¿–úÃy.‹·g_Òr)Êò݇”_¾ùzmtD©~ ö8rÀ€WÛ7¿¨ÎÝ¥}ùã.ýu÷iw¡þýëÛŸ¿ÿž¨û\ ÿ;ùÓwÄýßQîÿ¢Õ SÎÉñ!@딊Hò'„9$½û3ó!íÿTQÖ_endstream
+endobj
+1887 0 obj <<
+/Type /Page
+/Contents 1888 0 R
+/Resources 1886 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1891 0 R
+>> endobj
+1889 0 obj <<
+/D [1887 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1890 0 obj <<
+/D [1887 0 R /XYZ 85.0394 420.6717 null]
+>> endobj
+1886 0 obj <<
+/Font << /F37 743 0 R /F53 957 0 R /F23 678 0 R /F39 858 0 R /F21 654 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1894 0 obj <<
+/Length 2221
+/Filter /FlateDecode
+>>
+stream
+xÚ¥YOsÛ¶¿ûShz)=¡øKï¦ÚNêNíäÙJçÍ$9Ð"lqB‘ªHÙM§ýîo)R¢-g::\.‹Åîow!6¡ðc“Øp3IŒ$Š25Y¬Nèä¾½;agÚ2Mû\?ÏO~z+’‰!&æñd~ß“¥ ÕšMæÙ§ègÂ(94º¹>?›ž½¿~ûîâútÊŒLd4ûðáâúüò§S®(0'¥ÑÕìúãì7¤}85<š½»¸=ý2ÿõäbÞ©ÕWQátúãäÓ:É`¿žP"ŒV“'x¡„Ã'«©QRˆ–RœÜžü·Øû꧎švÃEÌÇlaz¶0œ(¥å$Q†Ä‚ o‹Ü~z o;Æ©PDÇJÁ€så9/Kؼ¤Q³´0&JïªG‹4ûgºZöMÆú«j’0&AU'dSf‹‘9'Z˜žò¢@¹wßp©ÌÞ§Û¢Aâ¶
+ &@©íæÑn‚V«¨i±¬êÉŸ)†'„ÂÁ C®´Ìöd}µaM˜^Ø,,®¦NíÉ”qFTBÁñ#F)î5†½»yŒ±ÜE€»œU«¯a>çQS…§_…³v@ï6
+,dŽ„ÆíEˆŒÙo·ï;¿ó×h×¼ 9º— ÷¿µAê
+¤#RôÛN–¸Œc´í¿³ÄáX¬æÆ;ŒXe*$tqPL­3û8ÿåýÍKf‘¡Ûkì¦lÁõö[ G2Æ8ÔOùvµ[WB)·§!9TJu½64Ö”ÒƒúÂœ…nÊcšCŸqÅ Q\ŒT)^ŸÏà™»sÃn»D‚mŠóΪ*^ãDßÊj]çõ~ƒ/ ft,à€L…Jy¤!‡Äl¸r‰y¼[wý°K!=‡Íz{“ÐqîÝ¥ŒOÓôK;ºÃ}©§€ÂŠvf©¸¢d®xoK°NæbDf{;Љ¼Ï‹ï¹ìF_G„CQ¨®òáe篾>ª¯/ýåq€Ož¼Íˆ<èPø£äC8ÄÂþ[ ñ»_U7Ͳ­ë×[ 9*r±ÜTU“åcutcLuîÒ Ý
+}Þ˜<.¨vâFqŠq¢ âïüâöìæòC¯~a/CøK î”·.ÕV–Ì´¹ËÐ&äûÀÑÈ{u¥ 5üHß
+u|W¢»¬Í“è² +§a5/£MÛ*Ã( K§Ž¶Ì1Ó:rá°ô} 3}竱§ ÷TÜ•ØZÆCÅ×ÄÏ”‚À_6¾¦>J$׃ú%ã…‰Q¡0®òÛ`b«×Ué[¹s‚¥¸2æx1" ‘qÂö[£¡4Wʳ—[,à«°±®ÈÄãõZ g4eS”ðNü5&H]‚º¡’.e¹w8Ûl±»Ú“ ¿l’Ái¤B§ÂæTGÛ@ ×n@íŽwh¥!1˶š¦cf¡PªVñj‚Bb™îd×xñ¥¢í 鈩M e¬ïIãǠܹïÚ(>ܼüÇ*Ï‚Ë°íÒÚ@Âñ5À„J’Áþ
+endobj
+1893 0 obj <<
+/Type /Page
+/Contents 1894 0 R
+/Resources 1892 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1891 0 R
+>> endobj
+1895 0 obj <<
+/D [1893 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1896 0 obj <<
+/D [1893 0 R /XYZ 56.6929 513.8248 null]
+>> endobj
+1897 0 obj <<
+/D [1893 0 R /XYZ 56.6929 427.0967 null]
+>> endobj
+1898 0 obj <<
+/D [1893 0 R /XYZ 56.6929 364.279 null]
+>> endobj
+642 0 obj <<
+/D [1893 0 R /XYZ 56.6929 325.4767 null]
+>> endobj
+1899 0 obj <<
+/D [1893 0 R /XYZ 56.6929 288.9693 null]
+>> endobj
+1900 0 obj <<
+/D [1893 0 R /XYZ 56.6929 257.0263 null]
+>> endobj
+1901 0 obj <<
+/D [1893 0 R /XYZ 56.6929 191.2867 null]
+>> endobj
+1902 0 obj <<
+/D [1893 0 R /XYZ 56.6929 119.4786 null]
+>> endobj
+1892 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F23 678 0 R /F21 654 0 R /F48 880 0 R /F47 874 0 R /F53 957 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1905 0 obj <<
+/Length 3038
+/Filter /FlateDecode
+>>
+stream
+xÚ¥Z[Û¶~ß_áG/pÌð.ç)iÒ E»ÙÓlm´– ±%×’³ÝþúÎð"KZÊNqàQÒˆÎ|s¥Ù‚Â-Œ"TX¹È¬$Š2µXïoèâ3¼{ÃÍ*­†Ton^}/²…%Vs½xØ æ2„ÃÅoË×÷÷ïîÞ~øõvÅ]¾!·+Eéò§×w¿¼þÑ?»¿µ|ùúý»O·+fe&ˆQ¤ÓtùóÝÛïVß}¼ûþý»»Û?~¸y÷г5dQ<ýyóÛtQÀ~¸¡DX£OpC ³–/ö7R ¢¤ñÉîæÓÍÿú oݧ)Q(aˆ2<KÈ‚³cÄ*ÅGÂP–hÁ…ÆÇû‡ï>½Ø %T¼2Îà#˜<©„@´RÅ…JˆT¸î*Ÿ.iÂðËKF¢Ä’b°$¨[0«ÆK¾m@»F/óS×ìó®Z#^5'&“Ã/Žu‰†³s`‚sˆÖMý;¥üóés65ÀD2³|ØV­_n}¼…û2ïÊð ÷ühWúé…LϤ"2Ó|ÀùR>'Q”茪@XÕ©É
+¤ °Ï¤™H9 †ÃžÉ€Å§rY”xW;´RåÐêžnòÓ®ó7ëf¿Ç½;‚õ6¯ërçßôOÁÈnÙÔvæìÂ?Ff<án×<Uõç„üSÄH«®jBQÕÕ5gÎN5.Y™(p<SQ&><Ui pŸ”×4'ˆ4R 4‡1£Û–~°kÖùηMÛù‘[ÐêÆ_7§#|rô7/|ˆã]i¹ÇÊ¢–{Ö>ÕuZn|êÝŠm…&ù¹tfÁåN6“ ’‰,‚Éi¥õäÞâ¸ÒKë¤Ñn€I­ÔUI˜ÿ@Y0ácéç?µh÷n‰°váL·9¬ªÀ»7åÃ._—{ÀTë?Ü875à5[/:Î%|=1…{µD¨,ê3½¦‰²Yhþ3§T´…ÏÎrÍå_UÛ¡î|âx¦žç©ß΀«¬—«Ã"Au&˜ƒ þ@l9@ˆg2>†Ð‡ ®kiCF³o¼týÃr—?6G´w;A¦®ö<êü,
+™OÔç³Û!Õ|vÛS9‘?zFÁ~G"7¶W8D¶ú»œ²Æ ›Ï2@ûEÞzªs#-K°eÙ˜»O}º…p—Ü{(8ŽÜ¨ÙL^A@Es|æ¢9ªðà±êZ¬“ sü鄱Ï=,ãµ{*Ë@ɬl0PŒã@¸)þ CÓ#0&ˆab±sFꮂÚ7óÚ¡„vYÛª ÚŽTNÛ딶Á¼!“9k{SíÚÎcò2k‘(ÁÚX×\<àkÄÛ/!¶£UÚch §w³i§AÁ÷‰YtÃXç2ùͳ¿ÉÃË|וÇ:„Ÿ ¿D‡°ƒ…Þõ
+Hf ÓèÆæUO5¡œê+ªP]P}¤rbÚ¾(c%òÊ’‘(±ä¨ŒµDr5YòþX…ˆºŽRß6Ç`í RócP@³™d ^eñã: #w®òó©Ï¬œ>Óá›sž}cÈ¢x ~M52“ÄfâŠRÍ«¦§rªùò->Cˬ¾ÈÛÙ¿d.éƒGÜ|0æ²AG:”H0p¬¹‘×ã€Æg,8šºå8æ%ćíЊ€û“¯GtŸzçþò5ßU…Í>¯ê3ä‚ ~ˆ¸šúâDÑ
+åš‘Ã2auÉ¢õUØà#£ö
+lT`©lWas@k›b†S‚û»ÈW$Jð5B WXáOGmЀƒ¾vPŽãÇ©=a­é²ü„]SHá¸×ê^€¯èë¤Ô2eXqY·g_'ƒìl|%·OÕ]‚Fûr{®t¤Dö‹¢3ib_äH!æqŒW3Pß,˜ ÙÀnˆº ¦!Õ<˜z*¦cL–h#zK
+ÅwHApŠ{ÝZ¢„œxœöP·÷¥^Ñ8ß©”ßtðhûZ¥'[¢†ëWEùõUØW"ˆ©î;¬®¶„Y±ì— ~ׯSTëÒU aÓŽ¿†@2”(¾t.®~åºl[¿kf4F‹I¿*:pp™×Á]WõáÔ‘Ä. žœÛ™nà3] ™õÜÙÀô2…è.ç˜C¡å*o¤(þÚ7•ó„˜ÐÑ˳ð1¨Zð´sv@C!º,SS½à>4ŽàIU.òÂ?ö²iÓÓñ¥†Z:$«®W4 ÏSªÛÊ¥úr˜È£Št7^2Ý÷)êµ!DÏ’‰áÓaè×XÕ´Ô‡†ú±Çrqïó¡k½–ï©.8´HåZ{µÔÉ‹âàœ*u.²Ö—:/YK–:#ÞÆ)úçlùáÞ?@Ö\lÅ¥¨È ÞQɲëÝ`fŒžFEœÝ÷¢`ýs¿œÓA¿œÓq¼tßÌÇKÈŠ·âßÅKïJ¹&LêoLÞ¦íìæ𘯿„Ra$AWpC± ?6‹E®ÂÂà"‡TóXì©»dp…ì)êl½=6MΤF`„,ÓjHÅ/2×S%¸ÇVN¬ùŽØ •·µ±ò¶v®ò†tOu¥]Ç3-§•7NÙøë¹ò¶¾³kÍ  ÖÛ‹ˆ‡2É®#ÞfŒ÷½ÈÝÎOZn ’w8n\ûm%ÁÍ¿¯òbJ
+&PZfêŠ
+÷æ½²
+®:ב†{/¬ä%_…BȈ³ ô1Ã˶'òn_,«p…%aþɪ›æäÜ>z>GB€òä£7Ë¡€Síß 3¯ú.J¬Wk-Î8¸kÑdHuÁ‚#•ƒúéj­aî8Wk]䫯µ^ò•¬µFŒÛuêr¶«å|×,Ë»Ò5³œÙ©íöP’¾ÓÁíÍSíÒ)n&ë“YÁ!_¤öÛПžøÂ
+ýÑ &H€­›ÄF3Eíëòè{Çí*xåÃs˜<ßµq—ƒSþp6‹)>¤{M½{žÄ söH—Õô¼õl ÃnVZcÛx PÅÖVm\W~»ƒˬ8”»Tk,¬ˆÅ̽ûõõO÷?¾û”Ø=Å0A4ž»ðŠÿ!jbt×<¥Nl!n
+{ý/„²ÑÙé8 œ;„œã¢'çxásx:%ÍðXGCZC¹Žì4¥iÀÓñWQ‚j(Ð*,šp˜ûKÛÓM]:#BŒp=ždä×nסXqCÖrh -Ožž3ê:\âü¯žîØìÚ”×Ôf\^þ ™ é¿`èóWÛ†,ò܉=†Íxe¢ià]UÇ Ê¦v“Üœfqoâ…òZÒo:`+gÇgßóÈaWfíèÌümN("ÓÍVÚ[æÿý—ºó_!»Æðt\T"üXd
+÷ÀX6e½ÿóÝKÞÿn9ôÝendstream
+endobj
+1904 0 obj <<
+/Type /Page
+/Contents 1905 0 R
+/Resources 1903 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1891 0 R
+>> endobj
+1906 0 obj <<
+/D [1904 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1907 0 obj <<
+/D [1904 0 R /XYZ 85.0394 751.8648 null]
+>> endobj
+1908 0 obj <<
+/D [1904 0 R /XYZ 85.0394 153.4294 null]
+>> endobj
+1903 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F39 858 0 R /F55 965 0 R /F48 880 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1911 0 obj <<
+/Length 438
+/Filter /FlateDecode
+>>
+stream
+xÚ¥SMo›@½ó+öR™îì»GbÇQ‚]C¤Ji–Á‘¥°V1QÕßlg£8Ê¡BBìÌ›Ù÷Þ H¨{HÊ0C#@R”dÓ”<»Ü,À#&>buU߯yB Å)·^/ Tk$eõ^Rˆ\ ®òé$ž,òëY–G1‘ˆ0].³|:ÿÅLRvHJÃû4HïÆØ22,LgY=•·AVžiùÔ‘òžÓïàñ‰’Ê)¸ (p£%ùãÐFš@HRp~Š¼EðãÜÐË¥­pjWì‚ ")Ù;3¤ÅÌ(²l•Þ‹^«âžƒ”ÄL€(xk«Í/*©v/ü6Vö1Øìí¶OH/a×M]yè¡»ð烂j©Ý5Ãdæùt,5GRU³³»C×®»};†Võ¶n#Ôam7õº_Û×õËò¨40¥Ô±=!ï\‰¹óOH&Ü—DªlúPÞ,V_2·]ÝÚº™]ÝÆÃdoû¶Û½6Ÿí‰»°î…©Ò3ÅÿÞ¡·E$Àµfoëáëb‰W¬N¤zqˆúõÓ¶}äþjnÕÃendstream
endobj
-1344 0 obj <<
+1910 0 obj <<
+/Type /Page
+/Contents 1911 0 R
+/Resources 1909 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1891 0 R
+>> endobj
+1912 0 obj <<
+/D [1910 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1913 0 obj <<
+/D [1910 0 R /XYZ 56.6929 752.4085 null]
+>> endobj
+1914 0 obj <<
+/D [1910 0 R /XYZ 56.6929 692.3565 null]
+>> endobj
+1909 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F47 874 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1131 0 obj
+[646 0 R /Fit]
+endobj
+1915 0 obj <<
/Type /Encoding
/Differences [ 0 /.notdef 1/dotaccent/fi/fl/fraction/hungarumlaut/Lslash/lslash/ogonek/ring 10/.notdef 11/breve/minus 13/.notdef 14/Zcaron/zcaron/caron/dotlessi/dotlessj/ff/ffi/ffl/notequal/infinity/lessequal/greaterequal/partialdiff/summation/product/pi/grave/quotesingle/space/exclam/quotedbl/numbersign/dollar/percent/ampersand/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/asciicircum/underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright/asciitilde 127/.notdef 128/Euro/integral/quotesinglbase/florin/quotedblbase/ellipsis/dagger/daggerdbl/circumflex/perthousand/Scaron/guilsinglleft/OE/Omega/radical/approxequal 144/.notdef 147/quotedblleft/quotedblright/bullet/endash/emdash/tilde/trademark/scaron/guilsinglright/oe/Delta/lozenge/Ydieresis 160/.notdef 161/exclamdown/cent/sterling/currency/yen/brokenbar/section/dieresis/copyright/ordfeminine/guillemotleft/logicalnot/hyphen/registered/macron/degree/plusminus/twosuperior/threesuperior/acute/mu/paragraph/periodcentered/cedilla/onesuperior/ordmasculine/guillemotright/onequarter/onehalf/threequarters/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn/germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla/egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis/eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash/ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis]
>> endobj
-1189 0 obj <<
+1476 0 obj <<
/Length1 1628
/Length2 8040
/Length3 532
@@ -5324,7 +8416,7 @@ endobj
stream
xÚíte\Ôí¶6Ò ˆtÃÐÝÝÝÝ¡Ä0 00Ì ÝÝÝÝ’‚R"‚´t ÒÈ‹>ïÞûüž³?³?½¿w¾Ìÿ^×Z׺î7¶‡Œ5Ü
¬‡¹rðpr‹ t´P(ÐWç…C­fL9g0ЇÉ]Á¢
-Äü{fXE
+Äü{fXE
0Üú÷äè¹aÖÃöOÃoäæìüØã?ûÿxýœÿŒ=ì a.ÌÁAb¡ö™9Y® Ä£ò/z{xÂœ*Þè—ÖÁ»2#×Dj,ïêÃ8›ÇEµyÍî;Ýoª²n öA™ºÓÁß‹(üèX>ã.3v±ms™W`gÅúϨ¯"›
rn­êèš—ß¡RŽwð9£_²Ò¹Ð_8=óe4%v>oFÀk(Ù?`LÙ½¼`êú4ð±ûåÃ&9[~ƒ˜;26cLà«|r)Sƒj…×Íl(ßÛ
b¬Å7ÎßÊçÏVð™h9Žù,¢I‚°RÊ• e®äß·RÆ%=²ìÙ êt›œ(†Ì%³LÇî)®Ž>1Ù¥‘„µ…^Ñ2¼éˆO£Ý %õ‰>•pjÕr{2–ÂwÍ<–g¬™-j—!3cäáakIè,AŒ$ÁLˆÇÆ‹J¯³nöùU»Ïm›Þ‰D3
@@ -5347,1481 +8439,1586 @@ $OíœàÅ€DÈ
t‡Í=žÝbóÆÃwî6ß"£“˵?”JËOP2RÐ oQo+†â1)©w†¦ÜèådîI½ÈZ¿VÍ­(e÷åû È"QÔüFØs(úF$'‘qL ®/¶!õÔ ¤HvkÖ‰Œh¼È‰¬ê؉á¶o?Ùa:Šÿ±qêcŒ° gã!_QÇ~ÏWê¡1üaœ¯UÝGmã§Yñmn%ìRãr9÷¬ß0qˆ5†/‚E…(êÚ“†,W‚˜$Ù½ï¶åçLxËÎÔ|ú奕£w†Z|ÂV€ãž÷,éOd
ÞyŠGÝ ŽÎ¨Ý3lÍ4©¿Î\×T2Zª½Ag—.7Ù#ÏPæï™v¼eŦQLÞ»±Oþ¼Ô\’ ¬ÿĵJÅñ¾(š3Ç].Å*,MÎ>ÛBx(ÃSÃó|D³uû‚Þ¡ï†{:Ò‘Á¨2G9¡Cê{É•<|?ÒK áéá@F)Ø,êw÷ó?È ¸¢Ëa„Çh%Ù±o^Œñ{‹6™Ý @¥-«ä%Å~jÉwXjz1îi´·î¬%uÕ3^¿±g¸`d+ÎK[ŽDe—„]âò†YèÖýÇ?Ï>£³HjË,èkѸÍhÔ8Š” ™v_Å [ªJÖ®²9m=·âú?\‹k>¼à¬‡¤*³Ñ³ž,Y ê<‹ý¹uÓ Z/ZV$S·é#ƒmNOš¨5M@¿§rãÝ0Hõ7¬&7[àçŽAØñêOõƧÈêÚ5±pE6~d»Ž^.x¨T1¬µ¤$£Í7¿ÿ4òÆêüj§‹G1¬èípoóÌ3³QýÐZ:œNÍÆéç,0½‹Š‡Zg‹ðâ£à)‹Q©¯³‹X""œÛÆ0ÏÁ¾äBvFA‚)Y9(ÎYÖý…ì¬S…|¸Ôü¾“qbæÇN.LÔX§…_ï‚¿œ%%½¥åŒìé|°D>W²7}C–Í#—ZR¸­$º`bÛGο…a¿9gÝS%\”Á/œîñhC|?s§ Ø…šg¯ÎÙÈ)ª¬m}ÐvÖËk†Ÿ.bÉ&O
üõí+uqfº`Îa‡„°£â,I§ã¯½/‘˜÷ÇÝ›Á¤'P6ߢH‚Ú?÷›½šÙ¹˜Žà9¦ŠmHr7:pMRYŸ#£ 'æW¥¿ðKCß|-¡mWÝ躖nᲶË0–«ÞÐ3äÛÙ=j’¸Ë-,n–³e±€¢üb½iÙ;‘˜Hâ°l<)žL.ßÐYÖÿ°Ú·)wL=(‚Œ£± L|)=å'ÀÆ-Å@²öò¾µ<ÃNrä³6îµEôʃ3±d¶kÓ»¬ÿ‹%ôµøü·(kD~ô(¬_yñ‡Í; ¯åä²fùOî{&*‰äyÒ¯9ÛB±T¨d>è.<Sâ¢éX3p7«Á~ª"럽Ÿ“lË´ÍÔDQÿfŒ°Ì
-*s"}Y ;Ò‰¢ú{YÌÝÇí]p¶Òݯ€Ž¶Xo³êÙ}
+*s"}Y ;Ò‰¢ú{YÌÝÇí]p¶Òݯ€Ž¶Xo³êÙ}
endobj
-1190 0 obj <<
+1477 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 1344 0 R
+/Encoding 1915 0 R
/FirstChar 67
/LastChar 85
-/Widths 1345 0 R
-/BaseFont /RMHUOF+URWPalladioL-Bold-Slant_167
-/FontDescriptor 1188 0 R
+/Widths 1916 0 R
+/BaseFont /XHCQCG+URWPalladioL-Bold-Slant_167
+/FontDescriptor 1475 0 R
>> endobj
-1188 0 obj <<
+1475 0 obj <<
/Ascent 708
/CapHeight 672
/Descent -266
-/FontName /RMHUOF+URWPalladioL-Bold-Slant_167
+/FontName /XHCQCG+URWPalladioL-Bold-Slant_167
/ItalicAngle -9
/StemV 123
/XHeight 471
/FontBBox [-152 -301 1000 935]
/Flags 4
/CharSet (/C/D/E/H/I/O/R/S/T/U)
-/FontFile 1189 0 R
+/FontFile 1476 0 R
>> endobj
-1345 0 obj
+1916 0 obj
[722 833 611 0 0 833 389 0 0 0 0 0 833 0 0 722 611 667 778 ]
endobj
-1156 0 obj <<
+1292 0 obj <<
/Length1 771
/Length2 1151
/Length3 532
-/Length 1711
+/Length 1712
/Filter /FlateDecode
>>
stream
-xÚíRkTבª¡¬òRIÕzX¹yL4„„0åý”˜™)É &4€ˆ*©Ê²ˆE—<EE©°ªÔJ-±
-·€/Ò*Â%,¯EªVEÀW¬««ôgûë®{Ο³¿ý½¿óÍp `Š`|„c$bAB •J  ÎÁ ‰âX ŒD„
-f&›ƒ‚ª—4ÏÆ{ýç»ø:.ôžk'J4GåNÓ…mÑ}åÙlÞÄø¢cBÏ=/¼‡~(‰26ö\”k=´yAÚNÖýÈåz¯_¬Î…ե躼êN¿Ÿ·l/™Í\»7íXmXí6µî‘`Ξ£‚†‡UEöÙ'¢æïåD¨w Ûøt¹{;cýåºG¤]Qøóªçw¦µ #0óñq}&÷ÌGëyÞ‰©¯z|¯;X£ßµñÁ£›+m_OÚ ô
-èéâOKr_oí ÖØØ‹›;LØÝ£¥·¿ïGƒ›Ï´×¸úÄ~µÔ·•^þ?c«Ö2¹öŠH=GçQh90Á€[ªÔuN ØÉ|É_–êfr6J¿•<qÆŒ-é†mA$ãÐËÕ%Ñì\s望ž.äê±*!±TrJµÜbÆí™cKœÍO‰M®†ð+vÂ~·*ÃãG+'|îtOhò/vþtz…T!}±'e¾"K§íš—ÕÜ]¶À®BÀtÛrú#ýçÜ/Nš6YÌ#ÖHÂáo,•Û®9^ ‰¶UC›cZî³#±ùVïæ†ÒéŸ`†¥õcÚ}õ!eæþ#;.fE½_`¼ãí\&.ye]?ÔaYžxˆ+th’75v_¨*¶ý0Z@”EæËÛo%o–Ö7ße³:¨Ì.îž[Ð2káŽM?:=Z–Qùe¼ï9~~fôÙ ^¿ßœo])I89çÄP‘¸æ@ê]qoHö3¿ïރ߱]ò8æLiaÁs³²ï´WE±dør—èfÛnF]·ª¹¦¬`·tn­Ãúw‚íu\^µóÙÕQÜÁû¤}œ¾Œ|ñ*áär§¯u)EP`áapëê,;ÜŠÚ®ékrh÷cåå‰Êü»¯ïQ&7v^+Ïû ‹Šh¤O´Wï›Eå±}Ûg‹V³î}p%îÓoRjøƒcçÅ­IW{?]»ƒÿ”ÄvO*bÊÈU=¼y¦ O²ÂåWÓë8sÑþ_ࢀ\…ÈWˈ4Úo÷tŒÄendstream
+xÚíRkTבª¡¬òRIÕzX%ró˜h   B,òF32%™¡Ã
+«Š@} Ô«p ø"­"\ÂòZ¤jU|uÀººJ¶¿îºçü9ûÛßÙû;ßÙ —°–Æ7 8F² 6$þ2™âêÌåÒ ‘“(ŽÈID ¡Ð¬ÎPÞ
+Àˆø+D|üñ4¦¨HàæÏœ$ €Xƒ¨BŽ™œT!ª†B®¸EHˆÕj>y#„#鑉ÀlU`’‚b4Τ&)¦Äà g¤½Me"D:%
+¸MÉdJ$Œcj€%³§º!”–BÖôâjõ¹f²ü”SÉË5¨Z÷;פed8ŒØtj òFœ Ñ Íô¬””«Q…KQ#€­dsW¾ÁÑô@T‹Àa(©P¥\ŽLáOWBù7¥ƒîþû×N%Ãä(FFêÒÀýƒ=CÄ”Iªñ\6— QDj¿=%Nk&Á8Œb)€Ç÷
+`ñøT+îJO àssþDTd‚‘SãCô6V¢”§¢E4Ó \áµå㽧¶ÕæJª»ŽZ3Ó–ÞÒqnëÉR/öpŸ—Ã5¢é‡Häƒ_í·ÚŒ³+ ùŠ+ùýôSâl£>‚³µ×ÞhëĬÜ1ëb8!iÆ¥òö¶÷4¶ß5-6§5¹?øÑõéÌsÖõ¡÷ A}¤pfíÍ/ç¦nìì7Ù| »•ÐËO‡îA¢ÿ{§èÊÄý ¼7Õ\šŸ°ï©ã+½ívOê-ÛR¡¡\fu½ÔûÅ.S«è¤AûS›bË„«#D³z\‹®(ï{»”Æú´4‡È~™=Øͺ”¾Û#ÍÏ) Ž‘F.8Zé ¨] öª¡[" mëZ5>Ø…sÃÚ|‡Ô†.žw1”Ö´‡ž<þ’ñë’3Ÿ$>Þ÷ìµÞú@¡w±p>>#ÆÝs¿o¦›û0³ƒK·¾ú™Ñ%N®úâ.)ö î³Yeh×üÛw »eLb…×óœnùÌÕÄ£ÝköVüK¶Îýëfãî‰ÖBwûp êáÏ[ ûyIþñ}Ég"oº_ªk<_àXW03ÑØX½¤y6Þ;è7ßÅÇq¡×\;q‚9¨vš.ôh‹î«Îf;ð'Æyèyá5ôCI”±iä°Ç¢\ë¡Í Rw²ïG.×{þbu.¤.Y×åYwÂøý¼e{áÈlÖÚ½©ÇjCj·it„sö6<„¬*²Ï>7§,'Š@½[ÈƧ˙íŒõ—ë‘vEaÏ«’ÙDœï™Ö6ŒÀÌÇÇõ™¼3­ç{%¤¼êñ9~°F¿kãƒG7W.Ú¾ž&²èÒÓ$Ÿ–ä¾Þ2Ú”ac/iîˆ7aw–Þþ¾n>{Ð>ÃÕ;ö«¥>­ôúóÿ[µ–ųWFê¹ê8÷BË ÜR¥©sbÀNæK~ò7“³Qæø­ô‰3flI3l $‡^ž¨.‰æäš{Wôp!CǪDXÄRé)õr‹·gŽ=.q6?%6¸,h¬Ø ûÞª [7Z9á}§{"#ÏñòHaçO§WÈ”²×ñ{’ç+³tÚ®yYÍÝe ì*´þ,·-§?ÒÎû┡i“Å<b4 þÆRÕ±íšã•àh[ ´9F¨å=;Û™oõnNáj:ýÌ°´~L»¯>¸ÌÜdÇŬ¨÷ ŒwÜ¢Ë$%¯,ã¢ë‡:,ËñDMŠ¦Ãî UŶF«ý‰²È|Eû­¤Í«‡eõÇwÙl‡ª²‹»ç´ÌZ¸cÓN–eFT~¹Îçœ ?3úl ¿ßwη®‹‹T$œ”sb¨HRs 室78û™ïwïÁïXŒ.ys¦´°à¹YÕwÚ³¢X:|¹K|³m7£®[Ý\SV°[6·Öaý;Av‡:.‹®Úyïê(îàÒ>N_F¾xr¹Ó׺ä"( Çð0¨54 Æ·â¶kúšÚ}Ùyyâ2¿îë;GTI×Êó~¢"éíÕûæ@QyŸöYÄb¡Õ¬{\‰ûô›äÁàØyIkâÕÞÏG×î¼0%r˜‰E,9¹ª‡?Ï´áIVØ¡üjzÝ
endobj
-1157 0 obj <<
+1293 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 1346 0 R
+/Encoding 1917 0 R
/FirstChar 60
/LastChar 62
-/Widths 1347 0 R
-/BaseFont /ZZWIVJ+CMMI10
-/FontDescriptor 1155 0 R
+/Widths 1918 0 R
+/BaseFont /DTYLPR+CMMI10
+/FontDescriptor 1291 0 R
>> endobj
-1155 0 obj <<
+1291 0 obj <<
/Ascent 694
/CapHeight 683
/Descent -194
-/FontName /ZZWIVJ+CMMI10
+/FontName /DTYLPR+CMMI10
/ItalicAngle -14.04
/StemV 72
/XHeight 431
/FontBBox [-32 -250 1048 750]
/Flags 4
/CharSet (/less/greater)
-/FontFile 1156 0 R
+/FontFile 1292 0 R
>> endobj
-1347 0 obj
+1918 0 obj
[778 0 778 ]
endobj
-1346 0 obj <<
+1917 0 obj <<
/Type /Encoding
/Differences [ 0 /.notdef 60/less 61/.notdef 62/greater 63/.notdef]
>> endobj
-976 0 obj <<
+992 0 obj <<
/Length1 1608
-/Length2 6751
+/Length2 7939
/Length3 532
-/Length 7596
-/Filter /FlateDecode
->>
-stream
-xÚítuTÔíÖ6Ò’J Cw·ô€ 
-3 383´t‡ ”´„ÒÝ ÒÒ-%)!)ˆä‡>ï9ç]Ïwþzßó×·¾YkÖúí¸¯}í}íûfg1
- €RRRDì
-fgp™™róòòýËó;`ãþÈÍI4Ìà¸ùp‘NŽPæâ|…0öP€- ¨è<ÖÒÓ
-ö‡†3†°û>
-jg‚À¡hô Ì öïéü«OÀëÞÚÉ îþç4òOÖ?9À0h(ÜV€(|SŒ¹©mC þ^-„-
-Äé
-rÊ­4~Ÿå[‚lñI ]’*|vQ$P5(}Uï>±åt¹ªÍ³ÖÓJçlI€îf2x±q·eÝçø(Á»æ/h•Kš´mé¹7®³ˆk..ôhí뀡‘UÎãàGÁÞOn_6—,_ª'Nw¼Áo+¢©É«°(ʲ·¶9b¿ý<áììíîúÔrp»m•ž7=š]Æ—”#Â÷E:½‚¹I¡ç+›`lgI\kp› —ÈüôMõ¢À|ƒ°²
-œ…›±Ø§Ï«Fc³}m½}ä®V‡6Gr\> "KªYIó½1Ÿ·²Ÿ÷9Qg††1„K<O›ÎQî,,ÿxtä’3¹ÂtÐ#¦»è+Õ8+ìǤÈF¾‚¡Ëñê>¬”(æ33óÞ5±§Kí9uæêMæŶ¯’–÷O÷‘™÷Å㣛RðsZ1ÆŒ^&}ÐùQ íívRæXnúv†e ^êÛ¤J³T×_+'wßsšßÚ&ŽŸjUH§¹ÿ0Ä~QzNÂí#(êyžJéêAB¢]±\ꞚǼû¼Å‰#¢
-»øã}y{ꔣx$󙹕Ä7ì) –/ˆ„³Îé4»×c§zœïÈjYÔRy°©ûJæ—V‹V¦wß“ó ÚÞÆdêˆô÷Ô·³0øò…i°sOí?¡Ðd˜¹ò@ÏéÞcxL
-çÚ“9q93š¹“Ù10Îd6NÞ”QáW}Þi¢ioRŠäqY"ã¿› &Ù‹²'IU{ö+º#Phq"!Ô}q§t°<>J*KIý s]/wûW3´¡Îú㌜LgŒq~2Ê΃U.{òªÄþ²Ô²LPšPPn
-%5èëÖ,»;e9øüNŠ Y‘ vÅ—/<<vǨqA%EªŠ·Y
-GáÊCÚÅ*¼ä7/*§Åín‹+¤½oèg¼cèÿ jÇ7^96Ü@xÕÙf}¡ñÂSµË¸õh‚AF—GÌ‘ÿZÙx~åÓ‹ú®2OBëðғͦ´z+! v2gÅÜ‹†‡´©h³+®,:®1wJ:ŒéÜÊéxK‰ûžq³¾êüX¢'ßV IUm;³ª€‡HS@ž=T_ê ÙöHWçËm_åè˜#hcWÂWF– ©R8O°rD›ö
-­¯Àäzú~ø£<)¸4<~v
-é‘XÜ…AÉ/½3JÈ…–ÆÊ¥íÆ„›€ˆÅèažÜ‹[òú6!C“KZvââ‰Ê¨\ïFfþÌIòÅê ”×½]’À"ÒÖ0ìª:ðžD¢Â“P•7vîÙú¶ß‘Øݬ¢š³›Å1]»õ¢[Æ0áë¥z‹Þ°3éØ)ÏuµO"n`·¥(mèž<p=i9: sPSk_A8ãÀ¯Ì4د¼#tH$Á›¥®k—f¿‡§7'2̃æä¢XañîÖ:ô”ä¦ò[ãDäfU½•Íß«š²íYóå/õ$´PìHK׋~(¢‹E÷I9)°I­4áüÕæ=©Œã5öVQìºÒ
-hY$7U3~ñ4päáÕLÔ
-U¿ÍChùLð(+G ÞNÒ±˜¸å yB{v€SÐjñpÅʦDÀú´ÐFˆå¬ÞõËþÝýKxŠ|¢[ô‘tU¯™ÞUgkÿ*C‰wt{® Áå;»ïöøͪÍ%ç‚Ý'×k®DzÓ ±ri;Ìi/[ˆ?–¡zí¾ï‡÷$ƵèÜi“¤Ï+õÎqM­ÆJ:¯V£#NWßÕ}èõ˜{¤lŽ­.NPGIÀ}5ÙéŸ8rè“2–î±"`ÅîpMûspÏ~ÉŸr Õ[âÜ+\øv»•èkIʦEæÑØ./îœN3ÅEÒlÜ9‡f²AÊ“!ü¢µö<qÕ§>›¹Jjÿ˜¸{…öÚ1U÷¼05§lî¸:—ŠÕ­¸”ä&öƒÝ]Ôßû%gÀŠ%ÉëO¶LK¹]ŠT”I¹eÓõ–FAh]A·Ã/@Ú>Pw"d:¹.ë”19M¦àÑ£ðs?Ù¢––~§wøÆÌ°£_ÙV ŽÏ^¯ÓåÝ_ì#ê97¸›6!”UñuŠÞE(ÚÃkj't…×É¿è9ÑSLy¥Ïyîqk·s»ùµ¾Á’yˆFQù¤ [Üëĉåûæ‘>s\N«:òܵ„Ø™³=7ZQØ··B¿gð*ù&¯½Œ}^&¾óDžgçµ|ÿODKoââÕ¯Oþƒ¤£j¤óÅʬ~Ö³Œ_ñådNT_/üd¥×’ÙH*$hç¤2/û-0Òó)Ëÿ ¸’(4æd‰nÿœLõIÊ=·ŠQª¢|kA89Ç»=¯°ãá>kŠv3ROn&Àñ‰ô9DÖ<}£º‚P³Õœ2~„û¸¶wÑ·Q±@HfÝÑ=RUˆ`¹”~k+³x˜’x·Š}Ì;a—r‘­2`å-Å0{ªÎ817™†Ý€)2hô»}hïë õÔÚ+W/5¼zæÖm(³ìxÿ›tŽú9B*«tË[p{•¾ò3\>ŽJï,ä6>à•ð좒
-É7)¬G»ýØѱ†ùÛ#3/éµåhÈM
-Z²Û¢: äL²%T1ãͨ—¥^‹?BAI_ì¹øŠ\3& …§Í-0ÙySŠ¨W³4¬«·;çæ±û«ˆk U,~уûáNp¾÷Uê¶]RÏìŒ{g|õóÒî8,-’-ë÷síKiØíÒ_zQP¢Y§Ï>3Y«ËÍgAg(æ)„ºkß-µE¤çÂuŠ¨émº.?}&í;!æ&B)ž(;H…uz\J.‡”é²ìQ·óˬŸÑËM:Û{gjÜt|ï¦Öz½ÚŒyfE.:ð“+ÿŠ~z=ŽóJñ¼Á@ÔHÈ:Âû¬º,À:¶ìâ5ôê ¾]؇ðI[í2ñêá×n­Þ/5mêÉ«¸¿-Êä’8\ëã“ãÌȺ)ÓIsN ~{ØE§Ÿ)n[,÷Úix„Ci?éÍÿ)ãTâëu|SÃ5^¦V²…÷èû ü¨HÖ°GîxWÖ"/‹Uí®lF³“ƒ™¨Îý@ÝZ{¤ë;!‘› ±À]¾dOÉ›ñ«²àýa0ØÇ««â}£@Ýä§oºtÍJF:ܺ²8Ê^œ1‘ûl§ªæEéRûošD?÷®=¼»=ÓX#ô
-]‹g<V³-£¦ŒrœBBÅ–ù°\DÍ`>kh ¢.@3‰\§NýVró²C#Ô?Ö¿`죋žÚªJò‘
-꧛qÚüw…£·ñb
-Ðj¥×‰"̨"Œ 'ËÑ7úׯ‡Ø:W¼¤Fü¤H®b¹j†CV¿UÜLzßìÕ‡OSS\W$?KÍX uçP(îVš#ÒîøÇÌv¶×{ª'Z‰=ìx©oïUë*^„Í›Ú\^OiJdXÜÛÖoQy>lÞ)ˆöó(ÏXäãè÷[nÔGÑ‹®ÝWèq±ÎÿÍ‹³n/²1EÅlæqéF0Ÿ‚õ—¦ìk#BÕibÅÓ‰h>ª
-ʃsdLðén4r¼™¼ Á=äÖ<º<@Úúšg×ʶÉÆ‘*<ã# bowP›$ÖÌç»ÂËlöh¼ŸrevVMRMÐ8t=jÀhqí»±¼bG P¹Cú•32°AöÍf»ïQ)‰•5W¤¹¶ÙŽà×¾€ ½>î‚ÒäÔC.ýR÷f‰9sï,çë„ : ~±+2ö$5è)ª8vM_wç¾Äè>ÉJˆûNn‚”ëäkƒãÀb6²F=kJÿÃÉ%1%c”oYfðkxÒ¶ZzhÛ~¡bÈÚô‘­’ó͈7VÒ®Óìç¢j0·Š«qW;éKsF‡·ÚZ;25߆o›2ÜKÉMšyh|µµÞ ˜{JæÀT\]·B/âfÇ@xP™‡ò|d1£z†Žî›Seå]MtÞSø:WRÊ*ÊŽØ[cñŽð"àPE?îk'ÚÓÆêù²ŒHûÀ#²²£×G®–®/5¿âiËÑÓP [ñ¹Û?1ðßÁm“·»×@ks)j[Q¡1bD"¯‹[kbî%Ö”àbéÞ¾ÄLwðžî–“écʽ¾ÍÝÉÈQî"å$×3Ѓuq²wžõ$GM³þßviJ¾ÔË×d=5g»S–¦þÃsÒ;êiYŽÃý…Rnä®&nÇô;\·ªLÙqÄü˜²Ir™˜íµ½5e¶f""Áµj£èÓÒãdÂFÆט)ûó§¸ïôeQ™²ÏºùH{u׎ÈzÝsš…0æ=q<¨œ\¤Z©ÇûR‡\¾óc;™)‚ƒpt`õV«c‚pãøf“€60±‚]%]çtv…~ýͨ‚¢$ÙÔpœSõÃÐÍéóÂ7mgíq‚2ì¹yßÚ±œL“­ªr ªÁ~y³Û †o¼ú îå~ácìðdùÊöæÕ«“B¨U/‡¬S¬è =g×
-v
-Åõn`ÑSd)-Š…ÕY¤Ch§ÕÍt%-‡ÃÊ
-ãFaàÁHœ1a™ŒƒÍ°.Ç®üØí*¹Ô0y‰FÝ
-Ï6Ý_Uô]#ó±ä
-ŠŽt39‡nßh˜ã ÀÑ0½1¢| =FL§d’æsÙ_Ù£“-"¦‹Ï*³8/©h…—¨ÃçäLrÏ¢·rb¥{›±\&®¼ jÌ I_¾l‰Ï¯ÔB² 2Ýݪ'Þô\E–j“Ðò͈?Kåd—¡·–Î#·È÷!t%)G¬”–Ò¼çF–ß?ϸˆ¼'ùY3{Ä&v(£ÑÅòÌïPA¨¦,‹vä@)!~®RìõôÉ7ЙF®è”{¸ûäº2™ vFéä9"¹nqx§Ä 4þ5;G\tHê!2ìM)­Ä‚E,vµæ-ô¿üý€ÿ'
-ƒt´F='ú?=Œžyendstream
+/Length 8789
+/Filter /FlateDecode
+>>
+stream
+xÚívgPTݶ-HPPÉ™&çÐÉ™–œƒº–††î&K(HÎQÉH ’sÎ 9#$ˆ€øÐïžsn}ïüº÷üzõvÕ®ÚkιÆsŽ¹VmVF-]^Yª„p@óùž4`ö–Î(]°ƒ¯ÜEXYå‘P0†pP
+G8ÚCзÿãºP(
+²BÂÑ€Û¬Z
+JñDÛ‚Ñ¿s£`·n
+œ6B†NšVµúz9S,nq2BÙYÒ_+Ÿ¦Þsà›`n'.@b%iî§ZüwœJ¯îsúð {^¥’¸úCHW —Z “èŒÁv,!ieí1«¥O˜–©í[oF‹£‡y‚öƒÛ¢Aùx@”SÜeMIƒZ|
+úˆJý€•<.%sõ JŽÅ?ANïÝy¯2}oÁ[+B”z1’áž ‚`Ïtf¶¢tÈwŒ°ÏŽ·xÀ©þ™Ììè)‰ë{çqéœÅâêsn¹ÁâÑÈ!áLâ|®Å–êjÙµXùPüðáæN…:ÍâŸiËÉ#V
+.¡Þ&ä± .­µÙ:á%%¯ÆƒÀ+Ùì£àrÒôdxå ~åj}vøñÅ
+E“õî ÷*\ÔíÀ5´Êµ³nÝ¥¿ìv°¦Õ°“@<˜ÐÀÁæ„|º‡¹Uº–ÒSCö¡•Z„þîýÐni¯0q¡~‘
+5¿Õ¬g-Í=¥á`8Z4~  iN6ý”@}!ôk °)„COÊ,”úP¹EÞ}/šòÜ:o«4QßФháôBlågË”O„á1 QÏ—= GÖíÎ2‹$ö"Ä‚B5GmÞœ!kÊ€ÅÁFþ9¡Ë+TdùGô“Àû"6®ld&Zíeí{4BQãÛ£x­æ
+Çžó,g½Ã!‰âŒOòpÓª¥øℱ—ê¨,«镨’/+U²ðN\ú_øHîÙ;š2™´@r•zPÆœ±¹ú™5¿,Oì°v^=³ŽÐŽrûÊ`ÉØÒd±‡U”£'„/,&z‰â£óõ¾ Ôá­ÌÚ_'z8ƒ^»‚!OUáö:§˜VeÞö¨|BVvÔ0ó+·–0ûÖÓ¶Ú,V¿š J,â^´S´+kNï¯s¥8¡ËÐ f´“[„wO¹¹Ržáè.ÁFFM„l-¿?®f$i½*Z§g´É-@$ˆð‰´…G©3ªV;eW„ôÆwœÃðÇkÝüÓï«Ï0¾B¸9lZàâèàø3 x?Üßj¼¼ß· E=_a^ñêu(ýv
+-gھ蟖¤§I„²kZKéä”ð
+›û,¥ñ­º“Ûý ÙU@žXÒÖrÝ}Â;´w`D­.à™Œ«ž¥ÅÇ3\™»ølð­…Ébñƒ¥‚U³¢ÌöMÌœÞÎÛJ”…¶WkÓhý j¢’«qµD¹Kz瑳³B|óG\Caî+þ¹*ÊÛ~¡ñ¥ÎGÙ§}–ΪJæÄäû§ W÷HíÚ>ÛÀaòœúò4ó üN$ÕYYšžÇï_œ••W+vqƒÛSš:± 0ZÌ©„›a‚â[‹”%sˆ{¬Þd?zä­7~ÞÛsý3M{öži17ÍÖ‚\"éýGeã3mì7
+Kygm/®SÉçÍÄ\ÊqÈbO;z¸‰ð «-4'¤§€+k=ž~(6¸hLìÈÒúô<6»¯´yjÊ^"þxNLÝ°Ç%3jz˾‘e2 ÃÏfĺEÎ>_žÝ(¸š¤²uy•“®ƒ›{!Þ4l"ùíóQtñÚIÝE°ºÙu² ¯‡Ån¹¹ÄùÂGˈÃÄ ›
+?y“w¾ G$ÜË×ß™‹<Ê™2ãtÏ¢Þ}ÿ†­ @´yIGbc‚²Kê·HŸ|ëÖ x°–Ñx½Ùþ2—€_M”+=‘Û~d˜„“•/tŸ†ò³vLFd*°Ä¾ù±b«&} ¢¥çË/à¥2 ?‘©"B¾,|BÊ1û楛æŽÈkf}°¿Åø«þŒ„g“IÆÞyã8‚© .ͲmhïF`”ÜN‚”ƺʨjÊéž=wþ¼æuußÆ?ÀTÓˆ½~.%º·2¢_½¥’()“5”ôe-èÍÜhxlšŒS+é\d®ýÞ¢Ïd=ºñbfýFÇO¹!3‚"Ž±6÷'íjCœ´¾X‰Œ]Š*ÅÂBùwK‡õiŽ€hn"d²¦…Œ·âg쎓š™Îë`ÎÓp¦»²'UJfaþ»f[Ĉ]ˆ•á®þÍz´&—À$ñZ¼¡®i¾—fG‹LßÇzbÕû\dÊÅï격|X“Ý\sÉ•ŠØÊ+¾ÿ fÜŸ|>„%ýHÎÌÚ`=6"æ’P«ô9#Ñ\ Ó#3z-Rô|%ñ¨$¾Gc^¤‹M]÷²³Ôú{'¢_ýDÊû1éÍ*õ,θÈêÝþ²â³Gƒg¸LMa2B Æ»é»*+M[TÏ•´lm§2!ž7V¦Ôˆ·nŠæ‘’¸†pj7ŒÙ>ò"$›XêÐ:{—­¶^˜u^9Ì’„‡DW¬9%%^ ÑËå,W0ß²¦ÜÝ™ZÒ×ý/õ{øúÆ>²Ý” à/"ŽDkúmù0§_ì>WTxìÑéƹœ ‹›
+zƒ½Ê-%¯Oà¸L5“‡û’ªV,î½øÊáÃz‡>ò&ïw¼´rY6Ç—ÆJwŽGƒ ±Â*ÜA5ƒ
+ëšSùSÕi…Ÿ*z~Öå{OrÛÎâ¿z»—­’M®læ|Pû„î"‡ãüi®WêæˆOâ›Ð'ñëgÏbíbœŒÉQùb³ 3.ã…ñk›ÌBd¬ilüÖw_ãcÂŒ´¾,ã Ž
+¢&tG÷ü©Ï¾2¤ûôþÌÓ(v'«.Š
+òôÿÑü0íû¾€Žˆtß
+sožbrÌûvE ²ÁÅ/ÍWRÙu/w¦ØÒÕÛïòxœ‘ h<LšøÖ‘píÇâa ®”Y
+Kqh|>6œÊ³(æÀ’ßë.
+ a‰ñµoWkrŸÔgÔÅÖº›Ð˜wÜ6îÂÞN¾Ùö i± XüÐ~ýÅ´á´ÙÞVó Þ³6÷³Ý>EŽ
+‹^±Šî±nl#šñ‰65%,ç_°Oê”+µNý%Ùz¯>W7¶]•fzã}A}H›ÎÀSÝÀ~ƒQrNÉ)îs¬þr]Lf¸á“
+<á¼ØËûò Aê)¡³k¯×ývuSøGlVªs#Nu¥¬·OŠE•?.j?ø ÿ©ÓwGä“øݺ23oªkvSÛë>Ñ=¶ Ðz¸^"èÁ8¡-òo*N¡žº3Xl‰eÓk‹þœ %¿_>
+Ý‘o•~~æHj¦ä=ß‚§§Øç÷üÁ4fA|Nç“ž@íD2ÏJªÏ ªßãfœêvæ_ïùQÎ`œTäUí`­Ø@–¶Y™i"Çø¡Ñ=¸M×g•Õ´1š:Uпƒfèò©ü¢hçˆ Šl`‡N¤·èç«s¼„klbhL˜:g6(皊…KQ}ÈÞ]Ÿjƒ+ÅÁ7„,IL$¥<³ Àãyª1ÕÓ¬^Ubó¥s¼=õ¤¯æ-_ãº"/·ÒøìX¸¶å¤)"<XŠxÜ*%Å•€,Kß‹?¯‘¬’ÿ„Ç#8,Gi§ñ
+D¯°4Õ4øO‰h§ª‚Ã*÷)É›%ŠØb~ø-GÈs“I»øNà9-ŽSqÈÓºD {Ú½S\pzùÃuyjD¡«†k!ÈÅ¡ùð4yªQemˆÿÉX‡Fiomß­¿»jÑÄŒŸ*m—­´Ã”8Fèc…ךÆàAÔÉÜî°’Z¼5è篫a¸”dñF~²á)ž!“F³ò±Ëâ7£gªØjB}X€‰/‘'™“š"ZtÍCöEqË’¼R7ö¿Õð®ÒÂö@.)¨F…t ‘½uŸ¬®%Qò«§µEp˜Çd€™ÑÛkï#ÝýFø‡‰0A³KE*3Æ€F ‚é®0BÖLqÄ`nÿ‚Š%P爉䅟Ú*›X‹²Å·jÔi÷b¶‹ôRáó"¿¬žû6vTZRœÌ°T3 Séèv\ã«%øÜýI ¯”Þ¯é¡ëæ®ZÖ·mpßú”Qn?ø&Å—Â#Ôߟ›ì}ÅÀ^í° ª"Á"çt{RH:†×¼woŽ¸ÏhFO°™§éç€oÊC£B÷~”…
+ sœçã¸!q?Oƒ¶•G¯îW̳ŒÔ)HænÉøoÌF–A£Êå{Ç‘æä8£jýäUu;W+Aà¢ïóÇ;X;{¥ð”ÇÎwÆ}x" Æš=×N¿nc}& ±Éy[µ~œ ¿öµh¨»š«¢³ñ©"Ì‹üEmÊ`;µ
+Lj
+â³ß
+Ì Q=w¾?‰¦6ª~ûá¤àõd‰xW/aéÒÛ‹†Cú\»UÒâàfÒ~…¶‡Í
+¤´HNú2HBÃ8—GÂ+zq(6|£}h`wŽXn‘ÉÖ­\ƒd0ÖŸ9yEúQ§lõ8þ4»G“‘Èh(1›‚#Tšl8ùñ\^ß/Jö\¥H§¼¿Õž‹r2Σ}‰RÕ»Y€|áCžÓ|ƒi xCªݪÌZ-›Çð0ÜJLÕ—D9dkùåΞ‹üÀu !!‘}U?³9Ü«eŒiÒF̦ì½Äõ–çwNRi¸Ž~ÑqÂzÊ—eh )¶M# ±M¤µ.?¶%aÿ5ßóÀ€L]t“ö´ƒÓÈÙ‹CM³S­ê£²lµ^÷³²ÚfÉÔë'7±‹÷bqÛG2®K œ¾’j…Ã×?“ vœ:Û¤~í ^~ŒÓ}ü>[6ï¥Ô‘Uïi!~£óú“á{±±?Gywuîj>S–µ¿ƒÆçò8CëD?¯‹{ÇéëˆLŠ"X?¹ÒPÌ­ÔÜìô|/*_6fñfw
+=ÂRŸó>ÍjóðÔv)Ùyÿ¹[G¼Ü5)­…ðwÃä¼Ar«òqsV
+…üЦ^o{<´p–…p¤(„¬Ý¡òž#%
+o– ›.%§ª¿ƒàêÕÎ*4Z®÷„&§xás=G‡ü<ṼǕoÜRŠÂò7ð|lä”güâ(l€Â(Ù‘(8Å|)ÿ¿wÆô/þQL™ uG«ØâÐÏœÎÎ~N*{cÀt(û6HÝB=viˆÀ%ŒÐ/ÌÐà>^P䶊ŧ¡¯ÕrȈ=ÂÆé2¾ldÔD4“kêœÐw§3\Wd†@$B}vÓmwÝK&à#ýÁ?¡e6êœÿ¸¥*IÖÔ*Àií¨²Q„É¿åAFÜd@+íy‡íj¡×Ré­¬üž±àV{ñ)„ÓÜy¸K þÍç*ï¬%3Ã6ÄÐqO®Vîz
+Pdž·ÕŽÝKcì" ÂñקÃ߸Ð|÷”: úaAÞffñ~þµGµ³+ìMk{çg1Û»tîO±¶)0ÞÊœ<vŸj5Uq"¯}h‘ïÎ[ ã^ý­ŒwXcsÝX YVW³Zxg/ÁÍ& YÜÔŠþ6¾ÿ„×ÔĈäUu&S·+0›Ý)§LI4îÄR°vò[_•(ÉëOJ¼‡ŽÛXÄbÉÛú󅟃HÙ¾üª½[!+ØÑ™õd­¶¶¹c ¡µìÉŠaüð L²ëb_Àå¦RnMúY6F¿ÅýíÕ<úx*¸÷â&?ñiÛJÌ¤éŠ Žô·Î±¯‰Ò%§¤+Ž pñýïê=Ú02á=o !“®…-‰NØ ží2_Ûš,l|%ÕvW”v¨q$M1‘]–OmÍöèÂg®eÝ/Ý»ÈÔß1x±]Ô'ÎÝíÎ<± úa’'0x{&¿µx¯ùí©wÏ.o†l¬AÁ +Øο>Ú²Ê.ÔZlvp‡k³g¤…æ[FMIÁ‹£÷0ê¹³ÕvœøæhPKò´ ûäx´!vyÚ³×eœï?uúfK¿ŠÈ+>ªX'·[ò&&ÇŒÈSm"~Ê\mŸ$¯ GÊ-ˆýJo%ÛÞêdyž†õJ-»Û¼`~DÒ]FB´§Aäû¹xx²Ãò`}fZ%±ÆÈr™6³Á‡å_Êf
+í&2PƒóuíIŸ[^|uÊàïíŽl«0x¦ŸøpÙ(ÈÅ%mé…ÆÃð½/¯ ±sqØo
+ŠÉËQfþNÒúðÄCzòÛgêg_åD6ºq¸I“ª¸ÊFØ2Ëv­Ö¦™˜¤Pé¿g¦Uu䂱~Õ#ÉUz$¼
+ÇHÄ•vËÕ$«x-‘–ß™š¦#{eöòÓ`ÐhšDŸâ°º ë«×^9ÁB0¤ñ뫽‡í»˜m×ÖÜ¢Ò ¯-‘+ÖŒ!ÇBPŸÕvî¦è ·?§¡ºƒ¼E^$‡ý…’*O*n˜.—Çw2wÏ5N¨°xNÂø,†éõG#ËÕ€ª“ŸêÅUOr3~\Å[kÒ¸! 9×0ϵ
+CÝ_‹{™éÉYŠúð["šgì2eàß$‹îy;Þ;Ú
+_ƒ ÃižòÆv==·%!Ãd2KVûBàùü€ÿ'
endobj
-977 0 obj <<
+993 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 1344 0 R
+/Encoding 1915 0 R
/FirstChar 36
/LastChar 121
-/Widths 1348 0 R
-/BaseFont /XMLQTD+NimbusSanL-Bold
-/FontDescriptor 975 0 R
+/Widths 1919 0 R
+/BaseFont /MITGYF+NimbusSanL-Bold
+/FontDescriptor 991 0 R
>> endobj
-975 0 obj <<
+991 0 obj <<
/Ascent 722
/CapHeight 722
/Descent -217
-/FontName /XMLQTD+NimbusSanL-Bold
+/FontName /MITGYF+NimbusSanL-Bold
/ItalicAngle 0
/StemV 141
/XHeight 532
/FontBBox [-173 -307 1003 949]
/Flags 4
-/CharSet (/dollar/hyphen/C/D/E/G/I/L/N/O/R/U/a/c/d/e/f/g/i/l/n/o/p/q/r/s/t/u/y)
-/FontFile 976 0 R
+/CharSet (/dollar/hyphen/semicolon/C/D/E/F/G/I/L/N/O/R/T/U/Y/a/c/d/e/f/g/h/i/l/m/n/o/p/q/r/s/t/u/w/y)
+/FontFile 992 0 R
>> endobj
-1348 0 obj
-[556 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 722 722 667 0 778 0 278 0 0 611 0 722 778 0 0 722 0 0 722 0 0 0 0 0 0 0 0 0 0 0 556 0 556 611 556 333 611 0 278 0 0 278 0 611 611 611 611 389 556 333 611 0 0 0 556 ]
+1919 0 obj
+[556 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 722 722 667 611 778 0 278 0 0 611 0 722 778 0 0 722 0 611 722 0 0 0 667 0 0 0 0 0 0 0 556 0 556 611 556 333 611 611 278 0 0 278 889 611 611 611 611 389 556 333 611 0 778 0 556 ]
endobj
-796 0 obj <<
+989 0 obj <<
/Length1 1166
-/Length2 7700
+/Length2 8219
/Length3 544
-/Length 8516
-/Filter /FlateDecode
->>
-stream
-xÚízUX\[Ö-A‚Cp‡Â*<¸Kî
-(¤€ÂÝ!œàÜ î‚kÐ .Á\ƒ\Îéÿtß>Ý÷é¾Ýïîý°×šcî1çkì‡ú¾b¤U×┲r²
-ò›c02jCÜÀÿ?20°¹Ä *kîö„kÛºTÌa
-`(öÔ´Õ¹êÖærV·?ưغ¹9 ÎÖæৗ«5ìd}jTj%ãäø+ÆšÉB``˧¡¼×Íêä õý°5jõçHVîÎ@(ÄÅüJö’ŸBÿŠÙ€Ý
-ƒ­ÿ±W1wƒA¼
-*ÑÕvgY…ˆoC~©):h?Ÿþ, ² ‰LÃTêlšºaV2Äl:¼"¨ìÀ7›™í“Æ朎PÀp«;¶ 0(þ<ÖÉsk[Þn}[3ì\À¯Äkì¼ÈÑ_
-JÜj£A¾®Í×|¥Óqª'•¸Ù»¤ùÒØæ¿Ø!êåu ©ÜQÇËï:ê¡î:óL1%ë×ÓˆœªkÊ{(T¯¿ûà!QµÕû©cûëM§¾v×É樂‘ß®ø7^9¦w?€èÜñ ®ïØz|q¾ZÓoMÉ2廊—»
-ÃaTÐ{³ã´òÈ"°ûì ø"»dѶ'ŸPÀ”LJï{Äg5—š5ü÷¾-\_&¯z«ç…u“Œ|XÒ,œ$Åï£ ¾â3ùåÖ Fo½Šõb~Ä4
-(ÈGK)›>>ÝQ9Âîw…&…!4£Cw‰fn·
-¬åB?C¿ÒM@'^ष=“ó¤y6ñ_ MóJU`âõ{Føbþ•yer~«tY”=ÙW,ƒ-ÉpÊÖ쨡È;‹ûìÀ·ªoºõæÉM?9CÒýÌsîoÈŒ0+C‹Ïö׊ŠÝv«íñ> |˜0mùðnmãÇC
--\»¸/³|Ô› 1œüEÛwLOÌJq ½3ðtª­â­jë96)[Gý ŒæC¡»çœ ³Cˆ±Rô
-@ZÊøv7•
-…«á#!]x€6+H*?¶ðU„5´[J‡™¿m gY+Ù×i?·ê=ظ¼2Ô;{çLâOž]V‰â„µIÞÈŸ¼:àu òÐì-ÝR¹Ù]ê\M4rчÔ_VèN ²“êjv¢!Ñ™:FPhR{ò^Ç•©K™÷F6Ûqö:çÌ äÃb÷[˜þîçÃd¯^™gi âe„faÛÞ%:²cÅ5GÞ Ti5+8áæñ6zj64Å÷¢Ù
-KñŠŒå€÷­L08ÞµÏnIÊ
-ŸŽÆ¼³ Îæq±@å즤µ…üÔ2Œ{5Ä·P쫯BóQ “Ž$NŸ„ºŠ@qê>0¢Úøóû߆€ÐN#3ûó¶5HG ¤µ >zëÔ\@6ýÊ@ÚU"ýB‹Zwô¾"L;}X`¯Sç¼,˜—@BgY²%„rt…èsóÌgÎÕ„†€FCš†Áë—Ñìqa?¿s¬ÒUn L”!›ËVQ·¦2Í…ÒÔ…ªYýý OgfÏc¤¨ÙãjãØf<—uR05»šL(ÖF>©+vfQ©óuÛµ­C½£àO—†h¸ X¼)NÁ.e«©lzíÑþv#áQÎ,©‰–qc–ØËzöµám„©MLÝùxΆòüß^-ÑcÍ0®‹{ÃШ›‘…Ñú/0‰<E"ñ±
-zv®õjÌ(71wºvžÀöë8FÊz¹/¡Ø—ÎNä:ÀÄg¦N¿$|ñÄèDNÓ“@I$[¥ãª?¯?­ ÇñK\RÇ7‚íìw¿^¢˜2VìEORøÙ+;hUµµVÒ84Ó=wõ €ôP®ómÍÖ̉Žw'F½og½cxìØï;
-¡Ðj´ã‡u\ô;LX)‹ï»à¾ˆŸÀ„µÙ–B6ÕfèÈ9•Š[­½ïÊ—_ûã@!¹ µVQ³›ÄZ²av"M¤þp\¤_·_ÕGÚï“—ÄÍó‚>=˜ª´^I.ÚMܧ5 ®Â',Žï䪦&2 ‡Š¥Î™lWš¢(m±ˆÎÕB|›C°Mî^á* p~ ;ãùýŒe·ÍÊá ±ÊÑûR=Jçjâ­“óÖ~¤ó>˜H±Ôåª1O-èª9FäŒañH®×‹™ÏÁ­7"ÞG6ª@¡s²1\Ç_Rjc·{
-‰PÄ—úõ=‘¸a·žM»çxó4^y²ÛVŽÚjÂA¨T\v—+ˆUmgÜô•!?5J»î%uwwl4²vde¥lº˜?R¹Œ£‰îN\ñhšzJÎî˜dgž°œ¶À"¤ÔSWõx×rò²çÿŽpá£«Ô ²Cê^ IoàE1£—ï5t.,©—rk·À2€á ñà§sÉf6$Y ÿ<úŒÜˆ&
-n¤¸þzîaäÂXµÓ·+`;Z1„#!¦²xÄJýz”¢MÎÄ Ž6ctÿ;¬Âm@ÌÞ¼2Átòɨñ3(¾æó*ðÚ—÷
-—ë}f²JrÀ—.Ñ ÃM-ÚšóÙ(ÁÄá_9ƘÉÑ» <]ô!s+7TcSˆ9”µµXÙ1"QŽÁÎgÁœÉwn"ï“éNNJ?.(9®DåôQ›'¿¬ÂûðöÜ@fµ–€›Œ¥ñWj„r™‘û±øùüÉwÕZ3¬LŽ*„¡ Ó}¸?ÍЛ÷J|^NòýŽØ
-?9«°fˆVQ/¹‚¾‚4÷vø‹¢¤¸| ௿õ!WµwúyÙ[BC—hÍ p-ubu†:7ÎÉ~<ïüÑ[Ì” ÆÉ 5<>bz¶ëŒ×g:{ºáó j èËñQæt¦u"yöƒuÅŠÂ}å†×ÁŽÂ‹AouLr6<ƒð•äß
-­Âµ»+í"·}=ƒ1 iË>˜>1òÐ8AžÑ%£³­™ü!±u‚>i„Ake“Ù+”¤¦‘˜µ‚{Ð…àˆ
-`*¡ µo‹™ËRÎ.AÝ7ŵ©¹m„º—·¿~Ñû²z³ö@âdTÏœ©Y³0ñ7",)xÑåºû«#ɤf· wKUé.@8ìw⺲NbH Žô;ï¥ Þø5 “‰ÏZ³QÅÏö×GOÛ,lÛÐ|‹†³©jç°3™^ JçU$hZ#TïÚY;.j>ˆnÔÖÎw²e¡ir˜Ð6ˆÂq
-5mh»nÓùÑmÐ÷ú?Ÿn:41]T]k,Rìa˜RŸ,«Ò3Sï¿:¨|Í?ñgÞ‡õ73->!]7Òõuí͆N½›k‰Á¼ÝôÙ+ès…Î{™3~¢a(’:Œä£ip]–Ì kÍ%ÁZ½äöÑ
-T¬ôUU6. þúc€”«1Ö²E):ÅDµTòv%×õÀáƳ6nå+"úë^Aìõ‰Ïå¬Ry2Mþ@½•äjì·Sc‘˜=Êï?q°ë ÆS$•½·‹e]Œ\²Â«¯y¸ ɼ±;ÊúÌ%G7§ûg×O>¹Ø©L­÷̶VE^»‰f6ëê¹ûˆ VYRŒcJÎ@Åôº%*fI²=ïz äÉ&²ïáá;Ï›yú Ge ò‚z¶s”¢Âá_¬Kª¸»N’Ð)¸VW{Ú3÷>“ HuvGÂ'Ö1{uæõÉ¿nIÍü ˜Éøj_<Ñ,DÉ™öýRÀ°éU Î^²ø‰_¢ˤ¯ïç€âœULˆ2¶‰_™ªá@ø|fè3E¿ Îâlç"å¶B~§ZÐ:ŠòñÛ-EÅ×Èœ‚±{h
-B Íç9ƒ|£ºŸÎ¢ÕC4ó©5û>â
-Õòјâbžtk[nyN㦰H“òN,úŽÚ&z‰ê +Ká-5’fÁw#9¦­^üÁe8$V•"@ŠÃµ;~'ÂôJ–B°7ÍÞ#Ýr-„+íÝÑå› Ä‰’ñ'1ßN”,÷T|ÂD°eW‘Š‡ ëЧ
-7„éô
-BRC˜Sþ0–YÊ>Î2‘ÒËM)Xvþá•Tè+€Ä×g$ž>ï …^ƒc ™F
-ŒD(©©³ÆBcýXÿ°‡C‹–¦Jcm̆äbp¥ú°¾¥j—*ãš—cô
-«¡ÏDùs·òY„3+Pµ~ËÍñD lnóU?µÚx„4iÚÄtŽ¦=ÌkhE_îP[åh]{ ˆR›³Ñô»º®Ù‰®¡²îLà‰JÇ3»°h1‡¸{ð äI„ÆãÍ
-ã;œû›±W2³1Ñjà|Ë4Ñ‹)èîZú£bìWyä鵇€~å%{“ÞÈýAyÏ {T$¡ž
-dugç,gÿ¶ùgÛ'îpRH¯Ö[>궥¼˜+¯p~ktþ’3ø@mÚ³•bzo·V‚Hµêæ&W‰Ò­¢jkÂȸáÍQéÆ|ü7½œ?ëî£ÖÇqDégXEÚlßC#?œ|*JºýÜ}K˜vÅPi­‚SÝÎ=VÞ|òþ±ÙéeŒY3")¤²Î>Œt¸ö¼²A@—i·ó¾åØx倛l jÂ(µ
-æ1Í‹êpÊ-oyÙØñòuuØ|˜E¦–Æ.›Îg7 ò0$§#Ðï«,((©)!ònà6nêdJ)aÓ)‚w^Å¿À_Šb±{zBÔíI&ºÏ,$c»¾HI²Wýîq†OrÊV\²/ɬ›"n;Iq¼¯Vøþ¸žÓEKýdu­Ï€C1ôF߯éjE¥o!íkõÅ2M2¾7²Ï·œÏM \ n•Rzå: ôÛ˜ò
-Ç–fU7ó|rFyØz0£³¾²ÂÞ;VêÓ(:³>¢ŒoþàÐ# ~Êç¥ßÏ—Œ9zcH·ñ
-+šÉù½ý˜÷ÛoðjÓ¥ +AšÖ}§‰Ö‚ðBàt8´7âM‡3UçÃÈÃA\€>àíÍÐ[u€ »™Ñ´æ–¦èJ—Ðö¡ÿMQLí¯vm¾ 7ÕyŒáH¤®Û‚G‚e6”úq\k—+ž•}¸Cz ÷L‚"}l¦Ý¡"an–øu†™Ò9Bƒ¥¨"ݪ@²&ëœÔЃ4 ùñ¶ÎçÄï[!œwpHvfCOmŽ»ÚÜÉ¢Ÿle‚(*÷–7šGy¡wª42Îœ¢$£íÚáÃHRp9¾åŽJ!á/lú¡^z×ÙÅ;ª.™Có¹ƒr{)²µÁñnqßÑ=÷é»cdÆ-‡è„˜’5—&Èì-…滇fk^`ØTØLj×]íy7«¡$áÓ|i)>Å—9í®g3Óß—?qkïz¡†sý,ÿ+¤åmÝ‚Hslgât: ˆ¬À^Öˆ]ÜÑæ>"^‰'ø¸Û®Ñʘ`‚IБ¸ïoá6föœíƒUcì¯u|'¡f3uá`ö»ï­ŒÎáb¡ŒŠòû†Ã
-â/~ç&¾Zæ3Ð?ø2â­;ßÚ5B2Tâ]Øn0ïÏom01#Úsø£¹€UÙWÐAJ)ѣǗÏú¨¶¦äv ›|N)ˆ2Â{ØQ« »-%VÞ˜§Ä¯í39ˆ(n‹ª8½îgÉ”ñTU¯„°nîs<맊o<KºVàHûÝòsŠŒÒåheK`R;ìîÕ$Jÿ”å‘Ð<X³go„f#¨‡Nê©äM ô{?»}…Ùy°M0|šXr‹*“T §¢ŽM§y©mgé<lñ…(ÝÝd4}o€MKÆ7šϯ7¶?}íw6ÐOÔÕÛ¾ŸòÑoJB-'ºúôÅIî(L£iià'Î>”ºîƒ¹s ò8©Ù§ft­ª¸¢Ä–ŽØ¡.n¤7,þ8‹™¿.è˜Ào€ßèÃ˦^*,bá+£b£‰  é\»<¤Ø/øh+gn”NO«5ˆ=R5¹UÃ'Ûµd¼Öº§EÊœ÷±È/xÎØŒÅrâû½žY
-íZ®}Ãeú ùT­+ǔŷ˜HRB! ÍbbgN\º]N)ývC¢1³*û¦hÄBÇúó2Iß‚ðþžé'RÜf¼šœÛÊ|)G̸~ 9Ô•ÙPÆdäÐ÷Ϊ‡­ƒªmµuçIÚà %­zû‹WœnלG’’eËŸŒÀ3x)Çm=ÅRûv|Ü•ò?ŽPŸ£'b:é¬D_›Îþ:éoš#ÅbžÃ¡|^†ôóuýt’²$yÔ¿­ì¾Zú—„©”Õ+cµ±j÷‰uQŠ¯O. «Ñì{ýivÁ±ÆØË'‰Rh<˜w¿4ו©r=fǽåŽx«~LýŠW·Õ¬[F_Ñ—¬ày0Wòïá ®>ußQÔŽCtžUuGö¢í¡µ%ª«±š1Þ˜¸>ú!È7[/ß½$i =J*–`œN6w³h·F¡Z_çeÚë¸sjhÙ-›Ÿ™|bZ8©_„ë¬l´g¸x•ÕU`•¶ž$ýΠeÛI˜P>¼JG q(â…³Ò¿@/fÎWEÖ+ êbòÞ$‡Å}ω]G5¨—È‚Û7ñ*ÒïÐ0cÐÎJ:/Þ²PÙduZ”3„M¿0sÒ0! ÅOŽ™  Žã¡Ý>ëÅ[ d`àd¿åe2´Ì ™&F¤íÿÆšj×®ï¥k—Ûë ?@,Å‘â8ÌzÞ6<Î|¤_Rö¦RM³šë·ioïOÝ i„î7}œï¾¥÷¶Ú³öK߉mŠýè"¢ÄYO=óÇY“Lï´Yƿ݇×R;uÚó.¬£e¼¥k„¡€¡•LԔˡÓõwžì™ÈGÚšž×¯“KÖ ªëÒïB™;„è]H*_?›ÎÞHº÷Y‰ÀÇÈépY›’Jñ¯yÑL€à¸×«¼3y cUêª<Ú ¹Ô×ÈÚ¹œ-Õ2#ØÏö€}ºþuÌÞ¢×5r`܇^¢ñøø
-=
-?Hb~Š rö¬ò{íÁ'8wÑ–î³dÄû´þÇo' QÈž†jOpöKGˆmú?—9&CÒäý=Œåì’dF¥})‰L^ M¿JÀ6\r¡ÁœÎÍíÌ‹—n–ÿÑ‹QÉaZÏ9A^:®ëž›àö
-ï| îCg/}_··í–sÐTvF¨ù³êÖßH9ìr3"ü$h
-÷&WI 9) €±*‰êÁZ1žÔxïÙú‡I¢,áY†å½¥ÔúÅGäu¬/Ñ ½+©T.Ô†?kÂڞǜs¶>û¼ßoeˆÐýK‡P6[mÌqû9,Ÿ‹€-ÐṆEѪA
+/Length 9029
+/Filter /FlateDecode
+>>
+stream
+xÚízU\\kö%Ü(Ü¡p'¸CÐàN…KáÁàîîîî4¸ îî0ÜÛÿÛ=}»çiÞæ7ç<œï[kŸµ÷^ß>õTÔäÊjÌ¢fö& ){;3  ¶5qqV3¶S`VY¸
+ì2SCL-ÿ1.¹löçwR¶wÿñ%˜Ù¸ØþÆ©[‚M­í@Îίgñ'²3û[JI;S{3°@ ò:•ÆNfÿþ M]œœ^íùó€^ßýko~-r™"/ÌÚ›
+|¶ªþÜz[)JâƼ5ÆÑíqýâBƉüÝz“¦[‰Ðºˆ„3ëŠ7.MBù‡¥p¹.¬",tp$‰äw7k>±6lœ l™PâC–A%~ÔSDº‰3`qÔ7„Œ=q~™ò’kmjañQlµ`{<ßw·:;»ŽÞ–ä”!}Ø¥çÿ8þ cã£Âÿfz¨]hð%E®£~òŽVN¥þ𧬠Ûhf¶W Ëw:XR}jB¢]ÄÃß>ÚÁ~oYÜb~_9äÃ%Ç¡ï°ÄÔ—«Ÿ³Ü©û¶ÐÊhíƒõ&¦¯ð»%ŠSä6QüfÃ`¹ %®“ßmÇ|?Š¨†ªÆéo
+ÍZ‹²™åkÒ9W\Ž˜µEÎ0³ÚpC²I;ü& âuuΆ¶sMѨ͞eÕ0p]³÷R› »û=¸lG+»ó”Ua×>Ÿ}’&ÚªTC&p«¬*å*]±–æú¾üw³ÓT^ ËcÝ-õn÷³Íi=Î]á)Iš°-V$¶º Ë"š¦
+g¸—Útk}Œx[ñ®Ìõ.€jþ¬´%€Ä4êª!
+k¬Öþ´qÃÆ´°µ­gê»÷ZÂJ¬v3’>‘M0•¬*3ò(ybQÛ_. ²‡ ÇP3âĤÙXÕ˜…FŸ~||Yà^òVOƒí÷.tc`ufÀûe¡ÏŽÝý}@csÏÊÍë
+‹¡å7Ĺ@œõ ŒÈ±-ñÚΔõ=±ýÄÆá¤ÇÞŸÚ‡ÓRCbÇù0X÷Þ­XcÁi¨>ýÅŸêr¦šæö!î!uÔµ€(vîkõÔ¥„–»ÓE±Ô¢AÓzzQÄ u´üÞäâ%`O¤ÊPÌu¯QM!3™e¤ßóÉ*Ä’C†òßoÐÚj0‘ûi·w/™#g“a¾‹RJ³’¿h(úõÓÁΫxƒ×KZÿ¾}_ΆMëoÁàþA¡ߟÒ_} ›mß± ݹe½¨ Ì6Ÿmà*Ç(O FÕr$[ÏEra&C…ö´,^.ßöpÍÈZ‘Ê4Љh6Ç£r¡ñß›Ûu‰j9…£d¯|5M¥[+Øë0Š˜[õ¨[Ù‡ì™}t ð&N/*ƒ·GÝ$®ãÊf½9à€ø¹ªöäŒüV|âí*t¨À› ¸ê…í+Êu!÷؉w6ºSyß‘8óý3N®AÕ÷³X 7šDŽ;‰tÛÙÛŒs•šŸ'Õó÷ÜÄ°£ç‰Í"7?Øë`ÕÜæ½k$8ﺒ[vX¦¬;; $ØÕÿÈ»—û¯“³Að^W Ú¬Îs0blD@Ê æPgW,…·°P@”ô36†—ò”оxíx=,‰Û=¨‰æ"Ú’®À<^jÒq©ç7>qOUeƒzIeÆ$uŸ¨nýàӾȹ‡t•µÔ ¾Ö_ÀI½…ÌeÃ޺Хèjâ6C9B:JëVÓ³w†cÒNqî_¾3¥öþ§²}l™ý-"yÎ>ò-Ì„4ÝÑkh ë-¹ùHjÿ‘šN¸ì çB¾—–"Y©4.
+A¸i9ŽÌä“op…~{ìƒ °CÏÕÑÈú²’a ÜV njBL¹Å°oÈ¡ê+PÍq—6 À=jßÝ"_¸Ï~pü\îà€²'æ¼Ì+(Œ1ó„À%CŠ‚â"t«%Ø̈Z rN:A&¼Û`¢Ó ¹MÑóå9~¯ßW'úØ·õ*òÔ}”w]ˆÈ¤%Á’U‡îJŒe!s‚ÞŽa[]s@éƒyhžuÜýIK±,>®øÝzÚ€$Vý®ª [‹g˜®ùœ7vØ>À‰Î” Æ>ìÆ?€á,=P-°ŽÑòsFö›œe‡H¶fkÁ–ä2W>JjÌdÑÒ*”Æd(ÛBçˆÓsmº¬vkuEúCǘžœ `g“Èñ[ª€O‚zŒJi¹F…ÿ3_â9N¯!úÐéLJgH*Û<ª" Æ)cømR"N|ÃI–Æ@àÂHóèg÷Ø!ÎÚVB†,õ ¬kiU¨£žÅˆ¨iGÁtä“üª›:æÝÀK¿±=q§‘Ï;+ƒh±
+Y®R®º)Ë»Ê&:ð1öi?¾rÀÓtãÓD÷Ê Ÿ
+~/bÕÉØ>íXÑîtÁ§ìF¥&ʤ§<õE¤O¬hª¥ªMó*æ9¥nïæS<¹
+ •>!¼©öHøŽÊ}1/Ì錇¯ü%ŽÔ—;f%]žª‚Q«Wnõ¢¨Ÿ¬þë×üäùs† ÃÐð<*:›Úƒ=‹’‰yÁbd³ý’wÝ·¨ös©n ﮼iÖU =³¸L…çM‹àÛ™,’¿ÚU¾Eï_‘¥b¾ZŒ~*{b´‡iÿ¦EÁqžtïå%¨ÿpá¹óp®Ì±´¯Å&‚ãßÔhUµÞ°Ö)³ÃéLïf\¬á?îŸ÷Ö|;Çè]zÑá8*Œz·2ÆwáQx+®w±Þè%ý˜¨Øôêã%Ãï ýü?ó>Ës«WÄ¡¹×ÏÕ|îÍä)”ÉáÚVÁL³ºVY¸9r‰ŒzÃrÄ¥$êío—Rè5t‡©ªt,uöEé‘w
+ÇÈ“Öó²‰ÁÕ¢eÓT­î^ú1
+ô 2ो±¦
+ I~Í)¤×™±'yš‡°öÞ»øþ¼¥þ2†kø@6×Øò¸÷k1v¢üsí†Ö]0RrÁ5í‘bíêÃ÷s,íq ¸{×vزֲá$Ðx:ûÕŒ|EÅrÆ~?ó¢Ìd¼ô3×n¬ÊKD¥9ÏÃjHpßí¤ªo¶Ê6‰ØŽ
+TteS¾¯<´`oCïO¥L"/[Q×f¶“,TÝÐÉi£È]²Ânñ¦d&hY·zp|„1v:LI0W$Í°¾}R©‹•èVuÑâ…u¼É³Ô"Ÿõ—JL‰æ3Þâã¸;Š%æ?¢SôLÌZl‡)u‹1¢99lŸÿR°uø¤qCdyÂã¾jw;‘Í7®˜
+5õ~Å®“ⶈDó:0K®sØaì÷
+\§«0ù¦ÞÈ»Ujáýì?ÓÁÛº€”<®eFÂÛ;/…)*ÈħDª7ÆúxYvƒ•©%‘æÜ€5¸¶rlb,îE{D‡‚n¾ºI¬Xß—F¸N[0D:.hIí{bM@Ž\LZ8Vô1KgçÓ&ÃÜsß~)Ì8Òr^œæÆcXÐúAÄ0ŸžÙ7eTW±çNÑ16ÑÜ=Lð‚ûHj•OáQ«FÑ®-Ž.S[Îæ€ø¦Ó¾/ø¬¤=™¿[£>^µ qj‹ïkñ‹—èYv3ÞåêšuÂKýÄE‚àÇ΀(¥'ÕéZI ¿týLô%-d8=ïò^%† JKÓó.›Ïïñ®„Mõö´‡\wõÛF?|Êà~TƒŠ0FvdíÓæÁBª0¤üx«›‚ô3×ÃÏc³3®{຿ø¥¦S§4@²AWÅ6×™»ž]}ÇçŠfTwn¡)¹ÃÔwâÁúábNv5)îðE3ÍEyñÑñÛò†).ùÄ»òcO:ôÖÉV½õ_/[ÝÞíŒOÂôqD=yeÅdæ&ûyi ‡wÝ©Zpî¨TÔ ¡J/>/å
+nñë炸™Y*h°‹?t
+H?¸eIŠ—ªÆÁÿ°’ó(üèšÐ@õºõ‘7=Au±P¶v«¢½Ò¼ ¸ªÁW…NÌÍeêáá²”eÝÐ31_&„‚òwnª³Á= …¤_"kÁíZkZÂì+ø'Õ]ß•|4¤IÉ}4˜F˜Q†[P»ký»ÇUª‘ÕŸÕó?FÛ>S—yWÞs‰K=!“ÖRÀX'<jù|«ž —íJ½jŒ—åf(^¸AÞ…k±ÎY§ð§-ï
+bÛ
+~kКYãYç–­ˆ'bK\û^àúe Üñƒ‡³žj YØ„— H_fU:º½ç(ëÃïø‰8lÞ@ÞÀ·k=†ŒêAotZA xÖ«Ž6;ÆÉ×ý¶Šêý¬Ž.†I/½üþ¢ôˆ7D[»fëä­î”îv¸!ëPÒÑ^š¡¾t¥-ÄM~&’~ÆÑÝ7ÇêãE)ŽÕÐj\ƒv+1\…xwÖ b´|}"ªÖœ°wU䆅âWcœˆ¸èiOõ·¶ê$hBbýÊɢ뽪¦¡­¡ñ}Zwö†U)fßu^ˆ”TQ(”9%S3 ôëhC,‚ܪ˜éí¥nÅ ha6Š/¿¢pg¾ÖéW,öPÏ=VjáÁ+)¯BK-b »&ÈÒÝÜȶÂjÜ:°Á5×ð§¾ëMflb†?î·A%ÑhNÉùM×jBòý/£!™^dýì?Ž}uÓxkàÊ̺‹”
+ºE<å_ð]¢Ò«¨£ëK#Ô8ß ôÌTòÖ8ïn§àôØùß¿[Ècj¦©YlÜf³Ó¢Ç…hum´—*KÒïòþŒÆ·R¼SØkæ\§Ç@°[‘Á¦lëÙß6úÁ¦;+36*ø¥ZS‡'Ï K¼GvŒµ ¾
+òI» ½KZsìã&&ÑŽ|(ã½%8‹|ß]´së"¥õ.6óá®3ïw?D`l0 £¬Ó Ý,w@§‘mÁÏ…XhÓ¸êC¡ùa6›t:4Vü•þƒË©¦©†ƒÀV’[‚ËIϨ*[Ûž\÷Üz–¼°9hóáäýÈã%Ôc‹qƒî‡<%ÝjÕL–*º¢ú¾V_x*]'×ö@Žî)Ï9o¦ån¤à>!­ƒKc~FlPWšˆâfh¢ô9&»»äNA0¢òǬmZû§æ;é ϼGªmnõýa ƒö½Ï¬¶íX@ä7^þs‚ìpé‡(ÍLÝ!·]ÓKC Ö'"öÂEàÍ •,³’]R#;·y#ÇVcðŠ®j°¤§÷b²º´TüñgOÞ0å¢u'”–å¯0Zèñ0É#fo1E¯NV
+ºÇwÞ‰ˆ``×긘ÎD÷Ô‹ß\Hh˜ h@pE…°/¯è$!1D¹‘VB¡ŽèòëFŽ ®–ÍäêEH˜$.¡KÑ~LtBðòUkÚþs“y‚üþHN‚>¸)Ïê:Ÿí»%²OzF?‰B:$ä÷K ¢ªLM$ åÉá‚=¨ÖŸ2OŒÞϘÅ}!¹ ið<ŸÓŸ^€Zògäm#q^åBÛáXˆ¤¢Žô^îpT%Ñ j÷Š—ûñyôR8Áà×Ò)Ÿ¬#2š>ÄÏøƒ§%£h¿ÖGbHGfh~LÚb„,Ô܈ӽ™”ĸŽi2µÑÉOvô¯L¹`Ň¿¤1BáéÅåœV×V æŠ
+ëJR†sýœS³o?Û\Yûylîc¿¥ØÚ&W}{é—%‹‚òCÆgØb1ô3šY- A
+µ ¯\M©°x2Y£|é´É˜™™ÃªÉrÊ’r¬^•†Wé7®uñ©·ßÔƒÞ½<‘Î7!+çRSOÝ3+èó@zÒã· ¾E2¨ƒk-Î\/…ËÖDÊéI}÷Žmƒ*Wç EÂÊœºJ Æ¥à·ÍìµO).­žÚûü{‰Ò—‰¯?ÕóR~µ\B‰2b 9®Ü}“‹Êú«ˆüßæ:Üoß®Œc…èšÎ¸°ý6QÐ%9ï"n9êäˆkà‹5…ªE¿mc©#ÓûŽ~SœNܤá‘kîdË¥=´Is™Í²ä»§”é~-®‚b
+ŸÃT¤±öVið„B»·¼P@V–bß]AhS­L±ä…M±x7̺¾!¤”ÃEúT<ÕÞwü(ˆ¬úA*U  ©„÷0[Û-© ^Æœ
+ñ"~£t¦K©¢ ·Þ+ÿ¥ØËZNrósÝ,2r,ZAqÙúK]¦äñæ×4«(‘kÆÉÉ ©^¬MòáFÌÔ[X•ty‚…ƒ\[$«Å
+Æñݧ‚}~¾+kv&×uXFû\éo¿æ€Òý¦ TÔW›EšÃƒùì
+|û;Îb‰; …ìs™| )Yÿ7™îÀø"G›àX!¾,ÒÈHÐã›}€ÖÞü‹i-PÁF²«ƒüÞ¦ZÓijýBõl&ü`>R}-•ÏT{@Æ×­ ›îMß.¹\næ€Ñ‡ÿloÙ©%Èä'$€n’ëó(½0ŽùnÆû d¾¹ G 1Ôù-F‹x
+˜Õÿ9¾|r=Œy©7y«ìýUT`-ͽ̷4k¨
+󚺪mÒгdÃÊ-e ¨®\øÔ¯Õ&/ævÈðnßSÙïK½c‡ê=åË×Pã{;õö{I‡´HCvÞb˜qÌŸŽÞ¥J—†u;òi²aï2®zú!¹BÕ£èæÅÊfùvwVúÃVMæÎüÅ·±CqßFê7|½xÍ·i‰¡dð‚nŽJ`±—æ)ÒFÅΓHú_FܬWÒŽÄxÏ|=çtà¾U×ÅhG³ùJ|~+ã4p¼ÍHSª# ùÞ”zâñ)åí‚äbÅ7Å!„²‘˜‹OõÂÍʵ6w"3¥·'Í{YVO"þDh‡¦£ï¶¸„Êt¿’XÅ/D*³íÜd
+½~O½—Åóè.¶ÅÀ[›ÿl8¨¬–†JEj`sí#'= Û|HåÈ/}'ôäÇ!›XÖÅ×@ú3ò%éJÉ M|–9qú€Ù¡¦‘.Á™m÷›±Gf )Û
+ª¬†ÒU8ã>Á<uµ ?Bâ¬Æ+2(¢š‚a—-<çfhF ³9žäžOLFzƒ±†Rºr]ÇÈ£"KԽΨˆ[ª, GÊÇ•ÛÃp‰ÕBÉÞöÓ7
+‹Š=TÄÔ&ÌC!¼ªZ økÚû#Ê7›•‹2Ÿº«áÍcTvšò¦[bc+Äû
+[Ñ=wy3WR‘úžv
+¢³‰¶U$òhØ0R"úkV9ödùZ#×yÔD¹ˆì˜ôÑ{<ô%5åVáÛÇ'¾.ÝOUc~QeAÜ<M#œNä^Hœýjœ—Ôn”\ëЇ”é¾tþ­NŽY±ßË/„r Ö‘½îƒ™×òͼPÛØP9 “,¶HBwúF:¤ÞH¾¼í¶ú;sÖµ¿Nï~ßÓÎc]æ
+n‹ù¥RßÖo$sj±E É”w…â­NÈ”A÷UŒX[><{a™®’cÈ÷˜ìÂYkvE#N¦ôßÔ2á ¢ç$WÂÄ¥s¦Iãã­ 9ë»Çô¾ª‹$¡=aLjôïZ‹ÃÃtn͊2ù!¡þ5ÍcÍ"fÖGÐ:~°çwˆÿÏMBØOd´¢ Ìð^A@Ê®$%¾bÍ:†¾]¥Qs4±›éÇL†ä%}‘a\bBiÚ ¨ „7±œ?DãD]+nŸk`¾bž3pþÔÊ63稜¨;ÛE‡Õýi`"ܵuêÆšLlVW©V· ³‹ÁO|´6¢/¤ƒm? Le>u¨Äþ_^Èÿ_àÿ S±ÄÞÖØÉÙË ä ±wúãÏLÈÿ YŒøCendstream
endobj
-797 0 obj <<
+990 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 1344 0 R
+/Encoding 1915 0 R
/FirstChar 2
/LastChar 148
-/Widths 1349 0 R
-/BaseFont /ZTYCFF+NimbusSanL-Regu
-/FontDescriptor 795 0 R
+/Widths 1920 0 R
+/BaseFont /LOBUAX+NimbusSanL-Regu
+/FontDescriptor 988 0 R
>> endobj
-795 0 obj <<
+988 0 obj <<
/Ascent 712
/CapHeight 712
/Descent -213
-/FontName /ZTYCFF+NimbusSanL-Regu
+/FontName /LOBUAX+NimbusSanL-Regu
/ItalicAngle 0
/StemV 85
/XHeight 523
/FontBBox [-174 -285 1001 953]
/Flags 4
-/CharSet (/fi/quoteright/parenleft/parenright/comma/hyphen/period/zero/one/two/three/five/nine/semicolon/B/C/D/F/I/N/P/R/S/T/U/Y/quoteleft/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/quotedblright)
-/FontFile 796 0 R
+/CharSet (/fi/quoteright/parenleft/parenright/comma/hyphen/period/zero/one/two/three/five/eight/nine/semicolon/A/B/C/D/F/I/L/N/O/P/R/S/T/U/Y/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/quotedblright)
+/FontFile 989 0 R
>> endobj
-1349 0 obj
-[500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 222 333 333 0 0 278 333 278 0 556 556 556 556 0 556 0 0 0 556 0 278 0 0 0 0 0 0 667 722 722 0 611 0 0 278 0 0 0 0 722 0 667 0 722 667 611 722 0 0 0 667 0 0 0 0 0 0 222 556 556 500 556 556 278 556 556 222 0 500 222 833 556 556 556 556 333 500 278 556 500 722 500 500 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 ]
+1920 0 obj
+[500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 222 333 333 0 0 278 333 278 0 556 556 556 556 0 556 0 0 556 556 0 278 0 0 0 0 0 667 667 722 722 0 611 0 0 278 0 0 556 0 722 778 667 0 722 667 611 722 0 0 0 667 0 0 0 0 0 0 222 556 556 500 556 556 278 556 556 222 222 500 222 833 556 556 556 556 333 500 278 556 500 722 500 500 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 ]
endobj
-710 0 obj <<
+964 0 obj <<
/Length1 1624
-/Length2 5655
+/Length2 8351
/Length3 532
-/Length 6501
-/Filter /FlateDecode
->>
-stream
-xÚíWgP“붦ˆH•Þ…€é½ÒA¤W„$$¡ƒô^¤)*½Ez¯
-"]št¥H“"Üè¾ûì3ûž_÷œ_wnf’ùÞ÷YëYåYßš »¾‘€aQGÀ1"‚²
-Ä@df0@ˆŠDdddˆ¹
-êàˆÜ114ãåç¿û×Í/€×ŸÖ u€¸±îéc°ÿkG#€q„
-
-µpÁbX2}ƒ¡ H
-…U÷÷›-úÏóï‡@<! âéO\ˆSzf¦Š>§÷ªeg»~o(²°Öøe~@¢Í?=bQ¦Ôö¢2T°nXöò­×Äòç—|«ýít0ž¶TÈN‹ßmÞŽ|Êyî&)þÕ !ëB²Œm³ŸÝ®YH
-›®.½30´.¸¸~k¸I uc÷„7à¶{~
-ä÷wvÇ«éRèJV¡e’ìr¼9ùâ‚œô0˜"Än%Ÿ•MsÒºYìÎUBu¨9‡çͪ¸qæÍì}ÍlÓ} |e±ŸrºE©?G‚ü¯’ÍóEK0&•’O®&œ¾TÒ3©¢—]™7F=«Æo¬ÌS
-8O,llH?I76µTèXD œö³Sè.NwiçD8T¥2u¼ÁÏÔ ÈCiÂUЛAJéTH®gÜöI”1MëM`*o•æ¾ÐbÔõô©¹,V-u4ý†ýCÝÑUOKz‚—âÛë—ëÄä5~%šct]­§h¤²ÛNå¹öÿ Ûö’ñ?‰·ÏÊ*åI“y[qo.oZqO—f4!OòìC'=[b°ëL‡ \ö¬WK+õîI¢
-0…Ødgç•771ô|Ÿ¢‹y¾ÌõºbÓü–u0Æ_røªvùMc®ç¹ÃBÅ\n}HòýÇHyðîµ³p%Èuë@k+…–ß×ÏÔ\|©bû¬ç´ËOª?XçsË,[Õ©EWJaoD’ןÚªÙ‚(eT"Œµ6¼AhÒ7Y*¿é½|8 ÍÒäÒx5Ámê#)ѹ å€n_7¯Ë,f™·­ž³ö-üæS17É1I©wŠ—&ÍÄ°}ðnñô«ù\ t§kôaLs(‹‰Ó³ÅÇ?=1òJ8¹¬_Ãkvy˪7—‹´nK°°=içé0Â!O³v£þ@ë¬QueniÊ<¾³ÕµÑ”ÒÂIm¶ŽìQ#wœïa8ú<z/gÈlŠår¢g4t&*ÀD‘@(-=V›HÑü"§KÀF§kìqDœ4F—î>á‹ ï¶ù´eöä—ñsç•2´9µrœ%´5“Å%:ø”rBSÛÔ†Çàš¶/BÄ)¯o½ÑäNÜèÖ|ÂvthùL—XÿUš^ðöá÷FŽy
-ÀÛËÏ›ë"±¦­\E‚ñ<\þìa#®0G£Í¾ìÑž÷š¶˜œ ƧW3K2aØ•Ê/Õn$¦y½–î•Þç ùÊ1(µVÓ"bªùº©:¢OÃOò†Ÿ–Å°.(±Šb}ç”i¢Â˜¬ÿqî‡É{+_V®¸Ä´$¥¢P_[QeYjçWZo—¡ÀŠæUYþÇ»®i):q #ÏÙ@öN­³…sèw^—”ŠÖ¬®I)kæ¤Å‘s˲QMµd9^bU·ü½çw£
-÷oŽCÒ^ï'‰¶>ù
-ßX?zóä½ãÁÊñF—òû\šµæ–­ÎÆ:Û}|í.Mœ“îL#Ø*ê>~CÊ<Æ“¸R芧æx ê2¾D0ùÜšãæ­Üh<U±n\n:K›øš`9X£9§K@Ø4½` ?‹x;˜" ’Lœùñb¯TíhSþºÖ©"/xý¹\ƒsûÈQÒZ#d¶(ùX@/ÍïŠ.jf#ÏÕùÕõŒ ƒÈ¸ÑD/ù $³s_H|óÔyû­æëä³ë*åµÛÞ!›…9KçdäÌó¸ñoÒ>—gIè0Û„^áÒ% ÃéRÃ~îïQñE¸È~R<™¯—ÆksRÜx¦õ4«œßg‰½V?^ `ÚÖݪ3G6PøAb+aDoU¯ïN—íhø h.Ó FPïÉÃàFñä"}†ü»Š— á º 㜒žêHÿG¯2‡Ä *e&è°Ôóå[CVÆk´ø“ìtùÊœo$ô‡ÄÓ¯­ûÐ< ¯Z ÁéEºð.œd¤˜]KȮ۰ūe«úž\¤Ã£ó.¥õ—ïæ :@Ú55,g|ßæö7úh;6XÄ/>¶"ynö#®¼QóÀ<³{5”–SÐ/8*У‹‹GO JøL©‚¼EzÆÄǪµR¥xÂ]åÁ½œÎ+ñ6ý§ƒ÷ÎÆ`bINÇQˆƒ›§ôý6†„øågÑåîp&Ã8”ËöaKÚdagØ[Ä~¢ÇS/e:¯|¯ñÞ昮¡»œY¶šÄÐî«ŒLnc¶{ÂÏzõ/+åæ_9@irø˜crûó—?VpK[´Áúùp÷ãÌWâi{m¶ÝšÍš^¯ƒkBlïøôô¾ ™™úN‰¼·9˜¶Ë8ƒØdX'E?Šª!6œi<Á·
-MwY}6ŽûV¶Œ—n:÷ymO}€KQNUÁÆ®2¾)õ¼‘A”ɼÆÅ­…H?òês9úóØ‘)ª¦Ïý¥¼O8â­‰`ù£4ýÌÍͽ"/㬂ìÂ>ÂÇfSgL,D Ï\¤¶â2íÓ8MÇÇB3£[~„ûðü¡í)9ú{N»\˜"¯¬ê9AäÍÜBvLœ¿xa1ýÐÙ‡?¦•J§®2ˆÄ‹"]¥ø4wLôn´¼lûÚ¡ï§.|‚ ³®2èEs^Þ=ÒNQã·;\Ð2>“»ÕWlª”›
-ÉZI²L%g}W f±½‘¸»=ñLù’óZۉ׎¬fž6‡û|vØz½¨ê¤Ù›«™œç«R};·C:)†æ½QßÈ›x» ¾ˆhQ ¤Ç¹Z&âþ±þ6(Õ†i”U·À·³•>ÖõðpÉúP9w1Oêë@Œ#Ú¢Ð\ÂH´èÅ“ˆ²]WúÔùýÁ—¨£ÐtGÓÑ{£ˆÜ
-/%É =Þ0gè‚ž•/Š ³=K%äØï˜méð©_8êZr1OIE¯}}FºæÙ÷Qí0
-ÓKd÷5>£FÇíêN^)+&yä¬>Ki?bKÃþÂ5Ih\ðpX1„¦ ;ñ OÁµýËw•¢:ÙÔãoŽgX÷‘5XË2R²‹£ŸöŒ¼Ôö· ¾9ëȶÇ@‹këtÛ 6~lŠlÖúÊ›§29BÍÊS$ÔÑд¢Ý!œ_4ÿ’‹Ó§GÂXH×rcbé>U&tã”%…àJ6ì dÌ$V{
-ßѦ
-o>‡…~¼GYøüÈuQâ*³AÙŸK ¾ôµ‹«ñ–Åad|KtY;…Ü©_–èe 5ÍŸˆ¾#¾ïE’Ô{Éq;_þZˆ1ÔQ;—›ÎªD=!avhzìâ°l#<~á>Y×w<öì[oçü*Ös·ìûä(î·Æk*gÉç:]¢'‰!%y]¦Zd TŸšnS Uß\&xyu%S–9²îƒ'"šÇ†\ááº*ùx8"Üé÷žäæG»éÊB;âÊ(â
-¥~-1ßÊ·Sí·ÃÔ:Ö©—JZFß”-¦ âJ²FDDµ©›¹â1ËîÓHâÌäÅÖÓ~ì†Þr·ÂCÅS#\iŸ5뫃OË=iåw—3v0|¯†FHFú®Q…k<Œ"X1Ë”vuÔ4–¼¶uèSŒöÀîÛ
-Ú#ÎÝÅ)šjÀMs¤ârruRb&l^5!Í¢W#
-¼RK·=Ž–ùóoú©G–c£m¨fk
-³Ÿ“öÐ^£²P¶yWmnÏÄÄT‹Ë^­ZïÚ]:Ê>9mTl´ô£i¥OäáàÑýlú ±Ê(À•ªûjÊ,µrAAx-fLjpŒ >¬ŽÐþÐ3ú¾3êÔ
-yîoÜlŒà㹶_ µ'Õ ÍO.׸µ6}¾Â£×˜^N!Ý´’»ÒvµA±çþð kOg
-Ówí2ëƒ'Î`p+p ¬ã™CÏ?dÃÉ!¸äëõé)§»Å8Ë÷Ó»nübçG®ú•u™€ùw¾jaŸKè\¨§*A䦢3$ÚˆåúŸád‡9ðÖB¶€Á5 ³m({ôTá{~·sF'[‹»zèêæ±Hží:¼“þ"2ÉaÊøàý´ƒ¸KðÒ‹,—‚aQú²¤þ+¿9PáÝÄúÈMU:‰b2Ù œÂ áÆ–€œÉ§mle,sm&,Võ£r—“Gf—nÇßí ¥ú2ÑÅu´SEÈŒÀKG9é ìT\?µì/8—ù
-—
-IÃ%¢§¸ÁMÏ­W[öÉ%ä¢*¿gš]T›®æÅÖX=„~íuÊÌ»Ñi©Xp ÓYÂaE´=pÃõ{ó­›óŽ¾™É"ö÷¥ F84ÒL”ÆÙžÌ[;ôé‹åŽ~ ¼ãl¸jä!@šjUâŸs5ÌÃO ‘Å7o­\)ÄÈ’±0øzi*‘ƒu[ä Ùxm3È!5œˆ £ x‚
+/Length 9216
+/Filter /FlateDecode
+>>
+stream
+xÚíweT›ë¶.R´¸;A‹»Cq-î‡ H!P¼x‘Bq)-îîPZ(VÜÝݵ-íº{ï3ÖÝ¿ÎÙ¿î¸#ß;Ÿ9Ÿ©ï_˜è´t9el Ö E(ÎÉËÅ#Ð
+‚l
+°…Â
+qòØ€l1¹5 ðG—
+úhÄÃó7LÏ t„ü.¿à_bó÷Øõ'rn•Jrìÿn·þÑÔzœ¸ž— ðܪCmþyøÍ#+ õøp
+ñ8ù„E
+â6/ÄN;0|ës2©¶òÄXˆÇ`kmH[Ǽà*õp+? ýä†5€Á#/€ˆñÚǘRóŽ¸ ¯ *ÿ€9a÷æúÙ—þ¯½=g(Ÿ6)Ù³Þa0‰{<ÁfŽ
+pÍ¢”2Ö/õ‰`”TèÄjš 3L¿àƒíá!ŠH»  s…?VLãT‘¹Jˆ&‰g: ÉÒѧLy‰À¸Šge0å+÷&|ÂýÀê~sóTšù‡²©ttÔRmñIëëd°9:6+¶@›ÿ䧗%«ŠA~ªÎA ý¨£±bíè0TóYòs¢1…Ðg{Ü™ü_8X—Áx!Öy4´Ê3æmü,qÕ¡Fôž¸Uœ1”=Ê™gÊ™gÆȲüwâEÉw#A¯òøJàú•BþS›•¤ònë®”{w‘?ßW#·TæJZ…å˜>}‡Ñ•ÁJJù‹”ºŠÑäÊj¿¸°[f"­u¬x^Ø( HHŠ}Q¡‚ßaŽRz8Œ¶¦µ“;jÇÐ:šÈƒÏó%^%QÓ±¬­v˜iŒ¼Æ¤|hÉÊUq”J÷¹ù »Ìã:aẖ²Åà2]½Rô¶°÷\xT; µ7L4T3FÁ°.ÌkÛ4ä»Ïuä‰qÑÅÓÅŠ ›c´ã¨ˆ“Ÿ¾Ú:‰Á˃NG!òç»EŽfµ4ƒvZi•M –Þc’þÆXÓ"Ã-­íêÆáP‡³ÕÌ$’_?Nˆyéå…ÓÕ½mÞ+à„_½‘sãÙ ’I%pazÏl›€ÿ¶uçU« ·\Û×Ðbjêìb>U¸)}{QŸNßà—¨ªw%=Ák±äfZ%Åêos[1øÉ]·êñZ¬w¹­fsƒ\û¾cx‰¾¾‰ŽµMÌ(}–"Ú\ñ|1wNkõTƒh,.Wèçh7)m|°Íü'gˆ5’S¯ŠJ2ÇM<'sÖ+ ±UÇR·¬§ëÁµ&I"AkËðÖíƒÜc»Êþª'ºø®¾bÒ^XÛÒV¶ãž‹c&jžü õ«{Aî.5ûÛd
+Ž{âA‚ݧL3bü J?ÙnÁ›C#ŒGÖ:ÂûSÅŸ†¸XJ½·5^9%4•Õó’‚Ò¨î_Zúäu¼AÁÜ݇€,23sËÛZÉzÎgIÞf­35TìQ›Ã_ ?Ôn¹)-ödÙ­¤!á-æÔ‡$J›½Àzö‚õ˜»‹Š)Nü‹:¸¶’{ý[}ð|ͯÍ*Úe™à€\‡v,­:j±ªÖÙH’R<[ݧ¹}I¡ÊíÐRò´hst4ý¯3¥{Þë— à e¶A¥ÆÈ)f!ÁîÎÈWn];FuéÅTK&|Õ‹æ¾\c…GîàèE9#½‘lý¤z‡X,¾t8íèëàvO¿šåj›@’ò»²·1Z1–ÈÈWc7Ü^q7÷õÛHm®#Í4š‹9.<qÆ–7]Ï>é"घ»Ž;ʆW=™PNïÞmMj§%·™Gô(àØ/õ]-÷'?E4œ¥ºŸê ЗBáNIV}f…×–Ÿý•‰ÓBýó®aˈ
+ÝìËI–Ø+¥®kª+…k{p¶MÍÍ$]Lj&”?M(ìzŽh¾ÏöÄÝá6è g*⪈}Æôš.lÄÕÉ^wïkæXÏ7eKxvù»‡ù5QÁ°Ç•Ê.ܥ˯ŒZKòQóÂsÅhã˜\«l>[êß Ý“Ñ"bÇ
+idguÊ ÛáÜ‚Ñ 9¤ëË‘'jM.~×ÿfêKÃÔŸ’ SêkÉ'ë,Fèø.JìíÜÎXѶ%Ænvâš’¤¼ò\¤ëVù¹r >guΆɩ,hè‡ÓbѤÏ_9¶¯Ë`ÔT •#ÅW}gƒ|³f<×­ð8²ÿ5È âõm`cÚ—}çêã[ÿoöþ-ΣÆgLÊôµF&Žzê_Ùºœ['Xæ tqu“G.¢/­bŸºâi$g¿Ð ÿ
+#ÄÎÝSDº“l ¹ügTù®„B'æ|pÙž2SXÁÖ =‹ç~õÎK–DÛ+Ïk¢·­ÀICÇCÜ0SApðäcZ:³ísž÷½Z÷•âKíÀDÙl”osúòÖ'+˜EŒ;úØÏb ]RN;-¿Œº(·]({5ׄX’³øö÷ô~™Ÿ=ÇŒpy¾7rB>Ý#ÛÁr{Yƒ©3ßrƒlšê¼õ~±Y¬Ø)Õ`qyûT±ŸIJ\^Òº2¶5ù¶…ŒÂ¨ÆÙ½C+âa¹ÜmyüÊ€=YÙGzm’ÕŸ>ÖÃI)ª~•¢•¾·wZ䥗QyyŒRÂfff8û“‚
+¸ÜÏ„e) ªÔ5‡Ðz}Í=1¶à‡v‰ÓG<˜'}îpÂ/òʨ^ärÁÍ)¤ƒÇ¼V²YYÍsSsôaÛA ŽPWôÔ /U®øGÎ8G”„X×ö¥ïôgd” ŸŸËÀ¿ÚrsŸc¡W8DN0|’t&sõ™9©~ }Y%ÛZˆÝñ4Ã@hÁwKÇÊ0º7ñ¤‡>–"OhIåà"5àÊtþ]ÛŸe»ÝÁ†UyåÞå¼ë\_¹j†œO" o‰¾é~iŒµb âÔwyu«•¾Ö:
+ÓEWº?Kûß“IœñáÕtÍ{Be-ë Uu£tië9ÙVåøë_onw®YH°íy‚Þ|˯©KâÉ'zÙuLÔ‚™I…¾?Cfà.mQn%¥Ÿ•I\zQ[°³D]Yí7öT¬$&+ázªŠÜ^„§P•àÇ´ômÖSXS„α¿çd±³Á¡Y>RêÑ™½²†ò…*Ÿ~ûzr”46:bŒ*Ç´H]ÅúÉ êXË—P/f Îëîw¸ÑV%.Ð-HÙ¤œùÍØÁ°ù¦µŸÏ™¿Ï³Ú/€V>ÖG—ç™~]I§ÐRúå”ù5ÝÙo<…zÅ•—Ã!rÀÜC)4ÜKÿªdÞÌ5YG¨Ò!ŠUa dV¦Ä`ȆՃ¶å|þFĹšÆ#\XZ­•c…–exÍØ⻫‹
+ðŠâÅI´ÁAM8îe¹åÌ 4+Ÿ`,NÍ|
+‘†“u
+jT­C©i–Tu #s¥§Ú'¨jzÇ¢’‡‘]ž>û Ó›ãé4ý}AB1ö‰pvs!œÀZý¶Ù0¸øÖ5 =YÙ‘Õ®¨=×`«²Š©«åU:¯
+$¨éå,3£¨{Q¾Qê5¨§6µh¸‰Üüß <ü‡ŸP1[½;džFoU—%÷UÒÞ,²Éš5Vo1
+=JƒË¬À<2Í¢îÿ¸£»|µºÂmïÝa²‡kv¼@ˆw÷ÎÖý¢AŸyÆ«ïÌvÒDYœ32²
+©òc¦Y +«Æ€§Qùsýò:ŽrM£ÅÈ*iÀ· Kö î0ÐÇkøÄ<æçó|;€^QÞâÝ@öE<YÍ4Ë.8XÉË@¶ÞIǽL» ïk[¯irWÏE/f؇jÈ)RàXý¯œvb~ƒŸCL?;Yt^8+¾ç/*7í2êì)É=fIï#!½öôžcháîÌÃ{ØV°#ré\šùˆ58»ƒ¬«1Éz—xÝ…È®ÊÖ¡@Ñüâ—¿GÈvÄ­ð*†b>
+ăڙ~»À?(Ç«Ì_aè3µœÌÀq•Ò·'ZÍMÈòqZ£¹§ËSÅv8à‚¼Ô[=Ä2MV*ÇE¸ì¬Ömpx†“‘ò°Œ¢Ç¸ +4a¯ã§À!¾Â2J ’¯Ôc2Ä»îú£ GЙÓØQö(„ªž0ôéÊ ÕZÅÅ`¹‰ÞÍ>QqÜY·TÓlFrÙ9Ä>‚$s™|
+cúÝå99¯ vµI÷ðJÐ?½›ÉÇÎlâ—2ãÁ¯Ú÷ýŒ€%Í4ïÚ]zôMy\U¯_éCùÅ‘Oaðáׯ™I m>jzX <Pû0[:?Ñú"§¤ùñ’¤\H)Ìn®ö£d©üN_ºmíDÕã?³íÙÑÎ*–=ï;ÜRO†vhÁnOxŸŒ={ƒ³{oà¢;ËùNÅZϧ&ˆœ–#)¶[>P’·ž¿Á©Øô©:Ïûô.)¿¨h^iyˆpdÎ<öL#ÑÆ¥{¨Òܺ¾E¨ózÛ'¦îIÐÔñ`Ïõ®±G‘
+F¸lqF÷wã!ïlgVc8Agbf–FLD¿¦x9Š|s ý5þi.ñ½5ò.–so–¾¨ìû4§e5<eÑ”7t>CÚ±CŠH›zrŒøòx³÷ÛÅ»+Vˆ-j¼pÎén J™m–›Ñs°pЭ@úEƒsFÚ-V^@6êI]§gIëEJ‚J[eƒÏ%K\ñ¸\%kÕבÊ}½Ï±ª·—´Æs‡2ßwýÕk“Òhý€×U%'ˆW(“ûh?œGØâˆÏlíä7+#ÐÖO'›Þÿ²ºéúÅç78' K*ûTâàÃF\Úÿq$qƒqê¦tMŠ+éM4Îâ§7·!… û9B²cr˜xÔ©*ÑEö¬!ü¯¹Š G_á¹É³Ìkñ¹ïEãA GþHŸ#ÑÙfÓT¼äû<û˜}!gÆÁ¥¬…X Wϲlq*¿ˆé©°MWfüp]ýÕST”i;Çéyù>.¯GxfœÕÛ[$« LTmç¨m–fîîe¬¢¦§P*†tÑ5[=ÑTQ3<“)u k¥ }²ùbâŽ4¯w
+E,˜µ´´&¾Þ6º„¢ï¨Í$¹°ÁÜ<ÊÅ|˜oÏLŽ8ßx'%ì-ià_~±úáÚuY߉•ü]<ócÉÞ„Ä:g}ä­A™l=iÜ’Ù›Añþèuúéצ<Û­O˜àmæ5 ÜT… ò‘êÕkjÕ‹IG ¦X%-úú\¶qŸt§D Љ64>–_ÚÒâ[Nlòí3«KRÁp²–Âb]ÌJ—^»6m4×Ë'rÕÏ"d^D›y!!o<¥fN¸È%PZQ¯÷nœ•7Je( æ%.ÜÆÐFœ—Q Ú›v¢î*ï&Q_Ç1éÇ»OµMí÷S]Ðê—âO
+,öŠú"Erq‰3×{1NÛZ2ú ©ôeeE?qx
+‡N$ÝE¾ã!Nz(Ý}Xn×ü½aב´˜S€¯q=! ÆUwŽÛ-ÁWá‚}Ø\dæ”Qf¨ÛÁsZY THƒ-´/â«Î-k×ÖôïÒÉRZ¤™2ûx°.[ÿªt8HÕ«XE¥2‡U-äbO¶’g×Vs£I5üŒõ¤JÒ´Ù¼ëâ#LAôfvñͳýn™ÖM6H·Þî,ÙŒšípŸBIN"±Š…:2 íÀlÇV=+èw9fš ÷˜±ÁÕ"ÙÛ½ìøù<´ÓÇ™R]Y4B²,LˆéIL ׶—=™ùôÜ3BÍ]²'ÿÔ¨ ’]döŽ
+ÝݦDJ)ÙŒáÉ¡fl°«Sa¬c€²cý×Øh}ë –7‘:©„ÑÅeƒ+"Ï ^Œæ?õl^}âï.<œEÖöþÒë’QzM‚iDÓÂÂLTª¬õºÒk=mùP©ú'·UŒ´/€›0òû
+ä–“Tf0kˆ¯¨éÞ6¡"¸FÂéq$îDY7Êôµíª‡æ¢_Ä+ùXDLI¨#%ò8ß[”: ¨ËA|’z,¯
+ø¿BówÚ]ŒßxÅ®ª ÙÒš›
+rÒÛdê9ñb÷Cæ½óG„á·|9]°Qˆí3ˆ¥8ö•'|2 jK¢´”6¾Y¦·ü–ū؆Mì{"¶¶¤~lú…W²ÌÅ£¥ZI¼ýÇCLTb¼Ø¨ñÉ®-üGOdfEæ—ôk'Ì,³q½Š°ÊšBa›=As_|û¢Õå|šEñ ¦Ùá`uͶ‰:ïp0nÚ”Û+•¥`¯|,_
+Q^ ±ëkB˶ÉÝÏW)´XI6°,}¥¬>Ñ­
+ff|óéæîDÈ[(-’°1MXü’µÌǨæ¹Ð1½æÄCÍ`SN¡‡ÒÅ»ïaÏB±³7,PÄ_ˆ•Žp²Ï‰çó×CG®t¹=6Jøwº‡P×±f×öËÌŸ õò–ÙÍ·¿)—UôÑþN¶Õ2¤C.®;—ÿÔvcƒ‹&çî¼Ð›íø¡¢ ?’!sÛ yvØ·ïœÒÎkYiÌçhbÏ0¾IDê.¶Y_^¤+<@<«Nk¿±eopô³…+¥ºêhC‹0Hó³cŒÆÜHf Õ»uÎTÉ "[1ò™8ÍQ áMBšHiô*ó]ƽ ¨Y©ipá8i­Þñó°žÇª<FßèÍNa¼°ã¹Q[£ðbd Yfwp“—µ©Â·{äBŽT.‡)çN¨5# Ü\8£ ¦oåc—j9^ ÐbYHËoùIà3Ò"¾œ½OÒU›7œëí Ú£xÖ°´ =|MÆË•’ëé÷\Êã®›½›ÊLs (iï*{–2w}À ‚Sq¤”œz¬4XBc°ˆ/­ùšNߧ}‹ÆO"¼¸ò^µ¯Å•m¹•÷h„‰rd,ŒÛà½ûJtF ˆÛÑW¤\ʯ¡q—9-1;Š ’‡Vû·U¢“Äç
+ a¤)•Y°žeDÿ­ö‡Ú—«~‰ÕofØB8ûzIÅ‹‹—ç"ç6ZŠõæ ï?|ÙÊËûêÞVÓjˆóý ª¾$ù…è¾™A_%ãè
+½=7c…ÙG¬èÎ35µmªâÊÉmqZ†\B‘[›¸46ÊÎõÉé1‹äp#T‹ÀY̼†Ü¼²µ8c1@Ìõb$ýZÃ>ËA‡ýÿ Z*9/‹[ qM%ÛZîÔ3Ÿ"Å÷OÙýklT¢HFkmºYüéA3—¾OpkÄ·\;±©ô‰ãìµêOX.š²ÃÙZ|©9K>ø
+[L-‘×_ÎlrÉÁ~Õ?·åSç& ‰Å¬}+ž¾†¸WfÊ5na­¸À®ª|êkS=öê[¢8ˆžºÐ(ú°Oæ*ÔØ…ª\LêÊ°_PÄê:‚܆Ÿ0
+o¶d©W<DÐ?§|)"¶úšzœ8…û>r‘ÓÕ$EŠÚÜÍyÆokjÄÀ”*€Ò¤'ñË']Çåú®8šŸªBžß%[Ž1FôõU~zË7†Ÿ¿Ñ&¤”D·=.Eå°¹úiˆH× |v`—þ /õ«”WÕw°õ‚I ¾ª@+a®ó(©±ãA5¡=y=£­ñxç>USåD»<çÆÍMUÔ›€ÙlE— û†wRŽ{ÞÉíkGo-îçDq±¯R®¾  …ù ¤í€‹p¼ ìoB:04B»Ëß *pº¤¯O*=¾oFäÉ°ïCÀIüŠkú$ÛÆò wLv'
+OêX¡gŠÛm9#Êó2Ôq
+ÓRLvÏÍŒÆ/Ï7Xy!r8Ë!MÔ4ócK v&½›Ä4á”UO-EyÂTóT­âÑÕì}3Þ5ªV¡H·>”œ³"M*œjnøÏ3°ï|Ú÷×’4²{óÝéL¬!àW”¬Pfœ«ÙýFGó¼Õ‰}j™j컓íRÜAñÓ5Ý«rà)vw º'-¢ßGrËpnvÙ1AÛõ ·ºó\<užèÃbð‡ÖhQjÄcñž­Š:DqŽz,|¸>1sNñ&b®]?Mr)smWÅ€ÑûäÌ uQØÉ
+aàùÚîjäßÜš¨SÞ‚{ÈTvø…ùî)x“›”Vˆc†šçùÁüÿÿO
+æˆù_Ð@endstream
endobj
-711 0 obj <<
+965 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 1344 0 R
-/FirstChar 46
+/Encoding 1915 0 R
+/FirstChar 35
/LastChar 122
-/Widths 1350 0 R
-/BaseFont /YWKQHC+NimbusMonL-BoldObli
-/FontDescriptor 709 0 R
+/Widths 1921 0 R
+/BaseFont /IJVGNC+NimbusMonL-BoldObli
+/FontDescriptor 963 0 R
>> endobj
-709 0 obj <<
+963 0 obj <<
/Ascent 624
/CapHeight 552
/Descent -126
-/FontName /YWKQHC+NimbusMonL-BoldObli
+/FontName /IJVGNC+NimbusMonL-BoldObli
/ItalicAngle -12
/StemV 103
/XHeight 439
/FontBBox [-61 -278 840 871]
/Flags 4
-/CharSet (/period/a/c/e/i/l/m/n/o/s/v/w/z)
-/FontFile 710 0 R
+/CharSet (/numbersign/hyphen/period/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/r/s/t/u/v/w/y/z)
+/FontFile 964 0 R
>> endobj
-1350 0 obj
-[600 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 600 0 600 0 600 0 0 0 600 0 0 600 600 600 600 0 0 0 600 0 0 600 600 0 0 600 ]
+1921 0 obj
+[600 0 0 0 0 0 0 0 0 0 600 600 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 0 600 600 ]
endobj
-702 0 obj <<
+956 0 obj <<
/Length1 1630
-/Length2 8144
+/Length2 10420
/Length3 532
-/Length 9011
-/Filter /FlateDecode
->>
-stream
-xÚíwePœí²-î®Á Npww‡à>ÀÀ
-hàà
-ºÃ¡¿ŽpÊ!Õ×®ðŽdÚ©Û£ˆëIÌå1ñ:–¹M !LŸ+ÏS·×Ö:çñkÏñù È [œÒ¡±Tlü+Û¿-ë•øET×—mÚ<oR[¼Óf0ïw&±½‰2eé²G$QnXß´gÕíÂ_ÙM0¿³­Ë]ûÛv¢^íH•%Ü’(ª»Mðîïp[¸x³ŒÎ¶imæéú‡¿ë' Ú „ÔEÛ¬Ó]ö~!þãømý­g­Rj$¸¤g2¤’Ä¿ïßæBýôQ2í¡8¹ò*Ö!rEºg²Y颺.€ú¡Yœày¢f°‚mÆ™¹@aæt˺—X[Y¶˦’åA$o,çí„Ùš”ÜÝU—w3&´|!| — Ã8¸XÁ⨡
-µÚ4‹î§AmëÁ$‘u]žœ¢ ¤é{þé o)¯v­zÞ·þ°ŠÇ~”0†S¶_EÑä¿XA^Àe#Ì”ŒCš¹þv৭
-ýƒ¹`Z¤†.,¡®Çsõ *haç"¿ñíéâ 2üE2î$ÏOt:Š« ŸÛ¨C™`öQÄ–ìëñçO¤¶"æ$:lþa8§}îsž©j“vå°yD±^¦ã z—FŽÝ†ˆ©DÏ®BcvgÖ5XØwχ,Ðiu–ŸòD~i|Ó²DR8T‘ð³ý@(åÚþ{7ŽvŽa±Ñz]|vJUånÖ7ý°z -’„Q¡¨o3mïønò¶ÿõò"±ë«Ä(,XFµÞ.¸qK0I4îÇîÄ{¾4{_(ÓLéfÉIˆ*aGÏ]¬]¬jaáv… õªø²!]J
-jEÅÖ*
-Ý–”èíC›ÇO/äÊBEQwÚüEšm˜§/ÞôRų#m ¨ŠçöØ
-o<sW,³âVݘ”43>Jªb¯-ûÏ¥š¯:ÜÒmSÂcòªÄòGµ›½d–ÝÒ±çfÐ ‡ï*7? Œø¹éݦÕáˆú»2Âœ; ä!X25#ÐjÓ¯*™Zðg‰æ²M¦Û&=N„¡#‰ñô¤—l.gýiŽõŒ'S"œ+€êæíFý=õ1¸nWQ5’F”ÕØ#Äù4]P³sÀ‚Y~ך4Á†Ç®~„ír ݯ¨¨è&K‹F¶òmis–rùÐe'¶“ná}%’,Rñ|ë,ã>aL¦CÁ!0Y1'Ü¥çýüªPXXÊH<–êĨŸer¥¹ãyPå`C—@Gr›Ô!à–Áa•NºÎÄ{eBÀ…P}jlî'qþ z#„y ڬȧ¯úc ArÅþÃqf§7ÅFù{ÂÎ;x’›¨ÇOÇ™œØνC;óA%‰|ó;ÚŒHö“IÁi²Š1€À+,lÙFl¥ÁxI¢ŠØcØ,ûœÐ×­o±©yÞ<œ_4Žø&Ñ337c†u¯ëКuÞp¥Ò+¥ÖU´vûŒ±³Æ¡ŠyT$Aø<)^Ô1&‘»¿¶Ã †ídD™.w2ž¯œ$à°î„!ðØÌÎfíàUœÚ¾QbÓ“›Û™¾ù*¹»$‚ññ8Ÿ°íBŒaº¹?'‡emj#§„böm«]²x.+„ä¨ð.]Ã8$Goÿ“1ŸjÏ‘¯G…%Z%½3WÈs&¾CÏñ= é>4Méݲk×]GÕªßMÓN~|ð‰,ï0Jž±öfË”Äzž²"Ö,¨Àå¼A
-/–Tª1KÄ"} žŒ"Ô,®ÿØm<n^Ú¯™»F¾*õ’ÝB>o¸Ny\ém<
-~Ç€ŸFš[pcù¢3yŠ˜…Š\ØrJn‚Kµ ú‹ÙváçÔN_1oÞAM¤œ“*‘~à0sæQ@ÚtíÁ~Ȧ.ìó?–µçã’»ÿ˜ûnW¿ mC­åÚÅ‚¯•Rî“CùW&Þ„Ù-’ˆ»[—CxþѧgT`&1|ÑJã—1`~ PVƒs ÙÇ„ Ú)a4»ZÇ[X€ÆF¹”2‡;mS¢ª&ä GÅ*‚b˜Xõê¬ÌyÏë:°íMhÛÔÑÜ-¨‚Þ¦!anPÏÇ”díFÚüÚI·«³J 95ò«‹iYïIôÉúqËñú“=ŸÑÒ~±úMuk°¿„‡dbMTß\4 6ê:Úq-u.Á
-fežÜrßCï£Üvµ~~1«e¥#Zç»×ÍÀ n®hÆÎJ/_Rîd{!ÏԺǤò3ìóðæ÷`¹’„¾%1íc-qlÇÙ‚iW¶tc L{þÂÄkIcl1‡E5Ã6Ѭ 3€wXGZ´/dÖýÞ=“?Â5¨r!>Æh~X ¾2
-×IÙ.Ch’Ŭø^AQ¾f!2¥ý+RS¢°k¾R•]ÍmËç ëDuÙ˸‡è™¨tÓv-º'÷W¿6ÐØW#ŽÛBÐô6Qº9É&˜7`~b8Ìêa²Èé’gΧñu NvA —’ÕW”Ÿm´ifø!:ú4$¹ ÷p_£¬eæš÷ײ‚®LO„yÆ0Ž6O Û—‡œjæýgWp„å^eÖTiDÞ6}Óû—FrV=+ì s¶ÔÈ·Þ:Û;§)^O¯©ótoibçWÒóÑ©„#þ²])Š2ã°À7 -ZC¨JBöjü
-|Ò‡ b9¢Ý—B”Óeß¡#Ï^+X¤½š^Ô€ã„R|ÿVöàÕâÞ¼ÒDNètúÁQµd¢L¤–²ž3TKâ³°Ñ.ëÚÑÕSÜO3†<—7?¿t—Æ<ôÆè¶?„^K”½û‰ßè€wºÌyÕ…O=ÑaÔ]:»4aNÚYW¦$ñX“S
-sÆ@es‘Xü>¹eéN!I±rÝ<¥ImÓávL^Vc°èé4%ÐvcŒ~ŽuŸÚ:æšÐ(^V©FšÉFÊ„5¦@w:¤ªO!¸Ò:¨M„Páüòonñ=¹/ )‰=D¬™‘x™( ;o•94‡Í‚¹m.Ïÿ&yj:f•…
-ã¯ç´½y5âC̆7’gj óÄâ|ÈÂÚÔ¤à¤ò„[ZÓôÁûòúêFù³‚V"vÏ[´¯'›0¡'Øüˆu‡Haq>æ–‡›äã#‚
-[ê©úɱշÆ#]ðN«³¼6m¥‰8\mm×–æO*Ídœà?Ôd&ùãͼbÀ`›ÂQ EÑöý¸R>™üý‡Âk<7½¢ŸhTª*ñ!þ™ï¹ûXâ%|‰ddu:Ò_'r䕯w–Möaª4¸Í(#在žÜköÓ?% sö)Y~;=N³2€†»F
-ØŸ;Â[·^[VÕG ô…›Ë5a¯Õ<M±kÕ¦1±¼âÜ0°«Áé&%=ösݨÃ8àŽd*vHᓯÜh¦îÇm0²‘¹Ñ5ŸkÞ²±ê"Ÿ¤Çµ©éì¹Ö-w^þbYm(<rq=ÍÆ$fò»Qf?1áùšÖ—æ“|!Ž(]U˜Z²*¹¯êë ýe<®mÒ…œ¡—7Å~·À2ÂC®,0¸úG”ý )ÛùáHÁšCEÅC2ÁL>þ·«Ê/qhÃP៻AxàIèŽòÔ*a‰íŸñýi"ñ”Îèa¦J‚ãU«¿hè6[é¹Î]¶ú£^þ Wœ ­„úž@Ô ú<O#&—)‰fÔ—†Ã¿7EÆ{ö`A#£(ø.‘ÄâW¨J¦½¹}+4zØ4ûuÍ”[1[Èhü] ¯VÒM¬Ãò˜ìy/*ï³›b÷ ÎÎ/ÊèÒšiçWOcFb)-}q‰Ïœ# 6ŠW*Ü¢ï|Ë>ØÁq‚'QÞG«Á.·C—‡¬ö™Õš#ñÕY”…ý !A¦S3çìºâÆe²OÙð<è4ËÕhB\ÎÛ/f–Ѿ39ó6©ÇfžÝ†ÒanÂÁÏ×áá–>Ï€V=Æ]‘ïÈ|zˆ•T°¹ÝH’“=æö+•ÜÐ~áâ>è?¥ðR­M :Öª”¬¯¤1ÕUÓ2jmƒ<ì &oÅ•M<Ã,Aí‹KoLÇ/ ÝžKÅ7™ ¡„<¾Cšì+Í5Êhk£JVY+x°ÀBú€ÛH¬æó§˜W+°
-Ún3!©E:qg^˜½“ çEÉHûK뵋Ùãi¬r°"×$n{G4.ö5b
-C'75¾caÁ¢ãmƒž•å ûZ *œ®ÉÙ @œË¼,A¾‚úqhîA¨øy#³
-1j ÚlÑ&³¤=
-Øcîmë5+ ¨38…y-5*6Ó¼'G†I¡s*Éžš<ªf'&Â÷ç)7+9Si|пŠ·ÖC7¿¦´kEª3¡1/`@;ý‚·ÕØ%T¿h¿÷m UBÉg€Kj2ç3gžE>Én+p×úˆlJ<2A1ƒÊÆø4œ/¥Epz¬&ôìÜ­ÿH\tõœÓ%±_~MgþD õ*ÖÆÇûÔ³ K½?€÷£–ò>#¹ëlY–ýaIø
-•ªÿ­^²~wå0§÷>¬­i¡”Ðer;á2\ŸS2ûkÿÚÙJ=ñ8ªÓ;åȲ¦p«.©I*ΪoFãÄjèŸ*˜®$rرpVxO)ß-.LòV"ëàÁËð:¾ßOw(ʽ +X£ÏÕ½ÞÀ ¶aøz·#  OÈ
-B–y´S,¯K.Œ¾ÄJ'7Z¤Ýiõ•®G@QÀn•?—‰†Í_#ppÚ“úëslg°ˆ!PB0ŽÇ0!)ô j«ïY:FŒ›|ƒY Þ +[#’¯f•YÞifýP!`9†„øQ1º*˜¹’οçÿ1›†•Ò»=Iù NeõÉ #˜' g€"C-†óçþ9#Èï³Æ<4Wkë]
-bvÑCª¶<áVÅák…î 4ÛFüÀãó´[OÝ­É›þ(œ6®°Gɹ|ðzCà"å:.B*´
-ÌÇý¦”ït†ˆQF'£•W”‚Jî‹ö¨RZ»å>Õ;v×òu"Bä—,IÆ÷
-?tBVå äÓÒ·&ŸõaðÎÑ3ã?ì‰ðˆz)ýþŠË¬MÜöõÇÈR‹[uY­Êâ™xŽ(ä©rLx¹d0©Ù¹9›—€¹`eîWœŠjÍ`« rëáeÕ0Eg—¬ÀpÛco:,Cú‰–èÓT` T콈l×ÓkŽÊ]5É_oÖÏ
-¿Ø„× óF¶?0PA–ßâeP¼šxoyT×]ƒ ߯ q‚éWëÆóªVüš'ƒ³DŠgªš­µ©’((_«¿ª²*ÉêjÂÉÀhýìÀß,[Rz<™ð<ËXs×;åäÚg&Ú
-¢…~/Œ%뺋 Í_g>êµÓ~ãYbŠ5|
-ËÐÿÁÓ6æ›.æÏcÖ(‰…4Sü4ºÖ. ³îñ à“ò<¯¬ˆ.76Ÿ?õ#»Â oyù£ðc ™2ô2Íû>Úé \‘ðc"l誤çoIk§†²ÇÝ‘Ïs§§+Û¤ßÈ„ÊMðʪìW¯> ÕÅŠJ~à‹“ç—=6óÎ/QP<Ž}%´5*¦²ÍÌà‹r][¸„ìWMfRA¾.¼Ôã·v’ówØøÍÄVn®q»7OçÙ`°W¹(ã#ðmL¢mÚ¬61$"ã”’OãÙ¿
-F ]bI“•C·v0ô]ïsŠ×V*à&Æ:-H<c°1ñõZvO(MDÁ™UnçÖÃMLw¦¼9Ìʘ'f {­‚HòZÆpQ¹e熶c08*k¿^Z¨¤ü”÷« jÒ ®íVÅFDøqÍGLÎL[Þ»@7U92ÇŠ ®•pTæÁ_Š6E{E-”»ì“¡ï–á䨓Ôò‰÷Aé‘E
-ö;)Ó5†90öê8’ÊøïSÏ]m/‚ƒÐ _èìûD"6ÅÐ
-ó/ ¤¤IÝn×ャÃH£J©´Á×í£\^"^?m¸î#ÜÓã­¡]?Âǫ̀ôÍÄ?õ}ŸÔ½ºCCv‰ ØÕÅóØôÉ‹ŽcÄqÙÅÄ 1È‚ÓÏAK–&ÇqJáw‡í¥óðq-²º5{Ü9cúxsœ…vtàtf>Ø.V/èàl)]ÆüjEÞ)â06¦±/ˆÅˆÅðŸ—Â>¦O9L:»åcþ‘o†, 1ÜÊ È6dðdrx·±+
-þuch`’WZÔ6¿©Rì2oŒ`¨ÍÍj“( FM›c¢JëÊ<^=¢fÎ(V«¯|^z‹D­Þ»©ÚÇ«×4úóeÍQCf¼5-LØñè‹9¤ÓlêÏÈßiÚNŽKš.¨¿’ò+sÈî/ ÙXй'ŠÝSu÷ _g““X® d–²žÃ2ÈÄÀÅtÑ"Ý
-GŽ—z¥YƹQëкtšI–X˜‡1·Ee#§r}›áŸz±g˜$>ÈÕ­&)׬H1ì¶SdrvëOËx0P(îée¬-ÒM`¢!03ðÜW‰M^®#Yâ
-.„²5ÚþÈÖñ^ž/|†Saï½ ô»ØIvê
-Ý»ê}­€‘D=Tÿéâö·½‡žëÑG]#ÂâuöñçP2ÀÂ,
-ï:/ÿ©Aàéžµ@vô®ž å—þA·žÈFàQ=á'ê²_Z»ÔÙÄη+YS1¹Êƒ”ÞTRcÖì`Qœú}V› v1g1ÒŒŠ$| OIq @Ýsêç?ú¾óã°!¾,»Ö.qðŠ×þeËŠ”l~a;$gõ…<¾9K„‹DüÆ©8®À¶IÁI3ýSȱ$FïßûBßP5åqÏ' KÇ|µˆ€€‰¥ÿî`Ëf_>´« Í@MãSì7nDAðùg·u{<úzoáiC&‘RÊVçÇTA¿Wb-ΟØ]2PÉ™Ð.8ÙËÍÙ.ò¯j|ƒz]÷ÞkZlü!½989Ÿðd¶aw¨É¾ ŽµQ 1ŸŒ¸9ŸTv2@&* •šíùAùÿÿOX€fήŽöfÎv(ÿã,bZendstream
+/Length 11283
+/Filter /FlateDecode
+>>
+stream
+xÚíteTœí’-îîNÜ%¸{pw·iÜÝÝÝ݃kp×
+äh-
+×u”ø¦ñWÉê!r6Y—fü…øÙGRŸ¾yKR‰vUå)0o+Xä
+ ø`8ï&-Ô§|_wñ˜7¦æ 奿i®™ÀÂÆC6K’kФZqÿ©Üõ-„8ª±Ïë½=Iæ¾xV@f³6Å-ýwËÄÎûñÌq#Eûu$u±ë5Äel&Qül‰x„ù»ƒ#MeȦ’9ázÚð¤Æ¯ëÃÈ E¸½ëâíŸ+óˆ°×CˆØ³Üg¨´ä·[¾Ñ÷pÒ!ìSðŸò“Ø›9"ÐbòMÀ8Õëq]yZsY£4îV ¯—…d<¥siáøÞù%Þ«¯ÔˆÝ¤qg'ä·„ãKä´¾ÀGq!»:½mQ!!&ßa?F±1Ž»ÁÞ¥Y†eP.hNø­1!/­öã÷œ½ð&  ‚¸a©7hèÛûŒýóÇÙ‡\š¯+D®ÉÑÐ Zƒœ0üÓvÄùØEýÉO¼ö~&ÙRm³ŽÊø=q¶qÊ¥¥»5ôÌ”ëb_ ¸mÓa…©!RÇ<Ê)¯$KåT¾C’"ú3Lº wìóÏ #uCm…›®££¥b·B_iÊîð¼ ]7‰Œõ• ðeQ ,®€”]®ì­|va!Ø;ýF‰E=ÅÑ8³¬5)Å¢u, ûÕðì^È ›Âê‡V+ƉC~~UY›¿> %<{ïè—ÒQs…ñpbÈNÖi¿KÚëC/`_IL»/\x7´×´mÂdšØÒeÖίð¸‡^ìë!>ûÙ;æ ê¹MQU,¯ÕêÓÉKQBäg~—šö–S£,QØú¹¸_ìMjŽCçqTlÉJ6È£¾šø (Ü×}Yô*NY&X ìs'«Q·’RïÍnƒa°1³'ù¶¢;\ ´ý6§eã3Qº7¢RÜ
+ã>õû~
+[`Ï—Ì/ù®—o MyYU‹â¢/ÿ¼Ý›Âœ¢ÝˆÓ[³¶MlÆ
+ËšÕ˜±{[½¤-üyª!Ø¥ò6¯Ë,ÝÏ–r‡{ŠÒþŽ•ðRö¢i³ 4:»ŒNt8¬¼GrØ¿š&¦².ÌP˜ã®—ae‘©Ö’ГÖNTX/ïbmåV¡îé1âûœ9åì¾ú;‘ùÑ­[BvÞÄÏdär{,‹&z¨½tEÒ2]A fS0ò}úö4kwçXN!ZÔ¿£I5·›_m—Ákˆìˆ±—|šÓC„8Ìx^]·=´–(LHž I3(ed7iwã—â ‹ª%ú£%wÚS?{drS[nA½G›;õ>Òi´ý'mLG:dŒhfL{¤ÞzÚGÛH,UAw™Ö PÖê=µàŒ dn¶h˜¥‚Jï ¡ßÜè{ruIîÏžçS?èôQÚØŒjT3§Ïñ¤ ŽYΡ¯jã"»t¡EM>í'ÎÄ—·pýèþÉR ?©0 o‹Oï|Ï‚®š!\Õsø” ¶ìOߨùu
+/À/„¡œ‹œãWÃ5t/‡…û’ÀÈÍL´ÀhDÔËá磑À÷7
+Ö«LA‘G´D©(aÿ à;ÔAG´Õ JU;_^\‡uç.-©¤î,+»¼Z‘=•¿RæŸÐò…FIجóÔ~ÅÇ›º1“|÷dÈ…¾^¢§ =Ô**sç «n-Ø[”Ú¶Q¶ñ¦D•œ1ÃØu®KÁ¦¿µÜ†y€´Pä†c(âÏnh0(iX²w¬N¸×õ¡ÍI˜û„ùÒ¥Èæbd¶ùq0«s°ö؆¿-ÆN™¦}ümšŒ­ü‡+ÈŽšœ=zàë…qãWÈÅ+¯|jeÅ5ÎtÿwˆŠoµé¼’{„Ùdã å”=\bHv8†Nt{„¿_å<˜m«3²”K,Í"ëT)(ãú`ÙP¸&«Âo˜«·õ£C·’=ø V–ŽŽ‚ä±à Ë1>F,.6¬z&·!^ ý‚÷ž·9š/–_Ý‹ROnOs!ºð±
+ ÍœçIËýMãèY=±Dˆ*
+Xÿ÷Ô­&?=b¬;”½î‚™ ¬«zGn£P6í±ÿû±Ù‘,œPýgµƒ6å Åù„ ˜:vn‹
+®õg JŒGâÖÜ3ûRÄë,’ Órw¨¾}óã”sᓱx&á=¥Ì\_ Îƈ߾lz'¦vC>_ €1Ä8ïÁ'nX«ÄÿÔ_>E듸è3cióú‚"“š¿X.,\Œ:ÚÎä½s¿ ‹Šs©h‰74’žÅïM$úÚ”t¹A¬Å‰V%è¼Úï¯àFð¥ìÌšjIp0!{»¢”§îYý2™‡5¥C)›¬ÜgªïvPc,ØÖ1#H¼l€àT3%H°øófØúï{l;¸¼ûüÓ ¿@vt MrO;¨|¡–Ï즪ègY§Óùî îÆô[q£¿èÄ" …W²Èj7ð!¸ÇŸ nV¼ð’"ꘕ¤i$| ðæjlF
+ÃÚ¶lóE7÷³3™N/,*+¿PC.m.>ÊÖSyüŠô¥–ƒ®v«~@ P2ÝÒf­NMTP-OÏ<a-€…>oIBeqì†bHpæÔt‡“ŽÄqj µ¥u!Œ»MB“†#z«Vk™…ó³;¨b„èC5ãAÆyÝYïØ ü£D@ìpøÃò¾×{àOÅvcwQŠrøŽ €e·52åeú/ ZLé¹ÉË`~>\‚hX"'N¡Ã$wõ¶!•õ[5ièÑsh7â”›Ž›ã¥ä»l—Ý~ú,;>Â|¡bŒ»-挟 B—ík.D¿ÛµËïÅÓ€”ÖWQ”‘]H‰Õ÷gÆPіتïS+ØT ‹§y3ÕúÑ›:u–ù§™Ã ×&_¡TT}4ÞÝÛ˜­¤¢ÓM2²%Òì½#øE=
+;½N
+¸»v ½Ê…éÔÔqKoœâ\¶Ý€×Ÿ0 hïóÚR
+¨T5=š€áÅ
+•½*V^¾º1êrðŒ*
+®é/Š)T,¯}«2lÍ,ʽÆÎ[ÙŸMÕ° Ú~(¤ÞQò«Žã¶ÚœuÁ3° QÑ•×46™›œö¬}Ù6tF-„zôôÏ
+x0Æà K¾'¯g~y÷ý|Ž°ž¡CCëLFRçÔûCx“U2x’ì¤Ú€òzô8i½‚“ÀÀºP &&åËk剺âi-`JÜ&â,¿Ý¦¯˜Á¦¯z‚+Ý°G…˜Ö¬l†0ÏüÜÖ9oHƒT>vüŠ"nC1Ç=ˆ§XØ„?ýËzñŽ7½Ò!·51 ضMcÿekxnºÒº1Èv&ÿ%V¯Œ Q¶Ù¾¡cÑ4~€Úgo¡ =;?§‹c6vÖÂ5NCÞ0è+wµ ý¶NùLCª•û‰­r,Ïbj¿ÞÀ×Otm‹yã«÷Q±âm·/SVæK |“D|VïáEV<Q¡)…xú—7'Õ^'å´U6æAÂÉ¡ehSÃQúÙì6p5 =‚ÔKÅ´t,ý‰> ¯-¢A–×pE¸6¥]“ ¼á£Ê h3–©pD’&ä£Ä É +k«ût‹2üWŽÜª|nÈ<~'>m8MUš™Ö²Z†>?nÆšfcBeµvG5?ÛbêÀ:' ñ” "en<Ma f'2$ûÌ]R_­I¬‹ÃXż #—ˆd}lu>ërv×Mq(‘¦aíÅýv&…æäüá —<šµWˆ¼üe®vz{óü·ÄÜÓ òŽ¦G§IDÃ"b_Ö Í%ËŒ‚²¢êx‡Ê^‘$Û„ù…üÆy uÁéQ_p$@ÖU/Èãˆ(w¡id-êl¡å¾kT
+K§4xÈÔP¶—ÛÛ‰Õ[û‹ÕÇo›_¶¤uÃwü`@Àr4ýÃ¥Šùâu.Çc^ʈ~¢{ªŽËûb²OÁw}ñx×—`c™ãø?$?q;a—C¸GKÁCÐJ&Ÿò"t¸§'¥=€gh¥Þ¹ê ýs§H½Q”þ¯ÙN0ViT®I‚ÀRÜ#Š,šõ@¯»Ï„S; —nÑ´„(ÁPþ±Óí'ó±÷t—¢ç©¤ç‹ûø?0õK*`ÁÎöÄË’&8¡ßçöìd„ÌV  }¼·Õ0£¢²Ü}çŽ 3ѬÅ@‘Òµ13LëÃAÏNÓó.WN8™œ `c¥ý
+üm££O<+„ºlMË´p~Mý™[ñ©ø·hÊW·N–&9_ 9øÂåÖ ÒgÙ0ª¸Lt»ÈéX+sÿõ„&ûI*ofʸèÊ /ŒÀÐÀƒÔ[ü"¤}.¸ûæ¥c‘çäß>3D|åOVη}ðî
+(ª4rQ¹!Yzˆ‘Yù_‡u¼‡Ó´Q½Þˆ®¸ËÛÌ«
+|ø2C¸Yƒ~Y¤¬BþLŽË¬ðLÕûvè÷Í ³˜U@âçÖ¾”5Ù¹~ÜCåýŽœ—® ‘ë†<…¡ÚÉ¡È„¿ ;÷Un¹ù¼‡ ã à™9 ZTêS½D,f¥‘j@xqÒ–iEÐ+ž²J>`ýáìÃÕ´Eñϼœ#ÄñN%€õÐ7
+l^¹C8I‘èe«3ÅA¤Ã¯ðÿØòk¾Z¬nk¢ªh±¡FÃ]ðÙ›·²îtxrJ¼‰Ù¿bo
+d©‘¯l};¥ZòM«yŽÏ‚ÐÛe´Æ;Î÷kßíªêÂ×¢èCsú?êÂr؇VÚýV.K“.ÅÍ"ûUg§ ™áön~ vµ2Äv gè"àÃ\ôAm»)Zÿh”RøÉR¼.|y÷¹'"ˆ*&–ç>™#xr§cm¦Æö0žœn³‘=ǤslF&~k2E«jlþ¬ Ƈf„ÃLbJ&ÆRXc6¦KnÄÎäÖ¹˜O"êûðΕ¦#{äÚª|^3ŨÊ;è44Âr1f5)·g¼_ ì(1%Õ
+rÒŽ½wÂø’>;Slêô‰‘5s¼uÖ²Å#&ëA¬!­ø5çÈÔúÉÂbªªF%.ïîÐ{ãRU©ÉàëNyÐÒ6½/ÚÓNEg“É·Û¯êÏò¼hžNº–Ž¡]Șùj©<}crÑ¥d­!]ìÜÎò>þ ÞÄ ÷{€m6"ûªùø@P¡S†¸s}'V%ó.£zùˆí]¡I^(ÛùÌ6…–¯ƒÑ|4âsæþ>êYÈ-Ï:´¢Ù2åÁÅs(×±@¢ =}Åæ—U·n6 ÈBC¯>Ç!Âû@u=å<²—1i=íÉú=ƒ-¨òZ—ÅM ­Â4÷–@tõJæv‘q½ãû´yç¾vr«Ï„¾VnEø„}j*7Si‹{=‹Áï£!æXàý1±J ='»Ê`W¸îÌÒìì;ïD}Âv-wŒ$ØM0½(ðö¨ÍéM$ÀzCç§ 3ß3XôåB£
+°œâ‘1é#V~Ö¤›½hBñ åùjtw“bsYŸ´5 ¬˜ºÿ“,W²ýÖ»X,+'z7ÂàOe~a.!dÊ«+¼˜å¡ñÊVóÎçõîú…*>3 þ»m'¯¼ŽpFTYDº9HÁ†“lPËÁsà–Žý„Ä&ä’ÍåìƒÔ„¶“MÊBW{a
+œây[ƒËu¦YÚr!ƒô$l³Ø a£.†þÌGƒaW]èPj©"!w¦k?…Bm$¯œ:#ϯ˜R¡~+Oø0¹`5ÌP(ÅÍé=vÛ „ú"þÀ‘—Ñî1+…¸Ý¸&ߘ óÚ*-‰Š ”8ÕÐYNÒcŸ˜¾üJìsMQj[F¸‹kzéú¸ä(ŽÀK¹öëÎá½ gnä@@m35N-Í˨d²äí«hV]¨Áà^ƒì÷¾­Þ uŸ÷ÚÖ¦k‰-¾·UÉ[~¡‰è%?Ôé·SrJvı}Ñ™¾Ä=3¯rêÅÀØ›uYoaQ•L}F¡©›§ü¡à:Ežir¢,sÊÜ[<z˜¦öÚwR–o'«èC=Rp3s* £_Ë•Fª!Ñ ŒLïЋ˜¦)§í>¸©¿ÄG€ÇàðÿÀï>Â6SGÄT¤®I;@|&ÞHJstÊk=Lig¤5è‰,þm!7ÿîág=ò"Œ
+<uHîPe£C³PÍ2EíäÁ|ËM ó«QX³g9(bçŠvà‹÷µ/’TÂèó¹ÂûàEÔ’÷¼¡¿J£ºV]CG ;f¥/ÁàL­÷mˆª©’’ùê#°ð¯¸1¹C‚U=è3TnÌó´sS_vçahîÖ5ImŒ=_²ž‘•9–ãÆ›Öo!|>i÷.T+=a9?wô²ÅùÄ˺éN¡¼‡Q²¡\Ýq.¿³lߣ¯ÚÌMú‘á£óäPêç@lʼnT
+¨JUŠÆ•ý¿Ñu3·àp G„‡ùbÃéÏÝDŒ%çwì´¯ïª9áÌ ó5SsÕþ†ˆKë†Üœ¼e}Vô™¡)‹$?·,V§¨$Uã½cNùÕTD ½³#éˆF»œ±´Å(EB‰w%È {|(¬3-I™¢m8W‘r…XÍe«àÞVLL¥Q.*Gõt¹IÚ¯±™^_Ø“’ÚÖÈûR˜Sö «îÒžÿk./·9Ï•ÅyÊo •ÓwÉ×°ïJwYâ‘ϱî¸6eÉÑœEɈeósS}¯E±X8‚ÕË#¤y 㼟KuEüì£!o´öUöä”óÏéŽÃZX©¨,M|eÍóÉÝ)ƒ^»D¥?O­Ü]De×a$p*£<Ôu¸-‡•²·HÈÁÉ'. JØ QíH2³&šÞ–é{IênÊf›êòËŽêõ0]\³Ç¸,Y|egσÜÍ–Ø,’ä¥à¦¥\ÂO°ÌA%hP ŽmÀÙ3Y'Ä]ÄhÌýð±ÕÞì²›ODPxþõnº”å“]ç7CåÎm gªô÷ËÜÆu“óm‚ 5 :ª4kíusD󰈪KÀs¢'·»^Rå”XÄ ) >M“£<Áp©E^ˆž+vxE$¶ÆöÕ¸œ eMÁ$ ÷Š¡|¨•ùìü–îøÈp¹[䢧ªT«-ĺ ô{~Êfª~ý WÑ8æôQT“yi¬W%>ùàw—3+¶ë‡IÕæŒ}'Î '>š! ^ËÉ´¯ƒT%¼àn=0Z€ÞOi°nŠŒƒÔ'ó'~
+\´)(ä t‹hß÷çuÌîÈÕyêáTÅD_.àÞM`¦_}\_i¥ê#k?×ziÓÍà‰Á¼­zñ)90¥7€•ØIgx¶}/b
+(Ñ-ì@¹ÀËq²<Þl™xüú0·¨gOyP} Å¥\’`ÀxªÃÆ°6‹9)ü<»^íéîä>ƒ@1è¥ôk5 ê¥5a*ìH¹4}YÕ #|ÿ§¦}ý68w…Ëj*6Ã㸟QmŽECÁ¬œ“§ÄƒOoül“³æoC’rR>s”Ù°ký“Xâ²Tþ--i»ê‘7`ù`/N…›'¶1 h <þS°=xÇ4î×ÚT¡ëÛÇÍs=@· 1~_¶ý)î;ÎnoŸ*CHÖÏÄÒú `^¨VY©êKŒ·€’ÃN±ÍÉÿ£†-$Û:5š›B§>™ÌwÍ?
+qÒ¸#q¹àÞMn¢¾ƒ†ÇU­ÛòA ö5 îQ¤±£-•²x^€’ÙtÉ¥óçw¸_Ü ý‡ýZ;Ô4ò#qó)ùtƒ/UåÐnp©á„Ͷ5ž‚B²W  ÎQÝNk›‹v<§sïU'¦J*"Ñx«xóoŽú ¡…ÁÇ••×ÕqƧÇãç‘œ^¬³“RöéEhæå)ôd6ºØ¦Nr ?â¿®¼Ä½`„ˆÇÐS#£‹c†MéáßÞÀ>RÝNf¹h}ù)æ_Èt€½
endobj
-703 0 obj <<
+957 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 1344 0 R
-/FirstChar 40
+/Encoding 1915 0 R
+/FirstChar 34
/LastChar 122
-/Widths 1351 0 R
-/BaseFont /ORHGST+NimbusMonL-ReguObli
-/FontDescriptor 701 0 R
+/Widths 1922 0 R
+/BaseFont /BYOQTK+NimbusMonL-ReguObli
+/FontDescriptor 955 0 R
>> endobj
-701 0 obj <<
+955 0 obj <<
/Ascent 625
/CapHeight 557
/Descent -147
-/FontName /ORHGST+NimbusMonL-ReguObli
+/FontName /BYOQTK+NimbusMonL-ReguObli
/ItalicAngle -12
/StemV 43
/XHeight 426
/FontBBox [-61 -237 774 811]
/Flags 4
-/CharSet (/parenleft/parenright/hyphen/a/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z)
-/FontFile 702 0 R
->> endobj
-1351 0 obj
-[600 600 0 0 0 600 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 600 0 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
-endobj
-633 0 obj <<
-/Length1 1630
-/Length2 15731
-/Length3 532
-/Length 16611
-/Filter /FlateDecode
->>
-stream
-xÚí¹UT¤]“%Œ»kቻ;îîîNâZ¸»»;…»»»;…»Z¸ÃÔûõt÷¬ž¹šé«ýy“ω±#Nì8çY¹’œXQ…^ÈÔÞØLÜÞÎ…ž™‰ ¦¬¡hdccd
-´—¥W¶·5ü5³Ã‘“‹8™¹
-rp²ÿëaûûK¦hïìâlâtpüͪ(*þouºX¹ü“ÛøØ›ÿõ4µ7qýgKÿÂþÒüE]Œ€vÎ
-±ªVõ¶ý^Nc_ñõiܬ槕Q¿ÑŠÔ+«ñïPYŸÌôZ#Ûõ½¼6SºßS7Cç0ÂþD¶X>ªO¯Æ¶aÕl¾JüÁøÒŠuwßùöüh¨ÁŽ7n- ª}»›ËÏì¯ò[ùwµ gïèÕËä‡× †¸ºŽïÛ­IZR » ˜Yâu#1¯› t,’‹¤×CMMW•M¬îÓ–$IÁ]•Ð}}™ß×(+X{—üÓHï=s]Ô½í<›Øáb57U‘Ct¸¹# ¹@ ²KCúFúØì¸5Ö0ë
-ƒŽÊ©ˆtÝÊNõ‹æíùu§TþÝ4F¯ä‚™ϸý§:Ù0Ìîz2.‡8Á¤¥"ð@b¹ð:Í(o`Ô¿kM.Z’#ï£2GYŠnplwÌÙm݆øf[8³")Ý-Ì>ØÐÀ"¤¹ú,ï6çš#±VEÿú4Í ÙTÙ ƒ˜êççX}×¹F; yh ȱ½ýx˜!:Á<œ?-p©yó>sd³aEG2 ‰iħØä¢_,Ì:ý¡ÒI“
-È ú€èç“.ª¡Ü^ó!Ozü(~”@½ð¤Ê¨JïŽ ÷(ù)I¡É’!Ë[í¿7O’0 ™(Öê/Êó#?ŸòtssÕï“wÏgWWÂù;í
-ivPS“ ÙL+¥6º:]ø¹à s¡†U²;nü[Þþ¥ºÈ…\F˜+6ØU«Iæ´ÿµ´*mg_^ú3Q;.~ÄHB/׌0w=>>b¦u¨„Ê>D_×$,?z^ŽÄ'dð1QèQïþ®Ä‡:RdDc]ØS
-y­)øM˯ìý>z¦ÓÁ‘,£¸º!6ãã
-d-ãµ!2AnXî}uM#Ek}ÚÛÀ£>ñ´0¥š¥b˜)£9Ëà_dö%ÐþÄd'~}?
-<$Œ^ƒ™yJŠ³Þ·|f¯¡_XÍé65È‹‡xȳT#¢Ê›c˜Fn²äjvb¡"£Dñuô‰ŽÔ7pô¨Þ3kµ¢ÃgnI\Hý•ŽxÅaÙvè#Ýü½ä®ªª Å9ñD“‹.š¾S2Àôõî”a½)m¾Úò~€ûó …â#_ôI\§êë•/»šžÇ¬"ñI4/á°ø¹;øë3  ËÍÄõ?X"M4Óþ0ÿÔžóë:i·áèÿ„X µOTª—‚ wgÞZ%•ùÂkéúq¬4Ò7&Võ1;»:牦¯NªÞºŠÃ™5ÛUÆTŠ1 þäX›V­!ó™!*N4 3cÅß^uu”ûZ¹b«îÖÀì䱇R©ù)sÈ3:ð¸$®ÃÜ}þUœEc—Ìuø
-ÌŠÚ ø,Å@Hˆ¹´z$¦“¢Rõ„¾®û£6pzñŸZTyûÈ2(†4–²7h®GœÅ‰Ý?5ëË€ 7m›TÞQ¤‚+̇ßG.¬¿sŸ‘7¢ÉnYFV³œÜÛQ$yÄE%û²±Q´…P”‡¹°ÝÜï…Žžb ÿ _0}}rÅZ¥¶ š¦K.…¢ÌUkÎÖ »iÖý MÒwÎûÃä˜ ‚ÊPÁ„Ð’
-ÒÀ^Ò6¾©Þ°´äÀÏqTÑíö® çŸ$@ÆOo‰…¿§ dêVMäáêh‘´B
-ODµóš\ÕåQÝ¥Út‰f»G û*NèlÂò;Ö× y<n‘G£4°»HÆßy ᆣ§…‘ÙÊF -x/þ %³ znj·<Ÿè„­÷ô í ‰ª šR˜*¯xM®Ì6`C¨€qÑÂzýÖóçÑú;þ¨#f\ꊳpÉôâˆ9£ö…¿4ðÕ«är ã%MKÂê·³©3[¯ïm©ð–J)”úகç'ï”oéa} “S\±Š£zÿGtÀàØ
-µùœw¡ƒ Ì´ç+;ž"¶ë¦Ñ?doû‘ööb"!äMeßÙ°°XƒÛ "b ±-`OX‹1Õû_µ²F„ «WaŸï£˜@p+ëakqÛ€ŸÐˆnYôbôóºL¨RÌaóå Çfh#-!”„pe·EŸ¥ìªäÂh-lS–Úq•—;`âB=)vÎ?{wÙh`U“m1Q2X—Y˜õœj‡ú[µ®æ4öZ$DT›ß°Ó5'B~´)2Ï#*pãŠCñ}t¬Akª#òô%ä`)~¨ä½{ZXܱÄÃÇ’@K'‚Ú3Œ…¯QÄüäYÁE›kÔïœÖ€w»îTð³'aH»xÙ^ôÃÛ²ö³›úRÆŽæl帘k%Ǧ‹ÀŽ¬ßkN¶óš×„~Yy¬Öåwã;™¾ex±xª}Î fÖ†'ñg%·”Kkø“
-ü…ä”÷FT‹K¨âŸ‚øŠRʲŽ[ Ž_n™N>ßÎ2rWìÐc”r…£ã‘mµ%Ç}6 Z_æ6?ë¦VS¡|Y=!j­¬å ÎÿùPÔ¶ÌÅì€Íˆëb޸ʮòu[É¢Ü%f)0ÅÊE6¾7ô§N«E[.©ß<¼ÆÓ,
-ë®o|:o•ÚœÅSŠ%)Õ}ø=™)WÜÔµÑ;¦Í“Øøæ“úm±a εVsJvö@K£áûç(BÂ^àwðg®Ð‰'cÃfBÇ…¼"(Q¦î†÷´sø¬kÿåõƒk¤3N}óx=©ZÍg´¼˜ù?¯…šÉ€—\E¢ŒíoAËLÕ‡õ©Û¹FCcËo÷³¸Ïá€Ò‘îÚ~ÿü…On4G!>Ü-[·,3!E‚VQ¥H¤HÿÇ°
-+¢±'£ë(‘gå]h’ v–i`PÚEÞ…W‰¨¹úmõ'>Më³&#kÃ^z’0†i¹"Qrå>+o ’BP,ºðü R¥ ¯0˜÷—Ü]ý°ùc‡’_´6iY"ëf¶á=µŽpe îìI‹vfê".Ÿ£ËæDáišó„TýL-k,I•:ðkÃæ&ïJŽáóÆfø ”fŠ×Mž- æ,Eˆ,‹bù8#^à0T§L’‡Tvn轸ÿT,5 ÷S> +‹o7ëX¾õ±“¸K«¶CÕTå)#«:
-W£Ì8DB¡ÏUÿ,”…œ'‡n#íÀ‹ªUI“ƒè®œB 
-ÎÓq$Mö—YêqH$Ã…ýuQóë®_¡Eë´½ó: `$ËÄÉ•!‹‰@3^[ůiF@êU›ÈxcmÄ*kâ\yýqj_¯*]U|ë•ð;š:Ýc¬Qz
-j*
-Ô^Óã¦6¼ÕìÀU\{~t
-¨2e¹ð={f´Wdo´@°£Hüd·J ¬‰+z$Õ²Õ(;Vœ¬~]1B\ØLäë{u*ûä èrƒËWƤÍy^ݘ˜Ó\2Æ,´Nƒ ‹ù}Ì3Ý¿Úû|^žM‡Ó]¦
-áÙœ´7S‡zõ¶lܵº"+7Uý dÎÞ2jèá+ ÏÊ"eåc¯/äcà Ã±m¯h:ÙÙåUFñì>Ä&ûk©³=]§¬¨ßîaêÉv)£°®4Ê +pö–fÛ˦ȃâ²o•LdšŽÍV?H%ù¡¬éBi©WO.Gßæ@X¬Ù¬†ÐøÒ‹@jGxô¾±–rƒŠ%}ê0ÿB"jì 4
-cyÑ=—Ó2ÂÊnüžÚî`Ìëá(å9Úv˜t,‚v¤©©äX?r—ýØJH¸Œ›Ámòƒ å’†ðº£Nk9'~µÕAœ Xs{cήz§O9M‡GÒ§]I-þ3‡Õ6Œ°€ã1bµ9ü»:ˆŸ¡
-ÝtÅ çÊzȆ¦ÏÇ3œ—5”Ö<ÝÊU½‰bâånm
-l_:¾
-ÃY_ÂK¬ìüvE\aÐNJðÿÞ¹nèbWo@ü7•öÙ58±£–%\É^
-òÌ%_K ì
-w½Á-Bõ?ïmif‹:¯ í² ŠÔ|ÑŽé.QØ l(è®!mW´»âŸ˜Å>2adQ”ÄpO}UŸN†}¤‹—çäsê2„|97pŸY^½VSz¯‰*ýsŠüä͸Î=¶ù Á ;ݽZ¸k²[lC)Â0ÐÐx·8äý=ÊÕi~°‰Œ÷æ ¦j>ÝÏ cê ^´5»kú¨Û ®¢ð
-Õ8§¥rצT~& ¾}÷+Z?/_Èà£w4E+^o:g’,¸’/f‚Ò MüFœ;xóÝ †—Åà`öÇ‘y´ºù‡Ú÷òD€Õð•MU‰¸ÑµEh&¼¤(ÝnVŒè.lX@ÄôÑDvx™ƒïˆß†)~–E ËKNæpר0-Ô§(†3øÚ8»!¹ þÚY‡Lcù°ô4à 7¬wO[(V›âz'O]’ùÌ1Ô‡ãMÇ‘+¹Ù “}ï`¢7aj?ýÇËš–x¾1ß÷»0Á3ðy—œbHey‹é¶ßí“£…™âa44•bô|ëi¾«!Öø±w€fïü@åÀuƒwt—œû,a—žeú:o¤Õ”]aXS¹/Yv¶N£oúƒMUG9–П9XoìÌ‹eó š_•·pI^Ç|B/ôÏpüÊ[®ÒnvÈp×6Ó¼îZ™ ?¼ð`Í‘‹…U¾£
-SUŽDŸ˜ƒpj U=y(Ž~{×R'¶7UÔG.!ÜÃe®ÉA+ðÔ±·v0H­7)m(pÍ~û%ƶ*¥â9êÊ<¢¨›]`Òël=šV¾ê5³ÝF2…2ÀG›±‘ƺ»8Öñ‡%…x‚©ÙŒx&rq],`Ïcj!¬¢L›‰‚ꌻx
-—”tšJ°7ͼû ›¹yéÐjA0/Á ³ bHgnÁ¯'Š€•é?d+lDVmË$;6†º—u™ 9>üAZØÁíšw`MíÙÝF:d”ç‚y³ñ\fË_3e4S
-CÔ„0XWÄQ(8@XKp9ätñHkaìÙ¶[öƒ!׿oT_ N1;aµ<2WN¤øùÕBãAqÉBa@PNYocYÍ\Dç™ô’žÓ …¸ßëö ¡^uCGd¹êU¡RÌè>áëLúƒ¡¾\‹û¦_[³$$ËÓ#¿%,8Kú—ËÀ —ºé?ðZ;RÝèŒT@¾ïÝ­;s|ûÃìÓöYÊ[(T©ž™PLýMJÚ§âÐ×:®C:”P¥qg$)¦)šp4 kÖÀ§B´#¶á×çûsVÁ²!ÁÓ÷ú9ÅÂ|5/…}Ù¸W6:mº“Q7Œ£{PØUA%fBë*N`s´B1ÒMO‡b
-„v‡‡²˜¯ñ! +^×ÞJ{u¢õˆ8Æðl™GÓÉ`S‡„d9ªsiã¼™wnÌäz3ÉÞ}­ì#$ؘŸáÇ´.E‘Û<œÞ]oÀ×}¶À åd“‰CÌ®™§jÈ{ò3¯÷bƱÒÂ$·+6ó(¸ÍÝ%3^E‹Y\~Òˆv/;˜˜ßï–ª%—âŽ.’
-\1$xo«ñ—«zÂH•`öè€üFt©økbL"eŒ"Y²ÚcQ½9O£ÎÂ&&¥- É3íØ9ýz^–‘¥Áh†~‘Ó_ˆ xÃOZr@‰Uâ #1Ôq90½dò«§”-˜=H\2†PÅ^äÝ9jÿšY ŒÞȃ°Dêp4?¢ð¢F y™;:š¿‰þÏ]Y›vÎý12ÿX߶ï Z˜F‘ê+¨Á+ª’³HÌ•éq·¥óþê— S¶^5nJ,ŸÐ=ØâÄàѯÁVdÙÑ‚ýWÁ^‡„5ÐÓJ<;POSgkÍÅ=Û‚Çj^i
-`‚Õ´¶È·ŽÈ:ã‹ 'ê#&nnv ¿qÿt”êÄæ‰
-ÝKž*gÍ)âM3íålÉ+VÂRa°xÚ·^Ôp«=„j°®¡HQÑ:8CiZ[
-J(˜LÝ
-ÐýÛ¹\g|Æ\ѤÇ/1—«ÂzwîP|MF¦‘ƒBXOèȪUŸâD b³N
-ªõ'M˜CkC Ú„àŒìŽŸÊsÚb‹t&oYy•G%œ+šÏs/'KS8°È¿œf‰_­³(V›tŒðI'ìÚ
-]RÎîà]­ÄÖÔ6h Rû·@3¹9 ¦–P. áYä ’v7êÀ!çbkú26«&¶Ýs8ðd·XåëGⲶ Í
-tþZè
-, ,SÄ ³®Û·Q–Ú‡Ý6%€¹·„SCTÛæ0nǽ]r U¸¥Îô ÿ×7u)“q›&Kñáè×D\Oì!Hç‚íÄV¼²¢8‡èä¨ÐM¿Ê-ú o<öž¿þ†îܬ²;¼½:èå9ô“6s:Þ$ùÛ õ}ü9ß[™ÎáÕU=u[h†J ¯ã®`/Ô Å-!¼:G% …R ¾"¯Éç›Ø…¿{føšÃw²rT(Ú<e?
-ÅŒ ò}¸‰2íFz¡;f$Mµ÷KvQJ~4
-ug°{ŠÌ™‘ùjǼ­Q>ýR Cþ 2U9BS×û¨þøDáɈ‚œmhºßa¾Eí¬ÇCøw[fÝQ¬ê_1ð¶
-㧣<¡žH4Ðé;7F9y¼Ì§@xcד;çUæõ<+sühUÌ-­F$F=©Åòƒ¼»vQº%‡Óò0j1±dÉpQfVë tFçÔq!›5V(ð¹s¼Q—6
-E WÎ^ÌË#ÅwÂWÊö‰·²mý$ïãœ9ž"ãabH¶Ë'B÷Ô"žiØ¥±AËݧå—F‡(È-'ˆÏÕ)ŸÔ38ÝH—ð¢9p Ï«1ç•¥)³Ðûí4&P"tœ{#§ ˆ:’úa@û#¿½ßsÒ¢ñ4:‹â¾%lÊ[PLxUµY¾L‰à'v4ûd)ÿR
-·ãtÛ”I67 ˆ-
-ï3º¢\ïLV´m4ó
-2c
-·î:LH,rÍ̘}”©”ÏmôwqDUp˜¢¦`ï³KÜÂM‘C¸2Ò¨æLëQ{ÐC¬,Ë•ºõtv@þýï$&|Gh­–yšÔ=•€LÂ×þ´9QÞìž/ú¾dÊO
-¥$y{o/ºÊ…-â^ ³7˜ÞÌu7î×æÕ]ÞÕÛ 7K–ö Llœ® èBÉ0ä]Fç Ã.Ȇ•O‘J®B$¨QLJ ‘ IxÖ-€I¨9
-ý +î$aÉÚ ¼MÚÄ17œf
-µ…¬÷TýMŒpqlî^²²jd»¸m]
-ÑL=&†ØÚ稺Y²?·SjJJ}-ôäÀNT ftŸ s %–þ²8—NŒ ÷¢—?³¼B¬ýÐã&~1$*nGTÌ1÷>¬œå4>‹šÁöm¡Jv6õg/Š0¦Î2¤׶j*ž™¥Ißëã¼é¤Tœ´g»ìr¦Âé‡Ô{vÆP>ý$ez.´r™Âòêc>«y.AžXn7ås"p.w¥Y¶üÁVc°rÆúÄÇ’QN¸ÿ‹)®D?â1œJŽJúwI×9õ €ž´ò3–\æsNçAS*Ö0a gîêv¦EËÕÔª
-ÃÕ³5šQ^­šõÙZfé©4ûå-Ie U“®é
-šÉ,‹^Ì*hÞÔ@k
-ÙOâî¯4*ÐHÛŠå«<Ôš>OïYò™ì˜„_ó×Kßž6ÒóÕ¹“äÁ;áfÐ ft°‰]vÁsò¾x¯»?N¶1…þªYGtìmÐp¥Ó¾ÉtZƉâ‚^¬ ·JHëƒÎE[+Í;þ ØÞ_׆ás·ÚW¾}Â]Ϫ'ÅOÍÜ“Ë£øЬããêd7 ¦‰0Fªkº‘*äýêLk¬ÔE¦ÜXÚ@Ùà#Œ]ËNÆ›y³?}/Ø­ÚÝö»µšqÁ§‡šMO×ÒNП
-î€þ™X
-â*áz^.\¥„!Á“{d¿ÜÐ#ü
-ïH
--|ò0¡÷F¢$ßñGÊÌká{ËâÈÍL–±¨ÀËäýŒÛª‡k[£·3žÐ îF§¦¹äð”Â-kû4•5}Â;²©%Ÿêm&øɈ`r}‹¼ ÇZöŸNp±Q†}É |~+±Ú<¶Ð1öŸm*ÌCÃ!̤A©„=í«(OÈnœ¥cã7äG“dÊ}O²º¼óçžê‹T&Ý&ÚpÎZæ2«æ\Y=9xb• ž/PʹK¾âµm@0zõI:ì›`ßAhÃðæq¾g{o÷ ÖA;{Õ`ÓY£º\zÒUuxVè3óxðÛ‰¢¢3Ø­Vb&š m¦G3I §¶„¤Ý1Ž`°Êã>(•X‡¡=xô´¸®N×›ì€èLb”ˆC‚yÆ­G‡^ B[5zÜa¨(Ï:R7Ñ ÎœHü­b^ÏV.»(…âKY×÷¤M¨¬y0rôYÅOxÞœ“Ü‹Z¾ƒ4XÝáJ[K/pêٱ傥‰žeÐh˜8ÎS×R]öVa’ƃ|Qh Ú¡ÿî>†2v£O8xÍÕHØ媚:_øÓ秜ØGÞ8hùõáyQyáíšßål0ÌÃxñ¶ât× ½<•W°Fôä‰Yä)«Ë’%¦H¯ØÑä冰<–ý&Í—.!l/C2CÉ›ÿÃ’iWMvM´a¯à¢¨ ºÛåòÏ’«€G¯M+ëèr(“
-÷z¦iB‡®”wufX]¹©ô£~n¼N-ã1JtIà³7–›fãm~|GË×è§õE’N¥h­ÿÁ†‘ÿÜÖ1„ÖZE”BôÎ&ÕaÁðÃ_ç€Õ¶ÇÍX¤kÅǠĀ%_, Å¥oCÝÃu´
-ù¹ñmá> ¬$=Þp™i—à
-èÝŽòN½‡©*;€5'®­¾¯lš²^~ÍPó­œ1ý®Ëôƒ¹q[½ zÊhwäºÂêáG: É:JÌ7ƒ…?ÝÙ¢|³D2˹})ÔÍ4槄ªF?Îaâ[×’©©eÛKúyÛÜÞX]Ÿp w’“?…Z$­ŠîÛÀÖ¬^ù¶ßu›¾3ˆ| ÚãUi`TîjRÑÜšZkôúŠW4*™º´Rþ.å
-HÇ’#Ñ6aGHÄÖËvx@³öÀþ­ÑȪ/áïba·DI)Rá n®1.ŒxÏS[¾¼m(ß¹I$á(Á!Ý{æið¤ÆÙßuuòûk?–ÿ”_;Â2u9ifï› ïéÞ.WË,ß¼I•r
-·Kæ1š3rÇÖC´žBhŒ/ 7¬-éËíâD™Ø¤Â½3ÇÚô89 ÝÁÁei?ääï‡à)gLÄÐ'ЗDvf¥#|8Ì{êc!¡"M?Æ"Wfßîé5D¤EÕ,˲üŠËÜzät*VõÔ„òp ¥ö7Ñý
-º¶ÏŽmná›Á¹àŒ¹ŠF0„éY)Åšá«Pñ‹6œ0`z)ú…Ý«Èg\¬<ÐãFDQIòl¡_¨(¹XÀÄ.Ìšú¥ÎÛÏÕèU—æâïJ[èhÜîè{”iÐÍî6®"#çÝcî]©%¡î!û1Bá¿^î:ê'\>•«wz¿Škb0 ç®OøñÍ!¬ªc!@¢ìp((‘åÏPCæàüùËóZü;(º›´Ÿ…pSõ‰Ô:®‚tÝîó7å²¥_!ÅZm¸Šý¶¬Î´ Eý¶5 |JZ®DÊC|63^âaµ'ÐϺ)ÞÉßB Õ]¯žZ$•OAž¥€¥·qàvlàê±xh¯ØŒ¾Æ\O@Á\àqc– $úfX›ŒMÿºÝâ Ï—_~ÿ¥Œ;Ñþ™MN¶í/–ÌlŽöŒó bDTh‰·K,¹#To-—Ô‡ç·ÚÐÃ>¼—‡rùˆÏР$&ú"„Q.4éÎÿÖ¿v¡  QXʽ֟ÿžÍÆZ¦|Ï?õ•òL›ï!u¶øZ†w^ vOT˜ÿáKKîŠj*ìKía·iØÖ+TnÚ˜.PÑoÐV-š°ܶæ.Uä:MP  6J·-hé|î›õJãH”jh·UÜáU4|‡†Í ÈlŠ×=F|•Ž¸RõË’ŒTL<“À>ó‡Hk;ÐØú!×½‹~%g E´·P”Úíf×$Aœ¦‘Gþ°u†Wý‡czfb WÔÅXÚ´Ö\ü |+B›·ñS€­)è7RD¬ós:?y‚Ã-r]þ ½^ónv-Ï]/žVcà·~6•ažBÖ eÃH¸ïòYr£ìË$³°^(„*Œ©cÈ=¶1®waÖn÷ >¿ÈžQSÌ«¯UßÍ ™?œ
-Ó2±_,¬0?$éýœEAíÓ!yyÊ$ð¦Ïœ6{‹1‹'®[+\Á‰3‡ŽŒóàyp)BèÐ ãk3¼Ý(ì08á^,Ánœÿÿ‘^‰{zË0
-PпÜ ¼ST
-þè»ÜÔÕòø9¾ŸØþžÅe´8kô;_¿÷‰³RªLϳ÷7÷rÏ’XÈàðÆZ
-ªjDÒG@œ=ù¢0Vþ23qð8@R‚¢Sx†€ÀˆQšk>Ö˜IÛ»åÆnÕ@ Šœ+7ƒ¥ #xA&
-V°î2»“u=œÕÏ"¨¡ ¥}ŨRpÔG0Ò|Ëÿ°Á÷v¯×ã#Ði¹j3ÍTâè(3Z÷†]ö‰6$áHý.ù2rä"Šñ.Q}Œ[ô(~áa¼ô|·g7LÜëèi GÕzBƒ¤ìò°ôÉy,<ri5¢Ó<øQ°–"ß@X1páJ9¥œÜ{5ÖXOù!Òâ™DŒŸ-ƒÞÒ{ßî|¥Þ‹|õÈ”…;°ßUÃF rEþ÷÷>£–¢€%ÝÞû.îcäG3*Ùºr¢ê.ûÝS²Z°¶¯Üi𥰛‰àò"ë8׊Ê[¬oœæiªÈtB!N²Ma3_#”Ö‘3?z25Q«û%Tb÷‹ºðƒS‰\ ”Ë`DðÌø¹Õ"†Ò»K$šù‘ W»P-$Ô"taâ5í.§œi"2a îÎEg|鞢³‹O-,Œ'²Æ¤ùp|’Ì”‹Ò7rž´­‘€µ‘‹Üä!ðvƒŸÖß0ÕBöy\åqýXkÊ€XƒÆ;my»”(~aŸ›{á|±ob’ØÏÖ­Ùxœ=†¤…` Ö罦(h ö˜85]‰„C¬…ù×UÎu×ÞÃ4
- ?0
-tâï¯tãq·˜þ?pÿ?Áÿ'LlÌŒœ\ìmœ¬áþô_ªendstream
-endobj
-634 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 1344 0 R
-/FirstChar 40
-/LastChar 90
-/Widths 1352 0 R
-/BaseFont /UIDBFP+URWPalladioL-Roma-Slant_167
-/FontDescriptor 632 0 R
->> endobj
-632 0 obj <<
-/Ascent 715
-/CapHeight 680
-/Descent -282
-/FontName /UIDBFP+URWPalladioL-Roma-Slant_167
-/ItalicAngle -9
-/StemV 84
-/XHeight 469
-/FontBBox [-166 -283 1021 943]
-/Flags 4
-/CharSet (/parenleft/parenright/period/one/two/three/four/five/six/seven/eight/nine/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/V/X/Y/Z)
-/FontFile 633 0 R
+/CharSet (/quotedbl/numbersign/parenleft/parenright/plus/hyphen/period/colon/B/C/D/F/N/O/R/T/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z)
+/FontFile 956 0 R
>> endobj
-1352 0 obj
-[333 333 0 0 0 0 250 0 0 500 500 500 500 500 500 500 500 500 0 0 0 0 0 0 0 778 611 709 774 611 556 763 832 337 0 726 611 946 831 786 604 786 668 525 613 778 722 0 667 667 667 ]
+1922 0 obj
+[600 600 0 0 0 0 600 600 0 600 0 600 600 0 0 0 0 0 0 0 0 0 0 0 600 0 0 0 0 0 0 0 600 600 600 0 600 0 0 0 0 0 0 0 600 600 0 0 600 0 600 0 0 0 0 0 0 600 0 600 0 0 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
endobj
-626 0 obj <<
+879 0 obj <<
/Length1 1606
-/Length2 15226
+/Length2 16237
/Length3 532
-/Length 16089
-/Filter /FlateDecode
->>
-stream
-xÚí·ePeݲ%
-…»;ww(ܽpw6°qwwwww/ (ܽpw—ÂÝáÕwNß¾÷õ¯îûëÅ[+bÍÌœ#GæÈ9#ÉwaS;c „­3 #3/@dcìâ$og+Ç bgm
-øk䀣 u9ƒìlÅŒœ¼
-’
-tüWƒ¨ÿ™š¿$ŒLíl­=
-F6àß àï cüsÇü¿bl@Öÿ›èÿ¨ü7Ãÿˆ´³Ñß6Ûšÿ•‚™‘ùßF“Èhúälb03²þÛ£ÙÕlMŽÖ [à_-ÿÕF
-ñ½¿Ý¡$ý6;›˜ ½S‘F‡‡9Lq®÷#7ùºÞAæOy«Æk™¬0\™òã)àÚŠ¯Põýè_°ÏÈ𸯪+WX½À4qW%¸3A pÇ‚yçNјŠhÙFƒ´¼òàH«Qûv¡;±0p•]ßt’~xd,Š‹÷xÂÍ6m$ˆ¤bŽè›a»èýa–Qº ÅZCE{˜Í¸V>$zytgC¿ Ëûž~^üZ΢ë—'¿4vÌ¢€œQ(߈¼ÚóE$9>RÛòvJr —Ž!V•Qê-¦  ç]kˆ«#L¹)N[
-Y'L
-Ml%£:Tid„‡
-†{z¼*†ÆO0RÕ[|+uØ<»×xB–)ûµjÃñáÛTK!ëßP.GJ¦ šïHídÏ·Âó‡8ÍÈÝÑìᣮ¨¹)KÔ«£" [ßáØÓz'f?r÷g‡ÏÁ­õûd„» Ë}áY‘’¡žRÞÃþÛÈžiuMÛqÁÞÚÖ:ÏÝu)âì¾
-´mg!™Õ[º±dúrTýÛ·àÑï;¾Sh4+mpæN#{•x9)Âv]²O_ÊÚ"¸g)ˬÀ ó6ÌúäT¤q6`Ü,ÎÄÊ“Ê.ÆmRúuZ}
-u¯Ôeø9‰ùXg©v«½~ô¤™ÎbfÓ@ËZ€'púÎfjûµ+4Šð9µ?çyG Åš2Ã>öá¡ èÓÍõ‹æ©íq½j]F4ÊQc &ÚWÊ¥Œ!¤)Ô¡W;êíˆkúë¥|ÂO!xËl|Ê/"Ë ¥Y8Þg™t‹}1ü¸ê²áüs,écbDŠ‚<ÕÔ&0S™2(Ãmz\Ì#wÔJ$G”ûsuQ#JöõÖ1Œsoæˆ •X1K÷·XøZ°˜©T†f zUàÝô¤˜:%)=ÿ¢NýÌýßáB0$awϬ&8Ž÷SMÕ@: ÿ÷6²±‰ðJe Êq»‘€¿Cø# /ÒT ÚÁû­B2cQ˜ãSŸ_1IãÛóù´P$O´›ä…™±<œBn|\©žêŒ.ymõ¶9ŠLrd¤¼]‰m æâ¥ËNÛ” CSÿ
-Ôw(ˆ)¸ôèg¾ÜFþRM–”T–VRƒú¡âÕ€ 9«\æÁ r˜.°ׄZÎAÆØRöuaÓ^z¾A}É €1X•¢Ä<”BÅ2Ý)×BöÔÚó–7L}ƒ.DMZÖËçÒÌ¡sìÕzÇ<ï§PÙpK`Û¶—
-d„½-˜vNªÊ:&¬.U~ø
-S–2¶ò¦,|Uº•¹åÿŒ ²]d§ûHÛ±^'Óàrê¥Ñ'Wží¼IëÛË­lžœ‹¯‡ýôÊ0àU\|¬¹.wÑ`7ÐÛå/—êâY쵚ûU¿ð½@'Ã\Û#ÿ¨tÓ"¥ÍSûã†ÖÑ Ö9X³*¶?"D'Ö ótÉ‘mtå
-6¾íè†i#¦‡¨#d]™P8-ÆŒt8ñOÑÇ,«ñæ¿V´Dze< xzÄz
-ÉËh¶*”zT© :ê%Ë×úì±m,0¼Z©“`Šì£ç!(ÐÖ2Y
-<«<Æ;ƒÎdä”4éPйë×¥ß"á§KHe
-¬Ÿþðåg¿ÐžT1‚ŒÙ{§ë³÷<¥·qÒVÍïl—ÎЕÑi„¦¨DäÒ)ìW¾V “{©¬1›
-ºs„ŒÍDÔTQóÖÉ_+y’‡2„æSu•P¾1YÙÑ"®—tI+Œ,r]  ¤'Ü~ÙŠÃüó²-e–´cOKswfÞé¬yòÒƒâÌ’.ËLÿµ_·_Ú•bȼ±ÞõŒCⶓСš¬©%˜î­vNBÄ3Àu®*ó^Ú£e3ÐWE>qßiSgb`ÑÞXpœõ ú~0èu†£ÆBß^ ¨íHßÿó1p}PŠÇ
-ÿ¡QÁ{þ­
-Pä±\7Š‡òÝÐBÞz¾–ܶ<
-hÞãBÚ'¡ê{üŸ[gq«JNi9ª J¡ö–”ÍÎBÚ &eš"¡„™G
-0ũ㻢×JïØÄæv
-®t·Té„Ã}5§¯kŸ1öÖ¥¼?Pe;ö•Pö‘rû0ï}Bϼ˜\ˆÉ6ù·ÒšÏ¹äçMI9!Èèm)L(ãÌSŠ›öž™{ÔˆV"X¡…-’?.ESö®žªAÝP! j#HA±}…KXžÌÕ§ÐÉMŠ[¤ã('©m»Ÿ>¾+­›™Q…ºCTmr9ðn«!dØ}û\>KdÚžïËeš»ùØã‚„À¹b¼ôd *Ç£GhU×¹
->3;J¦@ÝÀ¯ÓrZþ@)%È€Êz¤a¨ädèji|µ€) eãCÊuÙ.ƒæqô~l»JöUþ ŽžØóáxf‘n#©[6ú<—¼FL¨Õ‚¢p¦áâþòþttÁo¬‚¡:ks_V]º¨ž*Yº‚ÖS,"ƒTæ{à':¨²Ãêﳓ+xòä½o»äß(!\Z,ÓræÁÚÉŸ ð µµV$n« BA†lmº'U'ž½R›~nØõãç":E›çÎy?ž ‡ ?CÑ<,ê‹DÜ(8Óv}å~õ ìòÙ¼ŸêGF¾nƒU„­]¢6¼ óÈ¡@¦]¹:@¾"¹&~žûÔëâÈm!Ê ê½–B¿™—´¢´
-]éû.@U¥”¹7n0B¹TñÖ€•Ü’ü=²Øü;ApÊ|,êºJ CåD…rÿ}œ_PHqÆ»LO…NEt"†‚©ÛAѲ‚÷&¾½&WáõÔ7j§qÝÄ´Öoºêe--Cª±G.y–æQ12Ò7C}Ϥ$)S¢›#qò8R|ﬗT%’„`Ô‡>{|ÓÑ(~‰M€ì¡öÔõ| µ÷•Ý RÙŸ¿°xðÆÜï$xÂ1 ùê”"B/J#_“ÕK`ô!™"WX¥ž]58 áqA8Rkªk7bfRCèç`…oŽRÈeé'¶ ‚©&#É;°õCd€nzc¦}ϛ«ó~×€#\K"™qø$â~FÛŽ›–‰K¹Zð®=¿Í<ÍšQƒT¼hçîuÈÞ Œ&©ò§=&—àÈjóAŸVËpý~‹wåhß\">ÿĺrÁ I~¹8îÖ²Øeçmב[~ _‡Õ)Úùá!¼Gâƪ̣}^jèÍeìGHj{FƒÏDI‰áž>ç;Ž; :«^/lü²ÏÜ!*‚v5Bw®vªz‚/{¿É!Ä)Ý_Ò½,0‡Ä83ËqPA¨ÏÀB¤¬PA$.Z„^™ùà À_q\E¯§nT©E|i¢jHm¯©
-mO´ø$ZEZ»ß÷êSùâþqÆtd±ã±ïäœ1·+}pyÉi"¾!¼ÈÓ‹ÞBêI†¾y¨‹5Á·n¤l¬ î¹2íib’-þa/mBrZJ¨g“mˆêia1éØæŽÌQt¡ÓÆ˃¨
-¢j)ü™pÒŠb÷"…í¬LÅí^²0Ôô{k>— ¹§ ‚ˆàêÒ|% ýˆëã_d;lEO㷳ߗœ×Rfå
-ZcÁ²Z!å5Zn;£°¤Êîž4Üb
-“â7+:¿ßå²p€‘ßTbºLJzù:˜cÇZŸQyØCV`ÔÖ .ý\ø£é¬—Ò8~û§v Yg“ÕŒ1…·ÁÅzýãÚWÕºÌÚùYÞ‘G½ µq€¥Žh” G ;èXîÙ7š%›Š K–YtÙ÷¿q;Â*ò¾¤ÈfRʽC@Óz†¾>ÑRKíóðdêZ+%{ <V6KiH|žz:]6•Æåý̧(j›ÀM¾dxÅ]©äh1=[SîKØ{²Y¿×Û3fãï[4HâÀfppï}:´$ŠÖ‘1 `â;Ø8§QŽVê’ÝýIX† ò«ˆ¤üYL^R3‚ŸW:o»é9¾5¾æÃÿÉ#¡ÊSºyØànJ¾w|fjvä|ðý®PRñgž‡°¼äÃ!Šì1¬è¹Ø”9qζ 3™u° œº­ª¥?™l*¼~þ²[q)7Š–%ñ,L­2Û#Šôï[IÒÖÆÂJÏ®B*öç¥6ÙâµÅÀìÝŸ#zç*ûlãoô«âWýr)¿/©Ê»êrBIö…Úäé]›Ê®ß@¾ sL.ƒ6ß!•}º‹É÷E‹šÏrW¹ý ¿ô¦®V*sŠâʨîø»iaŽv|Ýj0=Ø$Q>SÚ¯‘n¾€ûà3µ¨¯¹|Ï‚·#ø2òJ_×Kà?ew5²ò!msZYÝþ³Ûš6·—O,o|iVð”@DOXå¡gg'\ÔQUáÏ‹wƒ§ tÔи7uû]J8IÓ~«]Õgb+©‚±ë­õúZ÷0©ÝæöœÉgp£è½»Í¾÷QöÅÒ+*A¶3M{#ˆ2¡éŸ‹\®þK§Œæx'wÅw÷q‡Ø™³G›Is%ößÕlÕ×ÙYó$;ƒ"d™ˆÞ›3™×Vc:DŸ!H™ØºASöò;ªÄ‚3:¬§µˆ6· ¿+><Æögn% ãïcªKZ¬ ýÒEÓý°¡©
-oöw¡‰Ç÷ LN(Ú–Ç•ë|¦ÙV0f†BckÔ/ÖözåÄò«ÎMüPC‘&§¤sâQOŸîì?`øá
-u€2DZT‡ÿan<øF¢àƒK#ÒÞxpÂä_µB…•’Ä5$(Z£½X÷˜,Çn=F„I1°Sk€/ô¿Ñû’-Ú%6©`Û/XwܸýŒPä°X{]‹{ÁõIê=/uµJLÒ "nÏÖ9 
-ÊnQu}±”ÇËÂo¾ÀxÂO¦ßi“Ÿž„Z”ž¬ùáXßâjøLƒMw®ÝÉ¡þ‰à0߉òÐaàð1͈o®ŒKÔ2û%걓ºîöC·wÕ‹Þ«WI±á‰šæN&`­†[Ë~©à}ã‘ë!–{«-ƒÐKÜQ>µÓ™ÚHh[“+ÊäŠw˜Œ~š ‘o;UK䊋íó¢/¯sö6†>ûþøM7f“wcå wÛƒS^‡ãIÔˆ·œ­‘‘O¡"è£á²N´(*–ñYaZÿnŽš
-/ †¿
-¯)$QF!ËêbVqâ!Š–i× ÛÔáZ4 z³2„«#µùjÆa0Ž¢”½¦wÝ̳ Mx¹c"ve·yäÒ0Ëdao† ˜’|¨äÊÎ |ýªm¯;°”`È$ùúgH÷ôT¼‰K6lºæð°1I§Áü<Mø—Ùî¹A‘†*›Ý´ß4èN]ÐL:òs@ˆv.BBÓØ~©ç0ϽxØȸŒ§´zŸÌ¹1lðhSe@¦¹Kz˜$Aˆ"ÆÀô¢A $Õs‚ݸHªêmªœÒòûÜ™\ð€Èª&¿o¢újt§ã;»ô°Š lñëÒñLÅ –ÞÎÙ ÆòÛÞ¢bòê/Èá‡@°‹Ôp;C¹@˜T¯+,OëBš—UÒæ7v¾µŽó"zÌžƒu¸WÖŠŽ®‰Úƒ6äfôT!m¹dÒ«?¢-gÊsŒÅ¿î•n!yªWƒ¨¡õ…*‚´Û˜d®Ë’Àî¤a‘ð7Àãk¦·nÖdsÈãMU„¼Ž8ðA;²Ÿ‡–œGC¹éâ¿q…”½ïyB –þ|;kßá4\àç¹òNJes æ¶3 ìãdœx1y¼\ø<µè¦>°¯Ì~δ¨ñ¬ &d‰tñ‚Üè>øŒº§ðTÍ”­µq¥|rüꆸ´åxùòr¿jÖÑy„æOä¬-d‘Òä[ºz@z6>"Ò(K)+è¸ Ê]‚éÉëß-Z¿¹ùÁßP£«•O ?.Ÿ7©`ñ §„nºn´ˆ©AÅ
-®K·¶M“‹PÐ-øeóù(,•ÐqšW×,׃ññ£™”¦£W…á觇²H•ª£ën“¼ºUÕq/ßíÇ%–Þqÿ J†tù›á8îe p©SíÊw¥N¶oéÑ!í3ày<Áév…‡~ñ¦g‰ûÓGÃPûÅ•'ëyçÅÙö°ê"б2¦<N[—ŸeD·^¸Ï×C2'!ðœþ…`—åæõ¤Ó.Çiæ’,ÝãI~d¿z`4¤‚+õë5e>¯ge&ü¿ˆh8#u­÷$å†7 ~g¤ ÌÓj7#)¸"ãbø=ËÈÓF7mõÏx|)Ê ¦R+ËY'¢Æ‹f¯
-é0;êÈÞ šGû)¼ÕÝÛ•qòG­‚}¢v7~ýUÌØ{/ª//¶£@¢’BxP ?×㺽v/Ò"¢³¬É–²7~õ¥-°ú¾Yâb²4GáY±Þ\ÛêùÑò:u|?í¥LTj/Ïäœän”…xÞN[³Ö´Yg$<o8ó!¯S庅{–¸¾£“7Bb¤ÖRƒû°)©5Õ‘ 5e'îäuõÄ]ºv&cÀ…oÊÄ8büR š?òré
-GZläÞ¢Åë6}oÛ,“Nxúœ½™§~ãIf7Ù,’y®KuT§Ä‹óˆÞˆ:‘¼ '³é~”*=Ï¥aæ½L šá(ˆ#}AÀ·åÖ•INø™Õqy»±ýQÐBþtSè³í¸Ç
-Oùl_t>»ˆ„Q@·z×À!»Qqf¢Y Îë"Ìãì]/©¦pš¶¢þz¨´ «E¹f‘SÑ”,Y¸!µx·?q¼ÀRœh·×ÚâOÐ`8 Ž÷PÚÑ¡lŽ~ñ¢ª ”HÓVßQk6˜qØ `?'7Àw1²£;Äk§ÕùI…²­™e£
-ÁÊýŠ{Eoa’¥VÖôJŠD¢VØ+çòêqgkSÃúæœÖJ!¾íѹ ‚§š@.¯¡?4÷k¯ÆpHmÉK HÆ`ÅÀgç»C~\þëÔƱ )m®ðrô©:ã.ÓŒ±þ(pôs° ¶†Yi†u1`kîxÍræN6Ór§‘Ó¾‡‡8êaì%ª?áXhu*‹e²ö×VÒôbÝMcÚí .ä Ü SߟýŠw×ë±AV‚,“gBsEû&·9Ó3÷–òÎöÀ¥[Œ»ÆT*UD-.ô€]¨ô€–'OWsá€TO›¦õ`¡Š»Ù†ÖáÂuþ¾ñFl ©>ØNRȘa»CSÔ—Ÿ¶†ËÆÁdõÜBx½oÌ«·†)Ô›.hþ¬ng¬ûÛöVhNÁ4ýÔ¦zçŒi=÷·ZÁ¸ö‰ÝbáÂóû=™‰¡-í§ç)Cm=Úy«ôÇÅ“SwCðï—9C$~™¤9Ï …Û‡_ÚóWs¸ ù0.n ' ’8_JùïMæ­üÝRÄbI’OîÚë;Ãwh¯“J¬J ´Š^kû³ÅJŽm™ªó‘'i‹lÛüŠßGÀCÿçù#K‰}¢orL-–cƒ9MºNöÊ^âæYj—aíLY&.þˆf$Qžþjõ0Cñɇ\›€®ì³¼kÔ42uR0Ó…µöµ©k)¶¡)–—Í …‚‚Tuº—Æ6°…5ÚÅ(˳«mÀšÇÊõ™¶Ôî^H™¯Ì¯ò,µêiÝò¸:
-SþÅ•ù°?UÆh´Û Æ~‹Ü­³µ´FŽ ̽¨ ÷`2±Í¾ ø_ÑÛ¥¥†%º%B\aáPbs–’´¯xÛŠÍPßí"2¸'\sïa øçÑõØê
-ùôÀ®ß`&„jsJ·ÝqüÚy»©N¨ªÊ‚a '±ð¾•ìýʤhö\êøÔ<{,üág`™ÁZ±Mãêà7G¤¢œ‚ñ¹ÍÃ5¼tÈŠµΔࢼ'}ÍÈž›¹cU{œœ”ñ’£Ñ8þ» *\þ:X)8ìÆäG4k·D«S ½ </psð8M´vÊ#'®È?Ý(æDœ&jž]RBqf„I+=µ×õ;˜AüÂÛ©4€…Ï3‘«)Ã`&ùÄ.3Sª[‘¾vÒE&Q†üÕ¤Â3$H˜3ÈX)Òö
-Ûfãu¡ÀÐZKÏ¢ÊôG„“ ?î]¢ozNS¥•oNüÖA797mÄÚ¥âFËë
-!üÂlŠÏY™Vß‚-#õÛ"òæ)ê§4|÷4û•¦Ç\£Ù.,u˜XÞçAO¯é8h‘$?³DUŽ$ÐN—ýÀôZO¾h¹)8’]íPlÒó!ÌÖ¦¾óí3„@ÍÿBkjû"qJº„‡›áûÛ>Ä£c¤ùÄþâ<NI×–áä‚b…&yK`à3r€ ‹¶ôfæX:„¡'*?§ºnQ~ÓRÙüÌ¢÷­¿Ãs¦yÞ$Â9{¶Å*+'QÅö*§H(ð›xrPßÞÐFñ`$•†ÔXóþÈÖxÊ ¥ô*$ƒn%Õu{¸‡£Û"Ýft /æ.;FÑ÷·ßà9èf¤û* Ž n5ˆò§\S¨ƒÆ+’Iñ$ÉÆ­ãЩ$ÐÈ~f›hD"°[Ir·»FªÁ>ÂnÆmp¥Z[ÆóžC|ø{}Í°†¡P®¦é§
-@á–ŸŽšó‘ŸqJB¬Í×H¬íÅ]¦mš_-Áµd‰[…©ÝG}kÂ'†¹ZñEïJ/2Ž¿I¢Û¼Œ;ÀJ?ЗXÒ²se¥[ñԆص–3—ñ>(ìí,¡’Ó7¿­o­Øc›ŒÆrOã·¨Ó½¹`­Ò^¼>¼aˆË;hŒ¹ÿÙÿå`@HZ a½¥×¶9‘àÕâ¡[Ü ·Å’Øß©UøgéQuz`@ÝD7… 6˜^³&s %qßÕ±%zs‹É«I)Œ—þ[~x4ir:ÿ•Ä5¿‡¼c@'dPí¼+Ê-ußvxØ€F
-‹˜>cîÕ‡¬òš¢úcÓÕVAcB8‰à–à3†(¿Ÿ->2$§‰#ϲf~µÉOR¢}Ì^Ô*ëT¦9Ï^°Q¦òÌ0Ò@§…×õ™Û¡f}O†kÞÜ9ìFÄ«òwÛÍbµËØq„ÂL™§ÇÙ宕NÔuKJL:˜Ü õÚšöÀÎß
---˜TÎÁ?åשּׁ~Ig.äs#IR³1Þdà0säÐl„ë¤)wÜÔC‚5ZêD¡˜A|aK]¾öQŒ)ŠÑßÛ¥fÜ-6wâœÌn¿Ô‘ëZ¬×ñÂe²€KQÊÉ!qäl†ä Ã;¼Â` ¯ˆ«Ýjƒ"àFd’(ñ¹%Ð¥å Ÿ¤­:ìKÐÙÖ»ûúj?ã0GLÝå/—‡ÕsÉmtèŠ7@F.°vš\õ`òƒ_¨à@ó+ß­'9/þ´îQöñ;*œî~¿ˆ\Ý‚°¥ù"@Ãw¥>
-«ñh²°þ;f&õÏý tYPXÉ(ÄÑ—îÿ*ìRâ͋MI.riAÛ³eBapX,&L˜”FÄqOÕi/zÌ-JîÙŽX!|½ôÔ{/¥Êl“”2êL¦›$ôéy¶r×òèt A3È׸„–MT•˹#“Ÿ_«ê±C˜Ä%3(ØBN®fMݱd[ï0i®§¬Þe˜nùÃ,2†•³>Q~Eó“l¤Ñ‡d¥K
-È ¿X¤ô á€S¥M†kh_v.ÊZ°XY–×~dŠZ£þq z3„=pÔÍ*SÈá£.rYÎ8xz¡ªm:è«íƒÂfkl®õ3V°yÇݪ"|pA´q+K¯ìñÄ5ÄÆòX”ñ3³S“K¸8”Xgúy6VœOÉÒÀn‹|@aµ»§Õÿþ\1-óò$jô½·Yâ6IÞåQˆÿ¨Û.†î†!ÿ" Žíë½#kÒŸ@nüšÂ.MV5âÒžpɾT “L$*jsK€kU3P"¢÷ÇÇ‚“\e,Ѷ™ßUeÅATIˆ¼Š#DRÏãþfž‡ïDŒ4ùä;¬«"_u´©+E¸8å´•È.a«MçeÉ™¸m»ÝbîBß_S¨—,ò5žL(Áœ½¼«lè„OÞÐë³,­ÜV"éˆeÛæÅ—¶‡~,¡¸ŸÆü€¾µ¦gq8¿¯Z‹—Å}á/Å'laÿ†SÙq³t‡º¶^H·âœNwÌútaES<hpFEž u‹F,p?º°8*ü²z"¼ñ…>«¬¾lfœêð~,¯±Ni`—…Ïg Cž@2|§ãÓ>ú6.ûW˜ï>µ½Ø“M¿+Ÿ $g;µÆñGïÞ—ÆøE×®Ú§qkERãÒÆc{…ŽZ²ÊZd;_Pº· t‡Èû/QOûIàÏg»–%E:)‰7‰‹zz÷Ÿt¸ZúŠ
-É9û×ÖN¨Ó©Þ¶Gn‚‰å”÷,Œó¹ñ:Ÿ5Å=©x¹=Z©¥…»Qò‚Gc]qŒð_¿³—«º'í(åDZþ´î€J®­‚Iç'«_ßÂ:ŸÇHjDõlÝå„,©qØ` G¾¬†\È@éø¦‚œ—éܪðX¢ÈQ<Ñi8ºÄ|#ñ°Åò­õ›O(m£mŸ8½7¸r¯já—"Tày¨ Zì|AúßPqéí [ÈÃù3Vìlî¾ ™VÉlb¼¤.ÛžF ûoŸJ¶ô
+/Length 17113
+/Filter /FlateDecode
+>>
+stream
+xÚ¬¶ct§_Ó%œ¤cÛøŶmÛ¶mÛ¶Ží¤£N:¶mÛvòöÿ¾gæ™u¿óiæùp­uª:»vÕ®sÖ!%TP¦4±72³·s¡e¤càÈYÚ¹:ËÚÛÉÐ
+ÙÛ˜
+"bÿæébaèòOngË¿n€½ÙßH{c×Jú—ï/Ì_¯‹¡¥3ÀÅÔÃåŸ\F¦
+IŒ‡1†
+ í:Œ}V
+T§:jâV6ðë>z1ZVª=àšì™ÓvÓFÑÐ54½ú!§¶å9A6P0ð®+MG¼bê¢Y‘ßçGaƒæ¶Ë V­c3çY?â!_¸Ù þZk
+ÍdÖC÷Á1Ðò“#MH}:²ad†ßêÆ“5½F•çJgbqà&§¾ù4ãèØH ûù”ƒyÆ<˜^ÙÎ/ÓnÉçË,³t?P“©†œê!(‡n'¼|HøúøÁ“fQ"Žë3ã²ø½6<‚QÇ?#^vyì„Q!³P¶9aíˆPJM”–Õý´ø5mœ
+ ÄGìÏÌOÍ!ö®p¥æh-  Ìp d‘ÕÌê0Å‘N\dǬþsÐòa[” ##ŽW”å$‘ŒªàãFAžiXã»âÏ4ÃÂÕüàm÷àÚ(3Ÿ)qŒ_0\¨pZ#rûº\ÊF/¿«·¹Wë08÷nQ±¬,RjU‡"vÈ—7ùB7ôy¯GJfô[ˆì¥/·“ÂC
+†ØŒÌHÜ—`¢o(8äÉJàÕª££ðèÚ>¡YÒ{§žæ¾òfƒ†/’€môú¤»AËý`˜
+q;w¾æûD"'š0@=÷a#èQÏ÷ ç«î³¿k^G6ÊP ó'9TʤŽ!è§ËéסT;éîŠjè¦~C OÃúHm~Ë.!H!§[8=f÷‹âƒ|Ýt۲Ȁú!"L7wðÍV¦Jq˜œT#pÊw„áËàçýÚ@ZRÏÇ&—~¿w
+bÛŸ=ÆMF"PÆ‹C×™‰X1±
+AUä]<·õ—™ñÉ*1EQðÎ!A&åÔ@x*aÛ 99¬®
+ 8"T¾ «¥Ìˬx"-Ô¦[ð=@%ê⨹µAÇ!øÑ=wàûàÄÔ‹î3ížl4íõ¾s3&êš)\l^ÒÌÄšÍQõlëŒoúÞƒ´m9EMé`:Áóñ8ÕÇ7d@8‚f¸Òá`
+쟖
+Z€«¬_Žˆ9¶Nž9l Ú:Î\zäÏYÑŽ>}8êÕ:¬ÆJywkPÃíñÖ¸ÛJtÇlɬº‘;H•"@ë]P•½ƒ¼+æ%0)¨–úKÎ3á¯>KAÍHjú…L’Ÿ[ŸÞ KI-?<š ØQAŸ@éÛ™
+be2d5ÚÜÃ%Ìœ&Ø9«a7\Ô¦ï†F#Â#ÂìÑò#f¸E庲¨NÈ<ê¤yÈ(¢õœjŸZ^á&#Ø-•¤§q^Ñ+!d®g¬~3ûužíNO=³“Øý.E²ª%Uâ Ê1Ô¬}+lF†b ~ö°®–V¥Þ;ç£]£ÕKï o-K‡_JO«×<G«ºøõªA%ÉÙx¥³ºVšÈÀöáÅoˆ{YæTA”…Áø"ý5TŸnH®om"ˆ–Œ-Ç:Æ#Wj¥G]§îHJ,¨Å14Ü×X2j®éP„ðÐ0t–›G'3¥PšS/—]†"ÃdC·2|¼ÛC»ú˜8¥ŒêKÂ&ØHHU„.×I²ä’ùZAøý9‘ÍP&FÞù˜•Ü+Œz-«Žèc¬Vd½xP!Öœ-lÌw«5¹6‹yZÄX]½!­_68T_̧–K*)Ü•\€ þgŽï)—°t 5DBv¿, UÂo·P‡Üô*¢€\oz.;~ATyš#^ìs·]ÔUû(\’$D÷¸%ó»LeU™¶†þX•ùÈJ£j}kEOž^–d˜°ØÕ¶2"ÿ",£Då“pSì c;ûÏjr[­Vq?p úB!µ÷픞„œ{b?eV)”Õç‹Ÿ³âô7Ë÷—*ï„=„ÜBZïH_SHbűõ“O2æU®‘¿
+ƒ+”{¾ÊôóóÜ–oã<j=`Seƒ
+àLÿCîCÒê¸wCŠYøqxþ:Üzø65|Yúö ½uYN²Æp¿ ý"SëPy!W8½¤¡ÐWzFµ?¢V¢²ŠËHí’qn1Ux` º(9žì7¿P…óU@U¦6—z
+xa™ëi†µ'°'cÏæ͆ђÃxt }EjR—ᔚöc ’ËÎ(ë‡Ñ#ÔI]†kÑ›(‘…,·:®þ&q{iIÿHR[”ÅO—ÛÒßc,n7!Úhœè”>}yä¥GöÐ
+Â=ŠÚÅ׉_ó/7——1»—¬û¦£K`«¨àrøY±|Gõ`È=ÃÖápDÏŇ`™ Ý’(ÌZ“ Röâ.¨ñ”“¬Ù’ŒZ  eR:Ž™Ÿñs͉æ„DuaïkÕOSA`«ÑóuÎÝU'VAŸý^RõÂlyÄspèÈ^4ô—Ó$¥?ÝÛõ„$x¼@§åËÇÅÛoÔ$Z\—¬O„Z]È\(‚u
+8-y¨u'ö8÷ó\9b€Btï1³‰+/áu?ÌeóBjŸ(³ÂMEAé¬%»…> :þ
+aÍ×#êT/ãÜp·$3x»f' Óc;‚“ZàCq‹4:-žørf›B!èè‰<2©ÄP¶¿°wFôŽ.¨S:=<o(vY\×ø]l 6ÃÜX2ÌçJÕºûë:ƒ €˜LôÁ‡×V•GÒËôaq!´ÏU¹"õ‚WÕ§³o®Ç¦ ’êZæf3@¼eŽY{á>ØܹDñF-M0î’s%
+ÑÁQ|®gšnîòøÃ>_adÿæþ©£ñ!Îò¦_ 'Á™Œž$\­ ÌÓ ÞbHz¹×szrP'ðÌïã];7wÿ]@Ë/c™&ïÑj©ØMËùgº ˆàRŠ*6?á<Q±¿h9“µ›PåÀª;g¼¿Weø§eî¥Åu¸<Å]f†ß½ÒÅ{üÚEG2kI2’‰aªˆûÃׂ^µñ2€Ž¾‚ºeTR.™ã·”sÉ„5šT“ÃpÏ ÆJa¦s#
+ˆ¤ÅúÀÌ^wrËMbvÖºQv¸”ÀÕM€’û•}«9»\û®­µñ¶hý(t =Ð!yØôѼèãL[±I–ºîîfÖ ÷k6«6Ü´‚W·
+ú4.Q¶É;X¸%ÝC³‹£w1¹G[è£ëWc/hl·÷­-Ò 2[Ÿï«+Çë9?èAaOc·to1b
+'úrxxÅ¡®bâò¡¶(»EìæF‘ÚòQ2Ž'™'y•Û%
+]L­÷ú0bK„‡‡sMßTÕw÷ˆž7ÛÄ1Mˆ2çµZ¶‹h/+׃ùgo•Þ#(úyék)@;4ð•ôò,zfM?H€H€Q,Cw9ø€†¯Æm·;8^vWâïƒ§× g×Õg*¶v£2ãˆ~½s
+:ï5€.X¯N¡Cx™kãºÇ6°=T¯6d‰;͇W.‚ìeœ1Gx²MÕkÍÇ~¶]
+ÉѨzJ±[س¡£•ûLç}Ÿ’8QŸ†žèóÇ8ç°ŠÁIZ‡6§¡Ã¾¤ŽÝCkÀ.`ƒ\oàZÌZkif»?“䀅x`mH;ÐÒSVÅÁ°¸€ÈØ%à’ŒLN•ÿQ»Ž>19½)içíö q€ú#ó¸adã|-‘³÷ $ç¹%@»µÒó³gx«ÖŽ¾—©ý$œ.¹gL<§ÍòÕõñ7bƒS¢£éj%;"Á2k)à"ÿx×9=FY‡ŸwjçJ’Rö‹$›¿a,~LoÇôÚ«Ñäå³8Y}òç¢I6EÁÑ«ÿ¨œUX¬ÍÂ\>HnŠNß–YÁ ðV
+t /˜~ü;™nCÌ’}8êÂ)(Û8·ñËq]>\=n;‘:NœÞãË2hk]yt5Ï2NŠºœ¹ìI*œšuÚ D.²QQD‹°•6c8r…*Øê Í
+ÉJ2kç¤%o72mÝIËKèo5šn$éÒŠY~èp™î/íy\mT§ë4çN²j ÆjKSO}Óé†6Ñ gô]æÉ•\Gu²Ô2%LzI|’µ–ʽ۳:½TÇÔõöãOA©! ·\x,{"ÌF‘Ýwz§ÇY2­Îž•OdçÊúÎ`/â•<Á³Û9ˆÖˆH!‹¾Ó„ˆvŽ–,ÕõMÄ[ñ«Ïõ^‘9¹Õ3Nr‘17'rùJÒ¢î•"bPŒÆ(#é˜ÛSˆËZZƒ•õuÄþà35<¥¥½::ãÞ‡ ®™!‚oš”,~"‚\ÕU¿{’áYAäÌ(q«Í€Šµf­Ágß‘ãÓÅ:%§££ð¨±ræ'ô*"
+Sdü=zÔýKò*<gÙ e
+ä’
+tmQbà¯mq™‹Ó™Ãþ<}~µ[$ ÌE(-$Â÷p¯¦Ãk"†½®"ÂÔÑóM¯r=PUÏ£<z`YOû€Ñ¶¡éœp¡.¼2#ëî=™j'Îgª±Ï†ÕP…êf
+ínø‡ç¨H,d10PP ñÌG7¼_dêÜšÃjSX[‡sò9 –øî}J·tqü´óįö±jFˆ~å^xíVî°¶+'žÔi¤‰Å>Œäç(–©N'Ù¦7ÍÌu<TF[•÷EÔf± ôÒðÑ¢­äj›Ü!|íó€t_ŸŒ&âɈ%Ðóm“õC#¸\!…øí…§kÃ+襴aÔÁd–ÈÀáFbÇä‹ù­™7,jûJ<Îy|»£Ên§†“±S¸J[äA°óc¸`tÈË u*ÉËšÇð)µßŒÒšŠz̤¨ï‘Yq«@ ¡ôÒFó¤iIl.¼3 h뉵óØ}ü„qÓ~|lHþèDY YnCè&Ì´çAdúsÀíe*ª¤õ
+-„xUdÛ¨û+õÇñ Ñhå3MLÐÌg•¼´æ´[Ðånd&N[I³œ9u»Ž;h‚¦h Ã&±v¤ðcý‚Æg[ÙÏ©R#*
+ñ¥ØDˆƒ¥™Pþh÷ioi1ÂÿðïîÅíº”a¬M(añêâiùà êÌ‹þîÜ0Æ«ŠÉ,zÃĵ:ûc
+‡ÓÕà¦^=µ®ãF–:%)Wmqf`чÃyÜ©˜¯*Ò2|í~ðµÜæf˜wÔªóŽ6‚ê¶SÖÞ¹†öJya×
+§[ªhÃàz\^-B }‹,Kþý×nc ]O;EÎÁm±dé¹cxá˜g¸=%T]ãë÷\†ƒ»jïÑÅðdêÅâºì´Z>»M4–‹ÎUìé´wâ; 0eÑ©€©KE*Ѽ—`0‘Êêk6_í „.‹6wVv>OÜ€@w¿‹Ê«ˆüŽnËé(Õä^…õšjóFkƒ^Ù*® cJ#,ÆÆß“Û§FõçÆÅ¢Ê ôó¶‡aÞx’)ïB'ƒ=Z°?éuÊiŽ% 1~fÌ3Aù/A€NÖß  Bl‡wÜB+<{ÔÄŠ €£iÝìG{K¿/è~¶ïõÄøìϥʰq˜X†bÝ>tÇ^hÜBÆ´½¾[â.1óÿb´$&ÄæEU¢láa/ëÔ tï˜Åpç7/îEbØ…> åÅ`YךŸ"3^›r¿ê‰Š;ÚQ€µScÚï|Ö%Æûêæ%ÎÖ@äR›„L19ÒíQa[ˆb}[2"¨œIÍžï š‰MÅîùÐÛ Ïü.ùœ©e‡2yÇœóé(-å5Óü´õö ´6¬±Ãþ<v‚sÖ£Ù¿1
+(led7)ÒÙsýœ¨p')ú¸ã]ž¾Îã»:N2àp6,Í×ê[®¿HÑÇn€R±PZ“Tª®¼Ø¡!Û$aìºï&Ĭ½oßlfS,åµ¢ÚxµÊ QœK;cå›@¤W?陉éÍBËzîrè& ’1i¶üžÅ…‘ŠI3w¨)§tÇœÅþ>Ú™D;Ùäþºˆ_4×}‘ZQ%“›½™·]+ŒO‹àZâÃì&äÉ›Ã.²]ÝHŠöç˜ÉuÜPè95ÿ 뢗ÁfDZbŠDl~r’nü%n†MmÂ7áC¢†æ‰‰b Msû¹(ŽãŒ¬--¿ò^Žö垌½ª»1”Ék^-ý•‹Dúft^t,¦£®ud˜'½ã0"©1oQòŠýAÕؽ6$-0,µy±ZdR3cÛ^„OKoÿ(r¯”Šµß‚¢ùe :3ĆԱhº¡³Œº:
+¤öΠ"¦ýŽ :B;«ø&&c€'I”…Òn|]ãh¥ƒµ•
+%‘åwÕkïvm—wàpÇJ¹¾U œ÷&“³oP1‘\œfr;Š|Y[âéÂn†ö¹ë °¾LTÁ¸Ÿ£d«ãÇ­!5ñ樹õS^¤X#Ûwô¨$c#Õp×RqE.84A•„#ËPÆ4UÄ«SÚíÉ°ª\bÚô„ÑÑ`“ÇH­0åɹr,_QwæÖB“VŸ4 O=“½´†?â;ežÞ¿(‡½
+7©¨—.q `~K±
+¯3}â ›ÛÉAj¸*óbŽ$k3VgzØOÜæ*PÛ=Idi)~*0vyÊî
+9ŽJ $W‚`ú­ýRÂ#Ëí"?æ’²†øo£q Erl>íÏÿˆ!!(šÐ (ì Í^÷H®²€Â#½7§”dËO €š>Äá}¿½8$ 4ûÝJ—ó^wÅý $-Z Ç;¯'ÉÔï{œU¡f
+Rs2$Ñ%º‹ë!nß%BÛ»C)uv÷'\ó&6Éu¨ë=Ôä:Æ k‡z½ÌèœýU9S/ƒœþÀϨŠïw1~µ0D6Y+e»øݼF‚z—P÷«údoÀ· “T”,û«ðrJvº™‡ô¦ä‰_q ¸‰¸Oñ>Ëz0å™ð3ü™&UK&g&¥Ä²è÷˜‘[zÄ KR"áš…ÊŽ®è/¶ß~+˜àÔó†pJ§ã•<êw­òöViåhúyufRµÕ–4êåp\W a ‚Ó\—B
+':o´ù]9>áÉ¡-Ö™)yãXp<âo_jð½äÂUZ帥þ06_VnO¨nórzcúî×Õ:L“5uþ¨8Ýi÷™¦»‚w®P€RJaa¨êé4 ¯a²¿{LÑ™B”³è\@oE…Ð;çA‰ Èø,È+”qËájŒÂ¹’dV8G³}cÖÀdâæî‚^.ìÍûÚ˜ÿà>*Õk …ÇÄx>2øµ•_&9¯!Æx˜ÙG"¼ï*“¹±ÌÝ»á‰V0D)É¢‚k‹÷ž:å ¯P4û
+Œ›?yUGáõcç’£Ä %³¤™š€î°®÷šTYØô
+®V´:cMG  ÏÌR\Y^( [#¶æÉù´*Ž|J¾¿µ°æêÇߎR/ð÷hïšý®dèÍß!HŨ¦µ—`èHÜ Ù•õiÒ¥8Ÿ¢—"ƿ첈ïæÇ`é"¹º’à †Sð’ÞÈÏ–<$¸Îâ‰ã
+y#K×2ª®q1g¬›“‘-öæÙú݃ÓIÝFÍ×½Mx°<?ÑgýÆ kµB-ÝNlr¥A¤M/šÅƒ¾Iµä;5÷£,Ø¿W‰`ˆiÈäLJ©x’ ʪѾÓF/Gc à"Ç»_¹,Ó¯+¢¸&lwsä`“ïS&®ÖyGpˆ$9>O cׇK2ºëAÆö¹Ì,b šO)Ù˜•䪎ۖÜå×ïLlˆ¨¯Ø:
+:^fËër¡ó5‘ª‹ê(foC;a'¥'Ô'pq84«Åq†‚iµ‡„
+¤¬™·yæN¡ÒÍ=Ñxhwí‡Ð¦-LêÅoR„µ ”3'ÅžŽ7vF£¼êb•r1uºÄ…›Ùaml³§W·áFIöõ»_ìß±#EÂp¯Î\R8úrî ,¸©n²o‰¨¡2V;ëÃrÁÿßþî [gƶé¾ï—OžBË&í)Ü\ù#ûÌÿ7õ|®æov·E|’ïÙ}…I%\ÜrŸø¥ 7K¢ì´v,_Zµ¢e¥ÐŠÒyÛÕíŽ%_ÿœ÷ãyìÍ2#íO¯Ö8_^{ñšÃÿ9ÊçC'±2]ØÓÔyÕáùÍ)Óç©X÷\â~¡æô}Ù’—§Ëøby³Äó{K9ì™ül“íÙtß9³äí2Ë~ŸÏMÖYYzࢄ°TƒÎŸ8ë6‰B9ûdIF†Æ{úáª:OãÊ.,|©–u‰•Énãk“9u³3zX&jîû7WD‹ý î9“fGÝÏòTNo½ª÷À’Ñž3(È'Pôè§b/©ˆóy§?nIËy¶ÚH©îš©ÖšÖæ-×¾$êMS|á*¹áö±k¬«¼+§Yå–óŸ}˜á·ÓÂ;œ¬ëönüÍ¢°iòüêÕþ™6íŸLÂ6/èžµý±æc‰][K8–¾‰KQùiš¾ZnrKb]Ÿ:ß˃ü—ü¬²´o\gl­V“Üèãë]šwó¹KÿM“? ÌÉ{EÝf3Ë…¼×Q©‘éÏÙ¼‚ýCÒR¥Èk_g-äM·´ÊQüµõ­öf
+רÀäœÔÄ¢’üÜÄ¢l.
endobj
-627 0 obj <<
+880 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 1344 0 R
+/Encoding 1915 0 R
/FirstChar 34
/LastChar 125
-/Widths 1353 0 R
-/BaseFont /YXERUA+NimbusMonL-Bold
-/FontDescriptor 625 0 R
+/Widths 1923 0 R
+/BaseFont /UFWDEX+NimbusMonL-Bold
+/FontDescriptor 878 0 R
>> endobj
-625 0 obj <<
+878 0 obj <<
/Ascent 624
/CapHeight 552
/Descent -126
-/FontName /YXERUA+NimbusMonL-Bold
+/FontName /UFWDEX+NimbusMonL-Bold
/ItalicAngle 0
/StemV 101
/XHeight 439
/FontBBox [-43 -278 681 871]
/Flags 4
-/CharSet (/quotedbl/hyphen/period/slash/zero/one/two/five/six/seven/eight/semicolon/A/B/E/F/G/H/K/M/N/O/R/S/T/W/Z/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright)
-/FontFile 626 0 R
+/CharSet (/quotedbl/numbersign/plus/hyphen/period/slash/zero/one/two/three/five/six/seven/eight/semicolon/equal/A/B/D/E/F/G/H/K/M/N/O/R/S/T/W/Z/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright)
+/FontFile 879 0 R
>> endobj
-1353 0 obj
-[600 0 0 0 0 0 0 0 0 0 0 600 600 600 600 600 600 0 0 600 600 600 600 0 0 600 0 0 0 0 0 600 600 0 0 600 600 600 600 0 0 600 0 600 600 600 0 0 600 600 600 0 0 600 0 0 600 600 0 600 0 0 0 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
+1923 0 obj
+[600 600 0 0 0 0 0 0 0 600 0 600 600 600 600 600 600 600 0 600 600 600 600 0 0 600 0 600 0 0 0 600 600 0 600 600 600 600 600 0 0 600 0 600 600 600 0 0 600 600 600 0 0 600 0 0 600 600 0 600 0 0 0 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
endobj
-623 0 obj <<
+873 0 obj <<
+/Length1 1620
+/Length2 20127
+/Length3 532
+/Length 21036
+/Filter /FlateDecode
+>>
+stream
+xÚ¬ºct¤]·.Ûv*I§cul'[£b§bÛ¶mÛ¶­Ží¤cwý¼ï·÷>cŸóëœý£jÜk^s^×Zë5FQ’)ª0›Ø%ìlA ,ŒÌ<
+o(:¨Ñ_‚ä¤ñOFuØI)Q’¬¥®‰Í:T\+kÀ2ñ´Ò(ÏË2+­Ô»Ð]é¾çAM¾×Q­?A"tto¯$ÏÊAœÇÛwÎB¼ã¢ü1lþUxq¨eÝÒäöt¼d"$ÀÇŒ‡™M ,tEÃ2g§ö“0ACª•ƒÇ“IyàbLżê|c
+ )/úh½0HéZ=`|K›@?ôî3Ob¨cËL<Bß1d÷h•ß$™§”±ù¡î]C¶Y™GOýú!‰ëŠ.=÷«Ý¹½.oÇ°,½ƒšt­¯”3sƒÆÖ®·qbé§0ŠÅ°ÈDY~–iÃøu(Ò˾‰ªæ³?ž cŠÔbdS7sYð§>ádÍíìÉQûcz‹þú7¾cèü¹$ Æ>2Í%—¹ß°%F
+>@í£dJî'¾T¨WÝ– ’ÆÑë«úþ®@Zl—,P* ï™7o6x©bäÀ×ZëíùOרc ‰^à°HY¹ê¶]¼„qGÝx- $v·úyüJŠÑ‹lüwÝ„ze|5lÇ¢‰Û&^^Y†¯d¤å¸=眫Ø'ZðþžQ.,°#p¯ü°Éøù¨~j‡|i¯ÖÍ_)¢é<-ëqHb_Ò»S3‚4~«Ò/²Jú
+ó»kœAUyÑ® D‰<aº/Q߆W}á{N·râ‹0¢ž¦¸ 2üuŠþK!Ìe§óç-õœ_…Éæé&·öŽtºö›)×öÜÑiÞÜ=39^TùyÖVÑúA`›Ë¯“Š×1³[´³Cr!F\YÔT¯É$0¹âv¬]1¹â2õ¦2˜÷¨ÏQï<^™2ÄH‘,Fð«­ЀöÕúSöËö$§f@ÂÝ}7EŠqÂl™ûÑ0†R
+CùV¿·¬žg&>ˆ„’"µpVk_í+t·—$ïÒBhtçß’¼`ª-‘C†<l®I4@‚ŠÕÆ6Ã0;˜‚û;>Èù}îÒôƒ¡OQN¢¾hÉlÙ‚¦X©ÍÉÃÚ-ðÝ󜚮Ӳå‰f]D–„]fp`Ý
+‘ו‡ošDƒŒ ¾”¹yÙÚ<1Þö÷Š3
+9à Ù÷:Å„Ÿ\ÉFlý¹ŽNÁçµ±½F¥1¢{1I#ù#gÐM!Å&Ð!ùf¸¸<:â‘[Ç‚êÞ—dx²UÃü9‰Åm³{¦¨F®Aº/b›ƒÞŸ&ŽiÊù0ÆÊ<É{ –3Á—)t;¾
+I…ÆÄ8á J’«2ðÚÁF–û†t÷+àK‘D:rtËSα£³ÒFX°Y¿ƒw0¢ºãÎo‰Õ"Ú-P¼L>Vš˜ñפ2 Ynîë|CVÞZsZú Ó†x9„ĶU&bNž\@š'üýlNÔÞû1ãWÎèjöE¡¬¨ÿI1©~´Ç)¨¥P#çP&¦B5ãrEò¬é&ÜìPÿgÖ©‘ŽrÏ3ä5ë(h“‹£66q¨ JÄ·­ ï|à·Ë Ç#·û:[‘úìƒîi0žì­ÎÚoœ*3ö8¡|SgrJ_ˆ·¬»TáZ‡%{ÍbË„pøTþÃiK¢`È$Ñò-ž— r
+g}%ž¿<ÿš¦¢§y>ÕdsŸZˆ—ŸäØt‘ùB<*Cuù­ Xò4RWJY¾?Ôse4¿¦öÁGGøË=1nI6ö>â¶dxøÛzÀÛö§úø÷^`K­™u ÒZ¹$gMÍÍE®Ý§R‰³› |~Π;âIךÚCXFçÔ[ "9Û
+%Všy¯Žç½wd`õ\¥
+?>Lîw\_¼__º‚+úˆ—Ï*×5²,Üâ~‡
+ËGBÐ×4$<]q…x\6_ÌI_ϱȸtÓ<< ±ã[ôV(“K—ê£hAÑLÿžƒ«±î«k”“Á™-H¼~„ÈëRtàÆ;ê¬ԧОSŸ«,Ä>x›ºQmMΠà¸ÀöH|’MÇD-2:s»ÁK¾jÍ)yu$–©Ó:ž•([mq!+GŒ™SÞz‚PùÒ†ÞjLñpö«Ys%²Ý¶p¬z.M[›t]Þ§ÀŽKxÀKPų½×ÕêL•ªçLý=à'd{ì-¥?Ö­#†‚­¢E^+#6#– ñ/–“õ­ñ¼ÍTñÖ<ínÀZ‰/”Ú8Y2ÓØ/gÓAÓ›øæ±,dx
+v]šÑØ}a(ôÉ:eÝX!±«AÏ[–Ž×ÊÜ’ÀæƹƣÞ3a‘^£ãxR°šË\ì2ª<2€ÿŒÍmxÕîQžæ‘QáE‚žÈ¿¼=±HF,ÃØðªÊжÌ>Èü]¼¾Ø¨ÍqZ\Q0³“×-|/SS´æ;ª? [B«˜jÜë&BØ’ÆIRòu“$€„ƒƒj°i&ÝY³$——½å£
+ç¨÷i ¼%0¸)xëõdïIG•&Ž¿œÃtɳ6†ž7|¸.&õ
+ -ΈŸçf™ÕÈPMC°3p§î¸eÚìq²áBÞæh‡~ò¨,þ¶¢Æ®¹ÿã
+¥;Kƒ{jPÌCÛf¯¨“Ø£_:©Ãb*¬Ž–Ôº°AïhµûÞÈq‚F΃a¹¦Ô9›X´Öò€)t‘ÚQPAng©§âÏíÿ4»š†ü˜©>¹I¡Îúîá
+-5ù\;³½2>V®±*T# +
+@0‡cz´ëðcL"¸¶©ˆ1tQ mhž7OyÙK/=mŽ1Ü´iüŒÇŠ··ôŒÄŒ%¥”v= \lB­×9Ɔ½‰ü‘“WŽÄõÝ©s;Ú¾†øðýa_ 7,Z±jg[À6¾bV¤ÊY—qá=›TLÀTæù4¸©ŒZä¹xæÇ©D S7Aof„ûoŽ¦¹¶†d¬Å(?# Í”¡4÷Ú7©¯;˜Ác%$P„P|¹Ú“k½T˜dpR(áæÓþ; @UÂŽåo.P
+·?å?«ì:º;rº¶;(œåÒHBÐUQ%Wy¯ÇûcEàÝÚóÌãÁÏbמgo@¦ð­q´ÔDÖèÈ' )øóÁ«ÄhåHø*²ï›#™·ZÏYHá( %Òïg!›µ ß¿ûW{|êõhñGÆq¡ÄL»»o–DTèd·ºãú±‚e6D²]}~Ç¢jé‰
+S(xÚ#oÓÜõç ç‚
+¦cô)E}dðHÓœGNoj<]Sç¬<âu½âyקûU7Áê­²‹E«¤py÷á8'ËÍibHö qT?q::جöì(ݽïRgÝý>^ØûûWM€Õ}ýÐ駋–Ê{ÅóZˆÔ(sï[6ìÂO ‘zü
+I³ÙêéÇ–T©-˜R§5߇›‡þÚ@ÂÇŒçoT§÷uf‘‚‚Ÿ£;?®IÖB,$ÊqªG¶vÚâ¯PIJ •£Æ»¨(¡àœ•SÕ`RHáRp·É/i¼™É6rƳ¬È»ÚôÊvökU;]äW¸é­ysV†$Z k›oÀëãõK„ö Î£ æe*|LÞ¹*p¼§}¸ò× }an²éÜ¥ºÏ¡öÚò´Ú7dîyˆg9ÏÅõð¤éFOdtã’ý‰,5FYrè¼c}í¤Ná§à:†KÐe fŸvE#Ÿ?Íю˪̘ í‘0S(Ó¿£ME J+dL©¬¼I­ð^>|$½g'IàŠ´?"týy0ïù4=:9W8ùÉÝ1Õ
+6AdQ›¹Í,>N)¥Ò©ðOã’ÛÍ·o}ŠÓ3U¢ªõ3“ÏŠC…}àp)Æó¿a™FK›ó+ •W1{‘¨íœiNŒZ?¿~Ô<îZÛ×Áˆô~ô}“IU?û
+^ºö*ÕÊ;â˜<\éæjB† :æ‹ãk‡o™ùžËýtaA=« ÓÔ'ŸÔÐH•ÄN!z^“«ÿw¢ëKËÌ´«vߪý'ZÎØS³_-Ÿ!¡ÑÐ9†˜­yƒ±<`–ìÜkÚìƒ8˹‚®UF¡èýÒ¿äâôëO‹¦3xª©‡ì†°b$pãÀfN2rI[ ÷Ð`-IêѸ\\AIëÇz£AÅ ;²;»¬·Ó@sûÑ’Ðë"ø ,méG(;vø™Ùd×"|‘"¦ŠÄ`྅Óé‘«¬óõlýÖ!|t]Œjø0Š–¬¿Ö¾ª0Z )ˆM&çEî+É÷Éœ GÌ7kʱ—Ed`X]ŒÚE•ÀQd¸À'D5õüDU°p¯)+7sZz Ce´–
+Ý)k=g<
+ýÀ”å•LâàÛìàwD#XY«yû¸é ‰zp£^àž¡°óRÈÒˆþ‰B˜D²¼¾Ý_v|˜÷ÕìÆ”¡v’S|*B‰ã˜D#ÑŒ¹N7uˆ'ôx’ÎvïNEy-‡UI 9̽Ç|iýB[}¥­ Ó¨ÜE>T ”;pf4_·Ñ%ÙøN} T…—Äï÷uĘ¿”õ‰¦ûñ,Ri.ï
+„y„ÑŠ<¦ªòÐYtÍþz`Õ4ŠMÇ>f·ÅH3¯ð(±…¼]¨!9‡çߤ–šà›cà
+è°ƒXC#Ä1ž7róѧƒ†1÷‹þØ*:½Ý
+¾¬üš"¨ùᶓ°P ¾¢®tþkºô¡ßs˜8ÁºÌÈ8õc°ã9­•Qæ3EåŠü±¹ÙΆq«¿tÔöÙËCCY^"fDzJ
+ÛnÂ÷Ù'Î{ü®ÒÿŒŒ®AiD–Xg‰¸N
+Ã2k}„‡Œ°±hd7,=½åÒp3{9 uN4Òœ°T—£b ؆F–i$ïó‹'p‘}¾Ÿt¥™´ð^ɨ"3±Ut¢¡zx²ØÆx4D K¬ZógÜ–z‘xC6‹]äÂØý9&yóï³t6?ðÌ"%
+‘¼FøCAÌÑð}>€¶6‡¢ÓVÛþ\ý di B´«ÙQ¯è.Ç~Þ‚´ÈÌ=ìäm’6yS$ý-Ñ¥ª¶™)P‚´)keÅÃvM¡Gã¶Ëe·5%¬_ØYûMŠKÒ}ƒ†Œ8 îÕŸÃl5wìóµ Ô<öÅ·£„²3dz’œVÉ ÷
+ žóø.Ñ°\éd¥(š˜>¯–LãPÊ  Ôš3,¿Ô16še¤³Û²˜BG»OåÔÏæ¦_ƵW‚®e oÎP×½'”@ç×Ò KLýº-/ÞJ[ýŒxw]öG8förˆVƒÉcvÄþh;Ìšé£è‡µŸõ!qîL¾Â mÕBÇïã@håR}ºûür†¢'rû⣖í5qq!Š¥¥¾Üt¿°wô¯µžQ8É@Œ‹«}Hë%‚Õ›E1TâìGäìï¢vF9Õ´½Öœþó«õ‚y¦
+°YN0ÛæxôÞù¾•·Z1#‘pÐG)œïò±ž{+¿ÝªjwÒ±E©áš=P´Þ7±ÙÑ[7û¦“¸NYYÇU¸yd
+¢ˆÉd)$± ¶Š¸[a# :‘ÁÜ.‹ÍÉü7LÓ„(èòGÚyö é안øžwbMŽÓüÇÞNËe?ZÎÂfRc¯PÌeš²ªéQÚ"äI8
+4Æg÷ÎüôL¬¾¾Ò?Âlœá6_±Â؈u‡ëî$àÝÌ;ÇDpBÝu¢Cbî›#13º;Ï
+*‡Kò·¶‡;¼-’"+ܦ˳-ý<ÎÈt_üöYëÎ’áBÁ‚¡$üé©Ò.&>Ùe¸R¸¡3›Áÿ]u7üaÌõñ.R8‹zAµÓãvnXLûçpYTÓôª['ÒøUÒà=|¹üº*ÚÜOAŒ/–*CØ ¿?CÞêh67÷ Wáïx,V½ªŽ_RÆò^/H–}èÈ;‡¨=+mä káÕÊuS®ÉẇNbnN’²‹Y)êctž-yá¬JHw‡d`‹£Mó®úí}KÕ4¬«–!øWù…sYÚá•MS |•Ð§D Nß"æµdYDé
+Á4õ5’KÄó}†#‘.§­¤‹R‹«
+õS—¸­oïV‚•¦x{ì—?]Ž{øjA}øé{¶$õ†BÇÃh>/o†"U¹»ý´P‡SkwUçn0þ€8âàB¶ü¾F;u¶pL)#–à
+}c6!„L¹âP’{ƒá;D¾dçqí¨ˆz`Ë2«f§µ­])ÊFDŠÜ›/˜[öÃð"§Ê^wHZÁ‘³"¯oD{¼_7züä5àb«;ýS@$ú¡W °²ZðDò¢òuÙÙ‡W{fMÞ2ó ¥I*,~…Ä©¹#xÖÖŠìz‰KkVßL™E›)¹‚¢ÞIXbÄSóùÈ»´[N[lº3íLX¬˜üçw^@dqór
+G%vA)ÁÃG¬³¤f‹o¥¿ñ`Ý­LF™óVõ‹ÔK‰óÔÝwø`ø?qŸàÁ¨Í tj@®È<a‹÷÷äIFÞµåüïñõñÚ1*Oîc=÷Sï×Rf•«xh¡«>Îê3cçÈ
+ž(—NÑÄåi¾%¦Še¿€Ù?ó‡ Ÿ›o†`ƒbîª0Ø– õÚ MR¾
+Xá…<§õ0ØC"ôñŸjè(–ŸÚŠeÂÑ_{Ú#‹p7ƒLìÙ5`:ì¥~Áì4«¼„?ãL®Ý8Qó\‡,OÇ™ÒÀ;ŒmhT Î§µVÄ! ¿h¥¦ž;t*ê¿ôŸçq !·Ë,·*¤Z…ΟÐWŸ¼T‘*”„6C‰:(ç›ø9ÖɵQçQÈÔGæǦߑ_<Â9ç×YÛ­ÐÚºMîƒ3u"JL üüÒ¦Q#ÆV_©©…vYTóVKYðçæÄÞU™gÔ»ð¼ òù‘Ïz‘Z(ßC?¢1Ý=žâD®jŠR8€‘%öøg×Èži2v»n›„¸MM¢t QdÂ*l%–¿‡RS7ÌÖgj¿¤‚<ÿWßÊ}#ó9¼ˆ¯†eç^™êgÞÀ Ïõ#²z:Ý¢
+Ha\»¤ÿEH Ü„Ôçì¾f• %bA¯üIÃvÊ¥lPsw‰8º8Ö­æŽÚz1IÝûQgÜûØÍMw­©•—#ŠC$=ꤡ ºí=ŒjâwÔŸD*/ÜÒdêÅÎV
+ž‘õ÷¦ÝÔÆ.3±õƒ¤9ù]v\_17OnS{‡71¼ôtÝêÅËCgû!Ìõ’+Ì\\j·Äž¸,1Èßß62–e€Æ§¥ì¶£þ&kL¿ÜêWÎc½aàJÚQà&AY¸Úãt¼Å+«8•õàZõг…V|Òœ½ÅÆú¡/½99t<g¸`^B?h¸Ç0Àûµ©¢ûOÛâD¥¿¸ÆŽAôÅöŸÐˆ"&üÒÙGZ‘úáMŠ÷1Ó.Ø›ÉÕ
+}É6¡©†þÇÈE…<ÊP&öÌ>sDõbÛ_ÇÜÛWp vµe>‡ÿö²fßé(!‡°~i0bkzì¾ÕIä­ÖÙ²¥©@ œæ‰R&ï…Ãi$|i ׶Π³ùòR¥ñ-f —ºŸ æžæœby,I꾟pXðØ©»›¦Æ)bF°¡K·b¬H‰ÌçubØ<A¨õ¨Y*ÓIÄw7y èÃokSI‡&úÆΤ Kʱ¯¨/ÞQwŽŸž±“&×í1™>JŽ%Yô¶yX}<¹ƒùÂ3éîe›i0Û~4f$­z6n/¾˜z¤ðvÀÓx$×ÂìÀˆæÑnmeõaàtçTŠEð­*>÷ËMÉCJÁ0Ýg¿WæWk¡0[(ÃL(”ÂÁÒ/;í:1J ÛÙÞ¯£ùþŽŠ's
+†‚˜!Y5ª¬h›Âø
+’9„©²Íºi=ÿ¨nuþò©­'h¾N«˜4Õ 7<±–¹ûIíÓö†÷Õ=Î)iÇN{À$dQñãTË0¿‡h¹KÝçµÙÚÒ9äóÌèÍï@¢ËG¢ $éðfKvHÀÑ:ÓÝ&îûAoà `žŽ“DGO?Ìd¨ö3ìŒ Â̪i¢ì'Y"-°ö-¸™¸O-õÂ5¾4¡Ã­š6rMŸ4Éì’‰üË¢¸U9F4Ò±SÑU-ÚÆ
+¡à£"Ð,‘gÏKîD~^ººÓÜÉ/Zn\Æ$ÿM­Œù–1ÄŒ)Á×BoÅ£E[âcQóh¨X*úêÊÒO>0”ëw+ÇœðaÚ¨F~¶zñyþþ{ ‡gS(êá9‡&IdÑX2)Fžb¡8ÚËp¤‹PX,Gæ(xõš2œS`º faje‰ªh.,w¤á«7
+cLÇý2 Ža®
+L­ysŽ<q›é;u %ý¡xCߤi67k]|Õ•ðÓ*‰I
+Ñœ±îÙª Zˆ¼¿›7Ã_ÆvN¹—Ks6Ù\£÷ˆ[wåÝ4
+Ò ÝzI6…®uê+¤S9ü$±ì
+³î^x½«nŸN)ýŠ‚Ÿƒ.Îq:¢:+ùáŽ{ÎúsX~²‚e–yÚÊYTº¾ws!kœ(IÛÌÀB(ëÊ#’ØMëü««}d˜D2è9 ‰‹â—'Ì¡ø´ïƒšÛE’,6bOö O;fôu-~_Çxð¿7¾ØÄ(Òñ÷í/Ú݈9?’WÛïµÈßFgùè`æ}ô}4*¦
+…3© ¤ô1.aõÂ’ AÜÿJ&ªƒ0E|R*ü(ô¯[ \eZ¢¬ ÏÑZõçú½á¸sÅ%¶_,sEjìœÌ.®Ü¨llüqÒé;¼ô½ë|i*VÖŸ
+¸Kþ­Óp’¹«³>ú±ägWüD³É÷?æKåÖôm#|žZ¡£ ¢Ieí "b0G`½t¢n¢J¯q¨ÜÜPé¢G08mÜ8Ùªç µÝ¯Ýã¤ßRf§2e±;$D/Æ&.mÈ—(Ân¹\çU"S#Ð!=7±æ
+’Š±à÷+ÐáËú­qJ®lHsIw¹eòª zDëÞªÔ• NÚšO%ÒçÕñr‰½¯=W¸Ë„TF%:uÀ䀙2º,~u‘\ıáýú”oC}xù‘Žq"4{‰
+@ûÅ#\t£¼ó¿º™/K®Ÿ±UgR¯H€d~È
+a«Ç|…Á|e¿g½¯ }ð”uT©ûa3s+³Ì¥•¿½ã1KÇ×1¼tþ~¸O`Ë’tyQ[ýÈ—M!›ªo®J¿¦½Á'‚K›ð⊿Sî|ÿ˜û\WAƒ#‰Å9Žê2]2Z³lp‰Fûû–†ÜûO¯†O &¤ ÜDpªV¦8ï…ñ™÷óìº è™zgØùÝg¢‚5¹’-É}P«†öž/£y+¢rC*î‹#&ï]:x"v˜rNµ4¥‹|ÓWíJû`føZ1mü-msFYîÐ:8[Ž–?[¯+v~ôðá²› ó&pÀs–K‘v£y¨¤}Üšÿˆ÷[â01%¸.cœY‰]j˜ª:Ç¿ùö:Qqæ!åµ¾©ÏÁÈégƒ¡¾{£6jÊÑõ({ö;¯`ôô«î½A$äÆä¥=ÿ7<‰†ÐZLLSXëFŠ}Db62×,èÿv;=›#˜‡Ãc(íˆFrEƒÎUA7Á¾ºñ°¤‘ïμ Ÿ³ËØ 0
+ ·‘—Vh/†¸MƒD:•ÄÇNñü°†•:#Þþ>PLÇÒwïÿQ5GbÄñ Òû¦ªð@` Ìz(iVþÉOëµ6 ‘
+³ãÆ Y§u ïèœÙ+èï°9¤- ˆíRUöMxöOþúíú¡ÅsC¨3‚Džú›„àyEà·£¸q ›—Rôd}ŽO± æé[ÞÄ™G`c·§;[‰^L–çÎ(Ön^v轈î½—’‚IA?‡Zdߦx¶ë‡0Þê5/„·ï0iñUE°—,¿"7ZE"Y÷­à ŒçÂëáÂBG¾8˜¯§µ#êÂ^ êa¹bÙø´­b÷VîæלuHmzæî
+P̪è¥Ôqõ D·Š@ÞDzˆ‹òuçöÿäüfN?ag>-šŒÊM©a7šµjª)Ð¥0c1å˜Åêž&¶Á0®ï¸‚«n9¯ÀMæW )õêP&°C˜Ù‹÷¥J@eôOqðȾÿçx˜¡ù3ÜÏú\åušà$å·=„þ’»:0¥äí ¬ {]Û7°PPÎþm1ˆ’=pËvÑ18Zµ±ˆÀºrG»%±6.«ßÌ¢8Î8П«woZKÉ9'çêí#úG—ïj²X+§ÃšP8†»Œݸ¼0J…®D“-ýf¸=_U0óA­ú¤‰Lÿé-àK‘ú¥Ïã&zŽ^Lqêm²ù›_º´~æ9ö$ |òÔ«*9k+ôûÒ—eL€<•Ëu¼É]ý v¨Œº_rœ!¬ß§Ìèèn"X[,#ѬR;Ry\³¥»VXÀƒ±AA+w
+©õŠÊ»üyž+¾û™%’I†2£mÞá­¥\÷¤uçó:µš¥WbÕ‘¹éˆ×h'¢IµCŒºÛ 
+JÎtŒa½µ~öB¿çn 8b¦”W»VŽn$èÍñ)4Üê¤÷VûËÌŒ;µ•èN ‰R£ËÐŪ§ýÿ×>Y¶5( QD‰!%ÝHîfà¨Ñ9º‘n i’"]Ò-Ý1ºKÝݵ÷þ‡÷Û}îùçÃyžã•”4|œ"ïñ`Ûý]_€ßÿ¼Ý²í\£$«:ê¯{¶F†Æ»lìÏ3¢?ÑL$G@Öóå×vmôãŠ#Žª×°tή4ËFIñê\é±¹†òã–ÊcLÏBÙðn¶²e™i¤ÿs;<¶ ¼ÿñÏ7JŸ¨ie/þ5÷“FàEZUuç!í¯îðœJMþ•³ŽôÓ }Ëß–~¸
+Âòé€z{JE‰FªM Û„u–æG0i ž³ÍÀ†^µYkúzþ'ôÍòH¬n“È([ÒKFR}ÿ^÷ôdk
+±5b$ßì}Cd%#vﱓ*š°ßÉ ‘ú°»­¥8hñÀÜ_Œ»Ð7¥U½2f
+b›oÒm÷ãÅY…½jãnQŒ˜fýÊm½­ªm&*þ8”Èç1|ñ˜a¬~– F‘«•¢ûÎòXQ;( _ÆSI0ü+p˜ý&á¸$BF
+ý1ì_v#ZâÍ,µgªìVØ
+*‹š@i‰úû¿ž8ëäCî3luRŽn£ÒsbX‰É ýÚNã0Lb£?yrK—Søƒ=ÕˆáÜá@Æ žÀlþ ¦Ã<˜'•AÅ87gñU˜
+Üxäø›Š•XGŠyº'üá9vµ,Õ½OÓà¬KÏýØIC`­” ¿¸9Âò§é¸ˆ ßcZ”Âh.RÕŒI8¬_$òfIKmÌXró–€àÇêŸ%Ŭg”ÆÂüˆßY'ºVR, ¨B~ ÐÔAQäϲ¯u£s¢€Ý_˜Œ\@øt-ò©Ÿ’>ö‡Q÷FÉÎUŽ«l$Ô.ËW(¦8*³Ÿ{>B7@ -7쑘ôy™Ù7º!„³¶ QèÌL}*Ÿ$‚WVÉÉ®š±Èñ×´//2ZA$¼§¥ªb;>~T6EÕ<Õ¿¿Vj3ps[‡Ú[ë #.JìñåY¯ª0ûì©'™„±ŸµQÖ8}Q¥ÞÒš½.HÒý¤ñ‘õ$=¨â¯oñöaZ]‹#6ž/¿¦Ðô¹e¸ÞZ‹ÇM{ªh= Hp¿œ¦-Õôš£åežÂúz‚€ÛÆ«ì(Onû÷söQY²æ‰Ï&¡I(Ja]U›-fø´Û[ˆÿÞóݦ6vº%š.[Íá§KpyJÖˆàêh2nösjJ,©VŽ&EͯU¨•x9øW+0éOžÜX‰3„\
+‚¾¡ÉzŒ:s[­+ž:[´‚r 7À«_ó熈ÑFÂ2Õ:¨Ù˜-Aè
+œÆâO­Œ,Eß÷;XM«âU†æüìeçÎ&¾¸cë2“.D£T«h8&Ëe7nV"ÎCøpÁ¨Ö# }&_ot-ç2ÃæXL¦ºŠðï"’‚Áf&ѭ탔w¤éʼŽE9Ãê¶Y|t\dà=_©Ÿiµª¯9ÅÝU5½<}âoCʬe±É·mQJ_”–õx-ºDïä»3¦Ÿëï"‚_
+{8þFÑÇæ–éì é–sEcø ôc/ ¥Xne­£ß Ip’XÌ,X§x©oÞC§C7}yñ8㟑KÓ•F<Ø—¶cÚùc§>É÷"ÊåæÔYxVì#³í³9y«bTjýé‰NÜáù„…ªjŽ\«WÍX!Ì[Ê뺧b'ÞŒÆ)<$1ôÊÚ[,ৠƒ@ŽWÃc3/—°WnY"¬Æ4áé[_Šüå–#xÎöf3I¹[V¦;ñ²è2f’a_ÏãX;q)ö&Öö4FØ…È÷Ÿ
+=X¤9ƒ:Ø•ñÒ
+†*Nñ(ßc“À“
+ÎQÓp/6è~
+ê™ã2ú»‚îY$óµÉ•­ßª2^IÑPYm3ïÜÚ×Juý¼=ÕùÌ~9Äÿ 2©”pmPkDÉ Ç¥)DcX¨Ù콘ûk*+ÇMCÆ{Ù´~­Íµ)²è5¿¯ÅL|yÿ1ª5u‡Êëñ÷Òc9„ÍrU ¶óBDøò3TyÈ嘙 SzH1ß+`Îð¶+§`½°W5Ó㎎²ÁÑÃiÁ™,÷ò}cýö3!§ïÒƒŒ‘Pu aÛ›”Ë tòÍ|T\ÅL,pÈBHðì9çÑô)8H-úäjj*ê=êOŽ
+Œ†<\a/r¼ˆvÈxµfíÉCvP€ÕóuóföÈy§Åm4ÍÛÆajùlW¤JÕ4pñûZ¢Aÿ6Ñ®–B][¢µš×´B©®¦Ö
+åUÔwUMõ»gÕ"&
+C•Á&ûA×"4ÂÌ]iÅ Î|,›ž(mÍ…pêÖ.‰ý³oRŽÕ] ¸kŽ¬¢PÖ¡ZÛZŒŽT2Ê©‚pC¯–dô.Rn®f™7£žØærðk®–-!OõŽž1t¿9~‚ó–‰æ·q¼mxYæó”9gK’}ÃÜÕè×å HéÏAf™\pCÊˬM‚._óBâÚjq À¶]qL÷‡ Âa¯¡n—ˆ›´¢('â¥&Cv­pñf–¿‡OFÙ2ö
+# ð:øF(‰¥YäsäLèÆùxÂJßÓ%ÌgæÂîˆñe:‡¯#0®ÿëÊ»3¯‡óíLM¤\“wŒgßRkHäŽÅ_KØwÓªÂìni–ŠØ± ¨wŠlNþj sßÑ8v<o¸ÞâÖ²ãU8^ë|Wš
+ÆúÁÿ%ž†ëÿ öÿÿsK¨«»³#ÔÕûÿ
+endobj
+874 0 obj <<
+/Type /Font
+/Subtype /Type1
+/Encoding 1915 0 R
+/FirstChar 2
+/LastChar 151
+/Widths 1924 0 R
+/BaseFont /HMLXEY+URWPalladioL-Ital
+/FontDescriptor 872 0 R
+>> endobj
+872 0 obj <<
+/Ascent 722
+/CapHeight 693
+/Descent -261
+/FontName /HMLXEY+URWPalladioL-Ital
+/ItalicAngle -9.5
+/StemV 78
+/XHeight 482
+/FontBBox [-170 -305 1010 941]
+/Flags 4
+/CharSet (/fi/fl/parenleft/parenright/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/emdash)
+/FontFile 873 0 R
+>> endobj
+1924 0 obj
+[528 545 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 333 0 0 250 333 250 296 500 500 500 500 500 500 500 500 500 500 250 0 0 0 0 0 0 722 611 667 778 611 556 722 778 333 0 667 556 944 778 778 611 778 667 556 611 778 722 944 722 667 667 0 0 0 0 0 0 444 463 407 500 389 278 500 500 278 0 444 278 778 556 444 500 463 389 389 333 556 500 722 500 500 444 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1000 ]
+endobj
+857 0 obj <<
/Length1 1612
-/Length2 18545
+/Length2 18467
/Length3 532
-/Length 19457
-/Filter /FlateDecode
->>
-stream
-xÚ¬·c”fÝÒ%š¶Yé'UiVÚ¶m?iÛ¶]i³Ò¶mÛ¨´Ué¼õžÓÝ_sûþéûýØcìkÆŒ˜±ÖØ›œXA™NÐÄÎ(fgëLÇDÏȳ°1rq’µ³•¡Sš¹
-tüWƒ(ÿ™ª¿$ Mìl­=
-ÎÆæ
-âª*B4ÿy§þ+Já¯öÎ*ö‰ýRdíLþ×â !!;w€ÝßHÇüƒÀö7!“Ïÿ!Û¿`˜þk-kèìháÐþ[2#Ó¿
-ÿÏ­tÿFÔÖØÎäŸYQv6´5ù;^ÿËðÛØÅÑñ¯ªÿ:ñ þŸë :è4†[[¶3æ¶LËLw®ÅΞÑîïe±/mP)*ð¯¶ëñK ßå¬0x¯ ¡oœæúlóX:³ÿ8”¢þ=Ú‹eMÑ“
-¼ÊÇ÷!¥ê+@ÝúÞÁNó;A¯1ý\=ÚëzQfB‹Qí÷Þ¤¢’^É;ÁtÇG˜ë?Tþ¤®þdOöH¾Æ?ëã0;QAÐj Ïο'üy¢ê¹…ì;ģɉƒ%çv…@üåïƒÇ¯¥ZáA•Þ„€wÛ~ýI¤Þí¥—GN†Ki#óª`–¿nÛ.óž ™ÞÎÏ“$ë(ÑzX©u3?Å#˜4Í9—ûµáB.ê„ÍÓ„?Ô7kE4“ ]O8üvCÙïîUkSMýÚ‡”»02£ØYZïÖuHÎH7áR‰$ÜjïD"$m|/Ë·K|ZT7âí質9—1ÉÕu¬Íü¦@ÖvŠyÚÄVhØx+20%3Ôt£%7!AZ|®èÑá{åÚG–PîóÄ¥¡ _•öÀÐXªÚÙ"³ ò'y´»¸ ¹Ío)8[”Ì—3 !œ,ž Ëh!k<Lûëlà8Ã}Û-­â4Àó4Ôe‹nv¡èÅ@ý+ŸÌZÐF£hˆ¡ãû¯ûæ??jb¹ÊS‰cjŠÞFÆצ³Âyxã°¢õB;^‘átlYéÇóžHü‡ ­Þ´Ç­^†‘À=‘DÌàbx:3pî=Æcàˆ#£],ˆqGÄ®ækŒ
-ýH£f»Ð–Á™œ†ƒÎ ïŽ Ó“Ú|#9ž$’|SâðWßmMQ$T YÕZQ^‰žPÛLR`ð!Tèþ|Þ„lãlFOª›óS¢gc8FRîÍéS?ß°ÌÔl8DNýÞÉl¶›Çyøúä4Û­²LŒéK ø¢Õê’4|EuœÄï´€Þf
-æ¤ÛÇ ›¯„P¾Úû]%š¬
-Ö“[ÂçÀl/êf BØÄKÜøÉÃñ¶2ôX‹ÃN5zMç|.òÎzÓOOÍÇE‚U4·qÝc³F^´×hiû™ïrÔ7ŸûÞÜiÞÎàì«Jðàq2ô½}6cØdÂ#}!Δîvýl"rz{N¬ ì+hnY‘ÓŠ[{«j¯û£–¸à"öÕÁFX8(ßË»u¬2òæN¯¢8+k#;Ú˜—ŽòøS¼¼MN2›²¤vÊGxoF¯û¿Opâ *> +Â}î‹)X¥á˯½éÀÌÏ)诪¼vQlšg~BY¾”2îO Aʬ1ñ'µ”ýŠÚx ìÊ€#4x×÷ã{%èn\W‡ñ:6¦ž?üòÔQlð`ÙÙNȶº`K ƒ÷:%®je;•áO¢øÎx…Ö7‡µý£¡1ë^Ãcö›ò¬O!aQ¹!ÝB–«W\Äuç
-5ðž»f.1ŒYæ´„Ãá‘"4ÎcŸË,EU¥LrèîÑÇcÕÙéOé²,VRËËŸRÜàÕž\a±ežË`˜4úY)îðw™™“r‘Spfµ8#Û'O#æCw>ñÆí͸ø!«<Mm¢ÐĽ“‰1|¹Þßø Ò\yp‚Éß-ìüT‡Á*pMšp OḊ\ׇ~*äGXû‹!Ø›úU£¿B}‚4%'ÛîŽ?a’‰<ûÍîúû91â³µ\fUà†ë³å`®• M_Q~nÖ- KXã©^ê×Õ8xv¸
-é³òb®_j«#ŒÖâ]3}»âeŠÃIé n¿¿‚îçã5ÇþΣr²îµ°ôà¢V)M÷…t‘#¾!©¾EHi3ôŠ°|6µ`{$áDü‚Í#P—sð¶&9ÂVÁeøÆÆ$zèÅáOD9îò>ßçùÅÏí#æ“n.g|·@úDúðé~[Ò$i>Õs+ã_ƉyÈÑD ŠhÇL +}_'ûM¶G<@Æ84;ϯy­%×"Ÿ•äþx5ãÉyiÜqBìú0‚Dü¸°Tû»VOr…<îƒQg´ÐÚþŠ ïZ?/€Ü ‘Zd›”¾Z ò 4¾˜æíFVAò•¡0\Y‡Ž áµÛµpí¡•:VlgÝîÔ`úuÔ Qa Z­h
-Íqÿͺ›WR:„ºYO
-ˆˆt¦ðZ¡«·äJ}GðGw¨[PW[ñý^×Ç4.I<§`Á´%ù~ÞÂéAH2„)hhä,È˱’-MQ~µou«Âç¨ßn \sÖ‚¥ÅË
-&ap÷‰…I
-ù⬡ãqï~Ì2€ˆ.©à3z'EšØÃv1)Í#ŠË"m#]<èõ[©>H¦¿÷˜_BF:˜À­Ç˜A¦‡ˆƒ <çÀxP;o0دC0Ãáa½sÄÅ#FŽÈžøEk‡Õe(|M—ø·j¡ U™Jë`‚¶[˪81ä NÌ3<UzŒVs«9]¿¸ï›SŦ±N†7ÎÕ•GúCM Ÿ_Í$Nƒ&ÂF…:(¿‹~G¦Pfsˆý ª43 “…míLûò±eÔAºH³ªi„CgMj$ŽËÑ×
-~ëã'‡3ñáF³k«é*È™½"éÿ±2]j©óÌþé7@¢-2~jÙãæ*HLx­–ó`£ŸáWÍ y‰ƒAÌ–OáKžšdˆnëB.ç¶JBDÚ2Àó"v8wFÓ.ÒæÛ®³^,‡¨…s(Eù9­ qîk0
-9S~€ÀoH“U#R©ºz‰®²óîiÂ÷3GœgK_Àžd¨ã,EgV)È¥|ï¾ö
-1¡Ä KƇe˜ø…¥"¦ºÒ·f©J€‹¡L`qجòvüðçìçþ–S­â ƒ³ö|T6‘‰†ˆïÂØnpe…1c1Ä\k¾|oI_¤7t˜V/|åbªeU"óVu<Áƒ¢±“ZQ ´›_;AR±B©µé-;¸àÈw™~` $seã'_™ Üøm>{ò¸E ©X–°Žù¥™^–W`‰/–,0¢%ýkèOšÏ£Â¯&Yñ}¸x+°†–RÊä€}ž§w˜rQ"ˆ•Q h=­m„²û3éÜf çÔ–kç¯À¶ Þ¥™GTÑ'z01$lÙ—ü\¨"j¨ð”ôl··Ð"¨ãy0GñÜÄÀ53h7iô1‡ºz
-‘Ùi{¿‘–YÃéÃ=ìd„Æ ºcpêc£Êôï°óy‡Nã³FÖ]§™RÙw`Itqî©j‘›|0ñ~%ðÆèg2!­Ž:¾~¤;P¶fãÝ*g}èG‡ðî>(´`á+Ñ ñ øøjÂ…©=çV©†À{‹ªßÃɾ,˜ÐPhFò³2Š7‘Ò®7¬Â|ÜK1ÊJ‡Y•å‡J]؈Ÿ½
-bJ¤pòg“îjä"Ó—Fvø)=VÄ=Ÿß£eݶݱéÍIƒÿw[áXNY×òܪygÑvYÏ –?,О³,%{çלPÈ‚bššŽ€è-õÆ+ÔãŠ-ãwÍ,‘[½¾iÒl¯´Ò}‹’þ¢rñáÍÀ÷ô¿ë%B?¾@žØú"ÌŠ¾6 qœIú6áË]—E´"?GgÈ,h®éÙé“À` 8ü΂Ö;o(dF„ùæà…Œô3¨.ôb»êT1þ.C^.ßb¸á׶xÝ>8n;ÃéŒè¥$Éî]/‡h²HåWÀöæªía÷"²Œ“hFu×G<£¢90hˆF±ºæQÒðxeû²,“óšòã¨ñ•;3Œ¹¤ÐrÌDøð\;ÿ¹çRub6DtM™p`?Ò¡ÎŒ¿Æ¡wy+Ê€ÜÛ- o‚P’(^èžDž¶€±^=à[BÜÏ‘Ž(£ßÌ?‰{ÁžL2-*F"âòŠüq GX¡1 P³ì/h^w[ñé"d:IÌ<¢÷–‰£¿¿=N4 Xm€ê#5ÂS«>¨ŸZ†eÃù•0îô-}-çܾ ;‹—="7ûâkê)¢u†L„Ùý‚GTŦˆºä¼O¿ÒcWTå¿©ò¤¡64]ªÕo"m€751Ê-¹"yÃ/ÑŽ¹Á÷c,„šÚZ^Ÿ4â„•<G½–_ïBåµ|‹¬8ž^%~YöBAAž®_°ÕéS`;µïQJYÚ6ÂMZü\ã¥| Á/4vC‚ŠšC›Ô!˜ds¦# _Î#i³×K
-$|Q¾´ó ¸HðC_ÑF­É»Ðn°*§)¾&A¼Ö:œÑGMòùW®žÑÙÖ?ƒ ïw¥“úDëHàp\°*çxÝÎûý!©e]£ôë÷øKœCü,„Ù<âd/Œk… ¶ØÇÃ`Š§Å$6D ¥Bš‘ÔìnË2•n‹ï¯†VxµÕb}†NÛnâï_r#«¾µ:,ˆ\óXø8ÂDV/¶úŒÅ ˆñ†¶¬ô².©„l^OâçäJo:¿ÜÇ\pø·¹ß±>‰§IR"[ }î–çÖ¯¼]ƒiV1WÔ€JzýŸ±–æÈ‹cNy5åEºÝ(Ð|¬çpdÛMÙ+HMa›ƒíi2Œ(e¡‰‹wôïü‚,‹¿†ŸÓÅçÈÏ?nmpR«ØpÎB–\ºù0ÍÍS»–Ôc z_¦%#¾Ä±²äð"b$Ke u·½fð®œà¥‰gtas§HïsMŒö‰ŠÜ˜³ðv—Bv²'9°v0'QJç¡ Z€‹SÆVÆYX¼rJ•Û¼xÑôííI—h£K]ô¿µ´ùws1Ü©P—­pö`©ÑñGk¡í ðÕìmHSÈBPmôŠ÷. ‚nœni׈Ž³ ¨ÅØY^Ô¿´ˆòNW 2D
-­r±Ü™ª}mòW÷Ê™~ Zøv
-·"×`9í¨hM«v1 |"=±n4ý™'¶‘µ1eÒqü"-¢èR™9 ½Ùì.‚Ÿ ›7“5T\2£9Ó’FZ “Ò£3žšÏ Yé!\'¼}­¿mZÎèlF’Ð’¯¬<DÂ%Ï7ó屧Š–¥B…äF…O÷¨ù|?£ü|udgî,B7ˆÇ8êT0æd­iaµpê«ø ÊBðñ/î„âÙv¤½­cGcRaeŽ»ÌqÀÁÐÔ˜˜ù"ü¤øª˜/—E$_ñŽÿïɱüº ;*o¬N'îíg6XP³ÙE1«ÜÃjà„/V®Mxy.S9*!èá™
-?$ÚçÅìÈÈ\5×E›×Ð*z";m>TXõèñ÷Ÿˆ¾Ø&)c¥dƆ
-ûÙ°‰’‡‚ßD¹±…,A9…x|Âco7ÙÒÈ]'v,!cµoôQ¤4ÑeÔ§`³“ÉêéƒBHÊR8s ZªŠX7’›vƒøMªf[ $WÇ#`­Ž‰qÕy]%œ$h„‰whÀrä ¦R»™pvTR«°€ãÚ0e)ãdLpX€‚.Š-ÜykÙPXô.™®ôÅp èÉ*ŒõB?úÒ=·ÿècØ1WŠÚB—÷¹!p ]å’4ï`¶czE®iª€Þ¿lœaD‹7F×Öäf`ŒÝ7DP"‹ò]@™lº¶x# žèKFFÍvc¤L)ÏÀy§V<>^Á­C|½TZ`ø¹ÿæ@ˆf‡ gùO)«
-üþBQ%®v^KLÆbUÎÇœ½ÂÁŽƒ ì¸ÀfŠ³þÝ|u€¬B³g/s_Bp1ƒPúC‘ŪR¡¹Ö»J¹Æ5(Þî¾$ Arüh¯šÎW¦ÓJzÞÍoá¡—–‰¨/ºxÙQ¶º¯'ù\¥cK.×›!æF#ø=¡×*aÔõ]° ðâû>|'3Z‹:óÄZFþºDSºùšÔZIîÓ¦[ÓäÝdU
-?Š¬üX’q–hL¢8ÁßÁ¬X±,=é~¿iƒ¹¥ÑûCœÊþt ßÒ‚ÑÈüPó½Ü•÷^­}D»~óÀòKïÜÞ ¥<§²„*¬R²iè«jt¢ÿ!dâû}ì˜n
-ÿÛ¦øtsgË›
-üÏÌrô7.a¤¢ ~ùšmsäÅ»@,¦'êCã?œT­ñ£'r'©Ô2:ïœØS´ºÙWv9¹S(V“vò¼£O„ûPÏ7¾½ ¥Pžy2ϼ­•Þ¹ù]¦$!*‚òG¾:µ¡=8IÚ{TýþQ9}ëßAKuà%\ÕÁi
-+Ëèäyeê>H5Æ`Ç—ÔjŠÓ&:_â¿3½kÊ¿›2‹µ¿/y¯á<éýÏž ÅóòBæŠIþiAb~ÈH0´ÕEõêjC~åeæKU.ëÆ€ØÔL üôž‰p÷»í2-F­…M°ª":4gHÔ­Ž8¹Χ^vø¹îd%K¨ó©_QK¿a\mß:Eô¿”üÀC¬
-Ž¡~–>–íÀùpñÿ4øÚÍ1âøÌJ®ëOhóBçc ˜L'cÆäÀa§Ìؼ–©Io€¢'v‡ áRÙk ¢€e€‰g/}îOœªôUßdœÌŸ[>Þ$œas³Ø¬¹@ž=Š¼FÙ<¾¨³¬Æu¥?B›ûm¹Ë¹‚]]éãJJÓ.¨7°$Æ Ñ÷Ý’S­v|—¸A ˆ:ùÖM³€bÇÙ]*­‹J†Ñ-èzÕowJVîbqVc¬¤–ñà¶<c$‰)Ž±ÍúõϧAÌߣˤýŒ]êán_´­3©E)~g9YFŸ
-y”¦Œ²(?ŽO,âì N»&9Ä'Ùôô]ø1—”–ÄíúJVßÓê*Õé§Ca$ü²j9èhH ²Á¹•Zð×K®Cùïyù5 –~"¦hmØÛò·Ú¦Â¥iü–+†ýî‘f^êTL4û ¥®Ó<I^6Bþ^wÕ^AééÍXó
-ûf&§€bªEß:ã£{ºÑÝ
-Ó¹{±hµ%ЈBaÂòZ·&Ƭïm«¦úå]W~íñ®˜3Oqd68Áwm0Ó×\ Öðž‘‘Ì I~|;¡ì•[=’ãécN1"<ÎÚbÿ¨u`B”i^„ç»/ü}ùšt´åù»k³83Óð9™Cw¤7„òcòz™6iöh„véþF™Rµ.ð<ÐuØÈ
-*A£au¥b3î‡æâ¢H?X<@Üs–¢<?Õ Å*ˆ¦.ïí˜ ÝAóû˜¹‰é»NdøtHÓ¼DþpøÝÐlÒz›ð^-éarŸEŤ鱫BÛ¨˜>’:á_È$·©õ©Ú>”L#mõ0îW\Þ^'¬aþcÛøïzaÁ6ЕVjÍ™ñùÐêÅm©‘Pƽ"x
-ÔVŒisß
-±UP3ç²Øu@tbÒ©m÷銶YÈLfFç¼Ä5ó:Cu³J"nÛ|ðaÖì !*ΰ(AîL­(‡Â#[‹áT˜ ³ñψì מ$åGº¶Ý•~X[Ý|»œŒ²ÊD8ã4¦À ´\0p¯RI«gDuŒÒ ­»÷(ý9PtçYž(kŠõŠ0^(
-kf"7íØ„'z£½A̼™
-v q‡<³Èj+ñ_ýÔÏL$?~‘¶§Ë×ö·V¥+À<Ö¯$Éì°õ^õ/€ÕGГõÙÉXZÂõðÏ@°Sr3òûÈes,ð‰L[}lÝܼwÛf£­|½V‚f$•æ›QAf:|çöæ©­”ð”Þ[—uÏas‡¤u¥r©î]•J¥›Í“—¶B‚KÃè0È’Þç;$“r5—=)kÚkd_cÙ=ø)ýÃ#7BÖQ.ظÅl§î”ÞéMd/±Š:»ù‚-*!ï88Ÿ!{WÙ’$TqU£f6Þåi»fé:VkÃX%~Êúîuoèæ gZDY°žRYíóc
-Cõ¬i79Õy@ÜÜÞ.úB Ÿ¿„ŒHË•VR¬¦jªÊ}ÐÂju›Iæ-”m3Èd¯êwõ¢ 0£Ÿ§Ês*ywÚÝOòKëô±.èm‹ðm~”´YÐe¯ äŽ!ShÝ·áJ¶µëš4ü;Ð\'+øCˆ÷Nògc烺æªóe˜ß 0aü#ºa¬_«lV׫ A2•÷ „ :ù¨Ú²ì¦ØšS™&¤¹Ô‰ÛÉCR·OÓhöBiéúÇð_±TõIñšs£ø\ºcr±ô Q¿1ÉîL˜í‹º6ê4eÝ>†lCVeöîè]ª(ƒP3~ôg[ÓΤ3¾2ò9¯µó'o>R 1 x  È‚BK¢Š¢¢¥¢oDh÷AÏ ¡c-«º–bæö¨”—VöŽ²óAZuž e“ìY †‡¢Ö•þBèfL=…w>u¤[!âv Ø<{á 5,ù²‰ÅŠ$ӸʒãA%áìPáÀ# Ö%;£Ån-ÁÂz…@“˜œ!
-h¨ß6üO¨¸
-{OubÏÍzTÖl`#¬l}XµÇ ÄwŒÐ×П:’„[?¬sUTϤvðݶS;ã¢H¾VkÝ»süm¬‘æY¿@D5ÎoðZì¾=°÷¸e³÷|à·8µ©  7OÖ hõ[¸†7‚ÚVrØ?„/Ç,ʧ Y˜‹úfØÇEprã´c2¡)† ™9D 0~ü2m/A¤ k;©oGâ” p¸âlK ó™ ’ÓÒ=%*8|K¾ÈÉóÑèöõð›Àö§@æ†å¸¬Š©‚}bFMu.ZEˆÝÄ¢ÚÙ¢ÝL­Àýb
-ÖÄ«fRÁT„Ýiæsž‡»ä‰â:-`r .—¢CôD½ø2 &BY* Ï%¾«4´Ÿj°{'Û«Sˆ’wsÑ*I
-YHØËÌ¡[x
-t~«ÖZß9ë1“¾Å¬•%ÚsýiPK댑c—æXšE·±R¹[Ñø3 þZ8ð ¿>e1D+v~ÄÖL,è²<‚˜JžoEˆ3F–#{G8F.‰Ÿ]Ct)À¼0fÄ×ì+ü;hΨçjë3Ò—æ þÂH‰Pð‹Ú)=!êD8€×Á=-…áL[ÆÕ. ‚èbŽ |,Wî¸Ic( ñJ&—ñ~°êpšQÉa- éß Jvn ºØ¥b›R»iO –¸sçä!˜8‡Ã½&—Þ;ùlíÄtOž§z
-zÞªgX-*ÍÞ§=ªïOèæ„)Ì´Mí&
-ó¦ e£÷¼_½ì¯Þ'«ë‰¦ªÚ®À‘ÐMæL/ÁspÞ·ýƒ°¼ltª¶æDÛ1³E@hÆ=œ¼‹âa’“‡É‚j›ÂEtbrBwÛÁÓKÌÝg¼¬ož&‘¼2]7±Ý㎳l¨iHTÕ$’ÇaúÉKŽÝÏ‘è’ÄÏ•á%%Dû¥yƒù
-Àxc늈'z¬¬ÊÝõ:“ìèÙ×L_î%ʲfÌb®Déò~ûºœ•¹{¼'ço;Šûx¡ø, n‹2–¾k˜\ø:"ËßMÑúsË ºü˜4ÙqSæ½MŽT Cs¹´.çºY'wímÁ`§„e{lÖ°–GÚjQ;¢ª'r×3f8K_"ÈÛ.×ÇçåÚ–Ýòä‰\×z[µê뽊½«%6Ê$ü‡ÝA”Pî©âL¸X#¿Ù5[º_ýOêÎZpJëyq DÅëK¸A8»!Üü/!zd©OÏôåá°5³ÖxkRöÞjQ\xun(5rӻˮ
-'ÿmƒ4¦Õc¹R¬_}õ“Ù&ÒNÁÙÝxüÓ¢g]DÄ_S¸bèþûW3}l(iIÙn¤ö aT $&êó£ˆT'ÊÎ*Ýñ‡B“ÆS³;tŽ•HñŒ'KÇÚ<äKœ“Î š’ÕÒ} Ä= õm’ÑÃÂËÂìU/¹õ¹Od5j9´1$êÏJa©MûH¡M|°;ƘìŠñ
- ÅpB @ómkÇDœFÔ5FS{÷ÑJaÔØG¿Aø
-¨èdc dˆäá8b”Ê%xüQÌ8K¤N>"ã-ø/¢xÍûÇú’\ÌŽG\–Þ!
-¹óŠÚÙ‰/‹mŽõšl(£!¹ÚåNžJ¦÷­IG®Ä¡Õ’á9ªÀC¤gœÛD+3‚ ââû^m#wN]ŠÂþ´ÆF£´¡”Cûu¦‰3®˜¢ô¼v¾
-»VËñEpÕô&£÷Ö{áo®ÎéèƒÀ¿ŸFýžM©&'jªÙIne%ª1œ5-«ƒêlÐÃÛ–‘9ù%Ôpv±H*•¡1¬{ž›V¢°Ê­Ó†U¹…f»šY‹ô#TRÈ(¿BKŸÆlݧßdÌøKÀ%ÓÚHG»P%£‰ F…ü-‘ÙÙ=µmÓ>&îðcQQû(\›ü{¸S]¬® Gà/¾!Ôdå!Á¥žgý>×ePka¹ødí»®u3žYDÅy©Ìàé'E=rbM`/-ó7*¿Å"(ýƒÑ¨ iÀ)‹}úÖ/Äo³4ÀÞD–-Pˆµ$‰/O#]¹ßh*³7ã\Š=ÜÿD÷¬ŸþcÓ^ÉYK4æXªL —‡ƒfô…BÛ÷)H–—ñ-잯<V£iÌ]*w°5 ¬]ÿL=~Óˆ¯ËÄlH=ØkŠzϼÂ麳„‚’°÷¡‚ìøÄyb6WÿÒ¢¦ÇG0¦|.ø“µ‘†+œžžïŠ%\_„t7’)OñôYÚ›ÄLݺ»Àþö¦¨ÖÂï²{·ÕU[F»qÊ[q‡)oÙù¾‚ÁY6ErÐáko{ƒ·³3`Ä“(›²7v¬üK“€X÷½Jæ›Hÿ<ýO ÇÂî¥$L° 6%çÚfì"Ìš’¬ÏSÐ×±•—§$iÞØ"«o­œ ¹5{]hZ;ñ.­\7aŠBøq=¸^kJŠ‚ΙÐVTE7,gˆ7dW¼ÝÊ,~«àé•ïõ„ô§B$w§€àš“3 ñ+0”Û ØÁhJϤz„é!û u›"(Š÷#·J:h†I·P)ÄÝÒ‰»wÊþˆ
-©Z·Ú3ÛvKДÒ(ó°gc{W’¢?ïÈHÏvøYÙžh ðó¶R±š/²ÙmÃ%%Ú½>EØZ—ZQÂ$o¯¬û÷–ZG9ÁܺªlÆb<qR†²¸¨t_*¶ºZ ±¯½D¸ô¤€Ë­”·JešˆöÛö}]‘ ÉþXÛ@>$ëyV\ÑËüOûØÓCËYŠE;§³°jàü¨ ×üzHøØä/vOn%Sú] q#ëйêO7Å' Âm¦hh8j•)~9äOôæù!q,;¡íåL9®Ù”Þ{ ~«ß`̦Z*Ç<Ò{éaÚÍŠ¹qf£Ø}P\Ôtq"¼øˆ±¬´µ…™;ÔÉmv<–®kàଧ«j’Ò±w$£–#Á³M¬\ õ`Ú¼sUßšç\”+zs¬¦Üô˜±D–m6¾9¨C }äD‘îŽð‚Û‡ò"ý@lÆtnZJ¯“.‘x¬
-"ƒÒdjGFpŽ@ì
-úv®\mÌúìºò¨Öw’ ý¾ÙÊvX%Œ3uE4/
-BæéU§Xû'íl4^lÄù~ç¶#+p±<
-郙^Y)§ÐûA&¯l˺„è,$.ó¡ú[7ñ*“FÙC† ‚ç!;e£0 Û Œ¥ŽAÉ¿?Êi èP$…m¡ß_W X_ý’æ7Äd1‹ Û~ô¸ýtQ^Ï­Zýà~¹_ªœ±ÏwøP+–ÒV&!EúµRÐDL:åB°HÊ>uç—4yÓš¡×ý÷#Ñk6/Ï3o½±ØÏÇæ!½Ù5D'DÌŸÄcÛŽ{î
-Ï5ØRo™ Þõe·-ËÉy}´§FªwžSÒ=Å|FUÄRˆZ® 2š HÚð¿Ú¥¶®›a©UæÑ(|ƒe‡-äg.–”ráîAEˆ²¯ëšîÅëÝ,›êÐmÑ_#’"HZSÛ]€¬ã >Gæ´’{íabI©¬4¦7?AùœK£Í®ê ¿ß¬ëO¬r ©õ=¨^ *z«d,
-䛣1ש°Ð¨ïpÒ`°uÖ7D¾jؾÛnÕA.J>àhp´Ç'©|öŠWwѳ½uððëÒ0j8/V™AøSAøŒ¹1Œ{ µöï–žpÚ߇¿>8àOÖEKõ+FT
-pÉQFÂ^7`wîö˜`Æ“Ïbun²+M ~®-è7:ªÒtqBvÿî^åõàVÉšåš
-ÉBäL!ëlcCŸ*ÀáéEn‘Tw¯q–ÜâšùÒŸ¬ß°1°M†Y³’›šï™
-Â_žÔ8 Y¤8ÐD/ ZƒL–WîT¾¤ÍŸdÙ‡ÌßÔ 7Dˆ1õ“­$ï$àˆ^âëHõû†è!jJ³ÁöùµèÇëý;
-3àկǸâ{<ˆ¿ü–—7úë˜ãæŒÚ†Çf¾GÖ3wúRýêg¬áàW8² [åŽUP ‰’*3ŽÞ'V,é·Æo¿J
-¥P‰7'໺ÜÆú3×ìkË•6bÜíx~Ö6äV¬O²yž¶ïØá¤L+XØ,³T#ØÑØÃ<¹qÝ%oÊÈÜ5X
-ɳaÒÓ~`Fs:—Ïl•*šÄ‹§SÌYµt3âØvàÞ\;(¿‚—`xÆ¿À»G»¦†ü!Sê1ïì°côÜ¥zVõE¤‚7_ÕW½ÿQÜœÿª'÷üèÄ‘6nès}áì©pƒÞJqy•ïTí·”FÛOÙšÑ.’Ë OSòÊ›¥OcŠ Ø š¯wRI:!g=õ‡›íd”hˆª¥]C&m@Þge¹¼bó 9Kñw-À”
-U4"´Æúaæµì§ÿHý؇ƒ—£g$ø·8f£,a¬$O›Ä}ß1ôwí_TÚiƒ£é\HÔºn´ К׮>ÕÀ>O Ðá³Áô"ŸŸ7è•P~èÌ»Çà–.Ãj¨Â”Ý|±›$D(óԇ­®Â%b3¨$.µøÁدŒÚ.Ý@ò®z†¹œ RMli—²žO#QwEƺäê˜åŠ(íEÿ?ìEão^Ñ•îm³ãÒš”µïY!:m\.µÝ‘þÌŸàAˆ*] sÍõé¢bø1 mÔˆ©qp¡\ÈøiQäèË‹J GקÉ]…ÚáDòuË ƒb(M±êÚ–ÅçŒW¸h’¥nÆ!_K¡%(y
-€
-Ýà™cSœNyÏÜçïÒa2•v£<#Ç Âu€i⌺ðCÿ¶Vó¼Ò E}bëWcçúíló|Á¦ÌêÉÅZÛ\ÿ*h´ËJrBÐì¹òÞ+0)˜J„?˜¿Òê°äÒaöq_m2ÉŠk)°—hîÓdͼR)'":,U¥¨Ä¸£•çÖ¢«^
-ÏxÓã sâQÐe -¸“¤¼Ð¦¯ÿ¨I—y†rñ âåýÐkõ‡ Ùˆ§.\ü‘v•#i2Ýé”$§&›BS‡Õöб‡$­Y¢´dÃ
-d‘\ÝxyÛ>™éþ
-è8º—Ó¶í ˆ|óž òòV­ôd"Q<<Ý+gÿRÌÉRˆó‹ó¢®Ëƒm2Ûš·;$~PsFzííy1v½‹·"ð†TÔÂò~꥕üÓó„lc^žÑèCÊônÊpÝ´|ˆªìRÅ¢ó2
-€Mòb¾¨¢¡Ò@oæ1–%Hy.¢yœ?.µÜrn’¦ýTþËp¨Z[Ñù4£ùÉøHáy#I‹H³Ñìµgƒ1ÜrwõeB„?–ɾjŒ¨o­[½Vµ«”3PTcÈ=,r“?s0•Š)¡:Kô+®b¬Jå'(g³c?8Ⱦ<χôÇųÜÌÑæ°…SvU'µN—œô­ÜÛmiG˜DÇîÅQ’  øV|Q´iåÈ-(ýP¬1W”¸s+âAÎrlÜxHÔ†Dû# ù®„ZÁ· åVÆ çâ .uþ&̺©Eµ V­Ø|„èèKo¼¸N69]ô?%µð¬§Ðå:ˆGI ÿöm‚‡i”yÖYú^\ðÅå㿾²Þ«Ù`QÀ|§ªiÏð<{ºDsäÔÓÑ©¾6è&`£ØWJÜ“ á+¼W|S#3L¦+uÛ­é`D²ûdh·¢Vd‹Á+Ð{³"oËÿ ¦xôÿâ$þŒì”ÕîÜ\D`ˆ}‡Ècƒ‰Í†\¨Z.©[Û†î©]DåD1Á˜DSM ¬·¾Cå:-¾éÙ¦£™hj9
-[èJˆG)õÈDâU˜¯QG^D:óçä!5çÞ«Ç
-eæ'ì7ªdícîèhÌ0ØÝ”}tw¾Ö²ÿü—6qj%¬y?xš`*OôzŒ–•‚mDÓàìÜg¥¹ª|[w¢ÃP0 ¹æý3ij ¾naTû‹¨rļžË[àDù· ‹Ž¿Ã
-bi}j2ùs Ðÿýo»”¿Haâ)yòcþHóÖiš¥6aÚ1Ÿ‘œ°Rm8 ß8§%óùäN ¯Â øÿà"@û¸9c‚ü}1ÞÀÿ
-endobj
-624 0 obj <<
+/Length 19384
+/Filter /FlateDecode
+>>
+stream
+xÚ¬´cx¦ÝÖ%Û¬ø +¶mÛöÛFŶTl;Û¶UÛÉ©wïîþúڧϟ>ßûºî51æ˜s̵ȉUè„Líâöv.tLôŒÜ
+Î#óãJB'‹'EÂ2^ÈÓùú3p’é±m‡–^ù;Ðëw¨ë  ÜìB0à’»¢€ÌFÈVóçC'EÅ]Ë“&Km,wy*qLm±ãÛÈøÒtv8o _V´~hç+2œn£Ýáxþó‰¿Ó¤õ›Î¸õË0¸’¨9\ oW&ÎçxL#¼#‘Rd´«%1î‚øå|­q‘?iÔl7Ú28ó±óðIpãYÑí aFR»_$ç³¢d’_Jþ껊¤ª›zÊ+Ñ#j»i
+ >„*ÝÓçuÈö0Îftð¤†1%z†SdÑwÒ½9êçkV’™Ú ÇÈ)¢£Ý™¬‡¸yœû¯O.óÝj«Ä˜¾”À/Zín)£1T§Iü.Kx‘mŒÐÕÔå^ Í©L$xÜ…æ¬++túÍX†Ô339L(æ¢ñ*hZWâÈÁ·T+~›_æQŸãt©WtôÚ¶Çѵ< Ñ »fùÜd!Ä[ÉW™¹m0ìÊz}̰ʥ᫽ªÑdÕ°–˜<’¶8æ{ñP×"¦Þ&žNOØ*Ðc­Ž;54µ]óyÈ;ëÍi^Z‹ž+jhî z'æM|h¯Ñ23òÔןû><é>.à«Êðàq²ô½}•¶McœØd"#’}!.”öýì?Dåõ÷œÙ9VÐܳ#§•¶ö>VÕ_÷G­pÁEj‚±pP(Ê{t­3óç~_FqUÕEv¶3/ç ¤xû˜žf5gKï ”ð]Ü+]õSLð â )ý¸GV‚ûÜW´NÇ—%_{Ó…™ž}§¿¬öÞE±m™Iƒ²z)eÜŸ@‚”]cHj-«ˆÚxýÑ GhønàÏÿJÐÓ´®ã}bB=<ÿPᥫÔèÉñ²²c}Ξ@ïý›¸ºyì·¬@Òw
+ÆK´¾9¬m–Ʀì;MÏÙoÎȳ†¼E„DåFt ÙnÞqW]+ÔÀ;žÚ¹Ä0fÙWÐ"NLJï¡qžÃøÜæ)jªeRC·¾ž«{ÌÎO?I—å°’Z_žBHqƒW剈çz.ó^äÓÏJó„¿ËnÌü24-çý άgìyÓèìeÌ|èÁ/ñ‹q{³.~È:_K‡(4qïtb _¾÷D†;ßN(™ÂÒÞ_•p¬×´úTÔbÈm}(M¤ Â&@ÁÁÌ¿ýê¤99Ùnwü“LôyØv7Àß™Ÿ½õ"»7\œ= p¥ldöŠ’v@¸Y¿€.iŒ§vaP_ëèÕYè&lÀ^Ä_„¹~¡£0Z‡wÅôí’)'¥“ºã
+üºŸŸÏ›‚Wõ<d=àraéÞU½J†î é<W*|CJc‹ÒvèaùÏԂݱ¤3ñ 6¯`}îÁÛJ˜Ôü9{%·Ño“Ø¡7g
+•:D?IéðBÉì/$/hm5…ÜëüŸßÁÞ¿,‹{¡Àˆ’
+
+Íõø;›WV>{€º^O
+ œ ɲ+ÕÚåÏY÷V¿*r†úíÆÐ-w-XF¢¬p&wŸX„
+_Ó#>R+r¥*³DilDÐqo]• †œÁ‰y¦S ÊˆÑni³ ë—ð{s®Ü4ÑÍôÁ¹¼ôLG¿¯á÷¯ÄiÔBبÔ
+ò¡krNÚ
+åa‹êÛÉýÓŸ´ý-ç_vJ/ .:óQ9D¦š¢~ cܸÁU•&ŒÅsm
+½%}‘>@:ÐaZýði”ó¨ÖUɬµñ ŠæRLje¡ònAÝhI ÆB
+¥ö¦Üà‚ÿEÆ ÌQŒU\€|e‚roàÈböôa‹@J©$,aóK+£,¿Ð
+_<YpD[¦bè)Ý÷A±¢YNb.Þ¬±µ”29pŸ·Ñù0¦œUŒbeA Ú@k¡âÈñL:·YÂ5µåÖUñ£=ER÷”oiæUìÚ“Æ™ÌU [î¥ ê'5TxJFŽû[èO¨“CWU0'‰¼Äk8æÐî2ècŽõ ¦ž2}¨q*Ôc.pÊϾ7Št S~Mac^í¿ èeéJá?v ]›±wtY`~õ¦„ˆr, ¨<P«¬ ¶ò.Xaœç`Ž#X毠ÆlPWMcÎEÈr6p,¨ ³“gg µl‚N0êT8ï–{Ëô˜ÍmwÆ‚ÜòbɇF%¿»mÝ.n.Óg+O£Þ‡º¹¥võ½^K¶Á§ñþj1-–±óMJ‚³¯yd¢Jƒ÷ÝÈ8¨Õ Éw#¬ï`w%º¤ \©ïÆŽ8?y܃¤Ÿ'TìE¶g6»-QƒÚ7@yŸpc¨¶@ÏÙáÊ'ò°™Ô» :iWýÞô^^©ÌP:Ùʉ4GÂCe*Z£:?ß*íÑŠS,`ï¹&~=QáAn£¾l3`0]‘iþ9ö[ÿD&¹R–ˆ%êa9G m€¡ÆcÅdr¾ô*𑘮Ċ[ℳ“ra±
+ð?% ÷’BÏÛ›­Ù‡¦_¡,Ðqv]Y4Ôýay½’¬”¸=ŠÖM’œïa¬ZÇb~ÆA¬/$OXݯ€°I,Ø!kÀ~Y2Ó &!sÐö~#5*³3€»ßÉ AôÀà2ÀF•íß-2äà÷Æg‹¬¿J7£rèÄ’ìæÚSÓ& 6ý`âûJà‹1ÈbBZu2zýÈp¤ì8ÌÁ ºQ1Éþ0ˆáÛ½WlÄþ‰¯L7Ä‹âOT触ôœW­ï#¦q 'oô²`Jó]+R€Q¢ ˆ|t“¼fáçYŠQQ>Ì®*?ìRîÆ~"~öaÚè¥óÆ”HãÌ&ÝÖÊGºd,ìPz®Hx=»¼G9ɹo{`Ó[?‰ôXãZMÙÔñÞ¨ûdÓvÛÌ •ß/О±.%ûäמ~—Å43Ñ_êWhÄ[)Å/îš[!·yÓ¢Ù^i£û%óEåêË—‰ïpÛK„þ~rŽ<3°õE˜}eâ4“ôm§>›hEaŽÎˆYÈBË'²Ë7;ÐpHÁŠÖ;o$lN„ùæ茔–Ô~
+Æ㜾µ¯õŒÇdgñâ— èõ¾ÄšFŠ¡X½aN¿Ð1•f`q¡¢9ßcEF슚Â7õ¼é¨Í€j†C“›ƒH» ãÄumŒJkÞƒhþðK´Se^ðÝ+¡–Ž¶÷'aïqog&„ÕÄ»pyÿ"Ž—w‰¶ƒpP—ÛlMÆØNÝû÷(ål[‘fmîñR~àû®!!%­¡ÂMêL²9³Ð/—‘ôÙ«%
+m¢üß«†™¢EÖM@ùXž,µ¾v…Ë;•,ÿFm|ûÅÑ+°ÜT´æUû~Ñ_±îç4ýY§v‘u1e2q¢­bè•ÒY¹ç ½9®OÁ‹„-›Éšª®YÑ\éI#mFIÑ™-gE¬‡ôn>~6ß6­ft7#IhÉWVî#á’ç[øó9RÅÊR¡Bò¢Â§©ûRü¡ü|uâ`îú‰nqÜ¥hÂÅ
+[#ÚÊféÜÿVùA•àPÜÅ»íD{SÏƤÊÆw‘눃¡¥91óEøI=ðU9_.‡H¿,êÿ!ñ+×êëB,츼©^$ƒ¸´ŸqØB$pAIÜvżj«‘ç|©ˆJ]ÂËs™êáP Á/Þ P?}¶'uhW¡k1šKU÷€ºyIeÃ׸,gÖ“ü ¶Ÿ¢ Ö”B¨SˆgŦß*öuÑïwTõw)•Ì_‚úªÓÔÉ3øè•0PY^·»ô’²ÒŸ€Ôsù1ï/ó²=]ßëÀOá‡DûÁ⼑[¨åáºêÐãYGOä¤Ï‡Š¨?=EôÅ6K›('36V:̆M”ܲ|%äÁ¶åæõ ½ÙtaÏ$w›Ø±‚ŒÕ¹Ö?tB‘ÖB—Õ˜‚ÍI&«O¤
+!)KáÊ…j­þɶ‘ܸ$`Z=ÛV(µ:k}BŒ ¬Éßè.ùÎE‚F˜x›éˆ,7JÚ`*µß¹–Ýçðd¡’^…œtÒ†©H›$c‚ÃõPìàÎÚʆ¢wÉÔqe·؃ž®ÂØ,ô£/ÝñŒ>p§¨o!tûœ’Ñ…P.Ióf;§W䛧
+éÊÆF@´ùbôìL¯Æ8üB„$³)ßUȦëŠ×1ÒቹeeÕí6FÊ”#ñ ]vê$âãÝ;%ÖKu¡‡Ÿû?`„ivÈp–ŸJÙTá‡ð~Váêä·Æd.Vç~Ì9(ì8
+ÁÎ n¦¸øãßÎ×Ê)¶xõ2÷%3gÜÿ´\U.²Ð^xWG)×¼ÅÛÝ—b%HŽíU×ýÊr^ÉÈ¿>ziˆú¢‹'e¯ÿzTÈS>±âv»¾fn2†ß~­A]ß
+/¾ëÃw6¥%±ì¤³H¬c¨O4# ›Ïõ¬ÝA­“ÂáùÝ|c–¼›¬öÝÿ{ö~,É8k4&QœÐQ0V,ë¯ ÿ#Ú`nDôþ粧ÎáZ0Yu¿»Á]ŸÕº´«7OLaÿŒ®í½PÊ3*+¨¢ÁjeÛƾê&gzaS?Š±ºàVm”äšÔîc¦Wk­­ÜÀÍÀŠ(ÈÙŽ»È^ÉyCi‡Å]²D*t<‹'6MñïÍu,*ð§™åèoÜžÃH?,j·-o`1=R¿ àˆ š<qQu¶ÅžÊŸ¦RËè¾saOÑêåœ_ÚçæM¢XOÚ+ðAŽ>îC=_ûõ& ”ByÝçË><óµUùät›‘„¨)ûéÖ…þÂIÒ٣ꈒÌí[§
+®,£“ç—iø"Õš€xv^P«+M›ê~IeùÔ–S˜1‹w¼/ù¬á<é?ç̃âyû! Å¥žZ‘8žï3ŒìôP½»Û‘†ßĸA™ùSUÊz0 6µR
+#¡ÂF¸õ ³1=ÈJçfTnh!@?¹å#ü×KÅ4XÆ©˜’%`o+Àz›
+—¦é[ž8ö»gºE©s1Ѽ îC ´†nË$yCØy¼Þª¼¢ò㛉ÖröWmØ©wÑ”œLm ¯'¸ß4Èìjø¤œŽ©~íìDã,Q›’Îci=ø³"£lÙÛ'˸9Êê
+Çf¡— Rªeß:ãƒG†ñí
+=0‡Ç/ÿŒ‘´‘ùµÕn´?ye8`kõõm‹4Q í¹ÖièÜ&ZèjÖ–
+•äJBžO+ÚƒÄòÎ"«g®ÄõS?39’°Tvd(Ôõ·Ug(ÂÜ5¬$Éî°÷^ö/€Õ™DГüì³—µ²‚1î˜à äa.ð•Ïá\à?˜¶þغ¾~ î±ËA[ù{­ÍL*-0§‚(Êr¤àñá­­’ô’Ù[—óÈe÷€¤u£r­é]•N¥›ÍW±F‚KÇè4Ì–Ùç?$“v³;-kÞkâXcÙ=H“añÌ‹†s’6i5ß©ÿM ïü&º—X
+ES…|Ε\À³«0Iª´ªY;o‡ò¸]»t«½a¢?esûºŠ7týgZTE¨REýóc
+CíOónrªË€„…ƒ}ô¹6¾@ ??‘¶­”xMõTµÇþ ¥õê6“$Ì[(ûfé^õQÍ¢£¿—ês­yOúmù…MÆX7ô¶eø½Ž
+aƒâOӘܡïÐPG¶¨¸Š{õâÏ-ú÷T6ì`#lì}X…šu'Ä·]ŒÐWПºR„[,6yªj¤wð„Ü·S»â¢H¾Vë<zrìmæÙ¾@Ä4Îœ®ñ[í¿=±÷xärö|á·¸t¨ !7O× i Z¹‡7‚ÚWr9>D.Æ,˧‹X™öÍpŒ‹âäýˆÓ‰É‚þ>LÈÌ)v…ÁÂ2dÖQ‚6ø®ý´¡‰K>Ðñ’«=5Ìw‚H^[ô7Qáá[ò-@^ŸF°/¤ß ¶?27,Ïm]L5ì3j¦{Þ&Jì.ÕÁínfÓîS¸&Q=“
+¦*âA3Ÿû<Ü­@Ðe “Gp±¢/æÍŸ
+?§‡èBya̘¿ÅOä(h.`è×åÖg¤Íü¹¡°‚Ú9#!ê
+D$ÏÑ#=…Ꭼ›}Qb'Ž5 |,wÞ¸iS( ñR&ñn°úpšQÙq-ШFvf(¶Ø­j—R·é@ –¸sëì)”8‡Ã³&ŸÑ;ù¶vŽb¶'Ï[3=oýkX=*ÍÁ·#ªï)ts fÚ¶n“N•ySȪI—gÞ¿A®¢÷Âúj¢¹:„¶ûÇHè&s–·Ð8ßÛþAX~:U{K¢Ý˜ù½ 4óNÁUé0ÉÙÓtA-‰]ñ<:19¡§ýàñ¥æö3^Ö/_‹HA…®‡ØþaÇŸÙ6Ôš4$ªzÉó0ãô%×þž÷XlI2mex‰SÑaiÞp>ªxmkí–àvÖ”Õð<…bLï NÕ
+Ã:nBXMëž?Q­QÌàóGën 1Võp¾*Ë»sÉè¶qÏpeÎÃH_¿yu8\ä.~ƒ2ÁÉÛã#áæOå Ïoß¼·ÓnJ‚ít ”ƒát–%ô}H:S¼ÙÀ?£U:¼î˜+qÛyÀ5ͼ·h!vm RáKŸò2Þo ÈïqÙÁ‡Ápe-ÄUÂõÜ<œ)J^T¹lŒi…xöpéù…(V"7
+I+RPÞµ1pï’›jÕZdw|^z Ïi)—›Õ‘Á…§t—Ë:RÖñ{w}HÙòп
+Œ´OÑ!Àq´ïѼ²‘j JпAAºçôgÃìd‰Æ0è^J#¸©÷YAª×°îTó¢ˆ +Ý Í̶EÕK]K#ûEÅu¦‰CB4Ž?žb
+i"9u2’V"múN‰aõCr*\O…¼€Ÿc B&ïEö°}Ê¢4]û$“Íœ¬ìùë$&/é’¹¯Ô 2ؤœ„Ñ»ÿcQ÷s'õƒÞÀ;dwܳíØ0“9Ól°/›ìÞ‚’ñ‘eë#ÙÊ⬼þ œLÁ*ºµ}|ƒ¯]wDq5UJNÑP§ËŸÖgˆÜõTx¿&ÓákAc­FκD§õ삃G ŠxrnºWM‘üè€(Cù^Q]a{IPžËA‰>ÒNöÏç$á¢]uÅ@ï0ï;Oÿ U-m
+OÁª>+7JN,¶³-¼1ÃݘÅâ׋qrÃ2Ñ7…ÓïXòaa ×ÃB·>ã\wC‰eÇóNw;™¤×d H[Sy2N³‚vßzÙ7ë“Ý%\›;[ÕM>ѦâÎßÍá¡c'…,jx³Šõž|¯ J,š˜~œtç¿Úá:ƒ“;0çÃ¥ìŠ+;O@— íZ€]ÝÇYQÏ šCúw —´ÍMñ2
+!èDU]IN‰ž<ÚhDž˜t‡±‰h¢
+â ¾ùÿIý½ª¼v.aÌ7@Ýñë[$¾™Häž"p—Å…RÂv`­Êc§­Û`¦¾lITöcíûËn0[ÌJõôž†½;øKâÆýîMëcö~ˆþKü§;m£ÏÕÊ–Wb1¯—NxÚ«îtzc±-ŸyN7k©uQœ±Ó&†ëMÍ"ãEu±Ûù¨ÂpÛQÁJ’õ‹_ãµj&ô%A† RhƱ?ò)û#9ZžõÝ‹®Áµ‹mb¨hº=¯´<ZpŽÝGÒ[?ž"ëò‚er‰as¦)Õ0w´w»WÖ.EÄJÊ9Š#6 ­°9üxÁ¡‚  ó<B-AIuÍê¦uʮхçŠØ™zvtJkÉÑÓîãDQøúçnéêÜ|²Øü’ÂK X× Ö°žPvžŽaªu`ÅÔtpñ7œÄàeKJ×¹ýöqŒ¬g #lÎO…ß-–VÀ½î§Œ\ƒ¤»$^©}–!¾'5–Þ4$K¹Ãû.Êq¸E ã`Ô
+q2=¨YÓ$£2
+¨¿)Þ-ò×8ú¾ÂZ0yëýš3óBÉzó‡zèíТìkÌldµµxi1bIDÔƒ VþŒ7CŒ?LÎkp‰ÃãS¾NŒ0Ì´fiäz³ÄäJ‹—ƒ×ƒø¨m Û¾°^Òë7Ô!¡% Dºâs“k2F$
+tAؤÆ1Í«åY`Êö¡9Q¶$çÐŒ%@ùÿÐ>”Nê’àl
+1¡»¦Ç%®÷Þu–T{’zð…D#8®9Ç£Ú¿vR"éº<•|îlƒ¤MÉwV`Gªªõ[‰v½I’¯l
+I5Ø‘ý¾s]#¦¹ e¡¸ßÐNtÖ02àvÍîPá÷—¤û@°÷¨qn]”ê·_úÝôéœ_J`rŠµï0§›Š²áÃkBÌh V|·ÐexRiÆ4­ñ®Ò»ûiAdÿ-¦ž”Ë®'ÀEñ¾Ì'í%8l
+ªå´$ ´¥ØSê¾:Ž ™ âí"óY’xñ!#º°¨!7OyØ2ù@"iPEP,ÃJèéªòÅÎW•¹‹Û—ظ­x±©È˜ÄsUÇU¨œ´Bω¬â¦H🔙 †SÕ‡·<”]ÅX~‚ ”/Ãiõ¶¦‰RÖçéßÒ!®E.ä/dï;K¶‹ÃR¬
+J¨–/–]&áÄdã-˜]µµü ìªò¬_A®Bùyæ¹ÞÛ#sÊɤ”CÑzHóý˜Ÿ*¤KBMØ4Rî èáç s
+Õ-ÃMÅ[!‹°cr7 ŠsÑoU­¸ù¦òíóâíý¦V|ªâzË‚ ‰úzÓs Ogy¤V)
+A†Ê™ÏvVgå7Y”Ž $¨×Ý\t+o.G^_Ëçï©hÔµ°ÇŒÅ¼Ó/°’³ÔjüÇl6Œxƒ’9Æ<Œ^F8uΆ×?†xu$FôÐ3¥‚ö7`Ì‚÷tèz¿Ò¼!*7zç@àzsùPW`"½¹æ"Q» ´œNtXêAý,ï}NÐ|^“«Û³‚x5‹ôM“TyâqBj{{ÃÝBO2)Q#ÏŸÏí¥–¡gÛÕŒo‘ Ìž6“µ–œs@D'h]¿Ó¼±.Jkë,G3ÖÄ憙*XîRáHÚ»Øì|Ó™©¥ÉÏ茇èXGÐ*„æ
+÷D¼§~‡¹(‘ŽctD›?Æ´"ß$r˜Þ[ñÈšûų5ÉýûÁ/Ôžb»as."Ñ>Aé´X~4`Z[B|¤{eô-|óéòþã.bP…›5½áê >nŠ‘œÉ§â† ¢­™21‘*S½¶¬'.:F‚Æ2ïôk>®u‹"4cÁYû¤cnT¥4þÑ°Ô=﹌€ºÉ ÓípòÁ,ÉãÖ:ƒ/¿þ‚[ ©Àßr‡âg/¡óÁLC9í}ú®¼­žÿ¯9¹dHú¼:ÍFÜüÝf…-Ù[ýRû_oÝÕ ÎMŠ­"RƃHí!Ý^`|£} þP;¼š&þt1c,oäÑâj>—÷·{_56Éï.CœÝ¸ôÉ«yIœŠØÓðö™;¯$Ù¬1øGh÷¿ß
+ ¥æ†×²?¡*!%`†¾sÝ+h>Á»Â;Ü·˜yl.¼j4ä*²”cQÃët‘>üàë°CÕ,jȻХ²ù1Î\¿³àh À¦OA·âè6!în#{T´¹Úûç‚àêáA~c{9Û3­Cdœƒ ñ-£VM¹šÀc#t:ŽîÀü›Ó•_˜çod¬ÁØ/OÉõmJ>á–ÐÏ­‘狧$Y¾¤†0èD„ þI Õ{c‰öò˜À¸‹ïV&2}‰*T1À‚G!$¤ª’Þ5%Ø+<É ÞÁ~1°•Ój8ž¬‚UK£{¦»ØÅNd-5½=r¢W$ANp…$5i™ºgöàŒûi¿PÁZA¤ÜÆÌhó† ìéà s Æ«âÖ~–^Zhh\.…K¼¡¢²Ð ŸpÌ» Ž¼ŽÙ5MYóÞU-atÙ«Œ–xªñôu‚~o`¹lWŸ Éïµ@Í\Öbž»]™¥/RÛãàëW0Ÿ@ü¦izgžxñÀ.⧧.%T^¬”9Nÿ ;Æã—½ö5awÔ)üÝöõïÕ£-I&ߥ±'y…—žÀXß"žÚ7oô*ŒD:`Ø\:m·K±jþ0›`æ¶ÐÏ4¬”*xýÔWÁŠ`ßbÂ6aÊzÓ:Uç?fû"Ôôý‘GÙÐrÔÂöŒ²ž£²èô £ðAŽPW‡6\Èœ7 •±øä´äÝž:ìãÄ
+õ¹‚t#PcßÕÑ/&Ø™
+k0͆‰àEP«t¯'øß!q‚Ù½Zó ÷ó¬AP¿a0qt.z„×,S¨æ|«–­ÐhóTŠµhÏs°ÓÐÉ–»n€h­vÅл:N^”4Ôù &ºÊËXE š´Ù6ý?íÖ÷?ŽãÀqgeœ-+3.IV2“âDÊJÆÙ{&¡³ÎÈΈKVæ™Ýg:;ªwgwgœ£8ã}öù|ÿ‡ïoŸÇçõ<~=n¼Ú¡`(?®ÉLÕ³Ÿ¡þôR‚Ív#®ÚŽ¶m~Aö´§¬ð2ĬÏ`“\nCØÔòóæKÙZ ~:§pñæç•Ñj2~Ò¢–tUˆs°‡²Ô’Ô*/.éÃéXÓyb¶©¢d‚éý¦*´ Š9íJÿ$«F`™GÇ—ÒžX°©ÊCÛßß
+ç.pÒ%o~Í-¤6L-LŒ} Bv£ "Í°íÓ]`Õim"¿Y…éÉQÚB>Öž÷cÔ£z> (]<E6ÿd껾 Ct™–ÈŒ¸_ R‘hdC§¹0´ÔCþï‹™\Rr,ò?u'Äc$„R$ò‚Œc+•꬯*tòLiod »Žº
+^•ÉÓÌˬ6`¸½G¯;¸ÖâJðN¢yÂûOÔˆôïþÛ¨:”²É±Ýͽì4áÈd¾}sNKÑ&}ù&‹°’š¯ˆ·Y:PÏ•Õ4­5™Í²]ˆï×ÕøÝñ¼
+ÐÁ]Ý@?H[ª~T|ü[\._¯Äû†‡Ûm«~â¿Î&]“=æÉ?”b‘Y}…ö†®²žb&_˜Uá¹#Q\´3|°/›øè3—3:@÷×D„} ‰n7U)4žu¾_Ù×)Ó¡;ÃÊg”‹îÝ{ÁåôÑáÛ‹`ñ’\+ÕHïì]
+ËdQ WþðãéH… —îc‚·¶Þ‚©Û’£RÄ’bݬ†G’+lIáCªw¼,Í*¬¹EÈþ YÑ•¬Ñ‘­Àº%ÁH‡½@[˜
+–Á
+ŠßÛf_ÿÞÛ
+7{–4 pÎušóÌ(Ãq"»Ý:56©"KÑ^_Á”Ùw#çãHJ~1g<ujÆ׺ݨ‹¯ñYùÖn;“[ØŽîXo¼?A¸5IÍ-╯#¤”µü
+pÆU¢ûß· à2b¯½V¹•‹ôk
+KÒ§yçÙW9ô/˜µGB„Ý À¶ºSsâ'⃥—GWýè¤Ø@ níVM£YQ|¸óØ`”~x·¦äe·=­éšJàľ¿ çò£‹²6“a~5¡FËŸo=q9¨tÿÉ-äš —ErÆÅŒ½](©DM<6FZHf]Á«·ÑÈ?ÕG[>gùhH¬t͈Àd…>cÍ}una=ôp]Ë‘|Ý-ÿšÅQERv›0výšGñs€Ýi,¬v®dR¾—“UÊ(af¦Û´¼9&M¬@mšäK4G:Š¨'ÿ(Ž|ªŸÓ34TDŸ`umÊ¡;>ÀªáÓ ï¶ì¿Á×jÃzþ´õîÜî‰kæ%]«Èó×rL¡°þ¦Võ®ÅÜý®Åºßý>7Gm*þLÈ•UüàÙkö†öM#Kfró–²ÊÔRŽ,˜ OÝöþizD}uÜ>©êûâarê(v¯ €ÏS­i¹á®NEƒÏ#k–ûnÆw—’Ûí¿wè®]öÝÎÒ
+ØfòC9’¨þ1â°'Å:Ü$–oKòs×ðlÀ[ŸÔy>ÖÚĪÏBÜŽÀ,ÿkOù]d´I $"kõ4ïþûþ¶ÕÞ¢„´~¸|`ãÂC_iMTã[rLölÒ½«_X] ʦy=Ò˜úÖv–6þôO‡ÛžXÌÐú°D´e¢=YêMÅHºEr'ó MˆÎ‹vYÊ$ÿdƒîvQ€¿!4X¢¤Ó2(uJíÆj)Â7îY m¦ÎÔ.µ«ZÄ ×Ĺ'd*oøö²™êLi+îÜú™9àS¯
+Muà™C}
+Ó 6+Ø[É> Þ]¨W:£{C˜µ «x<Ä5w=¿ÕZLL‘1Ž,6ÑI½Þ  šMxã…Û”«fÆ~¸ÚUÍÓcˆÚP]S\ÜènëGñö_j Ýpu+,Ûî’±ÊÞdŠ ûüÕQŒà¨±—:àGyäç÷Bº9èÉÜ‘Oµhªày߉z­wL”ªÈ
+endobj
+858 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 1344 0 R
+/Encoding 1915 0 R
/FirstChar 33
/LastChar 125
-/Widths 1354 0 R
-/BaseFont /MPGUTB+NimbusMonL-Regu
-/FontDescriptor 622 0 R
+/Widths 1925 0 R
+/BaseFont /XMUYIO+NimbusMonL-Regu
+/FontDescriptor 856 0 R
>> endobj
-622 0 obj <<
+856 0 obj <<
/Ascent 625
/CapHeight 557
/Descent -147
-/FontName /MPGUTB+NimbusMonL-Regu
+/FontName /XMUYIO+NimbusMonL-Regu
/ItalicAngle 0
/StemV 41
/XHeight 426
/FontBBox [-12 -237 650 811]
/Flags 4
-/CharSet (/exclam/quotedbl/numbersign/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/equal/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/underscore/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright)
-/FontFile 623 0 R
+/CharSet (/exclam/quotedbl/numbersign/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/equal/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/bracketright/underscore/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright)
+/FontFile 857 0 R
>> endobj
-1354 0 obj
-[600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 0 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
+1925 0 obj
+[600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 0 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 0 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
endobj
-617 0 obj <<
-/Length1 1620
-/Length2 19156
+742 0 obj <<
+/Length1 1630
+/Length2 15892
/Length3 532
-/Length 20062
+/Length 16775
/Filter /FlateDecode
>>
stream
-xÚ¬zSx¥]·eœTlcÇv%©Ø¶íìضmÛ¨Šm£b£bÛ6»¾ÿïÓ§ŸÓ}Õ}.ö~Þ5Çœcb¬µö¾xɉ”éM쌀bv¶ÎôÌ L\
-´¶³·Ú:ÿ¥øTÎæ@€©…5 ,¯ ))' —SˆmŽ›Pp1²¶0ÈXm€Ô
-Ë(gçü7%€êÿMe†ÿ>‘ÿ$þoø¿EÞÿ?qÿ«FÿÛ!þÿ=Ïÿ•ZÌÅÚZÎÐø¯ ÀÜ1
-Hk
-
-\P3ÏØ©®â%ª«Q¶°sy1*õŸƒð3›Wž®õ;7 K³y²mÇZÉh\HÐçãîäÑ|Àÿ´_˜D®á!)?¬oöër$q0>°±ÏO„<X)
-V¼TC ÝÐÆÕ»ýÈû]…:€n&)‹ãº}°Äk’…ÀUꜹþ®æSM¼^ž“O›@õò.ŽŠå†"5sÝ€ÐV›¿eXšÑÎ I´Üû‹#k•ÚÖ®§alaUÑbPh¬4'Û´~ô2 þy×DEã)
-É{<D¶¤ }[DY¶¤T­±ê-úcØ'Ÿ[z‘.J(›ôb#Ö¹_{—Újå1ãysœÃ
--0ñö® ˆ(É0fö‡óÁ0–\Â9Šüµn3ÿ>J¾™Ê
-Sò¹ °žô9w:%x?RŒ¾÷å9:…œÖÄáöýŠÞ‰Mb*x:lô -1Y+„ -0ÃÂâÒ
-Ú8äWó <'Æ–©läÍM*iÞ3E2
-r &Õ}Yðù0qLW*€2V:ãJÙ™³œ
-9O¥Ýò“O.2&ÀŒp&'¼(5
-r ØàŽ:—UïÃ3;&^ƒ H¾÷Ä¡@\³cöW¥ËĤo9z”ðq£9ÊÂɶÒ]èä´|Í6ّ͸;këá²êäQËÖË”W¯˜›}M;¦ºù“
-nƒ¡”CÓÓÚëíûDÌuU£–¡b½³i»´lÜUšd¼mîRiSgC¡-kÖ;Uõü§3ƒsèº(sT ØÔw{vUˆ?*?Èñ'f27ØÄbLà×I(~o뜫’°P/>³ŠÖ²,9Cæp6ª%"Sš¼ä¿Õ
-ý>Óv¯"žKa†­dLWA¤;a# >ûëöêÍ¢®Ú:¾" )¸-!Ó#Kþ=ñ]õû3¿fö™ † › [ý9‘3Q"mn±`÷Hé-ɦ ‘=]“¤GÇëÎ'*¨j ¦—œ1*\
-Úâ\ô3†JÌtÂD†‚V­¹˜=ŠÛXüh¬‹:L›m8}äœZ¢Z¥UŽâý“kZM<íYáʦ¬b”Žnhuë²fè@–KüT‚GÐ_2žŸ=\kAõÛ;Ÿ¹š@tå|#Žì¸bK]˜ÑÕa1%­• ÓÞÑÑgñ÷½«É®,Ï|ÒKp(À·ê»²“£K ¶z7÷›Xi!P0L#‹
-K™ázŠŽï“ÕOG‚î
-é5[¬xv”C°‹S=ßPWâ±Géšæ­iúaÒ~öäÁy o¿ µþ¬ís@q+@ñ›¯0/<ϵº¸gÆ+útÊEQ”§ÎOƒÉ!qÝãÉ›¾e“Ø;E†èÏð‘#VÃèlµÃwÛ‡¥Y¿ÜºDöâã§7™“m­*<„"É Sé0
-$¦äh]™!î;Ö¦xµ;5rÀDW’GT>—0Nzœý¼ èè8FÃñ;Ó‚ñ-ßFIüëJvë~-bñ¥=`°Êvýlö¸E‚æ!Äímâ/º=ü1Ÿ/ˆÍX)²È<w×Øߣ¶ã™÷‘/‘Í“ì%mFÔÈøDÉÄÄRߎpHÀÒµÎÍäŒÊ‘ "X9€ãv-Þsçþ æ¢ Ô'ÕžQ›©(Â8ø„˜º“lŒO!âàºBw‹IËd !¸_a§\ünÉýùâH ]«y8û"VºÔìJ\+;£´ñ¦LÖŠ ÚhHõtñ¯^v÷Ý}²p¬|ú•¾<îög—#á5ñ¥;QÛöNW³#M²Ž#í³?Ð_ÀöÐGR¤0\.%B
-À”ö¢+ˆÞ)Á÷Ð?ŽGíL€êd´-1ucÊÅåâzh4${Gg¬Øÿò¾Æʇ­’NÌå¥fdã€U{h%õIí®Ïyö¢˜Iw¯e,á#ooó§–Êù’¬°<ã5quèËîЂsºêJ&ÆŠÙÈ…_+LCi¬Å»oGö"ÑâÕ2þn¿ÆÇjPÁ¸:’¿¶XS0`ÕÔ*‘>Ø“}‹ÏÔ»•…w2øÜÝO1<¡½¹†’Œ8
-+ˆC:S¡€5‡a|°k÷gHƽ´)2t•§©oš5O}ÞÉ({9nŠ5\·iøH@O°·ôŠB‹#"—r;uî?Û܇X©>pŒßú’•SŠÂòq¾Uãt´} õåùb#1,Z±jçX@7¼ •§ÉZ—rc?™”AUäûÖ»+[ä»zÄ+G ÓÖ_ÍÎðv_Mól ‰YKW£ðÌ”‚ 4vÚÖ©.æÛ™@ãÄÄý~´¥Ôx+3Ê
-Wi7í”rU¾µ;a‘
-ž¾\’’‡†@™´DÍ_7w[}æ˜ã£1™dªÓfGÑïÙä’e¸¡cî–\‘Aú”÷G¨ùøã¿ÇØs£â‚|cˆ¶zÅr}¿¡5oÅ_¯ÞðP­2þYìŒR TËašÚuAC¼ ñÙEωt¸²ž5ŽèÖä~ì¢ÛœD³ÅD“Ùµ”êR/ÍbÕeŠ%Æší®*²(D lûUczﲎT““)ëûm?i&lëlëWà<ÛZ¸ýd´GS€•/qV N“=ŽÂÚ di¼fÑa2ð ú‰{Š›âÄÊRm!ƒt‘Ùé7p‰œ„—ƒs;ï÷ÄŸ¼Ý¬ÎQÎ2¬fqÇf!>ZSäÕ‹Üq{ àðŠi^
-Âhû'zO`Ícõ¤õ0P±rLYβ›G^¦È¥Þ#©ì
-ºR…ÒBnÖÂϾîÆ¿
-y5~Psòí>x7ªU•$峀ݪü´vƈ´5@àƒ³ä¡ïý’8JôF~¨FGÃü‰0¯jiô…q°…Ü€õRVË#»“é ¦mV!‹·ä0B0IÅOا$—Á4à¶]ãNáÙv™Ÿ—³#1z l»,¹ ãÄ5#\û‹zQÜ‹Žïi¬Ö#nÝÕ–¯µ(¾U¨“„fp/¡Esªjˆé^©n6 „.ëÖ^+"®ÏeV¾¢
-8ðÞaí"Œ}9£tÍ\ÿ*÷Ü^"ªs/ü.Äöì0_
-ØÁ({0/“GÖ-m«Ôá>ñÔ‚Üb¹ýQ»ðÖk¦«Ô«sö28¯âªV–Ñþ$JYÒ3ñî—ðZk‹w½¥·BJ¢?mÁ¢`g?%uÓÂÄ9§‰.‘älʤq+4ìcXä_¶=né£fóѸ5­){_Ð'Ëš”sO+Ú¢{~Œ¹#Ï\%5ɸ„êdʺÖZ²¾`•[%UP+âóJ¬~g½U8n( ö £ó·( £Hž7á$m¡D¹µhOëHíW„;hKÈß8φóú †H~Â$+·CO‹-yÿB©˜R"g[¹dIP3(EÙKµSÄcm%==„ÕÅ»ÀrpÔÕRÈ q¥6úà +Ú,ë…4|¿‚ ¯Yì-EI—m4’ªiE+D¨ZD2£BÌ%Hݼ³‘ö£~·ã»]bË 'ò|ŸÞtÿ½¢P)¯…¹'ÆÝ ±¿IÒ/)>€j¸u™T-gí’;l´Ë'ÿ(sQÉd#r¹ÀFá3€m°¨^LuRñom×7ÿ\ _+3‘ñ›‘¢Ä1öXá
-^õÙ´ bš:®Ý~ì
-fÂéN~aŒ?á°¼¦‡·®_"ÎI¨}˜ÇØöµ`u7ñ›9“p°”¿MûKJ¡m
-|•nýÒˆÚXýyaݯℎºé„J‰ÇI^}m èD„·_GN¢¢óÉRs±ì}o†|
-Mö¨Eçe€z§½Ð@ñômú³”ÞÇŨ¶¼+D쇕a<¯‡»A´’– ¦r³S¿ÀóI!/LÕ¯GK^X"âQ¸ê9µ¦›µé‹º
-Nl}MI{kIËJß.¿&ëƱʟ˜„èºã«mL²´,\…½´PνᆤyêÑc„MJ/›ÎxÎS,‡ñ4C«uÌJh[Ž0ïoZËëûo=‰XR¯ÒFl0JøÓŸ;ýQ
-0ª‰ø³»À5F%n{zY„v¶näâk‘†,¡œÊ}¬©©ÂåzŠ”Ý/ð)H\
-á ·óGÿ-ãæÄ`öS¢ç¤^wS‹6ÁŸ ù×õÍÔýˆ_h±rà6zó|:èX£«~c&#ôÈîhzó'(Z {+<†r¹P­®ï’8­%·´ "™[n—hsè7ßC'Üo³íV¤æYò›Aè| ÒHnŽµÉ³“&<ÆÔâA—„w#ŒNH
-üzdùp»ºÇºû=Ì3j<óòSàìlúÊÖƒÛf|­µæÎ÷eìgûÝ™0±H{4Ê
- Èo÷mxÖ ¼þÒ‚âÌ×åBÍ–9Nhé#Äy»Ò«Ã{ÄÈTŒMmS
-î:Ó¯+1³¼+–ý0§ŽÕ’Ä:[”ð‰d覹,J„ŸÒNE‰Ý Ï q5þ&ÃîVwmÌð¾ß;0´Œà0»’Âóüֺĩd¨¦M ; ÛMM;4²¡>š/£û3/r3¬Å#šÙç¼ø•èwW˜Õh)¡ŒòÏæ¼³öFlò„ºWR†é^mLÉŒÂ{ðsLF6¨.ûžŠè,¨êz¬·fo
-+ý¯Ü—Û¦@¼kn‡–°‰Ë-ÏvCø +W²žkFV옘r ºË^ø¸ábçvœ»š±¨K?u4ŽP ¢+‘ý—ÃT»¸ÇaÁéçytQ8árj”ôH¸ ¥²b®I5íÀù¼Uù¹Á[صuuH´éêìœHjûµ{Ã">gf'y»[8.¢|¿lA˜$‰æ¨èH!K¿»Tl]²Qã­þßI
-»y¼¯ÈŸùt:Ùå6
-ðš$3:ÁHªËÖx×ÊÐùŸ'O&©>“ús)pCŠê–¤‚埌Ÿ÷dðqøÌûúçlsËçÆÓðž_pUwôûß;^š”ûÀ¤à<“¤TµzŸÁDEdká6]A=5ìƒË "ûDMOò䃛½%[êÓ×*{=F¹"ï£Ã?
-‘XE†™xð†Itò ö~›sóUúˆ£©Ç“µäÍC]0𬼕”„€¢ ƒÇ‰?§×N®ÎA Nš±D¢¸Á1ø=Ði!íø'(ßMêá—ï­RbøÚá²áCPþ(¾8Lµ:$PøÍ¥×èX;—Ý­1'?¶dUou±K…wõÔˆ“x4êºÓ»Ÿ*Ä·"+ìiÎUk|º;ÀÄZ2۽̹ºz×óä€ÍÍÄø0]*bí ¹àżòªìš16
-¾9¡¶çÜ@Oƒ+'ÔÝ{Us~Íxeoèí×}ÔûhµÙ<rã.
-’/=ÿÀÔèÍD±Rî9œÓd -(‚*’NE畲é^:,SÄÔZR·âj ɺc ]žŽ’´’ø¶V ¬µ=yf§F>Cˆ!AÿqøL•z35G0ÿ3TxY¤ñYS“Ø»äOö–VÆÅ}¦×ºXGˆÈ° vŸ8»úŒgŽŒ‹´ëuZÛ‚ì@ËŽk¤¨éN“ú|›EILœpöêñïDMfG ÏSk‰úºÀWVú›õˆ< é5§ü”Kù iã“#OiÝcäM²RA+Õ\Òuä8/)ˆ3ôžwû›eÈëDñ9æ7 «³‚Ü1µóL8”(µåD:lU Ùg> ‰>ˆ“9°-A–ãÒ
-é3ž¬¼·µ9ŸœJ#iy£LCpøWØJñ¬fHêÐCÚ¢ÀVÑ  é^¤Ç‹oCÔ‰bêb΢Bê7A”$qIË5iÔò`ŸØLtuŠ·ÂÍ:Y‘¨:EÖìò¹fì…žÔ&Îœä? FQÈ
-åF¤zÍÜ-E¬%õ@ÄÄ:ƒ}Ñ„dœ­v4KÿÈ«Ùø€  ìîrµßõ¦…!Q<u¬:\ƒ| 79l‚MVþ˜ ªfç·„”
-[‰Wèûáù©>«OæI¾¶C‡KV;%Œä¨ðò%rÚàŠ™"ßj@d+ËÔ5z¢fvrÃÕ¿uõzÆ‘¼Å–=]çÿ êÌ ikðšv)ÝrrÊJ¸
-¥¼¢ÏÉyÓ½¼Þ2Ÿeþh
-,ÏsË(ÙÁ½Á.(s8…›oAΖ¤*êæî¶}‰ý'·—õ*ÈQðUXëjúé›úŸ8æ!õ5*|÷,ÚÜ­GïËopŒˆz´¾¹øãGRê òù«M³t³”–ŸLæ At,­c…Èc¾7]Aèùù¶£ÉN€ºÉ
-(‰ª¢û.t<bÎ2o;ˆ}¾â³±Ãã¤Ib$æ‘"­é[”‹
-Žìdh
-´D¨1a2(iégµ;x{‚7\©A0‚’yyáóäVv¾ªÙ Dâû:MTƒÔ’í)‘rrê7׋?, {œt˜O3q‡©r¥…Û”çÎÕÂLéÄ*ÝûÌò¦°Ã³·¥À1`äuÔ›¹$pÔ…RûmJ
-‚¶=ÆŽÍÉnù-4­0
-7{¢Wk¸»× 7µÇ†»jåË%‡‚óºÉ×E&¦ Ü¦žüâW†gÔ;7ŠÎ[R'P¾¿ÝÈÍèÒO¸L^¾óuYÎ6ûÀj/ÎHÌ5¬¥ØÔ¼ºÇ`jT!I9%f|°‘"XÝJî&3ýÀþz›&ƒ¶q¨ç¬&6ŽäåÙäcŒ˜L16Zó 61GŒÃÛ).1äÔSz‚(ãu—-ø(øi~pçrYÜ—6^ õ\𛪗.ü]øš1‡½}l¬]m:¯|¥?D²sWFÇç¤>§Èù›ýtÓáX  ö§È%¦‹òf5T]ĨX;ÝöŠÖ–» ¡Ç–Et0ÞÛ8ë%
-EU¸ò€d+uQꞥz²™j#™f‰«
-ÊË'5lZ)c®wŒë¦éCD(¬G©ãe²µP³´5~PÏi¶L™æd!ɱnO;Ë}i¦$²AbDµ[¶¿o3˜g³!©\#ö³FU¾-Þ¹ÿæí>ú9¤ 2áUÉkûª»¦|óíDIÀÙÞ@ ¡Ä
-»_C¶Mãl@â:}j·@Ý´2¥½Ú²•¿…à9SäfƺyJ-gj"ôøÜû4A±ƒÿ!=Ò]¥õ"/ïäl•N»"ïQE¨û]'œÌ¤O™|…KÄeЧXšcõ»³öûDCïJMÁ“„‚b`úÆĦL$ýš­Á­·™³4"Â-c ®'•–äÇvŒZ•RæêêOÍ/Ø5¾¥lÌÂïkiLÄ Ùf°k9rÆü³š#ª¿'•Õ
-052BÍ6¸~ëϬ*“Þã“׫BL^x¹bÂ~;ý°^0æè Z±!拵Å=>÷1•/µþÁ…Ÿ9y.×›kôÈ ÷=r¼†=Eq‡q·ýçžáБš? ÃMÒ ,:ä§j4rŒ E¸ÅlôÍoÞ¢‡5fBµþFo˜@ÓÒJ1xÚ>véÙ!ùl"Ô> <|qbŠúÇ”›_BŒ=÷úÖÏ#ð4Øvg{ÎŽƒ`#µ“‹ëEB1útȯ _y
-ÐV×p™%V ˜5ÞÒîm08ÂDyTø¤—ûAQe
-.Ú¢6‰Ài¤õ™qUÌGŒOËç”AÙ•B¯ß8¾?‡6Ë5yª4VBô@ý¹ŽIÉõ*'Çïy•Ãˆ>qѦB-z¿:ÙýW– ÊW‹;_ºdð° «&µ#h™8†ÊŠ®Išëmw÷ Xg =sSi§ÅÄ5ãÈôÓKB?Ó›µTÉÌ]~ð l{ü(Œs`.¦¼o]çè_“3x¼ê_’o9å÷×Z•“ÒêȨd6Ê
-$bðê0eN½™•â­ÉŽÓG2f*Um‡}÷WEySV8!#CŠØ§¯é(¥½óÁ9¿;-Z[3ù*³ôVžüzãa¬ïÆPcÑ
-‡À/Ä‚u‚’í|£.襡=͋¼ÉÄ38:¢•¡j-rç· Ã(¬¨ L8;çFû>´P]bð®NX1ZÅy.Ê°>®®ªŠ³F7”åõÒ÷ý!ù†’½²ú®Y ±¨Ñã?S×ü‹žÃÛ¡)ì­(­ý&GÔ‰]¾27t‡{Fn*+i{wBŒE0øÕ¹žà2Ý+y y#ÏnÕ0ÊÑókóôìN¹‘૬¼í4Kã*ìŠÛg§n4L”l¹{6‡Çá7t¬UË>_šS .u á¬r`<>¸ÆÕ>ÛçïWgdØô’Ö³2å˜údG_ÇñœDßzn*q×ZŠÄ ñ%¨ó/F‡Fb‚öÙÀˆž&Ú%5ÄíÔRÍüÊgfêûWže‘ÞéÒšÏØtôük{øÙ¿b©½× 춨q¯.Y©¿Â§k qçîW!öÏt£œìçL×ÀkèbmÝÑ:g=G½ÐLk·þçÛ#&Êßnø`‰†Á&·»"
-ž°ÍXVë/h$S¶ƒŒ:Añ¾÷TS!Ê!Œ?Ì ¢-®%ÞöjÈ3”\uèD¡v»[M¯ TªõjW,‘@4\2‚¦Ür²€$ðã©Ü“ƒ*íÙˆH%ˆŸŠEgó¨è©~°ë
-ýqž\Q\²Ã‹±ûÍ—˜lËûâ¸æ­p h]ß,‚Üžúòš¿Â6Í%•¢ð“;‚)¬¼*¡¹ÀÜ'{‡Éõ(ÍÜö\CÈWýÈîƾýÂÓË
-†bJ6¾öÕûžõpIËÄZõ¶Ãp%}Eœ7*X§ïcáÄOÊòµúf3`#û¯é9 vqñ„§x§p b%c»šÌØ7¨D³¤ùF|X1/§¬ñFÛÌxË./U­Åß4
-ˆ~_È‹õì盽ׂR¬£ U«Ö퟼¿52Wëýà9ZOÚ$a߶mO¼ësm@ƒÏJ>4¹5Êe3iöÅlê<$ê;4¼&™’ãÄÙОiÖÜtþùê;^1]öÐP½†Ä
-¨p9¹¸LNüÒÇÀÍБi'ëVên­_ÖËX¼L+UíZ÷¾÷\£–/ܱ šeý‘ne#x=XJ ±RúSô‰ÔÑ{£¡otdKaðĤå d@ˆ›Oàš595´ºà³Ù‡ꔨÒõ÷ÍvJH\µè&©)rp´T{þ-mñ¾äšuåžÏ(t6#=êåV§¨øBKFôJ‹„vÍCÐ’Ã
-¤ê
-¾Õx;xŽM„}ÌÅȺéf‚øL¶Ãpr6Ë(ÔTà£'ŽãáÜ–½‰Læ‰=¼’cÉDÛ­¡“â-‚¶:àž k„Τ/ýjº‰/®ÙÉŠaÑ¡&©£Î•4#¨–͸ÒÚ‹¦b-ùÜu¸ò]ΚÊi^-6Š¹ÇºCè×Êu} M={ ØÁj"¹/¶Îž\].¼ÜkYèä$U6“ B¤l÷Jß"bÈÊ";„Fuj§&0$¼ò/Äé»c†ÈÌkñéP/¾I”³,[R!&À$µ'¾?Á¥1Öaи¡€f(9 ÿ&œÐò
-EÉÃc9²ÎÄS‡õ<z™,ÿZ^‰»;ôAÃÆÓýÕÙRÞìÕËï³xvvZ6ÿ)~— —sÇéŒm¿ƒ)çÁK͘Ã"¹æhae™MH!Oî1¾ÂyxÅ aà…P£ÌMv]ZÞ…jTH™œ…ÂÍbdù`7ˉlO˜—K›‡h”¸%Ì›uŭ§ë×½'EÙ3ú]ö@ ñƬ‘aÊY‹^ȸ"PÙóÂ(¿*Î8³h[d)yLšOãg°Èž f:Ì>(.&{>AY›uS)/âȈ†óôi‰‹V<èXÞl˾)jÊ22ø~ÁU؆ҰfNmi%:iš~Vò]moòãªkYÞB5òûõêÃ4º8Tq$1òUé¼y§lP6Ö_ó½c^yÝø}·øš£”™ãD6­Ûˇ=Sœ/ƒ‡ªKȶº ‹áÆ#JŒ0âüØoÛÖmf¼9ŽýS&çùÍ:\Ã<ä¢B©"H{f¢y®«Ÿ· d¶uzýØüøD…ŸbÝØ/”¿"ΦU_³µ/!0?Ù”Ìa£zêÙëDÔH¿îBqi›i–Œ`HËöCŤÇLéòñK'oùºæ…–à@(ê×-[„rh–H~BV´Ü4è¡@O€h‚œ±¢¶—ÛÛ/f¦¨–‚p[—È"„ÇzúQòüÐ;­­äš/èN@öµÇ¶æwÒ$é;ÉYP›:r=Ñï9„EÿBx'aËdzI–ᵇ^ÕTä摨 ¬-Xœ¨ðoOòW<[z9sá›p ß:—¾Ûl~(æ„B²b ø>KƒSÐþ2•ŒûÄšåêx꼄JýX§;{B v
-
-¥&ôÙÝxK”ætªü«*Ã}Eñ($ kbAk²
-Íï!VS@ù¯b;8 ~‡ÛUgžƒ¥ÎŸ“ µ~ÑÆìåÔú<ÂŽ}¸K­¾jﮣj„Þ²’ççIYBÀõ<K®ß°”—ÚQ…”S" Ð<™—ÄÇÈãÚnÙûW-úÕ9ôTæ¹£;4E&x%v˜ˆZ Éô±zÏBð­„¿‘Á;Ž)ÎÈJ…5ÓKÚ(1d¾>ðœ{ûZ„Ì¿ Q>3¬
-®Ã±U ,m;Œê*§Éáèï 7‚§¯¨»×¹n[¡Óˆè¶bÌž þ$”ŸÏid÷cvXqh@ú‚DmÛâÄWÅèôsÃù£í«Ó:
-kÅAž—v|étå@òó0´U]¼Y¨ß©ðYôsÚ÷/þGûôý…ã8pÜÂÙqöÞÎ&ãì¬d22Îv!ãrÙÊ9#3ûçÌtÙºÌã"{dd¼…Ì>ßÿáûÛçñyýÏß^Ñð%¥Õ“ó/½Þx+¢ç«À:C_j=ä ¦DÅÈÖë8ÍT\Ln Íæ¹°†DŽ%‘ÍÐL÷ʵûYÈSEkþý÷•,¨8=ñt³Ô‰¦EP&§!ÉIÆ ÿ:ÚËítüF kû!®9:<ÚMÂÀŒOÅEàg€R&Ö¿_n›âTË1ê ¾ç·Ÿ[~òTýpD÷ni³Y3ÀÜ–ês¨½”‹‹Ôñõz–bÚzÍísÃú ëgša9ZlÈê_ÖmO‡çH¦ª­Çʬû%!#Ÿ£”ªÂ÷¾Ù¨ÙÈÕ•ëËÀå¾$1 ¹—bT!PÅÚhº¡Îî^Ôˆ6ëáÐr‡Ý£=e[]t×w“ãŠóùzmæE DƒL%½ó\}°¡·¬ÿ å„|;®–ÚRÑX
-3ŸÖrÿFíöJÞL–¿8ÁϘ/»«Ð,!DÇ…î<ÆiÊOµSÙ”ñ£ÝT²Ç‘N#èxîj«»åuûoñ:Þ֧׹‹»ÄózFê’½Tõœý
-˜‰âüÝTRŠ‡ì¶NòØ]Æ_Ó”i¬ŽŸ_úú‘Å‚¼K‚ΆÇSIÊe°µ{ˆ×Xsë(ÛÜT+ö®ë^º
-+ •QͲƒâ„Þ˜Ò¸.É Ôï­]Wpü½¯vëùëBåP•®ðDÐ8©ôNr°z¼‡ïæìñ6ù]“ó ˜Õ¥™ß‡ÄÂ9.æw™þИݺÓ
-…%lÜOÍßc†ó‰é4Ü´Ê0Kñ•ªA[lØAuâÂØáÑÂ÷>DÙÇ+ø³ûôëófÔÈóÖ)ñÄIw‹ªè×J#4RH΋‘¯¤ÐÛCé_ネņkŒKº·mWfö/… <å"èq:”$±öñå”M¸уÜVý*Ž¼ù餱Î- ÎcH“í`ן,¬ùô­O­@ ™˜À<xc´á°2Š9L1.Î33µ±¹sWk¨gç@B¯8ßô+£@™Èv~¾”J©“öJ°ûZ€•0ÉDjëœÑ¾õ0õx9(Ç©Þ8× }ñžûð» Ý<#ÃÛƒ®ºX6GG†ßd±œÎ
-lÅŸœ$f_dq_“ÉñøC–C'O§_œ„Í¢z™À7Í°5åAƒí`EûKࣃ„>­Ò„rÖ:«Í·ä—ˆ•Ö’"îJìK4åäNϲN^U©çuÃ̼ß!¿|gbTM‡H³™¢" 1WK‹pr)*Ó:ô}øù&X}¿³¼åð¡øúùDÊ’‰‰à†£/ÿ©“€óD-z°,¢L“4G{¨îwN
-Ã磵E˜±Ÿºùxünôqb ßd˜[<ÇfÎ@ߤ»Pª p§vŠ,à ÈY·“›Úˆg”þ½#©Ø¦”üëÈ`…>—âI¼¤®;p»ï“‚ºúÈÞ˜Ôm}*Ð÷î7zžôCDuQÒé”c§„Ë/οcÖ”N~?¾¨À¦Œâ~ Ò®QR__èeýrå
-@¤õÃo_U¡;¤¢æªe?Z*½¿ÚOæËͦcZ¢6zÓ*î
-€mK1”£»ãß:¹<f:µ¦V.sF»øÎN®õÎîÅEQ‡gŒ‹uà,¥vz­!ìuS,ñš#\¥€ª6KѯAÃIá)è˜SX1ïŒ~†‰<& ;Ã] zÜ)ZP=ëN¾Ðºg¼)Qµ°}¼>Õ˜z_#å *’Ðs,b½“o&‰ð]ÎÎì†Ò¬¦{˜±ãxÂZ©–\å.ÉÉq™5í—]Í_ãÓ~w X~˜½UÖ"bg¬%Ì—ÊÉbÙ¶Õ¾VÂ3a¾$þ—ì!íL;ENLãÖ[µô(ÁzŠþÐÞ :\¦oŽìÿÞÉðdþÌn¤j’Pïn‰“Ì{:}*PDvŸw*[ð@9‚
-Ô0a¸­¦û[ßÅräÛ%Ó\qŸž]£÷Àëð|O-FêkÞ‹³€'‰Qö.ÊÂTqëÚĵ¦Îš)RžcÀ¾ôßØDã“V¶¢Ååž5yÔL ùR„wOƒùͳ¬¯ãƲ¹ûx¥óuj2a™ dêMèaÁxö³]&e9õ};ªÄqÜm–íʳì $j´’V¢_yŸ¹6€W 3‚èíRõѹc§EsšN1}œÇ‹”Çžácž!\°­1£,,ᄬ¨\XMÔ›ÖÁ€DÊŸ&ë«~9F=Þ'KJk®
-ÀÝÏói<ÐÿiŒö?›ª¶endstream
+xÚ¬¹cx¥]³-Ûv¯ØfǶm¯$+6:ìض“Žm;éØè°culãëç}ÏÞû\ûœ_çÛ¿Ö=kTªY£æ¼îûZ”¤ÊjŒ"æ¦@I{WFV&^€†ª–²‰­­‰9ÈAžQÕÁÎð×̉@I)æ 4q9Ø‹›¸yZ@s€8Ð ÀÆ`ýúõ+%@ÌÁÑËdiå
+ ùËAKOÏð_–\
+ø›UY\òßuºZ™¸þ“Ûô8Xüõ4w0sûgKÿÂþÒüE]M@ö.
+`abû·Wÿ²kØ›mAöÀ¿šþ«
+™**À)—PHW£B¢ªU³m·WÛÔOrí]VÉ• $«ùqyĤ"õÂzŒf<0ëûë£Îðf}/Ÿí¤>bêFè,VØUd‹ÕƒæÔJlNÍo’©+¬OXÏ1Ï-¼§c-NÂ1ipÝ›í\AÖ
+úêì`uvdé,RHžê$žkK‚>&Y ¤ºÛ”OØ&â„o™kâÆœm§Ù WëÙÉ
+¨œ/û«Ð[BÒó´`Ûtä¯äÍN¿GfáĈHªýmVéDÇÏ“Ÿ”Ä÷¦Y_kÉóÍ+èü1pÇÒ¨åÁ³ñÂjD•jÊ
+Ga1Ã8‘¯YÛ«Ÿãн>½l•ê!¾™Ç”œ±Rš¶?àW'‡Ù_NÄåƒÆY4!aÔ„ø‰¥–
+/ÓLòFºVÕa¥¹òÞ+sTe˜1‘G·G]<ÖlI¯7E³±+’Ò=‚,Cš«OÒØor.¹kÕ /ÁÓŒ’ÍU±Hi~|ŒÖwÚkµqš‡~ƒ¸Ö£7ö³"ÄÇYæ…ÅO k_ã1fo4,ëIoböm5¹‹²O½k‚uÒ¥2ƒÞ¡úd‹j¨7W})“Þ‹¤ÐϾÑdT¥wÇ„{•ü¦ÒfËç«Ø™#K˜€Nƒh çuÏÏ%¢>ÞØXñÿàÛñÝ%rá§_&ωbksà£uÂÑj£«ÓEŸ
+ö:çkØ¥»ãÆðòvÏ5ÅΰÂÜ0p!.ZÍ2§.•`Õé;ûòÒŸ¾´E 'ôòL‹~­'"Bδ •RÛ…ê뚀ÄÌË1ú€Þ‚`0ýzл»-õ®‰ÑÆöø$·«|Â9˜ ühˆô`´6GÞ£h‹º¢:"ÎÙ;¾M¯_­µJ%îo%ÒÌnck—ý'y¾‘ýαšm¡‹¦ƒ”õíÞ*{ iwQ[™¤kžç Ë tîF!cö8äÞŠNßãÇx´ ’Ü!Ä’¥¼Ö¢¦¥Š—Î~_ó©àH¶ýÛ±1%Š–±Ú¹ Ͼº¦á¢Õ>ÝMÐAŸdZ˜Ê51Ýb1ܤɬUð/
+‡Ø
+ օݧ{ÌæßÖRáï›I“¬ïØÃ4†ºéd`ðe'¢ò›KþÈé•ëÀ0 xö¯´ØQ¤Î]åhÓJ;ZL½"7Ò–ñà|êTñÌãço2R°×%‚¬Xs­üòc–>`pȸÔ¢D…Üo½I[«4uÉG ‡äÇ]F?bo÷ ¦"1I[#– x%‡x‹¹žÆɬ²×Á>Эs*´Ïühd&Cîx3Ôà9‹œkMŒ™"SàÈÕÍŠL€''ƒ™C¦eòœÿ@ËÞÀ4:%½BÔ‡?Ö´OH6c{h¦5/çÕ
+5’QÄ„Qƒœqó™0=l­\αç
+¥×$á_~Т:ò›l
+Û…úMÚ„m>ô‹'Á†ž§MýO³qÎCÄ]´5CXá*\•MN£dtWî
+BJ!•l!~X‡’Õ É•aó’1Ë"/°E©ø!Jü÷™oó§KDMk§Èéw“F±§Ûˆ{¹g,˜6Q4²«lía¤WÈw©4q’7_úU0"¾B` Ï"ø?(±*ë2­³G€ ¡fÓêQXŽŠJ5úºîÚ ñ%èÐäíb¡Ê¡ÓYÉ_c¸p'vÿЮ/]·mÐøD‘ /³îwòŸÙ|&æ>¡®GSÜ° ¯d9{¶£IóJŠK÷9fã¢éŠ ©þäÁõ@ñ¼9xŒi,P¾*=cùüà‰µNm6O—^ E› ªÖž©ÁôЮº
+M2tÉ»bqJCgª`AjI@vr]Ú@Ö *Ó ä½è¼‰_‰ä”/ú¼æ/
+¨á"R’´‰öÆ$ä ÚU W=ŽgY·'æýÕ ±M‘‚‡{}•ÜÿöA®ô5±ò½U<b´Iïqç·3Áì\³ù«çsÿ^«Qº×I?^s2XÉOzG÷6vïáæàæiðŠáãAûÍ6ü‘îav-œ2æ¯Krʃzs_4/“íBào[çç3r„¸)_&x†·¦3‘ÂÓeX’9iÏiëxêל-9ˆ‡sA\U Û=$˘¹¦G ÐñSÅ¿%ÂßR2õ«&öòôtÈZ¡EÇ£ÚùÌ.êòhnSm»Ä³=£Dý”Çõ6àÆœêk0¼îSF£4pºJÆßú „c¦…QØÉG‹Ìû,\…RXÒ<5µ[ŽwÂ×ó é ‰ªš Rš,¯þþ’\™mÄT0쪃ó‚×sõ`ÃO4â„W…¾lï‹Ãë"Z2µ0lÁ¬{¦'( zñ.9_ÄzÎãБ²þãbîÂÑëwS*ú[­FspÛúÛߤ_é~} ‹s\±š“fÿ{ô÷ÁÑ#ŽÊ‡/°² V LlQ9áŽ%Ã¥€T… h(£Œ"Îå
+Þ_#þÍ:ÑdŒ´r@SÓ^É2çQ›¨ô]´à8UY¦âq¿½Ÿžj_'åm~²˜O±ö òà –,®ùé‹‘c^·Úû…ç C)¾ Êt%E—fã$‘P9¼žˆã4yo(¢‘d9mšjW˜/¢qge>KмÎf6ÞÎ'2¦g¯,5ƒŽh­óçü¨6à«ÈÇ
+g!ò)#îLI•eÇO~,EbÛà ¢.ÈÁî=íõÙL(Bćơ=²a~¡Ž LÌjSȤk²5ž€ŸH½ºFŒ§WiWམXøwÖýï… \#A†%ñ³‘Ë2‘j Ç´½Û¡õ´„P2’åíC¶²‹’³o K,\QÛ²ÔŽ‹¼Ü3WÚ ‰SÁ™Û3èF#ëšlËñ°ÁºÌ¬§T{ô?êu5DZ—b!⺂Æn9Š#M‘y^Qi$ë\Êo#£ :“ÐÇÏq`{‹!ˆC%oÝË|°¢’N½`^¾VÄ:z´ßÂØÚ˜Å,Žž”\uyFÌOàø6ëÞÀ…?z†t+A×ÜéEî>VµÝ´çröt'ˇÅ<Ë9¶]ÄöýÞCðò—|fŒK¨ª£µ®ß( ­Â‹%SrÜ3ÀðYÙ%ŸT<RÎm*ˆæ“SÞÑ-ÏaŠC!)wȨÊ;ý&NÀêpêüôÈtöÅ;ÉÈ]¶ÇŒQÉŽ_@q²Óa–Û÷Ý n}ù‘Ûü¤ŸZù“íÓúY»hy5}îê]5P×*»a$G(®‹uý"»ÊÏc9‹z›”­
+Qm®­.
+_ Hf³ÚU;ì­^º~ÁÀÝ3µ5é øÚ¡ºø[\Ù¡&÷Ú;Mo9E*Ûí¬ E Õm¹lê·šÒqd‹¸þýà¡xZ¯ïvô£æQ¤䨟JêÅcFv£1Xc:bv´æQ43ÜËg¡ã6jÄK¸ú¡|R¹š“øÃ÷N7œô±°ÆDL³ ÒYTmN`ÄÔŠÓi
+öYˆ=~åÇk8¨ehúRZ^±V<£‘x–@#”"s•ýÇÚdÔIðP…®÷­•úz8*uÝKœdÕY…®Ùð.Ó©¬á.‚ºuÆTaˆVÇñŸC—nXЫç«j”«žŠçµS¹ Í[džN–üèÇæz ôÛ¶IµWV€A¶šéÝØNQõÆ6W
+ÿ·^]Ä“†[#"‡6]”ý¬…Xí=ïóñhé¼ÜmÄ%ýÖF¢WÛþª†Úû—tµdý
+á;¬/¨`>‘DÉF•X8)RŒ(êe+QBöìøYýú$ø𙨗wš4ÉAÑåFç[/Ìï(=Š|ú11ǹÌYfFã–s»Ø'ú[þµwù|¼ŽÇÛ,ë¢39i¯æ¼Žõšm!¸«uEÖê†î .>Pr˜áËóOªbeå£/Ï”£à?cÛ^0ô²³Ë«Lâ9}IÍv#VSgzºŽÙÑ‘ðîàê)˜¶©£p.´ÊI*ðwgÚË&)ƒâ²oUÌäšH€+ßÞÉ¥al‘BéiWŽÎG^ç˜ÀØl8„¬~ÇH/«æ5Àc/ý
+q,‘ô¡ÇúGåKco IÛ³ø©‚Ž Nv#j»£)Ÿ—“Ì·‘¶ý¤C±Œmm§
+ÄáÛì‡VJ@ÂyÜ4A“ß(9,”÷-mZË)é‹ò8ÕªÇ+“lvÕcÊž|:"Ú!ý XjñÕ,NÛO¤y|¯aëŸÚaƒ™z
+ùΦ*-Ír»b3‚Ë1<]#°Õ¤pX%'Lèw²ƒIýohZrI ®ìñõQ„è1šØ—×¾˜I×ì —UHð¢îq‡G[Y(|#8°ˆ ¾«ü Ì¡"@áBÔóѳ{¾¨'™†V æŒþžßˆ)Iª‡ýE«HÞË]~@wt<ª7çqÄEÔË̬´¥!yšj½7§ßÀÛ*«4øÑ?rê9ðgÅ£ŽÈKj…4HÍD}LÂà=™òâ1å7Ü4S¨r/êö,m@Í H΋pø^T*õg´ ²è‚V e™'&¯F€™ámyÛvîÃQŠ€X¿6~pl“È3ÍeôÆ`âå=õïÒ3(¬•éq7¥sšçWÐ)¿Ÿ•µ®K¬1¿!qÄI b^B,Ësb¬@¼ ‰ja¦•0?8ì@?N©¶ôÚo s¬y¡¸TF3ÎRer9IÎÊè7?°0x?Dtebv
+"q‚x”Ad€Äœˆ®wÒ4°ÈJÙ¼­Ì8ø¿Wöwm B\ëê ìáQïÞÌæºÙ2çŠ'=|J¸^Ö{~ %ÒffÞ2*„ÿ¹UU£î[œRnÖûÎ ç äà/︊»æÕµ±úøÖ[²@“¬½¡Í—5NCCOQ~Ù/N»ùÞq¾!ê ‚„ÙHÔÚä5Ôû3õíya÷UTE‡3BŒýóGN½Ü‡ÄlXþÔGõ“) Âå§aow;é5’-Vy3Å„§J%™èvsQ¾ó\¥Æ0wW˜jS4ÂÒlêWbØ9z%ò¶;,_*EéÃŒ¯ïw1wÙ=ò^D%IßïÿèÀ ‘´ÃΉ™ûÆk¸ß‰y(@ÞqH·DêÇÊQsfT+Û©Õ©s>ÁK@BªB¥¦¤¹já»AÙSg(c¯Ì^¹Ÿˆ<H|…vøuMgÌ[¸åßÎ e7wjrò2DüÛ6dlœ H.)=í:{˜;œ5vrUå(è
+«°;‡5Î9ø%ÏçL¿ôw_†hÝ¥‰’ 6°V…
+^”ØD>#û|ïzïÔ>Œ_ƈP‰ÌäFY„“ðÉQ[ÜȾo £zsT¸8ŽZv?=ªÅHAÓB[LÒÒâvl.èÆí“ÚGÆv‹7"E‰†O¥Ojn(`²¯—½Wb°¡vs÷;îù+®{¿ÈýÀX°«§º½[ŽÓì1˜'½Û6ˆUÊYø“÷dÌe`3ºæç³¼6àHÅ©ÜÁ­ ¾ØÅú(n°ƒù‹"uY»¦·[F’¼3  J
+ÓdŠ®ÂlÀZ(”ŸRO¹Œ»“69Û€Ìà†ûŽDQäìUJE5ý*rÍ@
+(§[$$Òè,ŠÕ%%yÔ »´Æ”V°ß{Ó(±3· Z„Ö= (0ÜHnƒ«%1œÍBz;¦ßŽÚsÌ9û=u›UÛþígàÑv±Ú9Ž{â’®0Ý
+ø%IÆãа¬"£H_|B
+DÈôZ¨K~¡ºy±'§«š—˜Â2ZSŸÄ*_Žs°¬¿áüy­•4á’DˆìG„V!3ÆÓä.¦ŸõÒÀ~Yx²ÚQ3æ0ËÉ*À‚äêJÛnïPýúúx ëW11u‚:Ow aA” ^†’ÃÆ„fÚÒRW—Ø(˜¾àBß|d9™eŸÇì x¹|nzç¥üí’]áÍOúåð;={É—êž/Ý„x_ ?à^ÊÃxVòWû‚¼%uÅ ºs+§iTO˜²ýôˆí^êÓqFÆï;ëá[1IÑÇ@ÑIÍEÃÎXq{tUå½ÊZ$ÊÈ/.·Ë3¨-Î ï_ßa?›@ñÅPlTÁLþŒ?iy1s•ÂyK°€[å>su ñ-UXr§m;¨:ª•Kó£*gò¤Åú‰᪠Y&–Ì1Z°ÏÚ¬½ÙQ‘~r"¬JÅÌ`\Š}‰rí&–¡[@²¦Ú»Eû($:¥ºøeÖÌÈ|½C¾Ö(ß~™„¡
+ö99'(ÜÛG(#?‚iÎä²q
+[(†ºÍ öt bÚ[·ö-
+HÉU
+’7ø“’ðüÅšŽ,<ëÀ¢ Ò½è ¥;KY±7¨n’7qÍþL3Œ8Œ@×SÿCŠtv‰jáY²Ž¶bb»¸iS
+ÕL;&ÜÚ社Q²;»UjNN{)òèÈù¥@Ã:è0>nOG"ýya,.ÉàÙ zi™TÄë:q!$*nK\Â)÷.¬’í8>‹ –Éîu¾J~&Õ†»M[oȳ©žJ´2Ëxy˜3Ÿ‰“ýÖ.¿”©tü.ó–5”Ï8Až «Z¦´´òÏn‘Kœ'‘[àõ•úV‡54›»Ü,eW~o§5X9mó‹jœkÑ$'<àYœ@ªùA-G-_ÚmVó ` «ú„£ù”Ó¹×”Šó“$È»²™©CÕr1¹"ÄÃ$AŠíŽ)й¦?¤Í0HÝÅŸàcËÉ&<j ©C@×Þ¶ÃtH.‰ŸkèA™ÎÿÎ!á
+u­WfH´‰6çÈPG
+.g4“Mâ'M¦ï(ŠMÑ|éÖˆð…õ²›ÓĘ#5Ç´=È•ò~u¦5Vê£R¯/®£­óHÄ®f§ŒŠN¿:¿lŒTmoú_ ˆ[O»1Â̤§ké&èIN†‹v@‹þH,€tŒt¦á>Õ'R¥•K.zgóJ˜ë(+Á5¯2ìkÚ Ý϶¨Â[ú3Änè^ þ^×ÌæQ¡T d`v+f<ñ'yжj~›q)ž\k,°ý”škQí—½`µ‰OÒ«cìÔ\,& šîJ
+íiW‡ fÈ“$#Ò±"÷qHÀŠJ\èWxZ'dô•ÿ
+'î»ìØ•Ë#>¼ºê£Z*¶ ?fôÑ1sm%$¥ž
+aþ2rž¯Y"`¿
+E¢Ì®_Q²HL‰@Zá~fNS^ÿœí^®<+9;ÚyÜúMtéÔtßæN9ïJAñÀئ{½ùMÌJXQ—DÎ+vûÔÕ†|bs”F-Ë•§EJ òó8}]ÕzÙeRéÀd.Ly’ö|ÿDl>Åõ]Ãh­W[®!ûÄT‡‡ÞuýÝ!"ƒgúˆ.’FHD•‘õÝÖÚšgì$Ð6MNâjpx#2ì,y]®“ê™ _ŽwrÀ% Oqp¶,Ô†´}–úy.Ì0ØÖ³pßãOS*³ã‡ïwâE †ó0m‘¨ü…YiEµ ‹X‚EiyÂ’“ F/ɪô¶­‚´J´ž—‡@%aHøèÕ?7ôÝŽ¨Â'’J‡ˆ2LäÍÝDœŒŸh¸Ì¢±·,Žh¶è„CYö]Ñß´­úgmkôfÆ#ÔíÈä¡J¸Umßý¶ªæö1ãïÕâ•Æ»Å†-eQCÕsoŸ½Ø‰ Í™ªLlmwÓšÞ—Jš¶9¾!&5#é»~kÃÓ•±9wX§Mk‘ŠHg¥éÌÐ6ÓÂx̱Ùõr>%Cçñ#ñ“(ž¢Rm|™$×B\µÉ AvV7Áû¯…00À(ä1˵ÕÝÝK¦Ü¹Ù~éo»T9z˜~Yã{òÑ=Mq0ûJA «ø}/£1Äí«e—Ѧn/*ómF¿Äxù q¬äyJS*\€d­-†:¯Ø]yÜÔåTƒ‡¿øƒØE@ÍfvTü6íÁ2~lW=_xãSeþ<ùBÐÊÒm"¿‹g|£žŽ/>¡„ïn‡œ0'OK_5b«F¾ìؽ°`‚ýÔš´ú&¯Ï¸?`;ãõð æzâŠ×=k-"c ª)k¡@2×Ül SÕs'tÜ«f€p!Ó«‡¢¤H|ö‘¾×Á[ú 4ô‹ê9_¹ªÒSGUPâI%¸5–
+qQ)[‡ŸäW=Òлe~ÙŒB‘»ëó´#âý mω;y»Š%üŽ@D$zfªéA%OÕtØ9ø»«óu 6’RáÞŠxƒ„ï”
+2:RÒ]š¡¸\•´²DÊ™º´^-;nðÇY~þ0Ÿ1Í»PÒø¤0«¬}¦“?f0­úÙq†cŒ¶[ú¾;¶96Ø/
+P„ é*Ë~fûiöðÐÁ± y;§‹¸Ãà’ßÐpù<3A,
+HG€BÊ!´q<6õûœp—-HM¶Ýu'¯ýôhË)
+Ûs'&ÞHË¥Á§õŒñ¾QNç—‰Ÿ8[/»'ÚýtÐMs¾Z!Å7ÃFjA¡;Pì;ÎÓ<Ø:ô‹hX[ÇñxWÓ·MéxWÕòћӼaç~ݯJürÎÇû®³`ù²ÏÉF™m¨1£áú§U, Å€ÎÌ÷;:ÖÇ9½èyÄÂ1žìPUºÝS‹QRUib3íWëA(W×â“ÙÅ€µ†„äõ6ú¡Q{I–àÆ/Š†#¿I¨
+RW¥Ï
+Òd<—ñ*õ/^›žˆu“ ”Ö†´06f¾Dx>É3ÓÐ6 $cºŽ~{V
+´.ÎlTÖ±ð`­çÐÖátžë¾±ÉŸÜÖR)z’ºª^ Å}bû»Îd7
+Á~‡+Ò«‡´¬©Bcá#šUQˆµ»ž2ßÓ5:a]C>+×­ 7ø×B
+lwÏÍ ¤Á;e£“/~Å©ô6€bDPö€Àì5 ßhàdÓ'±1ãŽÔH®—äI¯Ãz£íFR… R꿧ù‰´Ôö~ZB‹µü|†šïs>vŽ(B¯)ˆä<µ¢+þ‰>wÓ*>‰v»P°ÈÒÕìn݇32B‰;¾}0ñ\d3í•©Þlýöu>Ø5¹¿ å'Všµ«7ŽìòÂn@ÐŒ_÷ u,c!Üy&iÏ6I¿ÓpǾ
+I3qn»#q.¢+j¨lx¥šÏw$àmE8L/ëÄŸ4
+i}ü8c©+V\‚ØH}Hȧ¿`$¾³O4Waˆ©þ«ùůµbâbõê¿Þ™þz[›aó¬^QÅç¿o¹59ô>Ÿ%{q‡óx§òêÕ/ ìŸ)¨1£7i-ɉ<ô–Îy×`áÌ~)/B,ÔŒÄ ’$¯üÈà‡Š} Ðqƒq\­¸Ôä9XÇÊ&Y Ä~ÛÙ?FÑ«âÖ7AhnzräÍç$"wÅ:XÞ#uq^ß>\xb1Ò»Ïtá6J•ßOõ;‹ŽÉ–a¨Ûß„f {âe# zP$ü®)И'´³ýyòÓûÕn&såÚd´‘ôòh0×Qš>™ÒsA”>2Ì„8¹º—£q}ªé·Lm¯‚Ódx¯N›GQðLÚþ‡Yô2V÷«½ 1±ÅµXè*ýõ ÷q¦69+ÛÞ¥Ÿá0ë8õ¯Ü§Xî´ÏÚæs>Þ¡v5js+¹¢ˆ´Qaïe÷
+á°âÐÑÄÕ—bJŽãû—"oRc¸°€~:ƃKÚX^ªðTp—£™#›2¾&úÑj±7ÊLåzm-5?ø± %;7Ü'GÈav&³}.uƒîãÑ-ÏAmixûÞ ¢²c
+MIª\ÂuTØjGI-gýÂÓ–GâydføæÅxÃÃ,oÛ.رÌ*_ùSÕúƒóØCkëÚ™­¨·>]ÙrÿÅ:K¥ÓS%œx
+æ¨5-lçÖwŠ?v¹Í“!‰P£C´é¹2üÇ6$í.ªM¬—¿òÔöž8ü¨=Cî<:6¤Ò*À8€Ëi¾‚’¬ˆ§eœxÁ7gSL¥]ü÷MÁl϶É_LÎ[¯>7‘~KÔC¿ bÖ¡ùMÙDSG„l,Ô±ÿ…ô4¨·ÕõvOój˜ývXÚ‹>N]'#èØÌ×!óþÇ7îð*xîG™õñÌþÀ!%aóЦ_èõ\{¸®qf__ÌjävU“j3ùêEo/ž4 16ìž-AXðIŸsþã¹ßZI‚–>ÛýNA¸­s´Kp‹²ê˜"ÏGx ™?þ³Kl\jß»¬“aÒۗ샜+€uÊtC—hÇîá•
+¿n$rÝ XðD˜t ÎõÓ…”2§—n„sÞmOÆ„ ˆ;²ÃßshuåU9ñÖ&;y-sõP~K*ªÅz4rnp´}ª÷œõ)RB—+«å—>¢cI£Ž¹w× éhz€Ì\mm £MúHþ×<×|Ìï­&‰ Ÿw³s£Üë+\?VË´<=yò‹ØH»M'²ñÑ67Cøoí+A5x5½·x¯'_Ë
+c!vÜ~óÓ4¶bIpµP]ãH^ŒúÀnkLßYßÙ„æÀ,•‰)tCœrÀ‘ Çi†Ï±m$hýÈn.ÿ¶»öO¿ªWÂ[–{OFChÓ'žWùÆ*6L‡1±’g^H]u Ââa3ð¸g@—TÕL_1@d7¾ùÁ“†µ‹Œ:…‘XF.ÿ§Òfb1\ÄñSÙ£Ö®TÁIS ÒŽã{9.´ v´ôPš_$ ƒºÃ™.T€Áj”¤RÚ.zàÂiXÎ^;-”ûkwå0HMKyÃûSc-‘tkâôk'a.*bí Û¶4ŠdÇ&ž*qÉŸX‡ÒÝÓä"c°4 *+9‚3£
+cáE¢Lg%ãŸïÁó§KíÚï©=ëg‡~Q)œu‘Še7@ô`­¥¡c˜„s2¬ìe/ï´Ã÷5ØI*·[ÔrHîD4;"«hntRÉ´c¬¥ŸýÝ„u å{ÿÁØ }hë …
+¯41¶{ºQµÚâl·Pãg;‹($@QQ~:ú4¥ /麞e„¼æª't“Ê>~œÍÆTÂ={š÷ÈcW ä­ë6Å͆ÇIjË‚¶{Al ¸¸ ²œís è¹”Lª £ÈàýÞùqœöÇ=*Y€þK
endobj
-618 0 obj <<
+743 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 1344 0 R
-/FirstChar 2
-/LastChar 151
-/Widths 1355 0 R
-/BaseFont /RRZLIG+URWPalladioL-Ital
-/FontDescriptor 616 0 R
+/Encoding 1915 0 R
+/FirstChar 40
+/LastChar 90
+/Widths 1926 0 R
+/BaseFont /IZQUPU+URWPalladioL-Roma-Slant_167
+/FontDescriptor 741 0 R
>> endobj
-616 0 obj <<
-/Ascent 722
-/CapHeight 693
-/Descent -261
-/FontName /RRZLIG+URWPalladioL-Ital
-/ItalicAngle -9.5
-/StemV 78
-/XHeight 482
-/FontBBox [-170 -305 1010 941]
+741 0 obj <<
+/Ascent 715
+/CapHeight 680
+/Descent -282
+/FontName /IZQUPU+URWPalladioL-Roma-Slant_167
+/ItalicAngle -9
+/StemV 84
+/XHeight 469
+/FontBBox [-166 -283 1021 943]
/Flags 4
-/CharSet (/fi/parenleft/parenright/comma/hyphen/period/one/two/three/four/five/six/seven/eight/colon/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/W/X/Z/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/emdash)
-/FontFile 617 0 R
+/CharSet (/parenleft/parenright/hyphen/period/zero/one/two/three/four/five/six/seven/eight/nine/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/V/X/Y/Z)
+/FontFile 742 0 R
>> endobj
-1355 0 obj
-[528 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 333 0 0 250 333 250 0 0 500 500 500 500 500 500 500 500 0 250 0 0 0 0 0 0 722 611 667 778 611 556 722 778 333 0 667 556 944 778 778 611 778 667 556 611 778 0 944 722 0 667 0 0 0 0 0 0 444 463 407 500 389 278 500 500 278 0 444 278 778 556 444 500 463 389 389 333 556 500 722 500 500 444 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1000 ]
+1926 0 obj
+[333 333 0 0 0 333 250 0 500 500 500 500 500 500 500 500 500 500 0 0 0 0 0 0 0 778 611 709 774 611 556 763 832 337 0 726 611 946 831 786 604 786 668 525 613 778 722 0 667 667 667 ]
endobj
-607 0 obj <<
+680 0 obj <<
/Length1 862
/Length2 1251
/Length3 532
-/Length 1861
+/Length 1860
/Filter /FlateDecode
>>
stream
xÚíUkTgnõJÀ+Å€€¸
-æ2@ Š,š–K
-™FuÀY
-ߢÝõÀ^¦Í›¹.’Lˆ/’ì ƒò;õb ¾«±”P¾  ÉdbïÛ¯Àe›}&b!l¾ˆ P¨ö
-Ú$e `ÖÂÔ$ ìAHÁXæðŸ 2ÃPˆ `ΟaÛ7ðÒÐßáö¡ï
-Íþg…rJÔbBý˜™®êÙ¼m×ćº—ò}†OnûQC±–¶|[½—tªj߆×ûŸµÓ s>
-ý‡þŒ¿æexîÜá!Í1µ—¼Wq ÷~^ƒì{á,™_›wõ¦âª‚èFhoé»YhOUy0¡ºVq}TZÃÉRNRÝ¢ì‹?É(Éõ»ðƒÆ+’uYmõ¨²±¡»v.9h@<ÝUV~L›C9OÝÆÊ&*JhŸúîù5–*áœpyþËIÒë„®çZµ-2“R?zeòäT±NËëÍÌ̶A¯ù¬5RµJº§‰
-ä£îêÑÚ½Fúw:ÜJGô[ækØ;›o8‡ º\Õ‘ Zµš—l  ýrÓ´§íÖ% fÙic]ù[ ×d™ì&qø°Æ9ücꃙÍÞöc“Y4—¼ÆC ¡ò17úœÙ_GV¬ù¹·ÙP][{øTGg’_Œ»ùl›,ù´jrýö¶.ÂñY^'z?§»ŸÖê›Uè¬L,‹a·‡ÔÙ¡±¤ÝG³|´zä¼üÕA=9åœ÷ôÈÿáƒûƒÿ‰ØÕ ¡D¡¡¸œïþiendstream
-endobj
-608 0 obj <<
+æ2@ Š&X4•;*(R’É’ L P
+A@0¨P¹TZ)­`åb°¢àY#BAn¬\uÝôØ¥?wíÙ™?ó>Ïó½ß3ÏûóY˜yùèl$vEDHi€‹»ïA €D2ÎÂÂ…! í‚$0
+ߢÒÁ}t?Æ^›·s]$½ ¾H²/2 ÈïÕ‹5ø¾ÆRBù2 €L$“ALˆ½ï¾—mö…ˆ…°ù".@¡ÚŠB‘8ìaˆ¾ˆ Ë
+|¨ÒðK–Ó)}ôŠQºGÚWSÅú¯¦–ùgÆQ‰Ý¾øÈ„Tùª×6–#LEøÓùߨŒi裳ßnÙÚ3µ%¶Uï[Í8t¾av Kw½µÏIkó=´û?Ü€ìÒ±y¢&6÷ÆvÖøíûnL/¼Ø5ÕRÉqÖ ž‚fã9J¥÷0½ùžZuÔ=·Ö3­1@öÔ4Å<Ùây‹o™l:5Æ8ú·[aÚø»)£éEÓ_{êàM×ûï(o¨Hq»LÝLZÙò^mlµñÂ%Ø®¸4\cÔòxÿ/•`òµöÆÒ˜ePh~uŽé®§Qáß×mŸÝO?FÜ[uúà³’:…nW¨¿ã^KÆËv­TŠ»ôꌼ†wb”„³kﺳ»äQœð=£ï¾ö¬Æ¥{B®¯µÒ›‡Ž_£è˜Ë;L,¿:ðŠ¹²lµ¸Øjƒ¸øRÜh­ï(Xy³£| K?œÃœ`¦äp¯ÅÃ8rœc¥uÓzy­AwõY¹¢WÏT»O•e 4“WH‚øœ3º3ié^Þþ{µb7å&z>×hz_”?+EÎnÝ?ê§Ibžhy90n3)óÕ¥]ê,ñO6¶Œ„/Õ;ÛMçkÓËήU3•HvÛM†ÿÅ}¼‚¤,^Ôdʹ˜¿Œø}âûõ…!„Ÿ¢­ǵ[{²¦c‡ÝN–òž«<kªJM͈=Žc‰Ý!8gTžØ¦ZõÓ6¨ãОÓðØÌ#á£f^Zúžeò+NºññB Ïme>£+t<4ûŸÊ)Q‹ õS¯tpUÏæm»&>Ö½œï3|jÛOŠµ´å»ê}ì SUû7¼É8ð¼a˜óIèßôgü5¯ÂsçŽ iŽ«=彊˸ód?ÿË`ÉDøÚ¼k·×DWBËxKß­B{ªòèà ÕõŠ£Òú›N–r’ê6eü™Lv@I®ßÅ5ž‘¬+j«Ç• ݵsÉAâù0èž²òSÚÊyæ:Vî4QQ@ûÜwϯ±T ç$ýÅßO‘Þ$t½Ðªm‘™”ú1*“'§ŠuZÞlöÊlô0ÏÚX3(U«¤{š@ªãÎ>ãm»8³~“96¯óS&D;êùp\pÖë=ýùnÓÎ×¼¼gǵ¢“C… |š€ûêjÍi“0Ú}E`ù(±¶ õ¯;
+TÉIs›ò¯7”ï8Ëlòm~èp|ÝLã«+õ·•^æ+M‹zç‹+
+endobj
+681 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 1356 0 R
+/Encoding 1927 0 R
/FirstChar 13
/LastChar 110
-/Widths 1357 0 R
-/BaseFont /BCYTRP+CMSY10
-/FontDescriptor 606 0 R
+/Widths 1928 0 R
+/BaseFont /YTAWBK+CMSY10
+/FontDescriptor 679 0 R
>> endobj
-606 0 obj <<
+679 0 obj <<
/Ascent 750
/CapHeight 683
/Descent -194
-/FontName /BCYTRP+CMSY10
+/FontName /YTAWBK+CMSY10
/ItalicAngle -14.035
/StemV 85
/XHeight 431
/FontBBox [-29 -960 1116 775]
/Flags 4
/CharSet (/circlecopyrt/bullet/braceleft/braceright/bar/backslash)
-/FontFile 607 0 R
+/FontFile 680 0 R
>> endobj
-1357 0 obj
+1928 0 obj
[1000 0 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 500 500 0 0 278 0 0 0 500 ]
endobj
-1356 0 obj <<
+1927 0 obj <<
/Type /Encoding
/Differences [ 0 /.notdef 13/circlecopyrt 14/.notdef 15/bullet 16/.notdef 102/braceleft/braceright 104/.notdef 106/bar 107/.notdef 110/backslash 111/.notdef]
>> endobj
-599 0 obj <<
+677 0 obj <<
/Length1 1616
-/Length2 24746
+/Length2 25061
/Length3 532
-/Length 25639
-/Filter /FlateDecode
->>
-stream
-xÚ¬ºSek´&š•¶Í•¶mÛ¶mÛvf¥mÛf¥mVªÒ¶}kïÓ§OÇé~êÛ3bþßÀ7þ±VLRBeZA{#S1{;ZF:.€ª’º‚¡¡‰¥½ ­’½­!௘š”TØÉÔÐÅÒÞNÄÐÅ”  nj1501999¡IÂöžN–æ.
-0±tv°1ôüû/˜ƒ“å¿i¸:[Ú™ÿW4
-å< (&.ÕÃè25)hTbp§bâßVv*—èTï/o;eÚ0&±º¥Œ¤8FOX5Éávדñ9Ä– ªA àÊü<xâË…×i†y£Ýë*ÐAlyŸU9J’ô(°ÐƒcÆœÝÛÞn e£U&¥»‡Û‡蛇¶Ôœ¥1áÜå\³%Ö)ë]ŸüHÓO6QrB%¤(úkè>·Sog´ mY²mÄl?dEŠL0ç…ÿœæ¿Ô¸Å¤ÍÙl\Õ–lfñm³lvÑ+bžþTê¢Jd‚þâ•*®%ß^÷%Mzú,yGºð¢È¨Nï‰ð,-’ Ó`Êá® Ø'J˜Kn árËÏÅ%?ÙÜ\óÿâÞõý#„-îÌC½Jœn)„¦Á‚…`ªXS“.ôR°ßµPË,Ñ?Ž™·w©&|!Ž|Õfœ9p-¡BÝÕŸ—þBÐ9’ÐÇ1#ÄÙ€‹ —i&®¼Úß= Ň’—cú²LcDvØ·÷GüS >*²)œ&ü9?·»b“Ä);âxˆðpÆò÷<q{¬œ šNبkßÄ^ µNú:v–ˆóO[PÐfkpÛìÓä…&懦ÅnŠNZË,¯#j‹ìeؽ% üî†A°ÜÍBÚ<´ iÌItxÍþSƒçŸˆ›ø¹C0¥ òym)¸ÍË•o¬¿|uM¦C¢˜F±uBmÆÇåIZÇëB¥ƒÝÑ=úë›GŠ×ûµ¶-ûÅÒÂoñ¨&N“N d—âCMwvh¿2 vYòj¢ W*œÆX•_
-£õ¼ÓíøZ
-ÅÓcA¢\k†Ø8+Ff
-%VQ&4«à\ùœÝ¤á×/)ul3ù‹—I]
-˜ã“×ôq¯Û»ÎU÷«V’5¯…ªì¿à!ôù âr¿Žò}( šâ*¥›K r`ܼÝWUi-ÁòCò=Jª”´z`Ë™A9ˆRzí†RDÞå·Zhk‚•µå‘Lþ©±æUñè‘/—R©ZC‰oô¯·‘²o$i¡nôóÁ¡L °ê„{e>«AtãSZøx®
-Xf’W9wðc
-æl®Ù¥èÝ}£AIS ˜çèÕeCkCh Õ":Êâ$nOn‰²î¬ü›T1†õPXÅÎÈ‚«Hͤ» "ä ‹?gìé8ék@Mdùi¿ÖšB\µôÁÍ•#з4Í÷–ç¹tÔ‚©±* ×£+!·_§
-¶Ãp¿I~!½æÀV(®Ž·SXF|3Áq‚åh½Ím~Û Xã3w™úN# ’ L>¯·åí
-D$¹\¨ q ìk[; $å;£W­>wFc)F%‚WF)ˆWJd½‚L›Me©F}qyY÷×¾+¼¸ç³óVRhÉ”¶Úþ¥¸â¤Æs¬[¶ÈªCŠ"ÔÛÒº:-«J™$
-&ÿ%hr½ÚoçLá3ï³°4:®ò¨ç“ë°×6pvh‘«F€Å*±‰ƒTêœWÏÁ ¼ÕÆÆ#®’Š,§~Õ\ÀoØ5¸Øgk¼ÁÐ<7dYiÕʦ|¹ªROØò5z&< Hú½Ü”B(îwâšÕÃp”Õ†A§êžé¯hï…‰’ªZÛeÃÓ¦{äÛ«¢ù}Ë÷ r8±PȈ½WhPÁîŒ ËŸ"=°:³zã>ÖP¼ þ-´mÆfX´ädÄòt´ÊD©Ÿx‚Ìr†u¥‰çP;õj ÓzužØ¼ô¦F "YµŠ†'–$Y5häâ<<ÄËaÚ![.)ýâfÙL¯s¡Føǘ…ÌÍ þ-KJþÎ~Þ(™Ø™ôi.xˆÚ’øÓcºTQ[ CN^|*TOû;¨:ãEò–NÚ–.›$Çòþõéº=òR€ÙDg1´¡øk¥Œ-ûÑñÚ”c šc²» ˜Ç:Øз‰ôœp¸Â®²:±÷Î PâiÈÅ´Vý Û9*k c-J|ý#$ e öy6?ãgÙ—šNÝÌaÅó3Z×iÑF?$‡Kd4Š:?\ôp¥ðYvŽRp¾_Ñ#Õaä–!/ ‰é6ã˜7(LáöÏj¾ŒÍ­†/Cz=ôõ7WxR„àQrGÈ(/èñ¼ßômãˆ9¶À{‹Âi’©±•f~õhi5ÄRX`²\ãYq ¥.ܦ|ÌFŒÅ6YÚ„ÊõiSXI?ùêT• ú×~Įrl„Rü°±SÆñŸ3„@]½[ÏŽýõ~_Œ r*Œ~Ûp’°7™õÇ2-û±ˆT¬8Ug>^-š=´é5Ö_¯¡oU,Žr¦õWÙª¯1Çû: Ã÷°ÝQÀ°‹klRW&Àüq-î¿\bú›!@ïÞP[þ!0¹ºQ°‚7hh`ª1 ½å4 èÉ_}~Ýz——7u~+
-3ï•r¤Ü×\¹û Hj±Z9ôÛšWò0R1öë<üëJÃBU²æ©6.Èj¯¥SB?ú%ig-š ô" Ózõg-
-»µmF È÷06úgûFíÊ%;'iòºó°0`Í0“s*aÙ¨6 xcAˆðÄW»Û_‡’è{õÖ¬þÔÐ…1‰’6j†
-­ñJñ¶LöP£4R'Ç¡rkuÌ [Xñ1H'°à‘ñ£Û¤Ÿ"‘m¼LÐAÈ{~íë£Q§³Î•‡\%"ÞÔn¿ƒKZÖÕxKiߣƒEÁÅ-\´!ˆ|’ w§©ÊB>
-âœ]qO%¦Ÿ™¼^–
-éæÉçz¸ùëS%¸ªB(\ɤP›<î‚jßuäF4gºË »©_}VÞoJ ¶Œ[†óOLÊaYë)¨vZÏÛR"ó†ôµ4¥%)eÈöüDÁ¥‚˜û ;Ïhúg(—óÏ>’Å“àýßYÝó±‹<¾l¨1y-i•éö`ãx­3ú Ø_š±ÚúÖí÷‚ï…(F·01æ?_y­|P.Êd<¹91†Î…9ÓÜVô¡ms"jHÒ+fkµnäPBüdI 1†Ý—xiµÿ„ík#vý$b{ÙVv)+W¦dŽò™Œ“Û‘VöJd•UþÞ€ôÓŠè7V!KC.Pw¶‘ÙðNF/åó´žœ0ºøÖCýÑ4söûÒcÂâ©Bü9+ןxDå>÷Ü%÷LèÐäpï2…âÌ2Ka .ÉfÏš=Þmi'ªn#Ú7}@G™?õ
-íY»7üTç¶Ù®©´!È©»5ad&- 5ìÜ° +@ô«³RbHïÚƾñäuò±›¿T¤;§ÑjÜŸ]q¸Kïê¥]6ýT½µ‰ù¦P°u"ÌÝ*p¯œ]D ÜZHÆ@Ð^Ä/x"sRCšSÊxVéûdzJãâeG»ÍwQE£5·ÕZ…X,ö²IÒ;ö]¦M~­ˆÏž˜0sßgµk¥Š~@ ëó øœt]­+
-J9¦êhÉ[Aºª¿é0C»òc²œ=µfÞš]E©I@˜üuŽomÏ z£ Í¥#¨Ûw+iu” 0Ðo÷
-v<Ò„O·Â¸‘óÓ¼”I ÿ´õ™6ŸÜ(Œ¡ˆ|lc`kÖ‰àøûÅ1õ”¾JK¾àÕ¶e8KœÛBTÿíü  ”«>ÏüoD2‚‰Žtý¯üW ßéZFTJ
-ú=úCÓÜYMÑÕÇÓ#J$ø_Ò¶jRbqš©Ÿc¶ G2Aê£ü/-Öt³/?¶Mº½´¯’yÖØg½h
-¯ìØEV‹¤uíw üÔ—ì{’ZÞ䢜çtÒU'àÃùº'à(>€µÏHUo-XY¾tCßNƒÿ4Éh³GoWøíntOï ¬°nû‚½—W´²éÝÌ[¤´*KQÝ•_ŠFãLX¥hš|=Ú«nµ;)Ú^Û×™¯ÏÖÙY ”ðæŒÌ˜vK€„ BUfC›ŠA…>¢.¬¶Á_BÅ13Á¢ñ-=Ÿ?£ n¦€!ܰ°›&re€Õð$åŒKúÔx`:—=T"Ðu¢ö­TL'ë;õ¦üÄsÂxë9"§¥PicRQ#‹;Ðœ|§°lèö„¨jÂÓSdÎqSdÒB¢´ŸdƘ4I{r¹ëKºÿ($ÉɯcºVUÉj˜3>…2==LN§p\zNO¼cð“6nX ‰·nLLgŸòåÜÖLh•ÒþÅnÞÆèÙÂÈâªôŠ«½
-Ò\¨4›± “ÙHIB™4ÍÀ4ÄÍ\Üidfùæý„³Ù••çÆLYmýNYv ž«:ÿË Øg$e*#åÕa>zÑ™çüƒä*:Šêþ7yl‰@,‚~¢X~cþžúÌx}tÚ´¢ºîÉàÄÛŒcšž+ÊšÝoŠúÆßÉ®‹¢Äñl…ÀD0N°E·¼C´N¨, –t3‡H±aÓpÒ¯a%é 3L„’¾— (¥¹¦H„»mÏM,§ðX© i  «›dý  îÏãAugUd=-– þ‘ýkÙŸÉù_‚ЋÜøæuÂ,ªëöW³b°/ô l£³'ÛJÒIœ(\c º¡ýkC!7¸Ëtä­¡Ã+Š•~O÷]IiÖΠ›éP?áSñÀì®sð~ÌÏý1¥âŒþVÿ~@à¨sÍÄô·ð³¤³ªˆkSGÄߧðY”X3GB„ üIj5ÓÎ2\J5ÍIÚáŸwÀ¥7ó>MÅÒð‹¼”%¤½÷Xu´tYð"wàK±>,Ö5:™Í œ'ÓûÊ Éïš$šPéÅ™emÕaÎh7‚¶»<ö]Çc6Ô}Ñ „yÛŒ×áF¶º…[`w$ù#¼FcÛ·âû²XG5wžâé[ Ǿ§Þ€ømõ §Q¼JfÐ2hÒPÙ+š%t q“àk Ó.Ói¥4ôÞ”³·P<» Чã'*€¯îËþ””ìôzÚðÔ…ÿ$Äâ¿"lTœÜÝA‘ãê…älOaW”æi‘?û Иñ2Z‘6Ü°7…úZê|Ôü9—Í#ˆ‡YE Bs þãÍ[ã)YVîUuä½”Åõ³κ(Ð{D¾ÿe»1i™ëã1­Öu®|ã\®@sW12ïz·mL½+O$;Œä¾mÉu…™ÏXF?y­ ]¼„a×7f(üÙþ×–ÛTÒ¢äÃùݺîÒ‰èhî`(\Äƾ´5–$ ð²ïOÖ*µóŸËÎñÆö0àE…guÉØ…
-‰Ë2„Ò,Å>Ô@BCRÑ;ueAíßÑN06»Øa¶Uy Ì;N.£ýÜõ¤4«%ræ›Õª6£eŒÔ:³WãQ2“b.[o Á!ñÀv è2¦ïü¸à|ƒ^TX§^Ã/¨ã*ÂÒ+pÙR.x¢d½tFšòo˜šÇÄ_°¿#Ö=£÷#ªÒ›»"ž<DAW…9s­,1ËÃUÀ€>/×ïͬävUÅ­oÈÃê`WI3wï[õ<;,¹X¬š£}y¨^%±¤õ©5µˆ]ôO®ej¯¯·a"­›LáÜ]¿Ä8ÀnÕ¨dà©PÏ[œ¢Auï9]m´~sÀŒËó°¬&¹¬Ú{Éóû
-oBší=Ñ¢KÓ·\ôV×±õŒ!ªEö¯î÷Ì«ŽŸ¥ÇýEWÕ’±mB¹_Š$X ¢Jª‘$â¨YL¿¸¶’Æ‚'¯ä½,ê¦'ÈnÃáå¨X¸Y;x*J_gÀåÂíìd²p\b’&“—®p×îšêà¬ìî—?í9{•¦,žýߟh-ã£ÙâYutX
-–Òê¸e$ö$®á-MÖFÅØ…ÝëöýJ|Kü„#?¥®¤ìÈ#‚!Óp'v%`qÊ!žÀy‹œnäÎçN—/+‹.Ì"¬ã@Љ­¢•ým·a•µ‰RÙD9oe É ¤› iHÉVb¿†Ï")Pê`ò]^€Æ¶T®†˜¿†§†- §ÅÛÖÁ Oó³þŒåeFXƒ$ÊS¸Ÿ¯÷kŽŠòÍ™fL¢˜šëʲF‘9‚‰_«õï+Ê‹\™¿¢úƒª¸QÏís‘ʲH§µÈ=ÉŽ±ÿˆ `#
-”—¦e•>KDØ£8ë<^=\üH93Ñ2W‡¡aàÚÃÉø\þAݪˆøZä¨"ú<¦å­O±gVV­S´je먌(“ïÂÞ°¸6EPÀf­ßÁ×zÍ°Ÿ©/†¥eÝ鳨7µ‹&‹öŠôºG2agD±ˆÀ|6Àí 9s ö¦€Ý1c`¼×멘îªÙHv-Ë3ðîß‹áü«ACrÔÇš¼^=YãZ¨ÐzT]'¹Û‚MÏì™ÓbÑÚØ»-Ó®1eZ.Ò+£¦ä5Ú×#í7h¿Øþµ.'ÏŸMï°òR¢ÔÂÅ+oê·ûåþhMí_W6"u¦ +&V“‚…ÞWÑ0{‚!ýÓ2üqô¨_š?Yob|_‡™ŠA«¼ƒKµËà<<ZõÛfeC¸–óc¬à¼/9Hoäcóµäþ3K¨ô•?[àXçOµhsë]§Y*“ëƒ5<F2v€²¥¼|¬r{%ÂSì(‰%ºÙ_üy~.¥ÊpìÅæGår›ï–Å ñ:‹&/ì}*û¸P6CC)+XÒ´éüÞGî
-k¯gÚ†ÃâI1J8žœ1÷‰òõNˆßñó÷¦ùèbTÿñÑ#¥YÒT§O¤¨ƒï2;º8Лȃ[@2
-”¤eû”/Æk„Øsã½”“ ëWÀØW-7‘ÙÌ“&Œ ŠÙSÕçY'9üÈm™ó÷úŒI»~Ç9ýɾ!ì-\Œ%h“Z56ys&˜a]¼g"ô¬ ȆOúC™])[EýtBNÊDThÅYI±£²ÈȲ&d-ëd¸q°t!çëìÙ:TÞÖj®›o/\(7B–¬ÆöC ýN²Æº‘”.U-'‡:1íªËaŸ)ƒßÖ½ÞÂÞë^#šÕ õƒKÖ1Ö1Ê5¾Ì§1v%áïz<¾6Í8eâÝëÁîÛA¿nºüzf½$É×Y…\þþÍÜ“O”?-,ʬ´<\ÅÇ/+«S“"\TÓÃiY+†Vz)üìZÂèNdM¿ã›–ó³›ÅG ŒkC\?™^QÅA±DNI»„Ï3›moFªõØœ€Ï=ö[´ÕNÅàRu4x}ªs
-¦}Õà`‹›µ/#’Êì)ó(ôŸÁ— ´fŒg§‰ßhð–;ÛÌsøV2Ú ƒšÚ!T³^ä´²i÷ Ðá©uó@‡e‘ëü“ý*=î<³ùs<¹¸~mIpHèRÕÙ>¾í¿oD÷"é†dÃåv©ùÑøŒ¿ ´Â§¸“ ÁO?%cÅùoÑÞK«›àc¾ƒLÀùKè:+y7H³àÉ×ÊuЪhCtd8ü;|£ðÐÐT/Ô2,uÉz˜}ôÚP8ºø~úàµL˜î¥1XÓ…çE'9ìQWKöu@a2ø
-}zˆ‹Àœë D1ÝÆ54­º +²ZW™jEá&+jJ”Nr·°ˆZNj“Ût³ÅDwû+gõ(ê¦ÎáߪYð]p‚'fNùä“#É™’UŠÉ }¯Û))âO]¨Üõ
-·. ';A^… ?Aǵä(_F%XybS¶Öiî™y6
-¼ÁjõŒ8^–ScŽ…O¥–"};J¸„1 8—šP£íÝFÁ[²òéMÊqT,ø®}«ó³1YQÍ‹ã$ð'ˆ[_ÜÚ üÄÜ¥l˜VX)¯4’ÍҌÜ)%èyjµý0Oê¼-ª ÄˆÈ¶wÕ:¢¢diËƇmZ·]„ûòB-½_ëd“8¡4Û=ѴúK(÷ãô×Ú±Žÿ!>:*ÒHˆÙÂWæŽ!B¸ýË!Aȱò‡âGù¸8íÃqWA‚?
-øE«µÉØó Ê\
-jGžvCÂÚ,ÿ»â.éø*â QÖlþØóR™äæåU÷Ù;[å]w”‘}{·X~=dðƒ½7¼—æËy©Ÿ†Lâ¦q4ÇÐûr4Sg$ØE…cø¢Å!q‘F8dS}gìY?èOÚÛ–¯W_ü'¼Î£A9nc?R¿p.?t3G¿ÝþBîÞ×prƒp´Ô¹ÓV«§í¯á|»¹5ÄQEû^Khóð{"²µ·‡ŸÎ²ý®0=ü½NX¤é}±·ÅZõÖRÒs,ûïÁ7ýC&¨ž–×ÁX‚f.ë½1l ú”0âu!–Œì·ýÎSÁ69¨…îl¹Z^îØÏhûiR±oæÊw•¼™"Çý„˜’Ј”.Ò¢; …xb“LôLiÇø}¤CÈú­¶ÈFe‰ÞŸ¨ùŠ¡wG¸¢%à°Ù寃áÞËÛ¯†žxÅÉts9ýwI©Ã¶
-­/h`p¦‚ùЃþ¾nA´JWŠ¯C;ÜyúûV¹¡zŽíx웋(ŸêªÞŸ2Iµ‰Vd“7%ÈL«X3u”‚Ô¡\•µñ\¨ÁkœÅÝõ×ÑëVñD`„<òú%#ŠÀC.-Ýw¿U©IAÍ\¿eXÕëʲ¹8¾q4׸¿\Éë»sø?®(P=2r±>¾)—x÷…~Ü¥3dn©å\Û-=âÁ_Iø´ytTl§w`˜»q¯eIÁ4š“é‚°§¹ô[K¬¯dV´ÏW~†å¬­Œ¹¶ø'Î_lûoú7³rÍÈ<¹*Î]?…÷ ù6°·ßIË)òzâÇt‡o$pCt$Ôó_dŽVè@2]FwA ¤‹Ð®Û€¸‡}–ðKÖ·'û~$¥Ï•*€‘þ~… º èax̢㒲¬ \ÏBó©œR]Æÿe´úx( øêådKi7ö…•Øà§l@.q]®É%vò~k5öwð
-$Uù‡:ƒ sŽßHQºš§p¯ìn©"¯‚Nux€yRÂL
-"a¹Âz£t°p[ÅH¯cAq˜h½>þ… ûsö¡i®¡k%lûÖ.›Wz¥"*Gb&øÆB<Aza¾ØXâ«‹\¬Ë#9ÜY »é†vÿò7]î½(\ÚŸô*2÷v
-°ÞQd›vèµw89’9.„[>;häe¸ c\_ë‘Yf`¢ÆZCº$ò5ˆÕn!Ûɦ æÞ¤sx½®ÄrR=*À@:×9ï+Û»%êÓ­fþ
-‚BàuÀT·n*ÏŒ ÜóÙRF”àêkRà? ™mD)ÙÊ$¾Ôô‡6õÆcíؔʊÊfú[áŠ
-‘HòGNè½W¯¸;¡Máן!ÒPÆAÞò?‘é©ú@ãß}{¿Bß”ZŽŽ2ÐeXk®ÍÑ=&"Òp¯.$Yªûïññœ´é¢q{ónÂ#K÷¼Õß,SÊ×z¥vçSÅ`/r´ÔtUnέ¯¥IàÓé´{y{õ‹¸%—ÃhIËÉ3”27—Ôë¤"YOK Ý~Lƒ&ºA7?¾ð."nzš+Ø´z'î,`J)D—ˆ*ª× OUym‚ `•–  W7Ð!p u6†Æè4âœêq÷9!¯³îÑ3T‘!?9šFÙºÿY %ìär9göó&ÇjÅ-jw­„ ‰µ??˜‚U¶†?3Ýö·5dœ•àÕ).b[yÀë53àí­¶cÄEw yQ}NdIF,kéAŽ…Ù¶`'9¨ÊðôÀϲ…R‹úÚ£?èôî¬lКZ6~N³{þVš‰Ï[Úp³Æz»œJ`Ž¿9ÉT¢cšåZXø»z4×Zul=Ñ6»p né´¿–KN
-‘IÜ11‡yÔÞ·k—J؉÷…Êy~Úµá*'t†&.{^åÜùÉuö×ßW_wûeð{2?X%KûN›ÏÈ‚œ={T;‡d}5ËŽœ¼uo{µÓæ®mEi7hRïáÈyNo0P2ûI8Õí'Üàü5FÈ5rjuñµãÖm´‰Ý5‘ ±Á#âÓ ¹~³»''Óm=^mÌ%°ÞJU#Í?çgE||ë÷£}HréƒÿàVŠD6åËÌq^CLwˆ|Gƒén‡ : 0ኽæïR _ÆV1†øQ/Ú à­¯ˆ¨`QN¿T7ŒÔöi@ÍÌ®åθ »MÔEì¾ Ì´®CÅ 8;mžT­í£J2«X8K˜èº­í¿û³1ĆQÈ}ñ ÄU â…îäî'&5«{ƒpF^¸G
-§ŠçÍ%Vš›)|CÓîÏ9vÉÓôpXRH.…]ÃÌ ò›øþTu{¾zÖÚ9p†a«hÿ Ž©æµ¨󞽘Q\5KñíÀعQòJØysé±–W?yj,S=¦¥¾jCÃYd…ÂNˆ£¶Y<oò‡Ÿ¨çÝ@Ð.F9-EO,û·#,Ó•5XsÉtµDXW¬,¨
-Л|:²$±pà¡Ô€ÕN4”Öè}|O¨ÈîÜO«„ Òðf^MÌæs*Ü”>HzŠb^Pkè¾ $Ôs1¥\ÂQü[ê`Ƽ$˱ÞÒNr·äæJŸ¾óáv½_ ·»~xu 4“õ¼P&;±¤Ï=ÓÇAÒógÁÂ_ |0™›¾À:ÔqE9®uÜ Ïqr„.aaéeõßÁûì6Ī/ÝûàtvˆË
-ªDÌ1ñÕ ò X¿äzcƒ>2ë4c"fî
-t­Q:ÔÄ|éòýÞ~¾Ÿ/:Øü  U` ì(›ËwzæÖÃÚS3dú@xN%jFîjüÚcZÂè) 8\"}Gˆö—}×ì0!ñÃ/ñŠFÙqhÕL`è_
-†ÊµßhÂĺ3Þ#4RÀ© “ì×›Q&êI([êt
-‡Û6Òú×ë_ ‰kYhJÛœN*A?7ƒƒ~åjØîZ€ás/ä MTÉ:¾ãÃÝò¦³NŒ²¹é+ <í|0N<ûDCÌ2@@Ð"‹Ržâ‚4g*%ZŸóĺk‹y™OÁÕ.ŒZâõ³Ø×7ö<üÎe¼‰å³À’Šp÷^ú…*˜U‚§äfäQÔÏF
-ùf¶Bïô;‹y9ûWu FjÁ ô…Õ2~pls%BUî-ÖŸ^ é”†ß‡‡Ø÷q‡×¹Óv*j9•¬ï®£"›ƒ~¼cR;ôÚ™ØÕà„°™}tkà>9
-=%?“Ž·ðV‰üì?´ë|ÜúHä/§ _«IæˆrCÒioìÓ€±•£ò¢€<'¤tuÌΖÌdÕ«eM~Æ4"žôüO= hTQà xT ^,6§EÈ'C’|“à—-ЗŸA4ˆ#Ì %ŽIù.e›Ò“ŽòYžÞd¶tvó]³ß Dóßã­ø®åtÉÁÚœ1qHo²#^ØšÀ&šÅÞÏÐç÷ZT,þ”Ç=… ä9ΩµWN0™­ §¦DÚ¨®–®«„¥Ä¿pzú6+ZTÜ=µ÷™{牞Êü)Úð8é=±¾€ÍrUW˜AÊ/>¤¡J»®_³]ï£çj’Ý“E¯û¡ ƒ÷Ò÷òÚkž‡…æxÖ¨u8xŒRO7#0'k¸×É ¦Ù3¸úó+Ô¤ÞLݤ‰LÄ
-Çžž–ˆJç\þ,ûÀŽF×T|©xöA4ªàJe"7³(ý ü±^|›üfŸ×Ÿ†ÁÒþÊ$¯«éFòK0Y²ÖoÔ‰ÁÁúSƒ`ÍjTT¨C¨¾øÆä¹<·}1L¹œ7óˆÙÑEÚäHµ×gÞ\ ] ¬<W­k;†ïXm
-QÑf+ã9@/h0i‘ý;뀽…Î ßE§YÈFCÛíù¡Ô™Ëþäƒf¾­Aö5[Œ–0—Úñ¬søKláÁ䢣4 0f\ïª]Ç‘¾”û’àY/q!œArÍ ò35K‡¯¾ïMئ½*KšNu°×OçvdúKÆRk¼NÌlÜÍegÁf<™˜×,O ú~’Ï@xm š„[àšÇ«—2£d!õÓÈ…¾„77z–Z¯×8¦çó3Ç:ÔíeS¬”÷#xY&‹º—º=tkÙ”œ¼À.€Ugž\¤†zç8¢ÔçZ¼íZJ
-ïGdÀvÇ@?/ÐÜF𤬨¹CêÔ÷úžD¨ZÆ ‹éµÌ7”»ºÙ扂Ȋê0É"Ñ ñEŠkhµW÷ oT¸t—‡÷Ú‡á¿ówÖSg6;Ò®Yf­1 ²4ñûÆ®-Ñ]£œœøÁêË.bð=ZÁ?Ô*·h2¨÷@f
-ÀË¡Jšu©öaÚÍærsOÎIñ{É«ÓΚh.ŸÂ0Ù®p^ÏD Dz~ZÚ¬ÑÙ}á HàSѯ‘G×µXt‹”úg*(7(ìÑ#pÊšAL”b71а••=ÉkæÎ
-‰ÉðÏ[SQOmGéQO”ùóú*sê9L¢ßcçý7Á.°˜XóØ'ð»h”Ëj*¦DÊsª:èÒMu÷´© $qY°$h“ÍFøñÙFÔV’È 3~ö3¾½þe§!Ö°Ù±íGaùÀ
-™¸8œîLéÅYŸÀ-é§àê… —+²’Ù7ge\!d%ÇçÙ /ì|F››WÀ3͆qD¤ÈúGüʯäŠ%dRºÆ(·½·¼Ð¦†¾…VšL>äÀº©–•ùh´GÉh¯úr¯PGáÒªÚ(_aœSå‹a‰·ê0Ù|ýP_v$kø£Yù%ùœ~‚:\á‚‚É–~NÖCIÂAíÕ]˜¯¿n0» «'‚pu”¢é·|õõ /@ҸȊ
-¥³mÈ*¤tZ®œf‘k™Qr‚ŸiµYéJ–“ríÃ;¶˜”æŽ×uqµlŽ/Í£ëûñQò3ÆNQé[!›`SJ9†v/ú9ï1ѹ¶qã~‘—:‹^º¨˜Q¥žcsö²¹¶tÃò³™AÎmé9
-«ó/¶õ<øvçsK³~¨’mxÒ£€'´…ðîðRûPȆÏé‰= ¢6X7º
-å‚3Ÿ»¶¥+FL{‘¥™É¸Ê{¦›d wE<Ûðöuª¡b~$.› o1PYyàZ°„íãq»÷ê6›Kw¨Ð@Òøm!p–wB¢ÓxÙpܾâÏÆšuÖŒP9IL“Fˆü“VðW¡˜N¾«5Šoé
-¹;~—ÿ409±‰z…:Ƀ˲Ïl'ˆÅÉO‡:⼤ßTÿŸg½0Ö‘ãC
-‰)`Ül®Èå©` —«dÛeö‚÷PÅ=õ>©k¿Ç“ù1UâÔÏÎS9¾8¦¸ÉÏh(óÛÔA»SmÖIˆUH~bóŠ`®õ¥P>ÊÛD²D£¾æ¦“³ÂiϸlZE¼ jJ2à‹£®£ž¼òÑÆ;JäüÈ»Iúâòã–øèÑz¸ ;4ýƒoŽÕz¿ÍnÑŒlœv»fºü±±7†p•Efí¤t”ͤêNy(IF(¼Á_ ¥Î
-’p6°’{çOt\AŠw2¢VúaMŸxJäÑÈ®BZ骿² rL?¯1
-G”=Ëò…#†Õ4ä ñK"´µð°“Þy¿Ä½¬ãpÜ-Ñ[É~JheæÉŽraaî%7UŸÔòŒ”1², ûWæ³Û/¨^
-$9mhoàpÝ0V™/
-ÍÔ¼¦³ÂØ´VEíRÔ æ¹^ hÊ;2¾'ºîGÂ"òåå㊻¥ÉG‰Ò½’ïÛH £-êí'Ee›_·á•žŽk² ȼ\éÑ,úa+¾Ð¡};½#&Sÿ¦á*²ôhP³Ñ¯sn ·×7o¶EŠbÎÞsî\ô·oÛê`
-ò‚
-â†tãÓˆ'—%CVÓIšb¤–§µë~ç&à!;°ë-GÂÞ YÞœÇê+ÄNä‚b|—AtFÄÅwÇóZ;žÌfíáLÖ#•«µ Zzêdí8žÁ Ê,`Pðª°àògqæó ýhí¾>¾ÆþPÐZ7“:®fìãèrÖΰ¦xÑ]Ôãa‘s~ç»+Vúšu\X`…À䌜÷ǧ”ÖÍÕÏîõ€4+3wQt1ûAYh¯‰/~òÙÉøM‡ô¦øÈ_—³•œi0!šœäjª÷yÙl±‚r€ éED
-蘭(Æ|(h„ÈA½®îÈGs%ÛA’Ã+© Ûb2ý—¼ŠÊÆ·ÍšíhÁó¹)[ǃ¥ Ôµ ︌2¾½¡'ÔÃ,N]¼tâÕå[²u&Ô˜?!&ôP{PÌóÀ´êì0Yͱ=·ºe ÖÁ¸‰‹ûyŽÆ»ZAKÕª}-¬þäs3C:3 ,»€DŸÃ#‡ÒÓ¼°Ÿ)þD°;·Zßj °’êp_$S¢¸=\<8âg(Êî/vSÈÍTõŒ¥¤r Ù ߦ8N‹‡mpl;û|~kPæiÀä?¦ ÁDͦœ1ÜwÆ#EÏ’dï"ñ`S¤!²ÒœC:lCÌô~}WìÙP–3")Z&ýn2ôYp•Ä:Ï~¢rÓu}²6dÅMCO¹¹6+‡$€'@®Mm`Å-º6V^¹SWnwFbJgG¦h_
-¼Ÿ'Ïû¨H³·Âë ä!ªEüñžë£?ßFïíÉs+ØšˆO¢)þç½ð²Ç’×QúSòiãF& v¬¨5ef˜ï2xœÀPÔk»ã±5ekÒ;Êx¿Ï•fa?E–õéè•yMhΣ ºr yìVáå09Âf ¹®ÑÁÈ?Lö²©«’â¾­^爛0è8ðvr·áj;øë{Yèâr¡_›LÐÎ<ë‚6ã‰!týÕÍ㳌+MÆ’$,ËúåIòrJAÏR§9sÄŽH:{ÇRÿ¹•FÜ]Šß[ñB¾ù[^¢Wu¸ÛE ¤89„Õ'ùêâÒIŽyü†ê=º—ÌÒ£6æžê:´:žåGëZ{<ï!ÈLãóUýÁ¯öå¾8)yÁ´²'ÛNWÃð#bžÃ««óXU›þ|>KÞ°_Ñ£(Z¯ûÞYåx™O÷6tB™W³ÈÊZ#Ç ¥Ù.W@£7eÌá=j¶ÇÅ[t›~SØÀf[Þ¿”8#E í´KlkäJIó°ünQ²&»ŸäbeɾdÅb«B˦àJ ³…PçȽ#ïExwö÷W+ü(3  Ü3ß¾ÎâÐ"¶lTƤ%Âç5™“˜ÉÍÌ|¢Î—ùªPk$ã4·‹r{$‹¬ä— è½0 ˜ã1–òÂÈm_—ö\ùfɸ…ìÄäƒïSÚ‡» '93!Åœ,ùÏkÅõ®“ù³§Z`Ì:v÷D)™éŸüJÔÙ³…6<åY¢'°~S渊ØNÝ]öËPNGˆÔ”F]g$p€9K†ûÐ:ÉÊÜ®f­Ù˜N£o/¿Ò§Ð+÷TìxÝgä—J.ì#­^Id—§jè›ð{O†>ÈÝqYãºUj
-Vèp ‡—-,9,©Áz*[5í¶V‰µ}¶ÔµNÛK­`TRøðôÐå}¼Ëº,5®¼S<PÍôŠ£˜8éà2Sr‰ÉòUŸŠ Z_â•RÛc¥CyÌi¼åʵ­cÞûCTò]¢6rÄO`3.²€’Íñ –ïË"hz PKœÎ5³SÜžb9N§’:j‘ŒOÆà5Å7¤i7ô¡¦h9i|žÞ£p¯/ÕësÍOs|“̇MÅD§á Ô@^wöÀ3VÇŽG@EšCµ'´­Yƒ®­‰(e¢ÿ_;óØ (
-Yø—E[ŒOÞê­žMnŸV¬‹Â¦‡Dð‡X7ù7RbŸóöo‚57Mß•y
-fkþŠP¼Œ°á ÀBŽ)3Nå Häš{¶Ç¦e(dŽšã-´‹qÚ¾óƒÿ’ö%©Ë!Ut™îõEÀ·ÅÃe§á¨õOúÄĦKßd&oëdã¤Lo›ƒ×£Hd—MÞj
-”ËÚ Íö+$hpýÛnü¼¯/Uâbõëú$×
-§´Ë¶ðp^þÄ—EÖþBÚfbwþLWw:³Èrš"þ¦UHF³ŠÑ9¢˜”Íf¬£­‚}Ÿj_5)¸palê
-’!c«ý”ý¢F)0ÀðJXÜ|—Y«N¯ÛØ¡ O1:ï¢f2˜³ë¡»ž ï¦Ì+‘L,xÂ9¢Þ¸rQÒ'䘞ˆ˜lÏF~‚æ—Ã?a¾Ý0YZùCÀQ/Èk ã4G“ç+Ž´,´õÔ§‰ÎŠ[
-gñc¦ÕŽ™¡Ü3€ä˜î¸î
-Nïƒ_8B÷Œý±?·¡R¨[œå7Ø\ë!“Û¤QIÜ](äãZ9/!;aßîJ7(d§¹.·òŽíÙ"ÁãP[½ô¯t*ë·ZŸÏu2ÖX¿hrG¢éùÞ¿P¹÷$plñbì%4ªÝù£7-ÿ¬eØ­uLôùôfŸ šZÆw¤–H9»S?à5ùö\¸$$iÄh±Àßj ½}æøè—.3’L—íçv"X£ÇŒKfd”v¿ï[}™<‹âÍÁ,Ô:&—â„)Wßͦ¿¾öHâ¨o·±‰@ꃼZe2Þí1›È÷2ȸA@/ ½Lj¡=Ø-æ©.ò&ŒÔ‘þObw æØ CJ\q¦û6_¼AÅèØJæÖ´ö˜Øë2ÊB÷ ©zhÛúXQ½îò# ETÄÝ*lÊ6×ÖOéþéetX%í$TÉÊȃËrrÙË«³Raµ'p¤›€®Þ½ÐüB:ËbF“•¢õ”«Ú0dieš†¡¬Í|iÄYõÿ6ü dòžsu #EËên³ø…>°‡&¾%TÅÄêâúÔ>¡)TÀ8ì2‹Rà?ì)œñÎJ“F7J ]ÚkúDG‰œ·^ßÂÑ$”mË8?äò›U–ãêw8”dR׎º™þ×)Uªžàa*Ç%n'
-5”û´¦LÀu¬cA‹æ¤(ž¯ÏúÓ/YNRZÕcù˽Ð)€¾¢_M\¼íöú£˜: l#¶Q_DE¶¶ü’yÓ ðL©NlKõß·h„#£3įÎ/Þ>€ºL&?Ê6æÂc
-sìm<ßò“ûöüàÏû@n6“$ZÿbáÌóå•h
-ßÄCù  6#11ß7ÎQb­Üc󨮎ê*„QÖżÿ°H<Z®º„O|í6LDôÏÀ€w¢Íðô¹é…éýL‚øU0?Å ºŸ4òCæ¦Ð\ øÍ ê¬EoDÁú‘ß{hÊä¾bÈ“*yb¢€·ÒËÓi_R½ÀåSZ Vé~ð£%ú’¯d‚t–…<xTÕ¬¸!ˆ‡(ZV¥2ŒÞ|Ò××&ÜÈSÃHX»x.ÌÔY‹°kDH=£ òivR‰ö‡OÙŒ¸É“:Õè& Á#K¶kð0¬Ï¯èCYý
-–|Ú–¨ZjVሠ¡~ü;È»¬«ójoœ ¸Ö’@·Î§,1ؾ~hW2Ѻ¦“sËRsIÛiv‰XCt”€™Wg$Œe0‘.Öƒg†-‰>HÒ¬jÉ4!™¢'±ßõãÈ2Jt°™ñ/£ºÌQ>Yý¤ª•IŽá’,ÊV;á._—7€yØ«UËbG dŽcÖ^]Œð
-' Œä××6nÕ÷_¨ïo=›öÊ`Êp˜—#aèôhëܺÂqá’Ÿ槆71|uå,'ÿ P w\=X•ËÎWB«¸¸ñ|_<­8Œ¥ùè×᪗é”|À¶ šÀ8Ýø²:yº„>¥‚x߉¸[Ð} °8}Ì‘™÷‘¡K³Ô–ða\“…¬¼ëDŠ±ýi9®±eËš€¬üKýÄ…ÿ ’"€ØSJqÎT.ŸêŠ—BRÝ„ðú“W¢@Ú(| í!lÝ4Ð:°ŠŸ-TËWSÞX“Bo‹ëÇ£’¬\U‰
-lŸUÄÙ!1îõJ k&eüù'Ègw¹Còd¯ "ýú{['^Ì3Y»G Ñ{K¾|ˆ‹-ï?1âɳZöQ™±šjA!ÏqÎp¦D9Ï°1‰æ—ßÏñšyªJ߇Àè€ü?±2àÙ°«³´~w¨‹Æ¢˜˜‘°vN*·nø‚(Y/¿åã^Uûºö¶+FDû±_HÿOŸ˜­ìw] \˜Ó—1é6+Û“†CE]Ïï›l¦Zh8{BÂjP1æöÐÑÕ2ÌS9Y–Ïð-Æ^èØi<<Dgø‚sÆôÅ«fðŽ Ý.YŒC›I@Í/ ‹.¾kÝA•1›Ä4%ù
-0ôCV»(hãÍߨ£Ø‘ôÍL÷ø¤”zs·/Ê·wâŽr²\„1íNkó³«ãI¢úb‚°í˧‰xªå1!Rxižÿ§þþ‹T66»”yBØ,[™f
-øm(m
-=ÿPA8¢R–Ž&}«(òý†Ú¯:¡W0Ì˽xÝÄPSUrôs{Ûžfk‹üYyü±z¢ŠÒn” ÍÛá’šúeäZ€¥L
-VwWØàÏ<ø7ýç»oG‡^pM‡yFÙæ^m<`ué$om2Û¥õ<¦>¬ÞÀÏl$Þ‚ˆgY\î·e]ø‡·‰í¤LH¨V_àó-AhRah—JéÂ2­ÍX\L/ê [ºÚ1qNd„Ì@­µÏÛ÷
-¨ë cR÷aƒ>½x™&¥\—Kº>VG—Gá·oT&Íe'\¥«Ð"9
-÷¿ÏTÊRáÕä´ã—ámñ[©“Ö¢ÈÕoÜTÔr³I,¨ìÚâƒèr“DÒk×.iOGEÃŒïpì} dö¤™È}-wÆNMÛýV«*oðË]|VN×ÉÄÐdIÍ]n[ìJ!&°žc,ÂÙ„~G3^>Ðb&b÷6›$¤qUUø[S K^“€“8U³æ1xâºòq³ÛÆïw …:×=€%¦¥¶äÄF·
-;*¬{Çšª(ÛQ„J54p0PÉ©Ámp®ïÅü­nmà,)XÓOÏs é£Ù™«ÔËÒŒ_È5Pðö_AnygÞP“%ðYYú>r~|vÇÞéÆvý ù4p¥v
-Ò0ÃøNðE»L`À÷%ìë±ðQËš/À{ú.-ävÓoo@W éÒ¯ñ2wCÍÈí$_±NÁ³æq˜FÔfTiu׳Ï5uò¶û¾¼l¼«õ‰à-Xˆ&½²æ'ù€ L©¬ÿÃÏBeZYIgŽïÝ;š!< $B…ýíÁXI±<ƒ”@hš³¬÷DP.·æBúþ­€dö"¢žHÀ½¦©e|B܇K É£û'c~{…±Kí!FfBýÊ>5—ÅË@Ge!¯{Óô^aÐÏë ñR@Í‹N„¤ú£…Q@â`c?èá»ä¦Ý»ÁŒ#Ì/cáôPä²´µêÍÞ=¡±Ÿ/Wgžƒö“ Ã]íµ¹š[ÊŸ 0t¶wpí,øß:œ Œ!*}_›Ï¨œ=ËCiN@“Fk(2‰Æ!¿Ðì´V•Á£Ü¿7š@×Ímãå@Ð$5ÚÜ´V+«ÐqqãÞ fÖˤׄð²:ħirmhѲP&#ãê`Ä/Û¶<Še´ZmbÉÒbÖ^ë€8ø2¸Ê-æ½èž~¦»¦¤¥ÕeY"é"¿èßÔÕB*Šÿëæ"#¼1’/EzÎH,6M¼¼„•ê­ÏĦ¯àÈí_[‰z ‹‹ì…A؈å~×\ñâ´¹êÃu;ÖN/CÜ~ê,NÌ“÷üÙ¿‚NÙÇûhü³Ù1ê¹VK
-#7k9+~FÑØ™¤wI¡Ý5?xIõMœb»o~—9ûn`Bâñ«ƒ›ù=—ì¨Þâ¡Ó=:R®Üæ±³§Ïýë;Ü Þ°ë2©p¡ÔWì (˜=ÝYr„9òç$ž:®ãBZ:óæ²È¾HwE>…T²;ëÐÑš?Eg:Ç/BóÃ"gwCšíYŠ+•9¨Ñ(©öþ‹)ÍTVƒ±Ù¹/žãÇŠp0þ 8RÌ×ó€€Y÷Žˆ6øÑþÆÈ]“aVÅ;6 ̃.ÊÏË7N
-×C&©ü7ÙÖì€ÓåÅ;¨Ý.ô©qF…0W¬tÛ€¸œ&Æ,0þ¯ÆÝx }B¹âáÃÍÃlr²ÁÿCPZ_>Y>÷ñu%ëÓTÁÊè@6%ë»î(_þOÒ[})ì׌#*¶XgËñ{u•8×€.´7Z˜gJ‚Hz Õ
-½»ôúaDz—\n T£î©Ãc¢@ºÍšèU#í´j,*'YimщA­Ø*–WÀ°;šQôÜø A¼ê.ŸcmˆD9Ò>#ÉôÅÿdUÚ¾ÞRÓU=þ”äê1ËPžÿRÇýÉžÀÂŒÇ7 ÉçKpÁ&‹ž¿ØßA4›DP§­¬ã²4äôCðQ?èâ‰
-i7Žk¯¢¦Vúìë1=:—1nÁƒd‰ÄÇbŠê€ñ-þÞ2–R–,*ؼB²:¦È½ WŠãŠ’Ïæ8ªóŽ[MTÄmëA¸Ûr Š
-®?ìÑÈ:Ì>n.¦„Ú…†AWy1ÔÑ3mÕ]}íËd¯‰Ïá¼!yÂú/1½º²6Ⱦž»(…è5ÅßÞ-S©-פlÝHÄÒÙ$øªèÿõ\ú²ÍÚBašÔCSQ¬?{÷Õn‚Å©"¦R꟢âLJ­ÿYz–œÁã5¡4dÁ/* Þ÷ÊJïYÁ³ož–yh\Y< ¼&ÊoKqÐfÜÚüà xÙµµÓÝO…+åb|ìý­Þ·â˜¸ :$eÂ]ä‹[}"{µËq:V¬yšèBA ¨äì¨Ú‚þÚVNF¼ÃÚW¨$Æý·qÝ?j¥W ж1mPe6SôóJÛõ˜Šy°·KZeë*X.º’Àm›¬*/—"÷Ë\ŸŒdõ}˜Æ LºŠ@/å>n®ÚÐÒHT‹ƒÌŽÆAÊõx$ôA.Äž@'¨ç‡š,
-T!}³Ý Îäýð†â £/=Åÿcvz#þ#k”ˆ£ÉÄ㻑„ì¿aÝ f…¼…$â”3|t(Ž¾4hléŒØ×ÿw®ˆ[Žë;ÕØ¿©í?O¶ÿ¼3–a}+Æj¹3Fm˜¸"ÝM £lçòþ¤VÊ I‡ §iÊßà‡‡ãDù¤‹¬…9þû.ƈú›£’à@¤=KTxçyO nZ[Ž/Bý®g\ÝÅi‰ KÖÒMýœÆ}jÿ+ë±5d7í:oæc¨‰€!póúŸDͽ†/Gªæ‰·ŽTï0î#E/ÃrÉM~+ À.…*ó'©oŒžã˜qÑàöB¹ÇÉm£ÅéúÝò‚9hnì˜ÕM~£Y:À¬ª|å_SÑ÷E¤÷Jåƒè@¸¤&_÷ä¾iº /×E>UR'UàÍm˜óµ¦•k`°¡«Íù¤@); sžŸC¦²áB?§°[RIx ¯‹‰"5ÌZ÷Æß•3 tm›Ð²ýÀ«B«Ïc”õŸj'Áþqƒt„®
-pS>FŽÇ_è|/ÉQ꣰–—þù"t5@Óºá÷Qу;vä=­íÚ[|r9>t4™ynÓry>lä<þ“ýÖˆ•ÑÓpeBïaÂ)&ÓôF(ÜlŽª<ÖÆÑÇÚ‹çÊ6B¹ìÎÑd¹p†¯UÝwŠø ¦šŠœ}J%æN.៷-Yg¦I&ÞÅoÂÂÝáòŒÖÝ ’ëüîÅ%ÙºR¹å‡fǼ¶øáSŸ¦RNëê·P¹ Žý§ RVª,ukªZž5ð°dã ê/z’#ѱ‰·V„ÆáÛ5åcSŸaŸ®ÔŽ½YŒg<^ƒßL‘àŒ>îâô?8}˜fý£Ö,<B"j·ÞþÓd¥Äi¬S7™ÔS*ÍpeK5Pàfâ õõxîxÇwe5¼±Ô;Ì&áwïY+wc­
-Úܾƒ•˜½j^ÇO³?DkÅÕ(„)¾áãO Ú¾À³—g´àÚÓ¿cŒª(ú}øjJ;ó‚à,*Ìhz{Ž…˜•K¸+;¨(®hn¸‡­1„•êP]Mõ,Nýåq,snÚ€©÷hçõÛEõ™™‘´Æ÷k²êMé`÷j¶È;¥\²\¯]6öÀ©PÁ•YÞ@DÕãáV
-¬|°½ûjãœÙwÝœd^fÈž€©9F<ö$¥½WïCåì<¦fg)½<ËÖ¶ølÝôÆ5Ÿº'æ¶âgà;ºŸ[SM +ý€i¬óJÁ@èaÀâøÌœMjYÜuòQþe³?†9]ÑðK…Õ\ì4« ƒŸëà‹½KŽöíÍ9YäÕí½Tí„L¡oů ‘ÃAQÅÃ[Wo¤,C5m”`~É@ëè.4[®ö‡ÛAÉðFŒ}Ñúò¤Îk­ç~ÜØëiµ@š1klî{–ñ;‹ ~.|xàyÁÏ·A|ËAþêòÅJ©‰dV¡³öî7“`g‡ÚÛ>}$ú릷;Úã5ÒÌZQø$k»o^ËòøC@„Çlª
-L€-²¥ø»¼Jîýý
-¡YÆS4{Ú0…b3ð?°äVf‹±Ò‚"©†¾£:iHß^Áa1`IÊRŠOÊGë½qPÌŽ3†aµæÁ¶ìêÒZ (¾QûÈ´µ*½TÌ~4Wl?tnt49$ºÚÉ-zs^"ΉTŽ ¿ÚLi‹¨'}ãN~)™ØËžIS–+×XC” œï€tsai9£–Óv4êø&O¶ê¾ùš\CV昃ÉZLÞRÈÇHýI½…àV8’ãÚ«#w}Ýá¸û"--xõôLd:ÞÂ9cœBŒÂÙ*ï#»Ã¡áÕô„u ‰¨Ù³)ŸáB¤É®…uÏÎÛoU†LÁÄÙWsÞ×£ö>ÅÉÚéH\"ü…ô›šu0a& † ¸V•Úð¥;T§’›î:¾Ð×'—LÕ=¸‡ Bí;`51&®séUÐœ`¤‘ øŽºT¸‹¥{
-Ð]ŸXêy‘ß²oÓ€$ð ;ñ^¯ $bМǒƒeR¨õJQ°~ð’½¢h•ƒöjtÁð’£ Aš–ÝHFþŒßæ¦>ù~~ÛŽÂÒ“]Ž3 Îk¥@\-`y-Œì|Šò
-8¨™€¢íuÉu( {¤”ðßÁá*¬Ï‡pr^!Þ¢ë0SQPVÆ;”M°(ÎE0’A æÛ£Ÿq E©¸›sFÍ5Ñ¥·¬XÌÖX;q¡{{ïHäP'Iðmå¨u葅ʲz­~Ì|™Á¦­¤Ê×춻r­ŠŸ2µÕГ(ÚÆDÕ Š·Ž¾Lb`Ån\a#ð-7ÊaÐ@ß™HÙ¶-dØä.`séBÈ‹Å(Óâ‚4æ/gËÏÂ1‹´ˆ¶êC-
-endobj
-600 0 obj <<
+/Length 25968
+/Filter /FlateDecode
+>>
+stream
+xÚ¬¸ct%\°&ÛvNlÛ¶mçĶmvœŽmÛIwlw’Ž:¶í¯ß÷Î;ëÎüšo~œµÎ®ªýÔSõÔ®µÎ¡ QVc1w4J::¸1°02ó4Tµ”MììLÌ­åTíM
+°t1qpûÛ7G€µƒ™»ù?þÚ-ÿ%ääâø7Âþ¯ï/˜²£«›«™‹µ“àoVeqÉÿàéfeâöOnWë¿n€£ÅßHsG3÷Jú×÷æ¯×ÍÄÚÁàôrû'—)`níêdgâý7÷_0'ëi¸»Z;Xþz€ ÐÒÄÅÜèêúæ/ö?Ýù¯:ÿKõ&NNvÞÿÞvü7êr°vsÚY0±°þÍiæö7·¥µÓ?£"ã`á`aþ»¹»Óú<€.ÿ6ˆúŸ™¡ùKÂÄÜÑÁÎ`´€cRttû›@ý§2ãÿ;‘ÿHüÿDàÿ'òþÿ÷¿kô¿<âÿ¿ïù¿CKºÛÙ)šØÿ½øÏü³dþ·h{k;ïÿSüÔþÉÿ#ŒŒ›ÉßVˆ8Xþ•ƒ™‘ù?ŒÖ®’Ö^@sek73+€…‰Ýß>ýk×p0ºØY;
+ŽæÿóðŠ¨¨£À—…“ÀÀÊÍö÷ɱ²
+"—x r[Hzä-ÙÙc«óæXÓ¬ŒQm í-½èÄEꋳ’øÞ Ë[=Yym ú¯®jµ|XV^hƒØrMYáX z2(—²ß6êX´oϯÛåzðïæñeç,ø¦¸µ©Æ‘W“‰¹dÖÌ!àPjBü„RËEW&ù?GƒzÖÔáB ¥9ó?ªsUe˜ÐàÇþŒ¹zþ¶#¹ÙÍÁ¬JÉôŒt 36² o­=Í`ſͽâL®W3¼:Í0J5WuÁ ¡.þkì9sÐêà
+YN¤µ(¦6;.2P'
+¥>®6Sô¹p¯{¡ŽMº7q'÷BSì\!#Ò ì²Ý,k:èJ Z®{ ?ó™¸ z$©Ÿ{F”§‘€
+–u°U×Ðü$~ßÀÝîÖпÄ ÒÜeuãónÃöÍZ¶ú««ìbE¢°ÙAeÞbdË(j~nZ¢1«…ÐÈ­^Óˆ+¹ýÖ oK²±µ>”/81Ó¹Ì%=ô'åU-Ól,õ]ð5Uó/”Á¤ˆ"1ˆÝeÛ?Ó˜ð¬*à0ŽmzŒÀŒÏ&=t°óv%!—°‹&H=—pO¤'³z}ïI¶×4>±Íi7H`,e ½Óí½6 +
+AZºM}eP„H‡§žÕ"Ù t‚aÜLæÝ@g¥˜£ !É ñ¯y€
+leh¯4³Àe ê¢$SbdxßW#Mÿ(\?'aS4©/K>ƒÝnèÔ„˜6¬÷Æ`š6Šg×!«˜[“wf×bRIñOð“-Gè…=lº¥ HYä°¾TÎ…k›íáx±µ,¶v.©ºø¢gáe1eX¹¢èÉUNÐÆlB ¹øªÓ>îmcxé+Y»èY»m)6d`÷*ÉfïQÔ]%1E¯ÈU¿o:ŽŽ×¥IÓQÞ†Ào?Ô#„¿NdævB!†‘$)ó–×KŽxv…@MkG/f,p}·S¤µÅ6Ó¥!2:D•V³âšç à6{RWx®í‚7ÈViµ<epŸ–h
+@uº@ä® ÀŠTœå’WÙ-ƒ
+ü;RAeýö žœi7Žsþ5ÒñIÓŸ¥%ªÍäyÈ°—©áú’P–*Fñ ý+QàKš©}%÷ÞlwQ,CÆ)=ž»Ê" 3£–LRw<;a!ªÌ(ÈfÊRb—­G¢Ö1…›òM E[ÕhtÂŒ¡ÈI"+¤½?e–ø1CÒÝ·Yôä<ÐÐ`üɲ ¨Î°e…(-ƒpÕp$ߺBË_}êçÓªÓËYkûùþZMÌî¬l¸ÌÑx‰ë<ÚÓO¾C艋BX\唽4Jhõüá7Ð2 qû&ŒÑúwÿÌ A*Öz½C¾Â1ÃÑŽa.g€ÀMnÓ“û 4¸=¿jy 9Ù`è…']X¦zý–(©È0NIíëk9K±FbêËRJ)!­ØÙ룰»®¡q‡¦ìE¡÷Gη¨-˜}U æ½ä)Þ…ÀÐIÞ3(bÝÔ¾PEPÈKr]å]U™ ¯P¶LEqòÂÔø,0-ɹêÒÇ*Ö6h=éŠKS;¬n±HüEp2=96éU-9¸ÈQÕŸED€éD˜ŸÑj+Ä´k#™ù‰@G&¿8Üü8ÆØ¥n°å¤ƒ+ŠK–±«Ô4Q6nCNTM´gu„í¢—ýy|d®¸ZÏƼ‰›‡zü •…(¶]î1í~ÑÎÇ œª÷ÇΑV1]F Ç\EØ%H2ÊuÝÖ”Œu}­¯¬Þd bÂÂy;²ø¥XO††̃(Hþé%_èTrzè©ùËE)`~6çÛí²|­Œ5ŸVàP”ðyj.k"äçeÁS ’݆-ÞÖš¯g[‚r›Qyv,ºgb£T ?ߺUÖb›Ç÷ŸD ~øàÉ`“ÈÇ›8b89<†9ìðf ÎðN>’)»êÉøñ;™Òa[#CÏW²p?¶ªQ¯ý®†[>x”©ÐCk`+E#UÍ‹ô¨Îi÷ÜGNà%Âñ§»}ðš´f•¦$ÊùäyþÄ5Ò¦”·@8¨âeô¾.%³­cË]ÉÑXSЄmÍO„X_(‹Cz>sñb}„óº~ë'_<m4ú-œÝ3¿Èîω—ßœQuŸé9îTHØ6cŽ÷©¯gdÛq'òV„mzgiüíEÀÆý¼\Þ›{èLŒç!Ãã—œ}žrT-¹rfålžðµ"zX€|29ö‰ç’
+j_ë0ÚCQf#dèÃ…Z®vòëÞ`©XRe‚Þ¶“ÆbCç_† Í3§¿/¼&¬+¥ž²ó܉ÈFÔïòÎÜ¢Pî)EïIÌv/Ò¨O­³¥‘—ÐSìvm¹=–¶cê×cý3ê« ¥_Ba>éUDžèß´84—5†¸ô´%Ìd¤`Dœ™´ãI|vU@^Ù96¿L>ô•‰÷äv ØŒr© w^>w(dphµ5³]‰´MäA:bÙïVp‰ WØŠÊ‹8Š„NdMjËñȚͪ~ÏÃMiŸ?oëµû/ªk·åµÙª“IÆ_4ËøÆ¿É·+­€:’1fîúmv€1Xût~?ÀÎ(Ö4»c` Ð⪗|•õચ¾ëU½OVp¥×Î[Ãq©«6 ‹Q½Ì ®îúÀ­w£c:£w†ôøo¦¬ŒììCz@ÆЫ®e÷ îYi׸p2w•º)Î,«èsÞzÇjKÀ¬ç
+õÁÈ28žäp¦£›ô–Yÿ
+}jÀЖ¦EöT'¨4kâùÁ:¯ k N)4m{ª'¨8
+o"®ßÜ–},2þv~D7e¤ÞZ rùˆgÉžà±3pm?ÿ,T
+ëîgÄ?)•Šl®/×ð£ Ñ]ÛºŽƒ†šÞŽi—é
+W7ª°å:)ª²‰¢Ò8¾M² cOšg<ºÝö§Ü½‘çÅåÍ×3K‡à^i¨g7ÎÅN`‡©™ÔÎKO™É·Ì~rf 䉶MÉ™\Sþü0[:Im²z?¸,ÛY¼[YØÝ T_ôöNÀ[ŠôAf¿/èçÃ4ÑÓ¤L3³ñ±•4Á„D›Z8âD¿ú>‡àotgç{°ÑÔؾєAåiÌÿpÁóI›úžöâ4»èÊv‹M~C{ôš*¾T8Ù(Y² ©`Wkf¼!6cZEËàxpâuÆ9ÃÐ}Óá7uCÓïT÷E j²DÎ"0R/mx„â/! öFkÆ™ÔøˆiD¹—¯ÒLðVÿ fô²< *ÉÄŽtûS3û nú>sF£Sc×Êå
+:ïزAøÀêPØ5Á2#U[øð/•ª€Ç»¦î” n[WˆLØoHé„W¹„ 3Ts€´<±_Z_÷ÈÜõž/Y8VÖŒ6•ñíZ(D{Ô~‹Šc?W-QQƒ¿QØÌt°•ÑNóPtz'æ_! ÆμMÓ²·ý *cëè;Ç­…X9Ï!øù©Ò
+‘"Õôç|ÈÈtú<®{ }à
+]’4ªLîl£+òöÁðt¤q©Èñ·*¾kÏø˜þ’3YwÂ~.u=è|›ËáAN@®¦§‹»‚=ÀôÕ~LUP|Ñy+cwFæéB´­ öQxÞjÊd]æ}ƬsŸ«ØÃ>S,ÔÙQ‰Î¿ÚiSFÁêÎω ¿k_rÿÅ&h&o”€¶ÚŒ%UʼãŽN7ùäøcÓc*eQTæþìvÍ`éXb4o01j}OÎW†lÙÿGµ“æÙ‚ßE×x#KG7Ø¢ò“–LÂBµôE9rÙv¶J?F0‰×…Ä­–šˆÞïXx»¼ûê|¶m—{·Ñc¾
+úÊ•REË »Ñr:ýYîËñ˜ ùII·ÍWæÎаD0p,yà›ÁÄŸþ!ÏêS/‘çt •™•œÌiÊü1
+>ú#ÍÌ׬-cRÏx_QkÞ±{Q*‡Õ™-ÝQ^+b<y6Ö8‘ê fkw6IŠ;R¶×T ?~¡˜5‰PdíܵzwZó²Û´ÄúóÓ¾ÈàÞË&Óéè’¸_É×_]m=‰ÀGÛ6=Ý?%¹!¯ƒ5i‚h1ÎZ]b îxÜítsÃ) ís¯ ¦¸­Ø’ù( ùX¤ƒ·`bÅßéµú€÷ð@l{(ƒ.•ôF|ÊÏñtK“MîvîØóŒ¬É¾»–Y1«Y£C=V<É3-Vêàõ0œ=ƒlðaqʡݘ’ Æ_p¸¥BøoU ¯)ÆáQá#ªÝ{eN†û9Î(ÔAïé~ýÙ0EŸ"œã|K¶êÅñ¯¸1pn»‚dNƆmU8'¬ÿ=ó¢`íuwÞ]½dfŸT&YŠ¢žnª ƒ“¤à„0‚Ø^ÚTø蓺›M×ü˦Çdx9&qÖ‰–Æßp±p3;™*–œ¢Ãêc Ö½³ª18«°óiÉpÆU­£@Kèçø÷'ZkÓÃøè÷©ìzF\ek9-‚rrGnr÷ÈÖÎf[Ó¼¨¢ž5ÇbÕJÁ%!’õ‘o²—r ÛJ(hô|ÉÝI¸<ŠÈ¦€G(Åa—›ų¹“勪âs‹(ÛpÌ2ÛýXµ@û-5=ÒtN žyJc¹fza
+Ê_ñŸÃ§ÑÔèõðnÏ c›Nê—ÃIlŸÃSÃÖ$ÓRAkP$'ÙÆò³¢lÁ‰“•¨=ÏÖtF%ç̾O¢- 8b(!O¥®4öT”Ä/-_0!Ô=èæöx)”ƒØåÒ‹ÛBŒƸ@£"‚8I#ÇE”b8¤‡O“‘w©O»Ž$Žç i'À]K-xzfÞ]üïË t͈á*(/ÅÎú0aOcº¾FÔ»å5úÅ+6öÎjxÉònÜX‹{˜SÄ…œ¶F‚máWÌ{ߣ$qum»Üø çqw00_PC^vÉ'ÌQ©‘ÙNòáyÃŒÁ_A¾*ãuΛíöùD«dºë4Q^)ðO½öa»þhÔ–õ³¥jÂJÕ¾‡!-²ÕÒOí±âT"´xâ±Z´5ó-ÁÀ̲ElJ›VŒöù^[úkJà•ñ¢^Hrï“Ί€‡ØïO§ŽoDEizÑâ¥/ÝëÝò@,²ŽÞK;ñzàÂ//+s›I‘"_«ó¿«h˜+É„éq é¨Wn4 ÓGˆ²¯%±_0‰Û ݸMÉŠÙ­ÆÏmp ³æu£ª1R×õ!^dÞX€
+¼/ú¡e“–NfoŸ=\îÒ.³p¤Œÿg Æ"‚­í¶K‘2›ÕýÞ ;¯ÀƒÓZU1Vµõ+Ê[ò0…=¶%Pêi~.½ÚdìÝ´j¹]ÔSŸzl]GU
+¹±Œ2e8¿ûž÷‹£Ï;ãÛéå¸D(-’PÑÎ šïXíj»<àèékÃrt1fà‘ìðÆ"e—_¶Ë/ZÂÉ™ K
+äÕAüÞ#(€ñ³ê[&H8¬ëé”//ð'tÔdN´ÖÙ–r‰»M¡Ù
+wp‘éõó åÑûkB“꽞ü³süyí)ˆ¨X²59~þ¿¯ï%v£‡"w‚é„0Í>au#§PùRà!ƒ’QNT>d⥄n0ßÊjš‘â¾BÌ¡„J»ªø›Ö)²‘¨V+ô1«éƒÃ å¹;ýÐb1±’4Î5¿[Pö²ù¶£sw ~ó#l
+%p<ƵulºM*sLÛVXë$„'+kË’Tó6qI[ëRÛäHJì TÍR70O!½}Ó´<çJΚ
+ . úBU*R‘VI*‰~­†:¨ª˜M]ªßö£ˆµ-‹•$ƒ@¹À\F?ÂŃ´æª]Ä$ÙxãÑ´ÕëìZx7‚\g¸cÆÃf¥B¸à¥9èkItÃGåÞd^jÕ·«¤ãæ€þIwÿŽ®„g'éÛµ­ËÿM5‰l ü hd¥}–uyR w÷º41]›u·ÎQ,f¢äá¶ÀßBû¡ýE;&)AD)Õh³rJ–¨À£=Ç.¨Þ‰@¹#VÊ–GG¢Ýþ…e§ì+Sõø*ë<*zÛ±ÙõÑ”ª†¢éÃ}ü Ü£?ŠquPibîB!B7›²L@UÔîuÆiHà q–^ã8ÌŸ>o!"="¾å[½†¢"SÖºþnŸÑ#Ëå¹¼PGËPÈ1Ù,E"ÇyG:í´æÎ÷0ý¹z$J¬xÀo„…:f±ð™µm‚éø¼MI"Hv¤ö®òÞO5.ÅpÔ]Iœ p±úJžœ‡]H—ý­Ø$çO¼ãóØ`vNܒЉ¼â†ƒá•Gñ™®Zú«²øá·(«†ù·ÿš"Ã
+RÈrdKÚ*Ÿ¤\*9f+2æúpŒËlóž°I¼/]Ù¥QÔA‰Ó€kŽ Ÿ˜¾›lq Ç¢ð/Tg^:RvGà˜H…ØøH{Œ“HÉ îd×_³,ˆÉ‰ÍNñŒÜ< xK t¸»8‹ðÿæ¥ ¡­Ë…ìdíº…£—Qá@ùš—`ãSYN§2GM(t–¨Ñ£äÌ/¨ñ"Z«rúGÊO‰Ï‰^²ã¦/%›Ý‚Ƶ SgëiËOC( :å÷~Ê4Ÿ.óÊnädy«‚c˜ÞÁýRSæ’"© Òó
+‘²4‹g…ÌÃv`u*“ä¹àð³_˜Ì) ¬}©øæraÙ*×;î;»›¼=nâ)MÔ‘LpFäµ\yå”àúËôá8Jy8¼ºE g³!DÃÛ#ë S$)ú3Åîå¥Èoéú'DæƒkP¢¾chL³`Æ /íËŒJ¥Y¢ß»Æ>‚Xä¥R”/…ÓZíÇô†ãLÜu:ï±÷"Ôz¯!ÖŸÈpì“;qª MŠ•…©• RÈ.jêEäÆ7Yã)Ì×ôVK„vvJñn¨éÀ/˜” _èÒ×E69 zfŸìˆjxSp‡M˜8 < }ÔL†­PüxTJÜÆÛo½Á9ÁÛiWÓ¢|NsÍC®ŒŸ</ÎKû˜™¨»††¤+â‚ï—¿°0Az{¾N©8Açi ³¬¤wkR3Ü´pÝ!¨2®É9Zdâ~WÞ¦]F=¢(XÌ™á\¨‘_?¿<yáå¨aŒ
+¢°cmí”(­¥ƒ¾sÕD¶ пû°- ÐSJC_7æšø^Œf鄺©sŸ·:%/Ò‹%‘o­moC>…üÉxÝô÷éOBÚ÷FÒ0® h@Ë‚kápØ[ÈÛýNm‹•=sÙló¶ÿ1Fä0·Š2ªâØg gyGª]¾úzÿÍUaÀ¾W¨Ï…—"³?þ¦«D·°ÁVVnŽ}ï-ôz`ȼÃÛú*WÄÂm­/Ž3*܈^ª>Ìš… ùfÀu*´Ó.£È“3O×Çï s/C6þÕRí¶p¿J Küh€GeŸÆMNb¼ˆPr’•‰5Cøˆ¨‚bͨÍ~­Ò´ü!Ù÷£@e=\ûö@¢
+!§âe0ÒwyëÅÄ›°$µ«‹q.wà6;}Ø^Ù¸í(R
+/÷¾Î*ߧ›UC·H®Ðû% 3†×÷<Ü÷û/š%=QÐÛLæ¬MÍÜ+‡¥B¤Ki¿ö¯ÎÊ­ÌNlK¾Õl™!ø&KJp® ·[éµ_Y&•í%óU¹«¿ÆÜ[SÁ>æÏ·7[8xgŒÝU抯#Dýƒ¸Ž:ŠÈnåU¼‰âz"דø ;“„FCϳF+õaX/b»á„3ÅÖìÀ=#>J…dÚJRýßS3çÊ”!‹)~¿@ÓÞAõ2?d3òÊZׯecŠWMi,ý0]y8yñq±§‚q€ËÉûƒÎAfüÆ_þS‹1yM±Ù-~òns%þwèO®úÒõîg¥h±êû4DÚŠw-fy^×Ü€‘â^|,Mo±>…2eýšÈ ?ª”¤™4DF’
+;å¬&¸P±öÊ‘>çÂ’‰#¢!jϧœuA`9‰GBÇæ§Of•
+wJÔúB/.qfQäXò‹›b¼¨)¸"Á,ÈítcG`Å«ßn Ã7&uù;eßÊ §N¬º[ü\™\7’M¿mLªræ‰1Þϵèl H 3Ý!r¥Z”°Î­T ³¥/EÐaß¹;™¢l¯:¶þUîÛû¯­R­é6‹@eQ¨z0Úõ'¾ùYÓ(­UY¨o®&lv4\ÄåÒ_ɪFC†ãñœj*?Ë‹Ëg~"¶!¡’Œ3ùþ:¸äë‚"¯=Ag ƒ¿| 1Ñî7öC$¾ù÷}†?¼ª¶~ǒ稽²ÄôšˆfÎ ¸<—a¯¸#"tÑcŒe!èË¿ŽŒv.ÛõÕzµN«Xí“Ý™ N—LbF8ÏÕÕ4PW¾>³»’#GÊdÔëè3*æ“YŽhd ¨ ú®šµ±¤Õ$ÍÁrR
+ã:I‘ì×òõð,°ˆ²ám©l×曼½€#«[*A¢¢U‹5Uí³õþ·¬üçápM#Ó2O(ñPWSxœ~þ‰!_¿ Ú»È.s5%Ú£30ÆÞ=ôÏI¯ÛI"[€/nAq‡{4}¼ã‘Ôþ‚š-Ò)p+ÐÞ„efTZ@¿¤˜]ò×=ždŸ…±@_ –{سÆS2{*Jyk/Z<ü–ù~õwo/¢l{„͘Ï]¦ý.ß®ªFÝ©e³§tH‡§/ Ñ™Äü¥u[Ü׋©$ŽáÄÄëã,UFÖ ÞåŸ W6Ëj›¾½7æF7ñ £Þçréq¹'Î0¿æÛVÝRR™$ÙÞƒhÿ7GÒvÕñ¤®ðàäeïËÜÛ
+FñÁe¿agöÓè7è—‹Þ|‘Ô7ßo×M…•ºW€‰¶•ÜËKïØ‘ƒÅ2Œöý¼iFØ6ùÄ›¦«oR²LAJ7Ò'·#0ÍÒk²ó§Ð(¤ñý'™_Ŷ‚ú°ÜdÛßdÓÙ+³Üœò´õæyxáK/ìj!T>‡ (FÉ>òþ‰VŽ-®yô yñðÙbþ]s¨C2òù¸2úÐþUû¶‰ ²DjÍÛ#) ÀT+PØûº(T!Mð%tÜÎð9Cñ<Üí
+xýövB¶è2bJ®ÌLÓY>=Vàr?,(f»«iÂúŽü›NÚ8ŒÖÝô¹Ëº„ 0Tvº@ý*‰’(ÿªÝfEBZˆqàÖ©À6º Wì¸Ö÷d¹C6n¢ BÔ*Ä"ßk° I6”V³6èô8ÖÅ.,O‡lÌÀ>“#\µM²õ!HèRåƒmcü¯º¹
+`ìgcxþôaÈ9P|ŠRm¶£Ç"`¡²'“ŠÏÖFMŽšNyÚT ·oe ¬5<Ã-Ö±Ó—µ»WC¼³l„†üÈӶ߱‚$â[Èš¨Vp~#B¼-Èä˜åô0RF~Ü~g™xò‹…že††f@)‘ 9!
+90š Š\ñ ‚³„tŒ¶òj´ÅåC–ZÝ4}iÔÑ™ÒV{ qÁ4^Ág×£Ö*,Úæ« Så=ö«j>n€'*S%:ÄWª˜w¾F¶I¤áýaXä3B¥z>Yø\I±DQ’Ëx嚌ý:l¤*ÊwAÍÔÂéjÍJÕ¸\ÖbÉ åÏ,ø06”6†Ã
+O†½Ð¼ÿìát»¾£â†¡þ½äÓå`K:JDm’êP4o變o݉4-gÑäê¹ð
+"ü„£ÐD‚oà^b±IÁ÷-‚áp,mÕ8®V¥‡ dØÆÆ‘ü%kû¹ùð· „·²³Ü¨7úüYCµ%Ýéï±³ëP7\ây<ìc¤LšeMu ©Úœ6²†>–\sý]C:8yB69æd‹)‘SbŽ)Ì:øL€ãŒ_`ùI˜-BN|ÇaD˜r>g0k&rIöXkæ ”V2øÅ/1™‡œëÓrÞ0ÊÒû#䳜Æg®BAÓK°™“„JR
+4£C!µ*•Ò&Ê(aYƒ?c4[¾›÷>˜SC_¢?5›¿+Bí÷Ð.« ÒëRÒ;_öç]bŒ"fT·Ó¼À»š¥‘(• <mÖ;ápú²49¡“<o˨Ô
+ŪpÉíÿtùátI
+†Û*üh»(bxW˺~CÅó¢”$”XxèEš‹ÖùxãÌ1I"Ñ3ÑÞÏAÏJbÚ)—½Ï¶£«S0¾ëºóXD¯fÅ(Š|d×egªZO*v oÛãÐX:_Õ'Ôi¿{q:?·Œ®í%Æ(͘¹ÄdnR‡Qo@N©>äš8<å¾ýŒ‹Í³Oˆ¾Ð_ô1ÀÀ‰)ó›sÜWȳgVšÍ
+qmÏÌàcEB°†0­æª/’/N?yœÞßþñ“—³qTј:8yA«ïïºáή“hÊÌ-€PͪˆÜÅeån²ñéf%$›Ú±“YnyÅ™ÝbIQ~_™¶oà&r8›[Bž Ài'”<b.DöD–;†Ã4~LOìj“¶“#x0Vªžúݶת^
+³à8Š/ÝËOþB¬ºc½NÅöT!´ìX£*Båµû9á+é!<« V™´u4ŽÌ×ýmçNËncéDŽ¨= ÑúV4HbÚ˜°2‘Ï_êÉL§Þ–67…uÒ¥SÈxÒé:çÏñWÎÏ’Æ"¾®…ßߌÍÅíb^¡BŽóá!³ ¢;ˆãñ 2¡Ey.˜6”•>‰æ9ÎÍôQÃâ
+Y6Z*óø+9#«8wØ|¼4N|k%;îˆ"äAçbJ]¸ø«Æ÷‚ÇT6„XLäÝñº4g]D9D•F¡7a‰çÚž‹”b|ÍeJµ+j¯»x*]vÍʧե º1`7`e‚>¹ë;¨ªì|cÄÏ}›åÎ/ÞoÈl‡ÀºñÂ3ßçH0èöÚ-(Ç…¶jÁU<4õÅ‘¬°Ë¯—ršWߪ ¥È‹F6j¢×ÛÀÌWñ­ áÿ‰M(LóMEÑÍ<¨í—J+„9ÙQÎ([ÂpRQ‹0CgäŽqd?§WE;wÆ–…¤†${N†³v1<«”¾SpN¸!6=ç,ÝK ¯Ê:ÞV+*ʻ࣢P†]ž‘5ÃÆFS çÚåÍzòøÛOª¨GîËiÁÌ!ÿ b|TØÚø€ÈÄ1e²{'U}f<`·AÁk¥¥Ç˜Íj~¨ÎVÈt®Æ „°¬íª´Öé k^HøÀ?5h‚LùF'öÆÖƒ&-¢]\<üòt"e¥1/U½Sõ‰c±Ç¸Ùæ¡®jè1ù£ÞÛyE9“Ÿ'7šÍ4l#>´ç`xÈ
+ l®Ö/ÏŒ…°ý<ãÓöxyõå\¤.çé;ãËÃÚöø¢·¯=‡T†QQ–2aŸF9¾(²™N™(Ô‘üNa}R·pf¶°Öz(Fý‡ù†=èÕu¬¡RòX14)Î\DJjg<¿­óÑbÖIÙ| 0RµR—¤k¨EÙïº Æ Œ¤
+í ³|Ïõ™œHa™€4ú@»ä/ú£sß·
+™#+.‘]q&½‹« hJ©T¦:Ó’Q!0 `9 RaÏˉ'·w¢HÐ\z”Œ>Fˆ} 
+sf³±jÍ2‰
+.\R^æ•o;gV;§¿¢¶Çù‘fbîI$c4ŠÕŽ"7%€NWãJÌö,YøQRJò Í6®Kä‚úärSÌÇB :¹õm°S·Î’!Ðu¤ žöºÚÏc!–ÙÆã|€TÔa’±dsXA’¾ç ß)ÂèÜ#rî_£Ð¦­ߤ¤P£¸$<™äE3*ÛóŸÛ¥§­ÈAì˜ Ft‘0í‚+'+yÑÔð¨èYÒº%?5Øe=¼\}­ù“ƒ%˜Â)%9EJªÛªùq2ò¤F×@Dn©6봼礜O}Â0*“¡²^ŒJ¶i€X°¯ÀIOS9 ×çúÙ}{¡Ñ+Ò¹)Ã%¥f2öB+è!ŠùIXllëòè&Ê­g"ë~Á:Ýö”:Ys§>j¤¥w- ¡/r*ÁÑ£¸ÏSø°‘³VÃIvõ€Eë#¬Ç†Áâ–1F$~„}â1;yV®"vÆŒ;gR~ S ±ÂƒŒlÀ hràE¨;:ÉÏ3ÔÜ>r˜÷ÇÙ 4upcñT·’~­õU)
+‹@Mcpƒä½‡×µ¶¡ŒËžÉò`™TîPm/dÉ–°ƒ,¦‡ú\‚јýÎIä›îs߯=l
+¦ÜÞ°éˆÝÜb_ZFÍ’L” ç“sÂgúœÓ›”pzŒÄ¦ðñÖ÷µfi ×V"¬O¬:·Qîã~®ÃZ4ÀD­/BEƒm»á®®²3ÖŽçÛwfÍÌÓVîÞ”fîmY’ìAŠÚ[UGÌ7¦6 V·hûBÔ@ÛC¥Ž¶;µ'úÓØý ‡7ø×âÕ„OÚ‹¼r.±|¥Tý±ŠLs”ä ¿Ìf¯Ÿ;ËUŠmK¢°õ©5Œg ½C¨îÐÇåª#¡L›q’Ý3R²¢?ð/™&ô=ÁôcZ4<˜Ïm÷êØz«ÈÇ[ÝB¢òMÿhäÖl§¹Ê§œ²íÛ„LÖ±x¸•A û™[bv¤uËE0?_|O Ô×ëæfB¿{§$íÅ©rŽ;÷6þÕµž:Ã"¡&§;*\U„jŒ§Êž…lÙ5̳HU;ËYÂD™0œÚ7Øl;½¼é1Q‚D½±—¢IíOùʈ¸ ƒ
+b´Îì(« £IÛ{jú»±Ú3í½ÏéÒªXÿ|\hÝ™#XòèŠ_^—7ÿlÅx$×ëËrÃKÂ'”?õ[õÉ¿—°QÓž¸}ƒ[ê!&1‚4AhLêåSÅÜ”qâ>XâîeTfO®\pCÚ ž¿òE?àã˜fB܇Žrm3eμW_Ÿ±ômšY7F­v Ÿt¨çÔDƈP.=Õ"tHKÆ‹.‡4›žaÑ!ƒêâÖ_Ÿ“WJ%`Fµ€:¬ä:§ÜI?ôw?ÂÚ¤¦ÍÛŽJŠíPúþeCiq¢E™w¢n;³‹2HÐÍ'a*àæíÅyî­øn°˜š¢Ïa2¯~T
+‡}ºšíPøÌ^Ì ã~9|t=Ž%ÿ©øóÕšÐûäâÿ×âÒöµl/îh¨¯šs±º×Ø¥T9½ÉEUTJ–@”ŒAQÎ'4XÏýv;—uS]Ss½Ÿ–ÈÿàÆF`‡ãŠé+f¤þ[¥ebǨ‹åxŽ‘Rñ°<1?FQkáÆ c¨üè#?Žþ&.-AöÔÐ[(CàÀ¥o]ô¯½þœc pàÈn÷Ž”óÄÁp˜,\’@|†‚”Ö$.DS`X¦a¡™ðÌà,(8‚Ùvãñix,?"xŸXéT–rÖ8¸–+ÅÖÚå{fÅÄ-(6¤/ÐKwäÙùd-ptÈÊq2?àÑ‘xfß|ÈÅŸ¤F† ñ2òjÑà9tñmÞ1B4‰³¯¥üúUŽäµš[wŸy<‚&üš 4ñ@Òà%GòV·žº·Ð.NRé´KóÙš$ŒÀùSN¬m[oðÝlˆÓÏ#92+úÇ?e‰×WÙ4Øê¨5 \ÕïÒ<?§yžvcÑþÞ)%Ÿ`ViWbù€ÂÔ™ :=[ŽÐ×¾¼f£eìáµ0ôÁRÀ×QEK0‚-IÃË®ëLÄætv±™«éÛ–Å:Ú–¸9c ‡_>6w¡íð( §¬íìàò‘ £}1tUüÖÀ_€>*'ø’ö ‰ ¬ü¤éÉ¿8*îÓ—¿i>À ÈÛÙa8mù‘º½lØÖZÝð{Xþ¨Î¡»c’P1¾  ©e«Fm¦6Ê¢øð„§£0*£šß—­L[NË|äm
+.ó)¹)ÛÍߢßÏǨ8Ë—ËîÁÎïÀCuR 5‡ˆb¼¿(ã S]ZÝ+ïa›Ò­ìÛ þk ª_YGëVâïbaˆèþmm­t/:ÅáúGÒDÄnB{²Ø?§¯1i¶Wéž¹5»/èzú¾éWƒb#½cCÂù Ž¶*_6Kªsálssy\½mQõ·]»p¾Ö´ßcÇ"çxÓ ÍËmõv€qËdíy T¬†eœó÷Éc†Uï»ó˶—«C®Sè»XlÔ
+ÓuÅl–Ä=§‡ÎóliŽµÏ®ß2@A7÷Ï4.¢”K{[s߉Ë&MÔ3V¤eå‚Ÿ‡´Ré8œÛçýwñäìÌR5BÜVxÚï 6þzÌ(î ½º È%Â3Í@½ºðéŠúVªI%°ð&ÄEf©¢Wÿ¹Föô"ê/-or@zZSö<Kl¾Ck:úw9FŽãqUk‰ oµ€Çï´ÓÔ¢’:(d›ØI)FQïŠ& Y‘5²ÀD¬ˆá'³ºS¸ªn0%FDCÛcŒsÏn[Ð Ic;
+›u*öctIñ¬'2͹Ù>Ëk»¿
+–J3ðMÖ Â£«ñH¬a@¯œÎÉ÷k®?s½la`²ÉÕÀ¦7"+GQ ‚ž%ŸÉ7­9µµøèµùÁþ‰­˜¤–ß9æ²ñÓ.éeØý‹Ýߺ™¤/ÇN¿HˆÓ$:°øgL¯Œ=ßÂôäuå¥xÅ…¥Ÿæ‘ÙjKÍiŸ@·©.å8Þ"ih«Œ›èµ8! õÔ1e± 1'‡+0É]Êò»l)Ú±©S…⡾q}lY™ø 1¿§M Ç“«¿¬Žíì²:RÆ0ÁØ°§ÇáˋÛA³†9´9\v~Ë–©aòîo=ù"‚êÆêë%á{3Ý’Õ®
+~J]áÿÎaËŒ¶Bؤ™¾oÍHÏ­¬„鲉®‹¹­.ê—ë|ù ç¾­0ðòœ³xcÚq ry×ïІݸë,«ÖÃïï¯&3sDÄžíÉþ¾,0ÂY†û44ßH¢3ÎÚ~%Ï¡]óŽî6
+à[†#NÁ3ŠfêvߧqëX¨ÍÝ{ûeaÖQ@ßÍ}kYzéB>_¥UÍ5îºÄ7‚ úÊU¿Ø‘Ø'+u7»ñ[–¶ûŠ†uVÉ„½x]oøŹpQÏò+á]ͪº9Äß—cÖu
+ ù=€«ªû%ýš²B»¹Øœp«îfq»sGTÌ•WÒ?–9´°$E8¯—Xð‰jU·«pž[…þ0&¢aoìÏì+²K /¹+9ù²g+,6@^›¥Î~R=Ïi</BÿºWÂÄV/Ü›åÓ<6e7—ûý„emP°{Ñ4{æÖ- Ò‹ïJÿåAŠ2õí¸D[˜éWºç~÷ûk]àÉTðÃW¶ jr¶n=]ƒþfŽuõ8Ö:¬¸áÈ[¢‡7ù«L·#Íö×4Y|€¾Sjènß“kÒünIçØ7¿£o(’‚&²­:ÊÚ1Ḡyµì{5þh î¹gz²r”ÑVÎÅPyÒŽzôÑ|NRgÀOn.øüFEÞƒq”ÓWf?l§:nÒú69ý… /Y:²}§Ç祲î¸6ìÜë7az¾3&4ìžþ°
+¬kr ÓÄÇr} u +Ü”¶Ü[§ûÕ–0>Q„…¾Ïr¶kµ3ç̼ê7âéL×»:2ýõ<—‡ÌŸb®_>-z˜Ú‹8„Uåg'²¤UuŽ€mvf»ö!úΓëJ›ë²pZ¾Õ9äådLÉ–í”° ªúªä7¡Ð>÷ìjFWÄÑNƒ\¨GŽÕïí¶ëÉ„+âëÐ&Ø¥ŸÊª?á°0²|Ÿ³n`³¡ñʆ¦„Ëz Çî'¾Ekåh%(m±®TQþM˜¼îÛè¬nBAá÷¨–Ðh½71ñ]6þ¹£Åa°–¨ ‘£0~˜ôD©iþÑÆDÉD‚ê²ÞÞ“Ô«%N×…b'Ýsãc›pC<}oC°éŽyÇQ{²œhöItßÇ`[i“ä«kì}Æ5bþS›å“?k{뇴ºý˜üyý÷Rfê·/ßËÝvÖ9ÔÍ!dôQûó!á@^Ĺü4ÆÃÝ9&^Ð^µ GÑKŒ±,&÷îd+z.ø!IÛÞYS¼A¦ùWmM,I Ðj€æ+|“¹o&ºæ‚´ÇóÁvÎý­4×V×KÏb¢ƒêÏq{Ó¸R!i0a7ŒQšbc©ä¤eÂy°X£vœsÄ/uÌ@çÀ1a}#¾:ÒÝIrÝ_ÿšÌ4@¸#ùO}*ÏRÈZ˜»âŒ§wŒbüíô¾0#VŠÈ´J†õ„ïcÈέ2r<ã;Ä¥4<R,IWòå°^¶˜/½o+JUøê¬Â"AG†¼1(Q|ÝIØZʾÌKƒÖ›þÖƒðÆÓ9Þa„˜Ì ZÀ%EÄPsÐ ’ñð}ùsÔr¬æ_¼"šØ¡ƒßa» /ËQ¸xV]ÇŒËÐ>
+)œÊÓTU×ÀŽx(S•ü+Õ˜ºÉhn6÷^ê->97ø_Á$k©½œð––RYö«GÞ.²(²Ó"ž,‹ŽNWa¾üê‰ê˜*×X2/¥›ád:"!1¶Ò<7_ËÖÌÌ.j'kí”6!À
+Œ8¼TŠRWæâ9í.ž©ÖYÈ‘€ÁÁØ2ñNæäüY4Lᯪ|˜oc%|äx±(··èŸWò(‹xiD,¨Þ Æ›hq‚³Ë ŽÝª±]Bž#¤@ZO¾Æäô«‡‚½}p¾Qv%Ár_`£Ë§ôQéÝ/èaÅ)ýS;.Ì)Û²ˆÜþÙx£›1kÞ[ª;µÚd¡oÞ°8[¡tÄ6Cí;lv€°D41¯å RÃ(´Öãí¹ æ»kr8ûŽ˜ë¡lêo að°åf&
+.$ƃÊQÎO/UŸöÑ$2yÿ¢Ì$¿ÓÚ£Ž?߆\M$]´áõ˜™! áÄ3¸žjIœè½ÛÐÞy ÞêœQxu«,Ã1RèGÅ}²¹é.*e¬´“gS_Þây\˜< ~Å`K ôsWJ{\|=eü¤yÉŸŇÐúšö©>|U=D6ÒB3iƒJ›ð"-©Yå?%ß+æïê¾Tp.ˆd)¿Z8âÇsDFO,L%•!<ôKæá%L)ßHõÓŸ¹?¦#ë˜<ŒüKð<ñ%§./½<T¹$‰3KD rÛmþèa‹±gy «ž |êÚY"enèiA/G.hŒ2i´ÏËJá©uˆ¯ØM. ”A˜l;E™¬÷¨Þü“:ÑäjÇu+^éX¼ðîQJ÷Í•ó~ @)ñ3…àVþˆÙî'‚¡2ËQþKéÎYšØ…¯Á”¥*W]LÔ\(}I¡-”’ηmIï]Ó'šATàãZÊÞ=\r¯…ªmW3T‡¬:ÆГýpR%TvŸû…¼—Ó¹ú½”Ï/ïè¦v/{½Èñúéï%7=A}i^…·qâºwƒiÈÆgÑþõ/¬ìÌwD¥îT“]CœxÖ@ý«kÙ‡] »}VLºÇüe6Ë
+ªÁ ¡1”ÕZÁ‚àˆ=ØrB =-…ü>
+!?Ðè‘ñ—Ådf¸÷•Ï±ÈÎcÓñÔw— Oq_/0òkxLu\ÎRýZ«ïüd_¥Á¾™*˜Ð‹ l^s>PWêѦæé—¸y5×yÉÞYš¼jli\aÄâ’šÎí^8‡/cyÜ}g‡Œôô_Þ‘òïªðk_öѨr. ã
+末vß,ybÓœrJHÅ#n}{iÔúìæzfï¦ÏAoéú2ºÞ¶HG.‰ùq6ÐóÝSdùLè²Ä­*öåpÑ,7ĉˆÈ,0šqDµqœ¸3O§÷—'H<q»’›êNœ^$q^åTÄ€3–‹(¶^„?¹Šy Xøì²Á¾vô¤Ù>†Ó¢WÒS­ÏGuu]„††TôöÊgäêÔ” 3Þ{§tRÌâdh´š[½*ŠOÍòÎùBVù¬šq21N{›}×~LܯÆù
+<>ݯ¥h<òÀ@"« ºØïÀ9ÉÔZɈ”òœWÄ«ÕI½†…*GIÛ‚þ!T¶þk„à •[“|<²…‹Ñ°â£%Q®¥/ ºÉJÙÅIM.²«b¡ÜÞ†1F)—½¸J ¦–oMùÎØ‹^> +'ø‘ï<¸ëÒñ-¨ÀÿPЭSýE\üïá—Ù Qš:>°ð"0èV乊žW,¥ì_ãÅ­hý$Ù9¦ ”/À|£ZÉ<ö–Ê‘(ÅñWµÀ]›Q8 ªN“Ã(~ö¾}:-]ÖjwÏ)áÅ@;ÂŽßQ®«ÊBí”èÚsã,]hÇb:Û—K)4çŠI„©ò>Qõvªaì0±0Ÿ!•
+@¦ðÛÒGì+œé;D“±}¡Ð—ž~µ
+¡?ôèMô©ê==зÔf®2 ¶‹Mªf4ø/Ó­äõGáK› ”ÜZÕ†§ÓSþsT:ÆF)¸ÛÉ=#|2õÊ’ªö\:`¤Ú¼îÂKÉÀÁw{m 1ÎSk¼¶`ÿ¼6KÑôüc×ýhºÙ3IÜax>ójÅíõtããl'‰î0‚à‡êõ˜BGßÅΦòF›þí´ºT\Eq©S1r551LñYADôìå…_ˆ²¢ÄZZ
+¶?¨žC$‰ë»y„kˆâŽL<±4–þõ /nKgÓÒõý-ÏUÔQr?S²QÑð²Ž5úÁýГ&Hë{R×î°â'=ä÷ hþp·~õŒBtŠJ©Ip ãQ¼R~¯ƒºý ¬ûäŠÂáWv}¹YʽóëtÇÈwàe"Gx þj$”mÂëeÎŽ¾ê¸µ¯4c~:ŒÌ7\T-n×ÃO-ôÖ›2f‹§+¿ªýtÀÎtnCóí/é 8¸(8–f‘¾á• ¾/¿ÑüØ»e±Ëî'ݱ՚Ûïccp¹é`”;˜A®•!XŠ$zȪ‘¬ok¡u㉉„ìJ3<ÛÝä%Ö©=< ÏÏl§Y©Æh—!H‚z6÷xˆ9¹Â0ò‹±ó§$ s«…rü Ýv†AÓÁ´ÜtÚµŠ1ÐæêòÃæ¢ì`§a´ß‘^dC>¹¦D"Šô€zÒìæ/AOÁ}`Û%þ«\Ø[ÉÖ…ÙuÜíƒi“ÈG,djCÕÁñU¥ý´ê[¥!ë/OÇÞ^>ù¦ýó¾þ¿XWm&›ËŒ¥ù¸˜1gèS¸Àys¯ƒB÷ц7”qýCIvcØV«Kçâ´ŸS”JÚ*¢Çõ˜,}¸ VV ”iײ÷8ÌÅ÷Ç¢D3Œ‰¸¾Út_/g¬"0ÔF(YŠ[fnMœñqb/'%€o¶úú>"Ñ2.~ Vú*¡qèÅ·@ò:ýø¯ô
+YEÄáõj64ÍÔŒfÄÒø„á
+³=Ö²%öËÿBy otµË{w>ÓŽei
+"öpfÂjZä—‹ìêéóäëêg¯Ìû=aÕi6ux‹²cVþ7èïå–5“ýÂòÐØÞd ¯$}„bV¼Ú[ë/ƒ˜¢1Rçµdwƒ/˜L#©dR£W¯¨™$m¦|¤$:{ý®EÞw†MÀOüáMtáäù¸ñ6a´ºB–Ÿ¬V¦çæy:yц”! –¥m<î2w¡X9-]Ü V®ÌºêëyG;ç©ißÝ;³‹ö”gþBØJw„h4û¿Á÷rŒx™ÈÁ»«<?…ÿ“÷Œö°3Þ#9fÉ$'>¨£Äm*Èövh¹—‰Œ8êÇ@Ú^o·tEër_—
+îj1q<„I²žI^L7bfD$À¢¡ë¢1õ%Ó8Ó "¥›<øp#sû½åÄÎœ ÷KןFŽÿePþð`á`eæêîôÓÌÕå?;|a­endstream
+endobj
+678 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 1344 0 R
+/Encoding 1915 0 R
/FirstChar 2
/LastChar 151
-/Widths 1358 0 R
-/BaseFont /VGNWGZ+URWPalladioL-Roma
-/FontDescriptor 598 0 R
+/Widths 1929 0 R
+/BaseFont /FRWOFA+URWPalladioL-Roma
+/FontDescriptor 676 0 R
>> endobj
-598 0 obj <<
+676 0 obj <<
/Ascent 715
/CapHeight 680
/Descent -282
-/FontName /VGNWGZ+URWPalladioL-Roma
+/FontName /FRWOFA+URWPalladioL-Roma
/ItalicAngle 0
/StemV 84
/XHeight 469
/FontBBox [-166 -283 1021 943]
/Flags 4
-/CharSet (/fi/fl/exclam/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/equal/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/bracketright/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/circumflex/quotedblright/emdash)
-/FontFile 599 0 R
+/CharSet (/fi/fl/exclam/numbersign/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/equal/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/bracketright/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/circumflex/quotedblright/emdash)
+/FontFile 677 0 R
>> endobj
-1358 0 obj
-[605 608 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 278 0 0 500 840 0 278 333 333 389 606 250 333 250 606 500 500 500 500 500 500 500 500 500 500 250 250 0 606 0 0 747 778 611 709 774 611 556 763 832 337 333 726 611 946 831 786 604 786 668 525 613 778 722 1000 667 667 667 333 0 333 0 0 278 500 553 444 611 479 333 556 582 291 234 556 291 883 582 546 601 560 395 424 326 603 565 834 516 556 500 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 0 0 0 0 500 0 0 1000 ]
+1929 0 obj
+[605 608 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 278 0 500 500 840 0 278 333 333 389 606 250 333 250 606 500 500 500 500 500 500 500 500 500 500 250 250 0 606 0 444 747 778 611 709 774 611 556 763 832 337 333 726 611 946 831 786 604 786 668 525 613 778 722 1000 667 667 667 333 0 333 0 0 278 500 553 444 611 479 333 556 582 291 234 556 291 883 582 546 601 560 395 424 326 603 565 834 516 556 500 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 0 0 0 0 500 0 0 1000 ]
endobj
-596 0 obj <<
+653 0 obj <<
/Length1 1614
-/Length2 24485
+/Length2 24766
/Length3 532
-/Length 25368
-/Filter /FlateDecode
->>
-stream
-xÚ¬zceß³eÙ¶ë–m£Ë¶mÛ¶mWuÙ¶mÛ6»Œ®.×ôïÿ4ñf>ͼ'âìÌÜ+WæʽãÞˆCF¤ L'hbod*foçBÇDÏÈ PURW0´±14±´—¡²·1ü5³Á‘ ;™ºXÚÛ‰º˜rÔMM
-7µ3u2´(¸ÙXd,MíœM©
-ð|I¨
-‘wÈ»8hN‚ôÊà3/Õc¼o—eöÀ´ØÕN¦•ôJ? ðg»Xœ nÿP¸ ‘>; ø§7Æ£w#5¡Ôýº$O>ÿóL1<16:Òw>pŒK“MÆãOà˜‹Ë¯¥Z)ZÝL~Ó‘mÂ{ôÔ*’»RÆ¢)ï0=ã½Ég —\"nsYâ‚{s’?ËçžiE«vY«Ôè€9¡ÇΗ©5{ý‰÷r=Fa‘ŠÚòBLÖÔ—J|‚íuÿáq™ßx&™å2‹r&G-H.‹Û"]pYÝÝÝÜ
- "+0TjêkÉ™”“Œ†yF
-3o¡a³ ìR€Á ¥äËG—$5]Ÿk&”ÈÔ›îª7[ãúÞÛÕ3Üî2R×HŽƒvž>kMt]ËwE*–3¼m–ô»°˜(×5ƒ> ìÛ:¸øJ¼ü;xÏÙúãÌôÆë2àÑÞJìîKéÑTXŠ Ñv…—ÇP¤úJzöJèXëÈ0¨Ê@-œéÇ=$!áFŽÚdÉr ¸Ò*û3JE›1*-Yé
-5=Wx²à¶$_?äÑåŒ6i7ei¸pÄ9ÎA÷ H»æ(»Ñ4@ïêŠRaï†cû •cœ¦Ã™¸ß÷Rž¾Ï¬º/säæ¤Ux\Wx!’™²–
-ûˆÝ{Y„Í!\®©E.M.û¬BÛ)°÷d)”(Ü}LxÜž s1Ôú~ã^ZˆUø‹t¦íÝ]TV!ò³þ"«ˆêVØ¥ÅBŸ‰òc yGOiEåŸáÉ[1*‡¸8E[¹ähÕï9¸Z˜3q¥MÕ2^¾dŠ¼Da—ÌLŒû\ﶓ×G hàºõ¦‚Úr¤ïåXØx·à외[]tWÚ*¢å#îÑfÙ
-<ËnJ;ØW9EÛÛW0Òˆ¨š¡ý=OésmàìPr‚ž!at5nd‰÷GJ—‰ŽsÍï:¨›+|}]›2Bjr¹“Þ14Á© ¾qêE®l=ÎÙqXñEpõÐëLïgß* R-h^è¶ynªÖö«$¿1mcqm›àÍÌGm­` …ð×K𗎲©«t»­e‰åû—´´,‰#7Êc1^Ë XSú33<þÔ‚Q*¤ž´@·‹´ñi 2Äí­kÔȸ70ƒ@9}¥áejÎÐ
-d„Ü)-l ÕZv±uãV Ò‘ÈU¤‡éœÙù¶›náBFöR`i# VGö{Cà
-µ<ćI‰¡ÿ&)õduä.lõÚ…¾UF¯*뛦‡7æÛ–8*²I°m~¾9ÀP‹U¡ÐIûVó(B–)l;߸´JŸÒðQ]ìF¨ñÏ1Jò+î;©³5à"^Er5äg¶Ð ò¦.‹í5ÄéÄùm ¿Ž+[ñCJuM2Þ‰@¥q‘~+á Ûå(c¶öäÝ÷°œX³ þŽ8¾cçz° RŠžØàW+@U<G £»íã4k¨t‰ÜÕÏUcÌ ƒv™DÄkËGÙ’¤ÈÏC—ÝRÀÈcí¬–žÃMuk T»1ê¯c6n陌¡@3;måâò±ã3Î?jÛ—
-ûy›–C¬g›ë¾lñÀ¹>`q¸2'Ô÷éöu3GLiÖÌP‹!Œ ²ý}Æ>$íég“œáœ·íç‚ÖU½½˜.ˆU-”Y2„bIi—Iª@Vóàï¢ø=ú/÷!ÁÈϹ5ä`¨xÏb¨ðrŽeA¸ìö˜:0µ.m¦¸.#3 Ù\ˆc­t”àŒ´Ñl- U­™ésÿÏÕYÝ…žƒPòÝ×­uóÍŸÓð,ŠM{ˆêBCœ¾vb¸ÔTCR§dÚc¸eëq61»y«Ä'ù
-\®¨c­?šœö©?Q®ÉóeŒCÝ»ñ§ š˜PE˜©•Øõ!™»ïë¿x/ëí-¤Kñ1(LùË\1ñyBµ³õ¢§X‰¶ Îç°w¸­)Šë–·ö H!û!|½Ž(§‚ ÿ&W;©2
-çüø±Pu¯Žq÷¹<¦^RvÂà ÀGuOܶBžÃD@ ˆ•ŒVÇ8 ¿öýG^ÅÐ…ÂÔÜ’‚×4bãÝ#¼c£NðÀK%ÝíÖˆÓúÛÙ’<@´çªÜßp–oè°B/::â±Ý.û›QW3´ÐK¨Sû–Ab­ˆ‘¾IìxˆV©]ºü
-.o¥¢è›xÛŽ=m§<°·‡Ñ"a¿YDUrçÓ8å<Ñ綉¯àçËgX´½xD‘ WÕ^¤ú]ÏbݸDÆ~œiÐÙŒ9BWØðÅ
-ÀcYûÞ´Nƒ%„›#5ÆT½”÷ µ“)¶;ч*þý³mÃ{ÀÓš¿†xÙ:~rƒ‚æ¢p¡ÊOGÊ|‡{Â]D‡R—xdHi?¯e8ß#u0뫲ÒAR¢×ã“ŠomE°“Ž˜¹Ö1W¼V6­ºÜEÍ8X“ÂA÷M™*=´Î„ÒzÓôž½žC ©ÁýÖ v§”åfk &¡îKYŽè \ý¼üÎ-{7±¤mí‚0o….†)Ž‘TûáYª{è•ïÉ«ö»±
-!ä/woD3“*·â—þzöq¼7VwJ
-áèñ!r±Otž˜¹f{«› (‡*Qs­#òèRMc}çè–ßþî©vâl¿Ëñ{¸Q7(P#,L¿Omƒqäµ<­§5:Q™ op`[õ9†rïõNy’ ÃTñEs(ê”#„&ü¦»pÜlUÛ/æž@ûTn|«ywrõ¿-Yî€ÈôU`%vÑʽѠƒ OÞû®JxàuÕL¾ñ’Ã}änwJ×á L=ƒãMnižgT2älÕ§9¿ÜžYÄ'H£Öþ…öL=òlÆ4×…F”ÖÜ+gruǦÒ3&T
-ŒÓ2l8¨ ¦…þJoË¥Ò§c½}„B
-þ£ÁuâÖW¨ÌÜ|ò h0®&Ÿ#ñ Éúp覻Q ¢Áîjg”Þþ€Òƒ
-¹Œ'µ@O§þKlЭí÷¡‰ŠÆŸ@,Û—š·%¡°„`鸘\,˜3›}y§O’¢Av(˜igísø?/Æ¢ÉÇ1w«rû ñîäÐnfÁ‚ê;+êÙáNïõƒÓé2‡l §Áœúî„]î"¹àᛇ?ÉPl¾^·f˜SÊËq²æøÐuÑR™lkOVöÿ=išA1ØêþìÄ~Iȼ¼÷Ï(ÄXkÂç?[¡ƒ4"Ô <ºeYA/,vÈ•±%sK
-į´^ÑæJ4«KsGØèx8¤õH¯H{s‚Ï+³ûuŠwœ‹ä ”ã¶EÊŒ˜©øzV᫃‚³]ÃÎ+6%ô,ñ%ËZ"3vò;îÇšmçÊi-å:L~NY|Je™ç›¯¢ x*.º¾<Èzíòiw^ª(xw6ôÁu¥v8£½/DÕýˆ*Túøˆô´å˜ÜÍ-‰úøL…µ0[0îßÓƒíÅ·³nÜÁ.yÉ8vJvd;~­ë½cæ,²3ŒÙŶçŸ] ÊÞDx‘¸¯ˆpt¶n3õy(ƒ[øô¼}!µ}IDM /@ã¾#Á‹1éósùÉ©õZ˜F©bÓÄ$²>th mpÇÖ´i QgdË÷¯„â–œý”'÷t‰jP
-¨a§ÎßÿñóÅ,ÿÓÄ‹‡îRmÍAšMžbã÷Dý0ɤATédEü~܆¾Ë@¦KØjv¸ÉâU—xêÚ¢ÆhÉã\a<zµcé$§¥%¶Í¶pƒ¹&å}UfÍ`4ýÎÇ—Íþ–âløÑç%|·‹ùþ¾Z9}ÞEJS8M‚›¡W…U8¿ŒË$w¿ ¥Þ¬¬—ÞŸ9†êOw<Bì%ü®8~9):)AoÞ¸7ªü­ä«:jð²óð:±£Ù„xJIñ‰Ë¨X«`±eú~Ž‡÷ax^?
-!¨£ë¨…]–Õ•zXYáêàõ%\yÌ캶7Eiç0ˆY#@å¸÷}½Œd [¯)pQÓNøœhp‹]Ï£héFÕà5‰_¡l}ì„3\JÍŒ£“|V(TœàJÈ`/öç}¨³ƒú"-ŠÞÕH+áK!EUé_Œ{GÀÙð¥*®Ž±ä‘ôªýh¼WpbO½¯àXÒ´²öªºÕY¶)G¼—…V(n|rm¬6éC¢9q#˃r8|;Ô^Vü¡løà
-Y
-?ž®Ëm´¢˜^ÝkB°gmpŸÇhAÁ›ã+’½ ¦´ùCºìÛ* ¶‘ÊÌèmiÔYHjÈêo‘©ma¥î¨ÆŸ­´ºÁtPäšP¥i¢‰Ã Gö] Û,[wdbÕ8ì`Hj•¬F(!2"L<ý蔸ÙÌvØä_C8Z¢=|„Àh[œ_sbN~•–F‰Èå/‚œ69v98  ÛúIÀ[µ!w3¢ï‰=R‡x*’ÁÃ~ú!ñT™N c•Öd)ƒ—®²Å³`¤@À6«Ù â··ÚþóÿU±3«Š”ì ûe“ öà ;ˆût­án‡úÝqرØ9î]OÖăkp§OŠºçhÚqèìùœ*é4!QÅ]leo P¯° û(ŠpžOH;Àpn}XÈ&ùhzb}>-o1‚לä<OàÀ¦ @¬½*Ý·V†òh
-­F&bÊ_ë8$Þx£§Ë©Ã¤EpPKyuVTe͸H$ët+áÈC0ù“9©!I[ô6[ñãœöŽD)K²su;f–JîEu—û!šâ’ÿC4áÉ 69-úý£*ÁÅ-æu½!Œ±–‘©jM0™é'¨C¨Uä[,6ÒCé›@c=ÌÒ¾æpû³5meX†p>¥Qò{qAb0hºAxô¬eš–G¡ž« ÷·=³^þ•Ø;¶)îtŸ~FjÒÃ÷°&….V’‘bP5Çzj;êü;¼N–åW' ̓3Mçzª~®¤?ú%öRRl{3!¸ýGT˜òýªêbј?ÄOO‡ö?é‘ä4~#ÀLÝš7æ´n¢™hfì÷$¡Tk2­_+šçä[{p¿¥¦Ñ§t±¸s;Eº·øeÙ'ÉsH°]á#e­pÝÚB[NÖ©Ìì9ôŠ~+CK¹’´5vôÏ”¿§Åû$‚rq|xØÃñz˜¥-`)®þÙšî(‚–ÂPªã4·Áq…e•Š©™.\Æ
-·ò4«4é5Tò÷¢uv¶GÜL܈%Z š tÏÆY²éw*žw6Ÿ+¿ m;ÆèfûºlA“]
-OcòÖ†›k<²8ÞCà8
-?
-©çœ.Ñ1FЋd4èõŸDú½åÜüÒª»x+˜ôL½›’jËeÆYîÎ)}hïÌ)Ô…9Õ1$5zü6Åhæ¨dlxMË‘¥]ŽÿF„k§±œ¬Óš¥E]T‹æu¹ÓyEì±ûÜT¨&š(H‰Z­—¢ö³Ž½%ÒánôâÜë#ê…“ jš-¢Í-ÿ1¶ˆ†£iµÝéËõ¬õXbßÄÂxò6Q‡kWPNÇ<0z%ª$A‹\Âœð²j÷À®HÕ©”Ó"¡°~¾üós¿›éùÀ_íÝ 2mµ9ÐQ€’TB†@tÁTõ£;ËEßWEÌDÌ­ŒguÅ]gÊf)"PÆÖâ1¿í^‰šVÝæI×ÐK‹qùÍÐX ŒÊY€²Âú1Ž» vp9t#ûÎvCkÏToòÏĦ.ÚÒ Åp¥Øð*ÞÅAšàal.‹Òj¨BNš®)s\¬AØ(-¾Â‚`}¢þ•¿¹t€ƒ'ÚÞÇØç¦Á ¥‹i†Ö«nµðý“kf—P.Ye8ÚF‚Hôóž‚^AÅô“͉a'Ô0Ñú||{†aÑSOKn§ a·¯dŸ‘æjlšTŸxCbyŒÔí£ÝñÔMÊuÇiYðr‚ÐurÚëxªnø˜n©œ0’Ýø$^´' J#æ›<BR3o°Ð‚¶.×Ò¾²8tEiÄ™h¢x]{*—áª-fÓ´‚.$žÂÅà>Q[ÝèøyE˱éëˆî¯Gj(Ûïh>4±ï3vÇ]«×3…1Ox/n±êψ´Ph| \k±Z/BÛØ;n~ åá*`Ñ,n·¬§CßÓ5‚ó ÑÜßÃû‘aèTq«ý’„,é±®²ð%¨¸¦¸H™˜þ_8²ºlH,ÏÉP?2N'Ë¢Cs32Œµ]•Ôtf… p”-Ϩ,ùï“Û³É
-×ÝÀýr2`cÑ•:ï_ï6ësˆBª
-c[/ì¶}1?ƒ8»ãe§Tº¬lÊ£ÇÉr´Ð–†)ˆ?~%@{$û뤓Ñ_•LrH›¨XòÅz£²á‹¼££N5R?Pâ¦&+û•VÕ¯5t×PF¢×=Œ'SÙÖÆš•âˆ7”Di´ÔÍÌÐø×u¬÷“„Á§ïj¾¨Œ*Æ'mÓåÍF×™9j>"þ ªƒÎZ—©®›k²‚ŠÁ¨ùéCÌÂ\ìżÁ5ÉëòöƒlLÆ£Ú€víE• (Š_‡EW¹ÞOèIBai°…@Ôóþ11šÏ[;„
-mø-³²a£7 ™ˆÑ4yª¦” Š.éw- áÏA&7–æ˜hæØ-syÊýem5ÖÔ¸ÙR—¹Õð™$¥£–1u*Z&‰%6Ù0å!Ù$‡"˜«¸&%‡ÒæÖzMUôG+40\ëGBÝÍßYi”¿¯Ã„Ä€¶MõtÞé1ûi
-˜¥^nè ”íêç•âÎ,ÅŽÓ²:$!¨5]š¼ úuØÍÿò´¢·8“å‹ W"°ˆý¡VN
-Z„1Û÷ ÿêséGe<hˆ-r°-n®õTÂg “„ÖŸÜ9ëZšÀl«zÜ•k²¬•2¥‡…à§+3m¶X&Œ5Hãe,*Vw¢®_d÷¼øjdnÅ”ÍfreƒîL¸nüfI‚[xÓåƒ÷T%Í*pîj¦xKÙ•P¶d¤”¾Ò–f
-Ã,7p“o#ØxpÀÔÄàZ×LÎÌæ(4= Úö]’p×-¦’­×s0‰!±§² ;)‰²†Ó½zK­P°,v“)˜¼6=.½3Œ¥NN4uwÁçkŒÔi?ßÛ‡½ |#ÝIgÓ>³¾’!!\¡»NfM;–ù€y¾u/‰m_L‚{Hàéš41,³ø·YŠ†ÈEh+þ¼¡ÿ1ÿÁc¤Kw‰æ@áðB­>sÑX»ÒVücdåªïÄ‹5Ëb7½ÆR¥çEŽ[/Ò†Ôü‘Î
-)<=U|xxtp9Wlz7;B#Jk•ï*$¥:˛ɚ§rSWí»ü¾‚6Ƀ`"ëPÑÙ8f’cDÍ3UO°úOZ5i”ö ›¸¯Z¹³uzÏýåkÒªŸÆû‰Ô8è AiµåD¬Ê¯ÌÌ
-¹J)°•§Ù´0 ×)NÇv*‡ B×ýD:)‡‘>}†rB¯csÏïq\þ%2Òûà<óÐYZ
-Doµ~‘áNÞÍžb…ü÷ ­æ»!µ«u`º3漺ç •E ¹ùÐÇð”‚çR­¾m¹mì?£••
-Ÿ‚„¨Õ¯êF ‡Ü–Ђ
-z®Ìx"q¬\?™Lüú)#¸§˜y ^d1] ÀGó¥­KÝØL·);68Ƨ!i›Jb“<šžôO!™¹n-º’l$ø‚æiÚ Ö†/­
-ÉØ!úzZûE¹¡Ü˜V]‡`ü—½H€'cÝ›Å.æö–b:ßü3Ù ¤#sÀL¥ü­&(ÉÂËsõÉX›èœ2?hv†¿óÌïÀR‰¦Ý‡uZËpdÛO6-ÿ(¬:Im¨àXsièë³Ñ=Û:«OÇEû±êï)­ådÚå_n5~G¾¨íÆØ"6M=‡”Bä|àaá•$t&0c®ŽN,–zQÜ!ÙBþ†Ó -)˜¢½ëò{^¸ƒÞQ3@TÞù™4ïU½G7©æÀ7òyÎ%]öH|½éx\|Ýso§k5k„«º§8çQ]g®êWø·]`h §ͧÂUŒ 5¾yoÆ‘Ä ‘
-¢š~µ9•v7N€¨Þ„J‡ØÜwº€µ´íµ·S*ñ¦×“ç–«,yóîö†ã‡>κüXÎ!M ]ÜAÃÒ (V % ?9s6÷%: +ÜÃhë¹8±Ã2Çœ»Ädñ†’¸ÆbäØ\Ô&PèaåÜS~žE¤ºÃ•P³e}ŒC’37@Ðì=Cù¦9Ü°hcW7£v)P½¹3ùx%ì=Q M–ýHÕøÄ žª ™Iú+|W"ÁÚÑöq¿–‰c#}~8ÄldTÔ›#ì‚zŸŠË b8ƒ½ÌàÚ/V}zÑ Eê2eâ ƒÂIyP™!Âp@÷CxKŒK³óì>5A 3…Ê‘–r0صàŵ€?Ž=µ~‰l~lE½ ÚÝÄ>=Æš”,S ð–lö-ok8‡ªâ7}
-æb¶+Mƒ $(-TbaÄnÜÏ€³î¸‡ë7›KæÓËŽê¼`ËØ”!êQÊ—`µ{y±>Ñ:ésHçz¸$-©žY¬|ÄýÁP/[0«'ý–~õ™î!;Þžù
-Åñf!*BJpc3w”Ò¥õ½
-_¥êûRô9>Î1t%¿Y¯ÉIÍefæ%ÕÇtìÁS=·Û;éÇË»â Ófé¢òðÒ?­Ç^|cgGKgËhçÞÓüñæ³ø[ <£ªFö:&Ë¿H28*§ªƒe*ÙYƒ”p>Ÿå‚žq$®!W¤²ÉIÒᆘÍìôµ2'h Õü›eÌ‚¯©ÑðúÀ†\¯E>æ$ü¿ÁpnNÌðªÌyÝ„¤à ÈÄp©É?·~ºÇiÚŽÐYçÝzC£‚un`×HK`ÀiájÿP~Á«ÕáR*Uk(ñÞjóe~?r/]S7 éÆRúí;|@“
-ðÊ C@
-]Ç]½|ˆmë‹0µZ~Vy¾
-‡.Wƒ”½‘ð®¯c[æ±`¸}Õp{Ù§EÞ…lž=E9Yðuh­`‚ø-s™Ê‡¡Eæú䊬Ï›1
-|Éûw°©ØâjrÉHÒ,É‹Æ,CbE¶—»Þ^èFêÛ9¹çnx,9c¤œãÖxrí“Í$åÈ£˜Ð^òK~_“â¨ö «48
-+ÇRaçÉç²7[BÞºé¥4\faZ€T ¨ÏŒg"”¦¡9¨™_Ûü Cµµ’)µëËÏ ‡8Ÿ]ÛŒ±î}èÀ,??õbÒfÞÑ5MË$_ÿözÞ?=¬
- F]|N—éUÍQÌVá°ÊEšŸk´`ô—Y±fD T‹¾g뉓Äw„Óg"‡ÓZ3<Ýãýøð£ÈZžp Í M>3ίðåñ—2ºÔ7¨ažb8»×éŒ5!‰Ñ~þš‚ ¾dm>Ú¡³^óZ¾7±YijûvV +Ö²¯LL³fúêW‘¬ñExm íˆ/˜Ö39¢N1ÒŠyógõ4R–(,wV:Ív¡³)·…âÃÚx‰y¡þ3éT–V²`mÁ¦oA¼,×Qf*Å
-†ìÓg¤…žVVÔMˆ"óC>”-²™é=$uÖI€å°•p„ Ô䪀]ƒy€
-áSý qÓS¿ª†R.“=©Àô®¸å)léj“%ÕÐ}PˆJ®D‘é=œ¼™–Ïßõ‰¼ØÇ´:4]‡ÔÇ ž¤=ðøsÃuú³ä0A*›Â«mõß¿5Ä%#6ä@¾* æCàK}‡õdƒÖô_?±íÒÑaÑçpZöñj¤F{ªUpþ¶«EAHJÉûµGCåF=f
-wÔ84<õòN!…OÑÑ
-Ü*¢èp^ö}ÿLl QÛÊyÞò0æ[¢-C »=šK\ËÏ]E4ÈÐùëx´¾O^ƒÅZR=á¡ÂiüÆnnÆL´—tžú[­!ÖŽôbkÌ zøCt0p n€òA–Ý
-ÉÚëTÓ:ó%½ó»êó×o~EGvQw—a“Çu!à­ð|"È®]åû2Å[_“Eœ(Û$¤ú±KÊ'lÞ‚l¾R‡è|n8²D®|a/EÃÌ62ØatŒ„RàU`©ÌÚIËÅ«|¨8[d J¸–3Ò–SÖåä9òsÛétiô6jÅÍ©uÂd\þö|ƒ±¡]Ê7`WªŒÉ?¹´RÜð¤ukaØŸSñƒZÂì뛋ÂðÌ‹Wõ?ÕxZJKu`Ò£{žÉ‡?z:RÎ܃u™ÞrZï°æWð\¦ ÐÝB¯Ü$±
-•m›;ÆÖ‚N‘šI‰Ì>0åœ\×ÔÁrÁ–~¿ß¦Wp—|@(’ý$&hdž–mGë¿L‹a1Dx,}ŠÊq—›ƒEr²S¤ÌÂ*—; ÒžÏpòbÜ‚7§"suÊ–XŽ¢jÅVvdJ9e°ùZØü¢·±›¡6 Fj’uoß@žÕÂÏRØA£šÏè7±R³ÜŸC¿«=¬z«R(–&HÍéE×`l¹Õé<˧2&žù?Ñj›]#Èvÿ£ïo¨ðk£â„ÕˆH@ü‹õëE 5XVº[੨1?\ýbûìS£Ao!b1/ѳ§‰J<<×*½´—Ô [,'{11ÅÓät—«‹É«˜Ù½U,ÓF•€û?çIIïºÒÂëGS#Íç‚FÄg ñf¬"Gh€ãÄ.OÙ[‰]W‡BáSdSÔVÙþ´¥àÍü‚íLjÚ</p´žlÅ
-"ˆ§§³±ªn†QÆöš»æuðÕ¥L(¥âŠv0Bo f¢Ü{¸ïÛÖˆ,`,3Ìýá”H¶ÛçÅ×í,°Ÿ\ýýæf‰­_[äÙAL·É<ê}<òZYšŽ¯×ÎQ6§¨Ñ<¨ð¼Æ5¸¸@7:ë=zÎ0É /¢¡§ZGVv9ÏÞ9­ô%çŽüû΋tå1áy¨œ½¡¸­d)稬ª2Nš vï“ÞÆkoö¢@~¶Ï©žä­ö»cµÞð(’/gQMšÉcùüZÞ‡pªÀÖugâ2±tcÀ‚ûcâåwÁÀ‚û"”ñ3džQ0eƒ¸®#8¶W¾‚.¡tøš‰f@¤¶HðÀz+›4í¤?Õ_ù`
-W;«Ä‚üUh&ÕŠÒ¥HSnFi@YüáŠFr¹ûjØ©ô‚üîŒL0æÂú]ˆ<‚V!}–K/iú â uXoJ–{N4YcAC†ÿÛ€/i}hXxQ_²·vS|PIpL‹OÎÄÿ×éÉÂNâÎþ§%ò¢®#q=‹ß˜‘ëÞÊXì¸o^t7eˆ×WTæ4Sö0XÏÖYò€}6Ü›Z²ÈÄ]}rƒÌ:±l:# bkäÝ–aÌý·€®Ï:$œäDDöÌǃêŽO
-³š}±ômCa¨œs¥”—žÀÔ|%«¯bå„ÊÁ®U‰P¤ÑU£3ÊšØ=çäÁὦ½Ü j Ë”“0ÂÀ²Ú/ÕH«’º}Ÿ½'ÒôÃûψW–˜k† ô@k«Fì¨,çl÷Œû[o½­¯åÏ HQÒ‰…< v:Qñ7~to‹ô îÍñˆ”µÏŠaT'cΜֹE8«™É&Ö+¯«exÞÓIþ#êÀK„N¨à;=/mÒ,ŽÞ5êgné*š^D‡S "‰±­pÍq>Ým…’º>à ìöû×ÇãJ@zæxÕÕFW8^
-.@ ü,ñ“`aMJ!λŠ6N‡ú:žØ7y|‘Rä, ,²àMgBˆ·»¦8o¹®(QF ™³nZˆpZª„;¶ƒ¤Ää.«³:‹}ïþí¸<$ÈñÄÙ“†öú¬vdž“IF#ûeyùéëBCⲶtÊgìvve] Š|(Ü©½ÞŽÖ2Ç
-"IúvœÝ~ÙuÊ)k˜ˆB­±©R…Vd›}‚Áà,‰$™ØmŸF3S)pŸœOigRD['ù<пi[Ïe2rÃ2;í¢Ð ŸUATþV]¤·êœUÃþe½ø¹7ã “àìxáO¹¦€`¼Æ!³†…˜I®‘fþ²¸<Üzm7—‡£©ŠT›ä% €ȯ•“º»®bÔq᎕ÂÙxú§Åd%]òR¾ˆNa†PåÛ‘Ô›§­ÅË·o#=ç’™¦™›ý&à¼)g‘^%›Ï¥ ‘¹m8®à†aiå==çƒÀ¶ rAao¼¶5–‚ñbP¥C‹ð¿Ú7‡õJ@ÙƶÛ¶m³cÛöŽmu:¶mÛîØêØæù'÷ îì|§`M«Ö „í±-!‹°!Š£ñFll«šuÿ¶³àEl°è^÷ìQú)æ<3¶ÄeóçUU$…»j×~a»XL^äMΊþùýê㉃j[‡‡·CÄ*Ä⮈àÒh‚»¦QË;u|ºUw">,œ¤âÔ;û2Ùöí„gè‚s+‘뻹ˆ5' ò5lÞ¢
-|dà3E¹Æ:[qáÚ™£ò|Q²îî
-¦A½­! V™Ñ«ô¸õ!UÖ‘»¿ûZì´àž÷¼ˆ_Éx ºËEµz™ãŸæ`ߎµ1BT5¢S.t´ÕãGéÓª›Jfƒ@áƒüZ~9:מÊF&–es×A·„^_Òj:Š54e°ñ2ZÅ[»É8
-ïZgUñYÄÙšf8Âôd¿ÜÕÌ°ŠkÄÇ‘­Pöd¼ùCSÖèJEAPÖ6ÿÝĸî­$˜ç¥Ç§¤F§Íä0'tÀ¸í•kØ0-öÈ*¯X&ÜÞÎe0ª"Óž`1Ò‘ÿZJPé‰|ϪâŽëH¸Äo¯"0‘y‡Äúyú#gcqê‡ót}_/ ^ÈdkwÜÙíúòÜ×›ã“3ųʶe/oJ„yÍ,½ä!…‘NV§7S£dò=á`ëNŠ°›½7›.5ö_4cå6Ä}|3mÏ ‚¡há9é4Î…c ÄæeG(½¯üª§!Dî§Â‰ë%mëÒI¿lbÿr?¤áoÛTZô=Éé–‡™Ã¦…ñL22–ÏÔW‚b²’BžÕ”1Ó¾=ne AŸ˜ç¾cqaZ *^"MïpØ
-f‰ª^±Ü‹ é¼E..ƒ§úW÷#^ߥ3áÖøfF,þ­œ{L$ÆLÜ#b
-%Ue
-ÖÇÿ$»R‚0 °*kpC›5D$*|º™¼g®yÓà\'\óK[3;pÎH·û¬Bêš<\)Á\K¨mù*ªýùÂýÌââr¹é'É‹ªí³=Fûš°«'d<šgîcŠé'U ¾³ò)2.š9V×Ú›õgö#Ë£b@KÎåUÉ¢*@!ïXw·)2Íö«+¬CYq4¿1ww¾\ò.—Ôd]?Ù'œ¥”c8
-†n|»Aº§D f2=]SÞºž2])ø.¡st£%²pΉ“Wz6kJgýòÇ“ô‡a³ö—‰ù®9y3jžð:¯·®sa³*|Ë—~Þ²A'±j"‚a<tÝÜ¿cžB[ŸË´}!ÃqÛ.tÞ¯ÕŒ£ã¶ƒ3
-ƒË[ÓôÚ¯^dþþÂ()<е€â¬‰fL^:Q+
-*ç+Ë7t±;¶Ý¢ *%:‘Õ]=âï›Ëu'–¸bȦ•@ø¶$®ä“Ns5>7;mjo'õ£NL)H?”ÌsŒÈÔ$aËê×tPf\D:. 3Üí ]0ŒEFöáGÌåëd\W”%mÔÀàWíQÎ1‚Ôé^ȃÂgì/}™ïTJ@f¢”³ìr'
-Ÿ–YBAí¿†ÒŒê§äkÖÁ[„Xé„5ÔOBÌåçŒ;ç0NGGw¶;è‹q
-~êŸch]8-ož¨­`¤÷3oi>ýß" C¸ð*$4üÊVÊÇà-L>?´<²èl7“xxÞŠâƒsÌ™ú sŠÒµÅG
-‹I: "0²sŠ|¯ÕÁí›góij§6W]˜d Ý£,P•9Q¦%·Þ$,æv'){Ù¨«wÆ
-éɃSaåò5¨îŠ‘NK÷É“äQgÀeÁŠã*C†QÊú;±W¨+Ì(=ð¶ðr ¶}!YÏÍê»pD™Vµp¦ÔÃHã/°²\k‹÷ï-7•g;먴R‡:g\;ìÇiw^îmÖºÔ£…&ú§uâ@’åàº\s›eðV
-ÕÊz]¹§0Ë0Ôo{„ù9fJY?ó*î ^”ƒðé )U_‚)(ƒ+ |õ÷±íàõ§¼Õæ÷ãæGT jO×~ªØ:_†Üª63+‹êËí [ºšŽjJ½põŽÚìt
-®Çïu;¢¸a
-X§äÊÎ L‚|]BuKÚ ãªX›ŠŠji·ý ÜÉL5ÕvÜ4±bY(G¹Á©{»QR3œ”äï³IgÒü»IlštêÉÛ|ÃÓD ¬k{[Åi6Þˆâàô@ðww=ã›{Qúã¿TêFióLmò¤llÃ?æáúnÝöþÆžçètÒn¢³¯?>
-ukóñð^$r­…ùÛ0¬˜¡dâ,ö§éi¶h9PϹçÏX+#œá-1kÂ`þ73´>ÕÏiÕ€â9rµÖîÍu1‡[
-.òvŒÆ›ãWa°r՜ܔ`Ÿ}ö¿¯ÂýÛwq¹ÙïÖ”‚·0®„i‘%Áüwþ!W¤Ìëe²Ó
-¿£JÄäôÀÈ~ ïbþCñ÷a¼™V£;Ò9Dáö$hGSú‰</Ñ¥ÿ‘)Ƶèl["ŸV±N5Ò«m‡®ÆH©)§âÀ­ŠÐûÏIÐK¸ÖÕ«\U…ïÁ#ÅXa!=*ˆª]!ÁîÞYÃÂídï1šÅ|âe9}âF+$r$SêxÜ”d2Ä“qChŸMH•ÛaÄN¨¹kl˜’?r´š•mnr"CÀÂ8Ô@æõ%<"ɾ@#Û™ÀÓÞâ™ –ÚÈöÀ0ít­Ež”ïû´€šÚ¡MÜ™:ãZÕBL•wÛ{1+(Úéï³´æ8ÿïÕaÐÓ#ËãŽÑOE‚šy ¯ý”lî:¬¿_À­×þË=“ {E‰¶hvî~s2Ѭo¢Æ7u ñdØJü7¶ài˜ñÑ »[ïtQÅ ™ÅèøŒË;pÕKôÂãÃì³Ùì§{´3Óàr^ìI¹Úw°Úç)k%P>]À¼#A97±§ãÈ*Á¡atìm}¶—†mK•8ù6T«Ç}þÖåãÜxò`žüyþÕ\ÈqïN51FA1Â'Œ‘uôÐÅ42î²8ݕ沊° Fô„«Ô¬àCøb&åûlÅ
-.ô.!¯ ùŒl}‹²-ꦚ!Î(®dìQl’ç0(oih7»"âØS ~M¹û<w]óÓË»Tá!±Ú¢$‘6¢þ‚hx}}åPyOÖ”ñÄ.¯ºHƒƒ>¶%úÇõ+°jÐMᶵ=$,ƒ‰½=öPSÆO>ßʳqa—ïñˆëo"èäËÇt>U¦©Cði‘‚1åÄÀU±l¾Ø ÉB½Wiõã(¼šQí‹Ù».¬@Üÿ ÄñŽš‰49c̤HD–…P=ºÝXt>-š-”ã¸4•öv‰_1E‡1;K-ÏŽØõÆ©É-4iž æ5¿Ó³ƒæ‡ÈÌÞ\Ô†ë1tD‹ÈÄtŽËd6_EófNñŸZ
-…¯oÏà’X³`G ÊŸMjâVQ̼ó{?#ü{¨
-ÿ†%ôAn÷«Et_I^}Ü<&ì°ÄªäcY:/‹Èš 7Ôöyvcªð, +´Âpmê_oS´±KR*\ÍeãzÜ­ bfú0óz30s–ÙXsø1ðniȹ‡"/]vºrÊO‚0Ð4.²'‚çàž³ÖVŠ¢2ðm+ø«Ö°ÎhP_  P^ÉòâRý;Ð<Pyâ6°™ba]a ~”ÿ¬˜òr¸2–æj âÌi@ç‹Ù­b’“¿ý«M²ìÖ@o“ð)4âéØIM.Ñá}ó´Oqu#Ú­<ko²öžü °ƒ“2N%Ûk¥Žw¾_ÃÓ|·,xr»¼uÁ=…–/SVÊGã¬l¹`³–½ä{íi ¼X\n®^>Ä“œjÒ Ë&Oæng•Ûlý0kôÂ7¢mWÌçO5RŒ0
-ŠÇ½Íè÷å/‘:Ìé5b"=žOæýÕ0Z꛳Ùø¹'sä3âçDç&EÇ
-‘ƒúS¼×¨,î$‚Ñ¢±Í97ÅÖàb+𶡸5f‰ôÍÄEáÄŠ\u’ Ϲs?
-¸ÑàXÎRP*;Výt”ÄùYh.H­ ‘¦P‡mºx¬KÆ2¥¶­^’f²­åå¨t¤Ç´gˆîPsÐ;íÆžÿ|>w…Äv»Úhwò®â€n ÷¯ü×@(áÆzø­³Æ)±GÈû Ðú¹'»ÐÛºäz÷
-ªCð’󬧌¤piÅ2{Oe«pFañp¨“òK¯Áf¤wÍÍF¯×p˜û$ð«—þ£R>,ÈÃð2*ÍpÃÛ@Hd/¿«–e†‘[Ã~“®ä“Ô‹Ëq˜øeˆ ÛvŒëkmÆ{iâñø*@À˜BAY¸9“X±Än©StÞSÖL( J[/ÎtS> üÆ3Ý[מ¢ÿ}×yáõ
-êä;ã¶,¤ R††§t«É–¯Îo$–Nžù˜ªÏÍê;~6owAõÁf=c³½ŒÎF[Å„æù–¢ k¦ƒùœrÏ%ǨTá…äé ~BÖ|®âËGbÏîå ȲÆà|RMì^ï6QÌHè6 jRjôäßÄËèT[\ûâ‰RµÃÂ/H]\qfˆN¼fc*)¥Ö`õâÌ<ò&$´­†»€ËVÑ’oþ¤qP¥`•i«ìÅ“/‚®iø=ÃØ…®¤ ØH’‘·LŸwžðˆVßÉÛ¤Xù¹ ‡¸N‰UÈF)ŸùÍ/'!xx2¼yT.o|³ìŽò©ÏÍ#$£A:Â>§%÷ˆºjôyáÄÅ ïaÿa$îÉ·FrQòÖü›¹Ó+üy»¡B•oV”`¦Úv
-&®[öà"¥ƒÊr0—®£½ O
-‘pGÌœ'¡véÏ jËN‘D "jÀ=DÆ/¬?õKjNêps÷y Egð¸›âæÑÅÀé¸ eZÊÌÓÉj¸-•0Ýàµ%‚aÄ€%’'ðX ŒÞy˜ ž9˳Õ-AŠ^¢&‡†¡Äú¢|;“õ’ð­[Õƒ¼“x¦Ñëc-£V^ùéïÎ$W‚
-cd(¨[÷[qJDü­5›UÁï¦ùúª“|i‹DÞø£– ¶8ÐÄÎ9_µàé4dað@˜Ÿ P´¼jp-sð}Æ÷FþP³‹3ó#¢•Cø°¯‹ÀÀ«£“TK|å÷lfËZ¬h'B‘@á4u®°8ó]0tƒˆ‚Ÿ·Èr»‹•Å!¦¿Ñ TŽºéør:4xé"&ÅN Œ/S;8gw¿…×Û¦‰*™ÎûTáž “axe4ܧ•>³î@E ƒÉhª…Ê(ˆ·êÃÖ&L}n³‘ƒÉ1rǺj,ƒ©}j¯Ø`í}¦|ÙQì¼¼ ó.òE)KïÝ’|³I4.Î3qÉ-™ÑŽa‰~Ó»š—8Ãd®HÎù¢záá~oÍ•ƒtfž
-®RÁ1æ"+Ob´½ÞnšŸF±¡é’Þù4g?nhO)Õ"AD·â™¥ïŸÜõ׶auE‰ø–ßl·
-ØNB†@–·üa`laø¯"kÝ =“¿'pr
-3c]MŽ<Z!ÖYЙÖÄÊq̼RüÄ“xìqñm>*9Œz±â{¥ò˜r»¨A®€ÎVÝÁã¤þ칧ǘ¡O–•½¬€K™òLÞ“N¿b ª:"eä%‰zÖ¾˜+°¢ v¯ –=üµ{nváû¸iɳ5@“¥¼ ŽÀQEG}Ò="ÎÊg2¹k}rgÁÎaïÄbF2§«:ôq‘l5eúY[Ûh[Pz
-Õ"W›‚HóoHëg AÐÐYqo!a{In&Ýq7õµÊ´…B„ì©™-‡–¸ ²“ÑÉ@ùïå¿ûïz‡^Âö[ÏŠëN¥ Ê ‰/\Œ«6Å:ê×c·•©àÀ®Dº¶6?i&Ç]ÊÕ#¼Ð‚Æ›d¡&~ 1 ¬çúàˆÚa;ÙzðBì•9|ÄyôÔùõ䢕)²röTÇÈ]ÓuÅ…CäW®iCê««(LjS——VL¬'@벎3ŽPœ2sJƒWŸ’÷/-pxÇåjØ !Ã1WÕ3ûg¯èê­ø;øßïv!Çs8mÝ{¦b µÏTfkŽžý¥]ÂÕþÚ¼þ ä@’èQ§üKþDЃU³øøäܯ Éí£sfàb8äª*neð¿¾=à8XçRâÛ5‰æAD>D?¯[6ènºMeÒÊЪ“Ž\Ì¡Œ@\$ì1‰ìÒ%$¸˜¿Ó‚j)Û±œžhÄßF%²&â}–ž9 ÷»¸nqôM‘棆dŽà5<ƒ(»°äHd´
-ÿm“'èZÿm+‰pÁB"ÊÚO‹a££‘Úàÿa¥ÅCîp7¨Ûw_¬QOuü"’­8ÏΓX£ìì?³F£,  »«VH¤nÈ8ò»‡Ö œ»Œ¯WhHâÍQ6ååõ0bÞwþOäÀG•tÙAz‚ÿr½S{–§ÝrðÃF5'va¿ ƪb…T› »¬ñº´=:I£V‹åc¢pf€ÅFw”™þ¡±šç©‰Øô:î»:·€·^Ϩ„¯¶qzº QVàD~Í‘6‰
-Æ94£ë Fsf‡U…ÞpÃxò¯*N.sžuÒ7#0÷Óc‚HÕ˜ –âYph9ÅUG— Þ¿¯çÖëY:/¾=¶'·2€ùµG³<~ª:™HJë¸p”£0L;µ/$
-ŠÝØfxö7w÷Aꎎ­L¤³íXUòW³.’¼ª’;ÓÓ¡E"Så]FÞÉÊÏ"iòmþò¯Ñ7„ò—Ú+ÝظqŸKÓ™û˜Žz„Œ¼{R?5ùÁ.’ª–).ÄYðñ¡“ÿ’‡èa£öî3Mä¬8; O'ÂÒÃ{(:õ„
-2 _LØÅ£™>÷R¤½¼
-NÜßúú
-Lœ›Ê%…LeÌ¿+1Œ-•*ŒÂ0G70ýo2ˆ…"³ôd°Ç\g¶i7±ÝâsqLÆ7!õòîÏ¢{ßr%tCáòA@òÊý»ÑÕ*k„ï:qÉê“2²)]dÀÒ‚¸ê‚ƒL/j”ª®äQéâ a“H'‘±èñä^¹®˜%ö/ïŽö»Gž¤ò÷»F¬Píù'€.wÉ¢‰ç’‘H=¨>9ŸhxÓ~TÑMÖìÜ‘œ\nÁ¼)¬2ÂÆP¶R7wõ/qiÉ#·gD^&Ñ6JD»‡ùþþµ˜‹VÕz<ƒªÕ!
-6_mŠq'2~‹Ò=aFŠ†þÐœ²?Ç ¯Z¡._|;l[×OX˜àJÁ+QGýiÜZÉP&Yyf2—<²è•rŒG Ü75·ïá3òŽÃ#z‡FF⨾ãúF4þN¸ü5àcíÚ6P·¡“eä è‡Ék¢œu_KŸ¥°L‹*·éñ0MH¼CrœT>Ü㇟x FÿàRÂB_!äµi¨NÙ%$hâ]tÞ ‰¢èÛîûs¶¼ª=nù<ü¨òÁËY©ÞØîƒQKñ™ÆýgF==ˆ3šöùsCì¶G’Ð!YŠ WaðŠ +·Yà¾]ˆh‘!{â#iŽ»¤"”¯ùù4bwËZ¨X à2&£‘.¿l=b, ¢,Ùl<aâr7à')¬Í‹RQÜ.)ö2—.‘ч¥r×uü)RÖ\-Cà"
-¨{0öÊðeh饑@­s£²çäV>ÔúAœ¦Gôì©5W0!ÒãBîV\Êå6ÔÔëߥåíýŽá;RЭ$øžv(Ó@ÃICM«Çv¹Ì_§/# È
-ÙÌÑ‚§õ±Á¿2å 6ôw’ä{0ëó¬+/6A3C¿X ¬Ÿ?
-¥0©j T™¶„qÚ]¡ÁÂ'DY¸ ö.g¬Âñ¨û ;AJÒ´á¿ÔÍ­[ßÇHûaA@Ôñ ?ÍJµAì»tI•%[Ø­$ Òð³"ɾs™ÿ?÷€ÿ
-endobj
-597 0 obj <<
+/Length 25647
+/Filter /FlateDecode
+>>
+stream
+xÚ¬zSm]³eÙ¶]uʶmÛ¶mÛö)Û¶mÛæ)ó”«ëû¯:n÷S÷}Xkfæ92GÎ{G,RBy%c;CQ;[gZzNE5ykkc ;iA;kc‚3 )©£‰³…­°³ 'š‰1°‰##)½‡£…™¹3ùõYþ !0ôøÏÏN' 3[²ŸWk;{[çˆÿçJ&&Îæ&¦Ö&Brò²bäb²*b&¶&ŽÖò.†ÖFÒF&¶N&¦vŽÖÿ¶ 0²³5¶ø§4'Ú,''{#‹Ÿm&îF&öÿ¸¨ ìMm,œœ~Þ ,œÌ lzàlG`akdíbü»©Ý¿Ù;ÚýDØüø~Àä휜Œ-ì ~²Ê ‹þOgsçr;Yü¸ ìL"íŒ\þ)é_¾˜¯³…­³‰»ó?¹ MŒ-œì­ <~rÿ€Ù;Zü‹†‹“…­Ù1 &p413p4¶6qrúùÁþ§;ÿU'ÁÿV½½½µÇ¿vÛý+ê?9X8;™X›ÒB10þä4rþÉmfa E÷ϨHØšÚ0Ðÿ›ÝØÅþ?|®&Žÿjù?3CñCÂÀØÎÖÚƒÀØÄŠNÖÎù'%ùÿ›Ê´ÿs"ÿHü?"ðÿˆ¼ÿâþwþ·Cüÿ{žÿ;´¨‹µµ¬É¿6üÇC MðÏ%óØXX{üßÂÿ{¤šÉ¿qü¿¡H8ü4BÀÖìG zZú3Z8‰Z¸›Ë[8™˜Xÿté_v[cGk [“5ÿÕHzúÿæS6·0²²ý§í,ÿæ2±5þïÔúq:%!M 5ªÿóFýWœüòÎÊö?Ôþ½;ãÿ\üƒ"(hçNàEÃÀÂH@ÃDÏðsà~øp0±øü_2þ ˆá¿Ö2ÎŽîZ?eÿìü§øþk¥óß`DlìŒÿ™%g[ãŸñúOÃ?n#GÇUÿuâŠþõ¿ÝÄÄÝÄj}ÅΈ+Ø2ýw†szîÈ”°Ö@ðHˆ}i£rQ]¯_zøG¥þGmmÓ çW»ÇòûÏ#IÊã±>4ë_½©&×ù8>ÄýˆÛdlTÇtº¥°jÑ^7KÒ» š¬ôªÇûS
+Šº%`¸3LŽ7)ü‰] üQHžíá|ÒâP»š
+ÿ\%ý}þ54>:2Ü{Ú„M•IÊå
+KåïƒÍ§©R!RÕDzÝžeÌ}øØ"œ³\ʤ!g?5íµ Îk“T $f}QìŒ}}œ7Ãë–aI­zQ£Ø`{1®ËÊ›¡9sõ‰ór5úË<#¤=ø…ˆ´±36…è4Ó+òŽÇ¾a‘Ïp:‰é"“|:[5P6“Ó<M`IÍÍÍLÕ‘˜‡‰ŠŒDa_gÁ¡Ãœá½]é–§ 9ç8sêÓšÆô e¬bô:miØ*N±«z|+hytHOÛV77Ùa‰
+×Nä&ýâ3­çï²E@\æYzm¾~D9šru] ƒR¢á×0u+»Y}Îî+\·¤èƒ˜`Ixï|P>½«D¡;MMM¬:NNIˆ0þŒÞû+âÝzzÜðà\
+Š—€’»qt‰ÿß)âxô0EBå)¦d4Ôà,Y=2€Ä„ÖÈ=ðK86iÓ·½µS(ç óQôx;”ˆwMÒÝ\]°Ň„ŒŒÄŽ¸¼'Ž‚ŒHè¬|Ûd@I¹²‘E —çê‰xERµÆ[ºª–ØÞ÷6µt×Ûô”Uâ£ÀíÇÏcí—‡²áŠù¥t/ëE½N r…5õƒ‡À}[ÖvÞbO¿öxî3–^üX³~ݱÚtX”·úbÛ»Ze¦B}Dþ¡¥±{dyÉÞâþÝbæZR4ŠR`s§Ú1w p˜aºÃVÒ}ŽÔŠ'X7zÉ(S†Å£À¥AKÝÁÆçr&ì椫û\šì‘F­ÆLu×c¶X‡YÈnT<)—l%WªzÈ
+Ì0Lo”2´“4c×±¢»ò“÷é·%¶œìÔr÷«rOxRæ@oÑ[#OóÐY„ý‹UՈʼn%?¼H»@yÖÞãLùbùÛq÷›c}DNCýŸoì sÑr?áƒÔÝÛóŠJx>æ?¤å‘]ò;ÔHbÓ‘¾tTï¨)Âm"È|Ó\¹¢óCÁ†e`ç'(Ël-zÝÇ.æf ì„©ƒ5 /Â/‘˜ÅÓSþÃEÞW;mdu‘ýêØ®=)À6li»ÙæüÖEÍX»Æn–ç]6
+Ȇ§yð»Ô™6üÏ2Röv•ŽQvvåôTÂ*¦(?ç)m¶5”OVÀ#8”¦Ú•4áîPñ"!Ýa¶é]\yc™··sãAZPU6gbß+:*(¥Þ'V­PÜ…¥Û)+#®¦.ráýô[yÞ]²ÅÕ¦<×µAÅÊ|…ø Ý&Û¦ÖŒß,`ÄÆ
+\w­wñ0‹²R§ËJ†H®oQSÓâ(b½,íµ‚9¹/#Ýýo ¹|Êq3d›p+¯º>2£~ìîšzµ´[=1#„ãW*Ža†Æ4õ
+|\4YÍùô\VŽAò¡iÙœÐV
+'Œ†Ý¥ýrˆøœ]E ‚ˆó(‚ƒ+c[€Éj‹®¦Qíä¼_Þâgˆí44U÷“É;2–×LC
+JOÉÒ4WÑœž:óû\™Ñ™ïÞ! ×yÖ\3Ûø=«/Τ€çÞ¸ ¯æŸ/8ˆÇîc+Š GI1(yBª5ŠÝ
+ˆÐ÷™êq¥@ûÏ|åRøíçÒ¨Zqé1#.²[Â^%â”(:^ŒD”ÚPØ•/ð
+ÐJºN$†¦ædœÆak¯n¡mk5¼{n
+©.׬nà'' 2‘î3ˆ2?g‚Ó<ûeZ‘™a÷­6™'zOÁt­:ñÕBzÚFÑ£AjÅ6©²}Ôq”‹ðü¬fŠ™ðaNõRäm€É€e‰aS—š=ø„PD‹ Å©?Κ-Év“Ü*.ºå„í_óÄpçÂ’EJ-Mn’†´#Îó¿?JýjÌàUàTƒ*
+ dªÑ‹ï­M1–7°¤*’±¹+DÞÄZ·íøjâ?å
+”;çÙßëÀÓùÙ—8Ç!‚Kùz.Áøò¯Xñ€¯ÈHêKŠ\M(€Á½µBO8 çXE_æsÃYZ·èp6aaLÞ5f(wS;áKéªOÙÓzôx
+Õ§µ÷YÍÛž—™®Î燸-f: sôqó957ì>\Ç´¶ ¬C½}8$;DPì…eªì¢V¼'­ØíÄ<È“½Ü¾NO(߈]øé¦ÛÅr_[Þ*ʇ¡ÆËÆ<Òx ç˜î®l
+Ä’£×¬÷°zJmp¤0ZgôìuáÜí™ô!F…ªä Œb“Ð.ƒ ‰¢9wØhQÝ+âGùTjx­~wtñ».^jËð‘g&rÖ̹V§#KÚý®Œ¿çqÑHºö”Å~àlsLÓfH9áNjn£W4`oÑ£:»Øš^ÀÅK¥ŽÒúƒòL9ôlÊ0Û‰B˜ÚÔ#k|yË¢\Ÿ=*XˆÕ<d0 ¢‰úJkáÜ«mµuˆ„‘¯H`Ž6彋EÖùñïùBÅ«/hüî#Ô^†§ö¬i(]‘×Z]°&ÈC˜ìö¶ãíöù{Ùj+à€Ú‘ZQ[){¤iZ_Âì“à=Fº(s!:T KØ;XžZÆ#›DÂ,vÌ4ÐüQD~ô¡²ôå *×BêbŠµÊ´è˜:³pu þ§þ9rK28]±„»]Êö]– ÌiŽ rÆf§>Ä óRi× à¦H~&¸·—ϲSz…€ÕhßÝ0Ö/äH—Ì-Z‘m®Ûû <€úQ³Õ0zÒבß8r¨tIÏ'Õ`™@*ØÆ®@fÃ&€IѪ¥v%QÏ:®Á:.s&ŸëF­¤ƒQüʸúW ›_!Ò0sI"A4ªØ¼D×Ä÷¨C!n†Ñðú;+‘Öº{ýŠ÷ÊdÒ”üÝz/176ßÆÊê0l®«ßCヤb£s0 N­÷ä?‰ X! ¦œ´Î`ÿ¾‰$ý:Š¾]‘µß«kw#+‡üåj$P®¶½¬6>žæØñ^70•öKú€ø$ˆ]ïï­óÝo¸@g\³°G
+9ÅùbW<-—Ô9âEjRœáÖÚîö©ÝRËâG^ì sJ¬¾bíÇAÂxÙýeØ­ÒæÊ>•¸jÀ ,WÐs
+ñÝ‹¼I2ˆô|ß{1¦[y#²š‹9ö_ÀSƒæŸ’™fyf+(ý
+K#Îø/÷2ž;¼£§Zç$Êò^Mú½0)íN(ïó‘µ<‘Š6lþ;9ÅуŸ)Ðæ¦óF}»ºÐ=À¸¶V Û˜Å/éGŽIÌYW¯µ=·ŒìŶÑ;˜vìbs¯+YÈý/âwåáNV­&Þ÷¥0óŸ7¯Â$6/ ÈÉa…Ø藺¢ z|£>†²ª
+«Mˆí&/·}Î I Ø%΄%0W¦É·¤¬´{âI\5d§1ÖÙA)£7½¡TDƒÖcÆãM~ÉÛ0l4ÚÔÕÝ„ùäˆ÷)—h7¿d~aùruÖ[l¡F÷è\)ãƒ|<kz?D \]ò7ï2¤ÎÐdåÛTª³ WdDmI!÷Ï€S‚'#Q~ On )vE6ün¡Öi¢ Ó€(IIŠ?´ëôWÞbÚ¼%­ÂbAP­`6D
+–fçÚïC%ÇÎbl·Å$ûÄÒéæÅÇDÙdÿ
+Ÿýpô¯°0TO@,{i`·Î¶ÍÆ¢ãÚâ×Kܬ ¾yOàï–<ÀQ–
+ðÕ Ž£èÈp¬­°"M¸p‘)š!(´Æ[É⯻¹ÑòsŸûùWÅʨBP¨h Ù'“¨¿ ÞÞÀOԫøŠ½â{Ë eÊdëô¹Kx5QªÎ™6!â–­a˦½ë}2 ¨Ýˆð+0ö|3k³Ÿr™eÈ[A˜ýl\ÊŠ}óÃ\&Ñ[Ããóqt“´ú8ûy :µlõUñ®¥"„KЯ¬’Cpeªb•^¶¨¦oÀªs'ª¹þ¯cÙKñ]ùw+VuN|äáù s.…¸¦Ÿn ª4—&Ðøš{«î‹½±é
+uW–ÿðžZ—â9«ÞËÛråŠi~Û0¿<€G<æÀ›3¦?›(íPÒá“~šGÁqFëÝŽíƽHšJ+3"Ê«F…@™'›ñ‡îIŸŒ‰õ‰ZêÀ7Y
+gìзt@Š™+[Ñ3²/*;œ÷Q¿.ønÐDâ]ñê “R£Þ?*ã]£_×êCék~Á3A¬
+$1üf¡
+‰¾É%|¾Uůx¯¸;%ÒŠƒ}5]åD„¢J›œ)h#?yºâþ-^ø*#G„ Ú”¢‘üÀÄi;IÑÉ2çŽÌ/~é)Ñu 죯ã3noዯ78]P³]nÃ|¾g
+6ψ6o‘PBšP'̧AFæêdf?P0dGC×´rW›çB¼¼6&³SÊr¥Ü •¬SS‰ÓòñÞõT9Žú¼K)Œ\û)°bç¶Õ†3´$ZÞ#&†×ææjsmÂCf‰àS4XäHF Z”ÔzϘ(Pt
+|ÿÖc2›#á¦$'j‡ß|c›xß3ÃlÞ“”3Bm€Ü9ºš?¨
+LÈJ„5(µ
+S|ØHˆGð—Ã=>ôԑʇÞw1®V®Áç€R=äŽK‚uW—e“ 4¤µZ^ öçý†Ï#ÃÎDžâØmwp#ŸT-Œä{Mô§SqêßÑZ!¯È¥û;Åcï¤ág´SƒqÑq/V1aŶõrR€ñùòdfN51©é‹å=túúöp›˜Ùøfqû— áoœ
+#‘%‘Ï+0{—¹Vx³½û³IÏßç@ ›AÖå]d˜± ÜšfÓ 3.ˆ•Lçû^«ªwkFOpªÍm“é éâKL§.ã¬f0æµ2x‘$âGÈÛ~Í…†ÙgpèÙzœlŸTêŸß'Ah7‹#m¢(´â'Z %åÝa&˜P[&W)íýyÝaHÄrÇxg+Ešê»ÎÑû ^äŽ(úÖß `–ºr¶jºù7Yþsß›ûPDS"äÊ"pqšQ¦Mê´šsËÚ‰ÉöR'  )Ú0çöÌzlšºð•`^•¼ßÖ ——úq2‹ãqÙ•ÚüŒmÄàðr²ÉEh
+¤á¾}˜D'N+nš~¯Ðß0’ƒo™¬WOÜs:¡ðwaz;A³cJ©ÚäA çÖûÈ<’+UȯÉCvL¥ºøPô‚Û²sùô* ze-£Šü;2 «ù«#_š¤£s¾þ vêÄ‹úñe‡Î‡CØ“¨Ï>¼»,æñ’peàùhôm2’ÏÝ°MÍ[®¼¬Ý’‹÷ €"_o UÅôh£ ÖB57„ý^æÛT'kiWCEÏr§ó•
+©ØWÚ¿\N[Ž”ÀöŒÍ&nâáµ9vdµÍ¢–£¡!Šã5iAÅ@ñ/*w.¸Ã(:³›Åå×Î6îu1Ü3î᪾ûõW¤®48ð“ã‹KÓ^¥3Tòte:ëù`Ë"‰‹º‚p­,»iAX/†HÛ˜?äµÞ)RR«Y?êxjÒ/½)‚P8ñ“—»C>Är–BŒ!†¬gÝ@¯kîÚ“èNü½?DÆF¹U<þ5”I.:´s¾Ÿj-p“Ã䊰"ŸªcÂ#Œ:B +?/P— wég&åoï²û×!æ9œa pñ|Š®¥Þ²K5lïøŠÑ9„CF †ºž/õ¬;¿G@!íxc|ȹD¤.׎n^H$ßÄÛÂÓq]Èõ+É{¸i™’
+“*ÅûÖ€H-eëpg,eƒ|ÍaJtžŒ/dŒú*Λ¢ 6ºK2;”‹x'.QŸ[å ÌñÚ:ŸÄTß $$¯µ“Í¥¤·4UA
+~:Š0NÇŽŸÂy¨r“Ñ$85¿Aš«`!¨WÄF'*nNÁbt*Ú*¼ëëÂæ;ŠEôû”ÕaÇòõT~ÔÖ“S4Ÿò3<5×Ø\ÛJ´Æß&æ–“O=P©[¨P$“Óµãñ€ èiªš_`Ž.Šó{h/"•"v¥¯CŸ)-FßE¶ÛA<Ýï KF‡é9 ‚'ýøa¢4*$'=ÝèO áequGf0[éÒ´ò¢ïÑÞ7™Ë©4€ÐóØxâ%%Ì:¼ã/º.@ªã#)NˆÈÌaÀSt–k ’»´jˆ5b;¦¿J;÷Ò±C°7·ä°ƒÂKŒwA¹5S‚é%8.nN`ºê9_Žû¡ôÓ;Sæüê\g|¢Häae#§û×çÛu¦;¯ºÖÈÊXšŠäo+7×m4”°‹ª0Ýë#4åâ8hù‚˜RË9«»åì{°S©ã£›ªˆ¿z rª“ÊûýÎœ•VØÖi!z_)õ¸¨VS[i²sõq£Ë%®µe?åw«ìbØ-…97Á |Êš aü’Þ[
+4%Å5k£½02ƒÁw¿b¶8y<•«ápÁÒ*Á–Èp«¯,”&«‚rÃæG€Tëƒç¦£¤å¿”X{Š”ùH;_ÕZ ¼ë/i)ï1Èû£.5n仯ðå9 =)ÂéÌW%^}@|Ѧ{P`Áíea°,pS L§Ü”üÚ®Û7CÖÄbÀtÝzÏ3$rX§5Ø¢Pü–„˜jW~\\{ 7NìySE¼9 ]ºž½"„i5¿ÓúÅXôxBää\„“y”\á¼¼!‡k(MÂÖL]*/öðéžä§FJ{Y<Á&eš¯lõ‰Ïƒï…Ì‚+üŽŠ<Ù@9vOŽ’¤ä[RY·ZßUMZûp4–DagPcZ‚%V_©Þ\;=MåWÛ¾ÖG
+›¶ƒ¯ñ¦¯<¢—h¸E“;Ukê ñ
+J±&éù雈‹˜9›âÆæZue)äG $ LË#[|íÕϬ4ÈÝÕbO
+€£AÚ¤x8mw›þÖµÔ„±ßxèÍ#ºaýªU!˜ù´TßN.ÓÙÇ-É™Q‚«iy@ŒWc²8qá/øç ‹ïåqYw'`:ÓN·ˆ=
+*¥6©!bÆ¥$ž)ÈFå¨3Çx=H3/xR ÎWGzÊt¡Dc€Ê'ÒHD´öXM-®ÁöpáØîÐÌ’!#ŠÅø*ÒÕ Íè/<Ô¢8>§Ð†ó÷‰rŠeÀìåtѦ’ ¾Lñp m… U?ˆ+
+½ŽîÏ>¿ÇrøKKíùƒrÍAfjxy‘ ^W_ª^ø‘UŠäNGReÈ\®v/ÖVö†¶Rú׌hÉýy3˜Œßc¼b'óÑl«ð‘Ä›k,¢°§ƒ.ˆkx„Kªý( 9×^ÅÈ
+…d«…œ#£}þÂÀÑÜÂG( ÑhQ/Um+‹|“·^±OI$ѸÙ0ãÆVèþ )ÆJ3ÍLJ_ñ·ÿÑLÖ÷¥Ÿn­Þo”vÒJáØêqmìíçâ%Á­Ãcœ~ªzVÈ‘søqÕ g%ŽQÌ4³æ`£E–/T““?§púyÂå[uïлJ÷ödhºHÐÈÜlM
+Å s?Òr&Fd¿Ä6ë&>N´.Š ¦¾1:¹rP1ûØ——k¡f)ØdQmŸèÄI BÐä5Mþ¦1T¿`m[;­z!î_µ±=ñp)ä5^Išõ@ÑðÈ š¢žAò'tG<ÞÊÁæa¯šm-mn(Ø
+‰|¿"]ˆnŸ†GhS”C£ãžä.%^=‰Â žš| È%ÿÅ%Ÿ/†5¥ntnt I-¿ÊÍÈ.-ÚŠ
+˜4ƒ¿à†tæ-ws(›¢ü À.}!Ë•™ª^‘ 805D|~ØfÌWŸ½æ°›ã‰Å9ãqÀy[eN ù~TÒ€J…gD›¼à%HõŽN´W¤Vê Ü©&QXS²;^Æ#~o ÄSÙÄòQ¯¹Omº¿kÊ–»{.
+àé%.@”ØÀÄZPÑ}ú¥ÄÝØÇ<†,2xˆá+„P À:І¢€XH‚9É2¯!I‰¥“–mõ놀)ÓLvÒÀªÊŠ‘¤®­‰ŠI¾ž´ÀJ€-um~5SµÏ?¼‘ÞËxXkDZÎS§ꊿʥ'ÿâA“EÈz©Ltª=ø½¿ˆÀ¯’ëÊ›2{@?ï5ºûšõ¨N …&øºòȨŽ3HKãGš‹6hXle¡ïÿ–kMžÍMxßqhìàV…Ú¤ki1IƒË‹ë°ª¶ƒÊ9UFmwY¥YññW>èYM Ð7u
+Ç:êhפ­ߛ֙C9߇¬o“‚/¶z>‡”8Õ"¬pÔ"8f@xk©óí…f¸®söšË‚ý(†'ï »Úƒ½pLjt:1[ɘú‚ËHâûŠK¥Q¹ÞAH)†3W.‡å¬ÉüÖÀU7¹þ"ݨ²_mz$(®$åÔ^ÕìÊÆŸ‡EÄÆvPºÄ¤7/' ìl\du#vتç¾½ììÄ“QP‹qH{Ä$5ƒlíÛóyïd? 2$yá9MLºG%[!/J™Í2an¶ÁœÞOz~ØŠ9@5ꎥ;V7ÎF FsÕàd—ûãת?siÜ5$$éD_j(¯Ü‡ËOÒðBO¿šq€îôN»#.Æ/8ZëùkVŒè‚¹ép›ÆjÕGpéÎØzÇöÛI9´HÓ®"!ÕJˆá«OY¢Úîµ5¤=.J×ø2yØPK0úÍÙÃPI¼ ÌIñ$GÈ^˜ÆºÌ‚cý%úE˜òï„cijñ¼•9‹ž9Ñ’l{ˆ‰$ 0¢w¯¡&jjia>’4\¸ KDÃ{pÊŒ#?ÓA þ0›9 °ñ-D>"ª:c?ܺÚ~†‡^e55¸l
+:kb¾ÉLQÒcèâåSŠÛ€ …l±Ã{Y14¯ŸË#Y‘·IUHš6‰·'&:,q[ÞÀÑçºËÔg+ñA¼dÖ/LŒn”•ÿRÔ
+ˇ—ÕøêMCEýŒw·òÞPðÃ]ï-¼5L-§Ô²%\ðd*]®K¬qtmpMó¹{Â6Dm1Ð[2m¢ºûw*QÝd‹Q“÷\ÒBq¶˜™2<ôÜå `ve¹¿*9GiÐÍ
+ .ÓÐ']ÒÀ^Od°â®D—üå„,?#ÞWÖ³bRªv×èSž¼˜Î§ÁØ$ôÊ`mñ 2D=ón“þ´ÁžD㔹=õk½IPïÅvƒJ<¨±ÏÞtݘÍZ´G U^W0äõ¬’”¤¡ÌšÙ=JéSQŠT#’åOµŸ>]žAß÷åʇȆ³Z!“Œ®Íïå>÷Ô‹fÜ.å¾Ó;ö§h gXUãÿ‚yXÛ%…6,˜Ä™T¸«úÊ*1²ö°Ò”"‚ï3Y¶m"ˆ†s¸µÌ· Rþ;ÕõµU§é±8fŠ•ì0A¾Ç¤‘oxZ¼ÒÀá¸+ÊNVkú÷#$ Ë£6\4Štó V·‘D^2'lRw‚ fÈ2Ñ[£Ø߇`Ÿk5Ñs kÜË·g¤Ãs© ÛÂÍÝÍŸ¬B?1 |k6*yf¡3ñÚP‘|Büu+ÁËNõ8XÄôÈä‘¡ù EUQÊFÿµð¥¸ËôiÔ2¼ð`Næ}ïT´?AËÒiÎâ ú[¼5¿«-ŠCLÓÇUY$ÐÀéëh¤®WNÉJB-þ¾ÜaìÚvvÚT¤‡dŽò[µ>Æ–ø|sÔrèCd `¦Ÿü^†ÕÁÊãDÃ*ã%­ã»òýÏŸ‚«ˆ›óñÚ àfX¡6øvçŽÒ]©Â—ñV¤M"BÝèù£=&w>8Kºä*¯+– ¡ oèKᣵ4æx( =¾$h%H
+£VâRÑ
+ï82Ö&)°"¶E;Ü´”ŤUYvƒÜìVZ9M*­µjQSJ­)‡Ÿï@LH§Ò5Èþ¥
+½~ÒoÍdW)(Ö€çÜÀæP»€Zø¦ÂP³¢½OU®æ’mèß´¨§raäÓw@„&7ìVÛÌyå\çøiÃH47+ù׉L
+µQu-W€»×4~Q.£ÎÐ)ÅÈLHQ-Û(èÖü¥> ø|kúÜ„X`Ž×¾®º] #.ëwx+«;.ñml3ÁѪ۰çµs
+:Ê(׸B®Ó'=êû’ýeÅ9,†`óÙ‡{ß%€ª ¢0<ý}õ¬YâÁ}‹
+ˆ¬BÙp:©Ñx”Mî§?ó}¢Ø×4¹„“ùïüGßßaWGÄð«à
+«1,u6AS£áx\|czíR¢€oÀbÐ.P³¦‹Ý=Öö+<µU ZäÍ&zÐÑÅReu–
+[5ÖðÆê_ka‘¢Þ÷£ø‘*q¥=¡R4Ð/@™jÂHµ0M’$Ùþz„
+˜É¦p8çˆC¡·š•òÏq0ÞSGD¼ÆSâT2J¹Ôi­¸É½°½äA iÎáDµ9)î“>oâÚàЂ,®DOͺ؀¢À¨&¯¬±ßŸ“ãùí„í½O Ä[¢:&ßQC—Ýåy˜1ŸÜ¨^Nò`ϯȌ)†¬!îÍÓ¤~»,˜7Õ$á/°Ûº¤zé5"™4¾bø–ˆÛM]üè»o~E®5p‰ñðJÌs¨{•moœäÜ%Ö¡A;›<Ñíô¦óñÜý¦¦@=®Ð@ZR¸ôGv Ö}¬ÇàƒO³þ›§—ÙA´|:÷©‡ž™Ï @pmðïÑçñ€R Àw<—a°Ý½7#øSBG8-(v> Û žq<]ùÞÚÖÁPdöÙò @JÞâõ•WÑ2|¥ —Ê„s’¨Ê‘i% Ìî3² °6“NP&0ž>>ÀI2åOø®¾Ój¬ŠÛ¯)ÒÀŠÜÚJ8¯Öß*fzU;.ÏZÜ$Úùd
+×D½í¤»a £ªâ*¶‰ÂÀÜÙš*û(Œõ¤qÁÃåäÌ°[¨.xÔŒHhý {§ú·–æýy澡:ÔuÓçg¦¨÷œ4k ÜÀ=ñïElD+Ž9Ó{û¤Î=£n„ÉÐE:xª»n½†í·ô
+é4NÈŠóv É.Õƒ_Þn$`¬ÓÖ)<ËEŠþê°õç@‘q6I„òÝäŽO¦ù¬R²Ôg-£d–‚îAúô>l¿ 3)VÐñ,ÿ²8Änd2€ø»Ì@צÍ*€]ÉãhsÀž”nä¦(ºÎõ§ÕŸW‘ÉÒî#ÐósD–&ôؤžm<[ã Xp.7ôâ(5%ö‘ì>B8‘'ÇÏÉÄ-ŽM%f+ùo0à8}¤{+Ãþ/®ò ¡‹pp… ‚óìô½ÙW¬ÒCF8fÎÞßòä6ŽÓ‘æBVÎÒP,-{DÞBЪðß“úé,¢îN`:¹ ¾ÔŒ/™t>¯‘¾ÀýÝ«9Ñ>á…‡]`5TæÑ’zûvyWX2FüºþbfO–f§>}al÷¨\ÔMê—´ìù¥ìâVPÇsp¥²oøâÇШ›x¨³N O_Ž»N=𣳧ND˜ÿ«ýzZ¯@(5Ic{Çv³cÛ¶mÛ¶m۶ƶm»Ñ™w8wóÍz€ÿ~eŸYçÞ*D+_—‚#ioÛçT¢{?Ø Ï|Xž!ÃS)Ëb×ß[ñ_ˆ
+ï%,3”1•äœJñÙwG¯üûñšøoeüªyDhéNÁÁϹݎÓRþ ~¯›GßB‚\ÌŽ™;؆r•R-ŸEGT±ùø°ãѶ÷Žz ‡¤/z”Þ‰…3 ¿µf!KÜt[¢áqQ‰(¤Õþˆg§þ¬EÒudV;~_€dr‡çI;17 a £ƒžq”„)b±¿²‡s(…0
+IfLt´&
+¸Õ‰]ª¼ÖÀ·ü´¨ˆúWÓž•N€ÓáÚ îËè ¥·I­Ñ—Øü:k b-F”ÛÈØyŒÔLúcÙY># S·ÿý¢žæãþx5
+ŽsU ? ë{x[òq=4£øŠÉTññbEK'òmç±v§9ˆçì‘È$“CXcþ©\“±>ÊG˜m@>¥¼lX1 ©ô¸dwO AþŠEÒÖ’±Sc¸I/cK+–5>¶V‘+"zg
+*»åMì•¡p_ÐV—+}¤ªÞTžY!æĹ(K§i"üÇ(*wOzŒF®¯’«X`Ž¡ÿ­Š¢É
+™*r[¶Â—n³î+ˆm•€Î êËÜun2qÄi"P6h£.ü·T”•OdÉ_ùüånµ~ ‡q#$i5’2ÍçšuÛOÖL[˱ÙE¶IkQñßå:¢_é²w«®º!É·Õ7ˬÞýóÌlÒλª> ^ØH•€ þfuĶgŽÍÆm4N}Ò
+žº²Üà9UwgÒBkÙãƒËÚž½Gr˜u)Ôë
+èòÔAé›ðöÖ_ß5Xuïwo%~’KG`4÷B9MXÄ—›Ý*¬â=cÉwú¦¶­r±¼§˜½ïÙ ÌèÀXmgsÌ{ná>³.ëÀS±¾ü¾ºÈÙ”¦ŠQ®Ÿ6È4ȤÍzÚ9Ú—¦Å÷K\ ìkCì«›!ê;àú¸èy¢Å
+
+"¿‘©ÜŒ˜%(–PL•„àà}çô—ìd¸A4HVs_™c‚Ò„µÜÅ‘nÜŠ¡Vz*-‰To­”â 7*úï #{y‚íl¤â:n\Æ>‡áos.ø¨ŠsýE×õ©É¡Ã<äm¶ E±¸@ˆx²îkrŸËÁ}G=1ôƒNl.&·´Mf‰2À4îۯ0ö€6Ñð G¥í¤B§R“Bt•¯º%õĪÜ~ç$`XÞ(ÿ¶ˆphíÒ[, ²·wÄ.„ˆØeæÒ$HÃù”±åá<€;]vÛàr Öù›–ÞpuU“J¯ÐœA£½<ÚÓ¤ïõV1r¿Â¥“e8Õè7Þ)h(²¼Eð¥GðЖ„ñ˜WÒMæ _Y£õ‡æÒËfcØŠ¡ÌõCÒ0—£Û²u—§§äùp3¦~ùÌ[yÔ5!Áy˜Ý Ð-¹9¨ÉŠ%Q-} /DšC¦—jn¦%>HLgùh:âî…¶Bldš½üuô݈°½‹IÖ#o½¿ùði9žìtå‰ò2¯̉ê³æÖ®Ê2VÂ^­.îÔ
+ëÿ8±²
+òo·Ä‰è8²{ãqÍED§G×æë±ÆöåÜbùÜß°”\&Ü‘ù­òÏ2qsÈÆ°Ûy¾>bò´ÌOX(oÁYÓ‹Þ"4Ù†w7 «~Lé'ƒ]‰v }Oä8ÝMª)Ž–X’EÀ,3bQ*ÞWAš 0 N5<_8%)FľJVßr”[‰=Wÿ:¯&,o/ÑQƒ+"%N†êémü‡*VtŸ_-’È°”´sPàkX‹'ÙÊ‘FâbMüzyixûŸGG1SÝ(&¦F›Å8'Ç
+mÁR!/¤ïmYz'Úò”¦ÀÀh'¨1I ÌѨõéI¹;b ’@\Öq×Ü[¤µ*ýôF£½™ÃØ»ÚRqõ¶›0ý×nD%ŒãßÉ€¦ ]:bĨvÿŽ“U®ïqî{Ĥ
+Èù#†ð÷†(£ÃÐw¾áR¼­ñ¿ø; h@À‘Ä8~©Lp©™¦¿RÒtª3ª5/0Ò¡S0±nÍ&9=Ó ÷-Áz;¢IrH©3©Òpdl²l[‹}B¿p“šÌN2ùòw Д˜…¥UhpO· 
+FÖ—bowÖç'<{†Ëe/>w¤ìºO Óyf4,%[n‹¦ó<ÑȲ’Dø¯7XQ`õì¹;ðkgýÑt{D¯VC|n$è_
+5±)Ä;À†íkPAs~6wD¦l¹Y²˜'À&>)Ž:•„ΊÙtAʘxñI…Å©Ñ’"Vï·´—Á}“Ôl—Üœ2Ê?«RÙª¦» Ñ2ø¡†LŠ¶Ð*¥ÕùÏ•Õz¢W¯íPO!Zñšâ:¡••3ìv{´3:9¨;8 ~†»Gcã–XÇ*ؾƔrõFÉ×<ͤŸ”WSs¤ù€ûñúóRXÙlN|PLò4ŠÒñ£l8¯´Àøî[ë†4 Àñɽ.zšcF­{ý†ÄT¢¸ˆŽ¾‘Ð[™()ä ‡¦f¾ÆF£ðÝ´Z"gº…´>Ôæ5âµlÏâ,¥÷y”¦Ä“1Êe]#¾{Gš!ÓK±¾„OÍ÷¢ü¤ïï!Œ^{ßðÉ‘F'U0BBo÷LÉ7„ob¨AÏqØ5ƒ£&ÜçîYd5K­ÜeíO%:Ó 6™zD-߹̫\šM0
+¯'l­Õ_‡2›.vèKâÔ€fïø¯âˆÚ\ŸÙÊ¡òËà.¶¸iAìU„‹Åss*’ñªÛ
+ó Ë.ºÞJy'k<¬¾T¨u®rï p¦±2Äéyš˜¾Á0^øÓí ›H v,¥wó!éùž1ÄVûr#Âp_JI´¿4ŽÎ¸6ú˘ì{2{ã• <[—)¾Íj°xÔo~y‘S¿mäó¼—¯ùh§NWp¡Q2¬ð‚‰>÷ËgCX ÀõVUé³½æ·ÝbM†Ðñù6 kh*†4¬† ·ÚTã’#­Ò<÷òwHÜ2ÈAœS¼WR¬v"«¡™Ô1í2•¢¨¡;ŽÞuE@L ±Âà‘Œ”ª^4þÕŒl«áÇü̺-€¾¨“\Z™Òçtä %p´§”î–©ÚËjKûr¦ä¦¥Æ¢[~ÕÇÆ
+eÁ½õiÐGÓ8¿ÙñCÊI´‚¥º]u¯˜Ôjù -JtáBÊk(WI)Í’ˆÇ ¨kFîÈJi…Õ FS„Éãâ…—¹l;£—¬(¯cgHÖ5§ýUj®¦›¤ÞNX*1a"˜…J[å?x¯5Mï@ 7‰íɳ't"Mrmc §Õnœ€rÍÖÔ<.ïo°öÝヲk¶åÎM¾×ÅŸ“p40¶Y¤ÉçŠÀ^s ëµ¬d>Rõ~YîZ_Ä둹v0§Gm‡‡N®3çï7G$*›½th•ëùý¹¡Òg)ˆ, &ƒM€¶ïÎ3«yÔ&o¹Ù›ïu–ž4«ô,öZÎOkÜ÷ªÔD%«†Déz¡v?ò‡/óÀ; Š'?§îºËcšý‹Üè
+µ(à\èaª
+E‰7jŨi¥oòƒŒ:½úþ·cêSJo*>»u+Æ#@Ä«áb\[k!s&D “‹Ãd`È<HØò†T¦EÚdò:±CíkE
+j!H·îà3ÁE.
+ ø!{mž/ƒòZú+p%Œ«u–}Fcí¿ èýˆ/ì…Ƶ1>§ÌM)ÔÐ O%Sýù8½î×Ç
+dˆür4îŠ$#œ™/à·Ñw $–+3¸]Ì„5¼T87Å]ý—‰Ø¥–…ZPŽü¢ X¥Ì[šÿ8™XpÉþCi€ó`KpmMƒ*­y¨À&ÕÇ*é\—l¹ïˆü° xr#L?)¨ù¹kvü¯â|V{þ–aÀB$ÇÉÎàj`ñh›Îëæîõ­QUdj5Ë$k>7¦|©™¬âÃöõÚ¾¤,ˆÇSÎbÎ=¯ 6¢ŽIÛž‚2üúð?÷ò)CÎ|æ¡î0)ukt ùþîo#‘Æ$÷s‡³Wgª~„ŸÙñôÀԥ;ºaâlèQÌãæƒhË›ƒÌð`
+Z®§Ñœ8Îeä¾ÏFþ±Ã,ô\5ˆI.èÑaM 4Ž´mÇÕ‹èqWM‘±•î·egcØøí «\[þT
+¿Á…æËU¨—xÙLDÞsäÓš
+Iö×~pºóE¦f}^!˜tQ°Ù’‹ƒEäì>‰ n|'ÆV²5D9_äå‹7â̬FJvõ˜2È­ÛŒ’ý;Û£K¿>Z&ú‰Àš¤þØɉ,-¯,Yت–=–ÏÞáÆX8?¸#…m èÓð¥žçßèðž–u¤<5åÑwÒ6¨´ÍÔ™­×#0±q“²Qý‰±ÀåÙëã=¥—;1Â&<
+| f Ég¬,=‘¥vp‘·xMŒé‰_b¬5
+µœóû¿ µ§öÈ4¿À#è¸?§ß7LíXʳŒ”ñkÌ€Zî»vSLR‡û 4 ƒ?&4 =cwÓ™7mÿ­8 ‡L¡ž~šËmé0Rƒù]N9ÄO:;e0vÈ(©6‘÷ôŒ÷ÃæÓ=ÔèÖ‡7œŠ?­)Í'á ž àÇ38ƬpYBà³Â|ƾC¬D?ÖD‡§-QÊ(6ò˜¤>Œö)€*#£˜òDUdùªé³ÓvU
+[`÷QìÿY¨OÖØJæÒ2‹„a¤.‡yMÙB.½T›.¡
+¥í’bWWž^¿§M?¼ªßªéë;ëš<™áh ±Kñŵž¢¨ÚÆóV1îcÖOÏ "ž³x4tÅ:l¼t@i×uÅ«»‡‹Á0“öë]RϺM'Ü>Á™?#ÉABlž=fÌì…ïé ÚiózõÔ¨¿!…+°2Ô’Ýzôµ¥Îb—B
+y‘üP'càÜ^M#R°·ñÃ4 {LJ B«œ»×ën¾HïŸMc–9|þ*S5ïV®ñKãÁ“üvÚJ¦‰‡’à°áR‹ÁPKw©ä;ÉͳðåH-ºOÖ²ÉâØÉ*Wü—¼éýšö•p…+èó®a7AÔºº;˜âR·~4ÿÕ|S®‘mƒ®W•~ ©Ãâ‡}DL×WF5J‰åéØ|¨i÷>#\2®˜
+šÒ30D”€`Ÿ†§¾ç4}&1xÒ¤Ö¥ ÎdP•Ý‹$ȾCO‡Ù’jÛvëö?`C&W'aÔCJ•I'sŠFðìM˼k©¡¨»°+X ŠcAÐÀ«á¥£ùr!<s%!ÈbˆÀNÑ* d3³Ê6†Ø0´+3ïÍNYÀ8îj•ÛP³7Þ¨VäÎc=$0€Ž9€òõ «£…WCÒ¸1å Ô²9L±ž±~óŸ –äWÚyüInÐäöÀ'¼I3 ú]`+ò7vÃÝ!’ÔËö—k«Zœ–(&4¨j„¸`é+àpôxÿÅë«SüWâ$åM7ƒ[IZÒýš®ê~‚VƒÍ:Ø\é«…Œ€Øy_à£öý
+.ÈëÃ6‹û¯™ÅSßcŽ¾Q&É5 fd
+ön’“,6"”@K;\ÿŸÁüø¯
+endobj
+654 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 1344 0 R
+/Encoding 1915 0 R
/FirstChar 2
/LastChar 151
-/Widths 1359 0 R
-/BaseFont /IZDQVO+URWPalladioL-Bold
-/FontDescriptor 595 0 R
+/Widths 1930 0 R
+/BaseFont /SCZMIW+URWPalladioL-Bold
+/FontDescriptor 652 0 R
>> endobj
-595 0 obj <<
+652 0 obj <<
/Ascent 708
/CapHeight 672
/Descent -266
-/FontName /IZDQVO+URWPalladioL-Bold
+/FontName /SCZMIW+URWPalladioL-Bold
/ItalicAngle 0
/StemV 123
/XHeight 471
/FontBBox [-152 -301 1000 935]
/Flags 4
-/CharSet (/fi/fl/exclam/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/question/at/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/W/X/Y/Z/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/emdash)
-/FontFile 596 0 R
+/CharSet (/fi/fl/exclam/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/question/at/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/quotedblright/emdash)
+/FontFile 653 0 R
>> endobj
-1359 0 obj
-[611 611 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 278 0 0 500 889 0 278 333 333 444 606 250 333 250 296 500 500 500 500 500 500 500 500 500 500 250 250 0 0 0 444 747 778 667 722 833 611 556 833 833 389 0 778 611 1000 833 833 611 833 722 611 667 778 0 1000 667 667 667 333 0 333 0 0 0 500 611 444 611 500 389 556 611 333 333 611 333 889 611 556 611 611 389 444 333 611 556 833 500 556 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1000 ]
+1930 0 obj
+[611 611 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 278 0 0 500 889 0 278 333 333 444 606 250 333 250 296 500 500 500 500 500 500 500 500 500 500 250 250 0 0 0 444 747 778 667 722 833 611 556 833 833 389 0 778 611 1000 833 833 611 833 722 611 667 778 778 1000 667 667 667 333 0 333 0 0 0 500 611 444 611 500 389 556 611 333 333 611 333 889 611 556 611 611 389 444 333 611 556 833 500 556 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 500 0 0 1000 ]
endobj
-601 0 obj <<
+655 0 obj <<
/Type /Pages
/Count 6
-/Parent 1360 0 R
-/Kids [590 0 R 603 0 R 610 0 R 629 0 R 646 0 R 657 0 R]
+/Parent 1931 0 R
+/Kids [646 0 R 673 0 R 683 0 R 738 0 R 802 0 R 862 0 R]
>> endobj
-672 0 obj <<
+881 0 obj <<
/Type /Pages
/Count 6
-/Parent 1360 0 R
-/Kids [664 0 R 674 0 R 679 0 R 687 0 R 698 0 R 706 0 R]
+/Parent 1931 0 R
+/Kids [866 0 R 883 0 R 897 0 R 908 0 R 915 0 R 927 0 R]
>> endobj
-717 0 obj <<
+939 0 obj <<
/Type /Pages
/Count 6
-/Parent 1360 0 R
-/Kids [713 0 R 720 0 R 727 0 R 739 0 R 748 0 R 753 0 R]
+/Parent 1931 0 R
+/Kids [932 0 R 941 0 R 952 0 R 960 0 R 967 0 R 973 0 R]
>> endobj
-764 0 obj <<
+996 0 obj <<
/Type /Pages
/Count 6
-/Parent 1360 0 R
-/Kids [757 0 R 766 0 R 776 0 R 784 0 R 792 0 R 802 0 R]
+/Parent 1931 0 R
+/Kids [981 0 R 1003 0 R 1012 0 R 1017 0 R 1021 0 R 1028 0 R]
>> endobj
-817 0 obj <<
+1044 0 obj <<
/Type /Pages
/Count 6
-/Parent 1360 0 R
-/Kids [811 0 R 819 0 R 823 0 R 833 0 R 839 0 R 847 0 R]
+/Parent 1931 0 R
+/Kids [1037 0 R 1047 0 R 1054 0 R 1059 0 R 1068 0 R 1075 0 R]
>> endobj
-862 0 obj <<
+1087 0 obj <<
/Type /Pages
/Count 6
-/Parent 1360 0 R
-/Kids [854 0 R 864 0 R 878 0 R 885 0 R 889 0 R 895 0 R]
+/Parent 1931 0 R
+/Kids [1079 0 R 1090 0 R 1096 0 R 1104 0 R 1111 0 R 1120 0 R]
>> endobj
-908 0 obj <<
+1139 0 obj <<
/Type /Pages
/Count 6
-/Parent 1361 0 R
-/Kids [901 0 R 910 0 R 917 0 R 921 0 R 926 0 R 932 0 R]
+/Parent 1932 0 R
+/Kids [1133 0 R 1141 0 R 1146 0 R 1152 0 R 1158 0 R 1166 0 R]
>> endobj
-947 0 obj <<
+1176 0 obj <<
/Type /Pages
/Count 6
-/Parent 1361 0 R
-/Kids [938 0 R 950 0 R 954 0 R 964 0 R 971 0 R 979 0 R]
+/Parent 1932 0 R
+/Kids [1173 0 R 1178 0 R 1183 0 R 1189 0 R 1195 0 R 1200 0 R]
>> endobj
-987 0 obj <<
+1213 0 obj <<
/Type /Pages
/Count 6
-/Parent 1361 0 R
-/Kids [983 0 R 989 0 R 997 0 R 1003 0 R 1010 0 R 1017 0 R]
+/Parent 1932 0 R
+/Kids [1210 0 R 1215 0 R 1220 0 R 1231 0 R 1237 0 R 1242 0 R]
>> endobj
-1031 0 obj <<
+1250 0 obj <<
/Type /Pages
/Count 6
-/Parent 1361 0 R
-/Kids [1026 0 R 1033 0 R 1039 0 R 1048 0 R 1052 0 R 1056 0 R]
+/Parent 1932 0 R
+/Kids [1246 0 R 1252 0 R 1260 0 R 1266 0 R 1273 0 R 1281 0 R]
>> endobj
-1067 0 obj <<
+1297 0 obj <<
/Type /Pages
/Count 6
-/Parent 1361 0 R
-/Kids [1064 0 R 1069 0 R 1081 0 R 1096 0 R 1109 0 R 1121 0 R]
+/Parent 1932 0 R
+/Kids [1288 0 R 1300 0 R 1304 0 R 1310 0 R 1315 0 R 1320 0 R]
>> endobj
-1133 0 obj <<
+1332 0 obj <<
/Type /Pages
/Count 6
-/Parent 1361 0 R
-/Kids [1126 0 R 1135 0 R 1147 0 R 1160 0 R 1168 0 R 1172 0 R]
+/Parent 1932 0 R
+/Kids [1329 0 R 1334 0 R 1338 0 R 1342 0 R 1350 0 R 1362 0 R]
>> endobj
-1183 0 obj <<
+1394 0 obj <<
/Type /Pages
/Count 6
-/Parent 1362 0 R
-/Kids [1176 0 R 1185 0 R 1195 0 R 1206 0 R 1210 0 R 1217 0 R]
+/Parent 1933 0 R
+/Kids [1373 0 R 1396 0 R 1402 0 R 1414 0 R 1420 0 R 1428 0 R]
>> endobj
-1283 0 obj <<
+1448 0 obj <<
/Type /Pages
-/Count 3
-/Parent 1362 0 R
-/Kids [1229 0 R 1285 0 R 1336 0 R]
+/Count 6
+/Parent 1933 0 R
+/Kids [1439 0 R 1450 0 R 1458 0 R 1462 0 R 1466 0 R 1472 0 R]
>> endobj
-1360 0 obj <<
+1486 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 1933 0 R
+/Kids [1483 0 R 1488 0 R 1492 0 R 1503 0 R 1507 0 R 1514 0 R]
+>> endobj
+1592 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 1933 0 R
+/Kids [1537 0 R 1594 0 R 1652 0 R 1709 0 R 1729 0 R 1738 0 R]
+>> endobj
+1748 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 1933 0 R
+/Kids [1744 0 R 1750 0 R 1754 0 R 1759 0 R 1771 0 R 1775 0 R]
+>> endobj
+1791 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 1933 0 R
+/Kids [1787 0 R 1793 0 R 1804 0 R 1809 0 R 1814 0 R 1826 0 R]
+>> endobj
+1840 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 1934 0 R
+/Kids [1837 0 R 1842 0 R 1854 0 R 1858 0 R 1866 0 R 1876 0 R]
+>> endobj
+1891 0 obj <<
+/Type /Pages
+/Count 4
+/Parent 1934 0 R
+/Kids [1887 0 R 1893 0 R 1904 0 R 1910 0 R]
+>> endobj
+1931 0 obj <<
/Type /Pages
/Count 36
-/Parent 1363 0 R
-/Kids [601 0 R 672 0 R 717 0 R 764 0 R 817 0 R 862 0 R]
+/Parent 1935 0 R
+/Kids [655 0 R 881 0 R 939 0 R 996 0 R 1044 0 R 1087 0 R]
>> endobj
-1361 0 obj <<
+1932 0 obj <<
/Type /Pages
/Count 36
-/Parent 1363 0 R
-/Kids [908 0 R 947 0 R 987 0 R 1031 0 R 1067 0 R 1133 0 R]
+/Parent 1935 0 R
+/Kids [1139 0 R 1176 0 R 1213 0 R 1250 0 R 1297 0 R 1332 0 R]
>> endobj
-1362 0 obj <<
+1933 0 obj <<
/Type /Pages
-/Count 9
-/Parent 1363 0 R
-/Kids [1183 0 R 1283 0 R]
+/Count 36
+/Parent 1935 0 R
+/Kids [1394 0 R 1448 0 R 1486 0 R 1592 0 R 1748 0 R 1791 0 R]
>> endobj
-1363 0 obj <<
+1934 0 obj <<
/Type /Pages
-/Count 81
-/Kids [1360 0 R 1361 0 R 1362 0 R]
+/Count 10
+/Parent 1935 0 R
+/Kids [1840 0 R 1891 0 R]
>> endobj
-1364 0 obj <<
+1935 0 obj <<
+/Type /Pages
+/Count 118
+/Kids [1931 0 R 1932 0 R 1933 0 R 1934 0 R]
+>> endobj
+1936 0 obj <<
/Type /Outlines
/First 7 0 R
-/Last 555 0 R
-/Count 9
+/Last 603 0 R
+/Count 10
+>> endobj
+643 0 obj <<
+/Title 644 0 R
+/A 641 0 R
+/Parent 603 0 R
+/Prev 639 0 R
+>> endobj
+639 0 obj <<
+/Title 640 0 R
+/A 637 0 R
+/Parent 603 0 R
+/Prev 635 0 R
+/Next 643 0 R
+>> endobj
+635 0 obj <<
+/Title 636 0 R
+/A 633 0 R
+/Parent 603 0 R
+/Prev 631 0 R
+/Next 639 0 R
+>> endobj
+631 0 obj <<
+/Title 632 0 R
+/A 629 0 R
+/Parent 603 0 R
+/Prev 627 0 R
+/Next 635 0 R
+>> endobj
+627 0 obj <<
+/Title 628 0 R
+/A 625 0 R
+/Parent 603 0 R
+/Prev 623 0 R
+/Next 631 0 R
+>> endobj
+623 0 obj <<
+/Title 624 0 R
+/A 621 0 R
+/Parent 603 0 R
+/Prev 619 0 R
+/Next 627 0 R
+>> endobj
+619 0 obj <<
+/Title 620 0 R
+/A 617 0 R
+/Parent 603 0 R
+/Prev 615 0 R
+/Next 623 0 R
+>> endobj
+615 0 obj <<
+/Title 616 0 R
+/A 613 0 R
+/Parent 603 0 R
+/Prev 611 0 R
+/Next 619 0 R
+>> endobj
+611 0 obj <<
+/Title 612 0 R
+/A 609 0 R
+/Parent 603 0 R
+/Prev 607 0 R
+/Next 615 0 R
+>> endobj
+607 0 obj <<
+/Title 608 0 R
+/A 605 0 R
+/Parent 603 0 R
+/Next 611 0 R
+>> endobj
+603 0 obj <<
+/Title 604 0 R
+/A 601 0 R
+/Parent 1936 0 R
+/Prev 567 0 R
+/First 607 0 R
+/Last 643 0 R
+/Count -10
+>> endobj
+599 0 obj <<
+/Title 600 0 R
+/A 597 0 R
+/Parent 587 0 R
+/Prev 595 0 R
+>> endobj
+595 0 obj <<
+/Title 596 0 R
+/A 593 0 R
+/Parent 587 0 R
+/Prev 591 0 R
+/Next 599 0 R
+>> endobj
+591 0 obj <<
+/Title 592 0 R
+/A 589 0 R
+/Parent 587 0 R
+/Next 595 0 R
>> endobj
587 0 obj <<
/Title 588 0 R
/A 585 0 R
-/Parent 575 0 R
-/Prev 583 0 R
+/Parent 567 0 R
+/Prev 579 0 R
+/First 591 0 R
+/Last 599 0 R
+/Count -3
>> endobj
583 0 obj <<
/Title 584 0 R
/A 581 0 R
-/Parent 575 0 R
-/Prev 579 0 R
-/Next 587 0 R
+/Parent 579 0 R
>> endobj
579 0 obj <<
/Title 580 0 R
/A 577 0 R
-/Parent 575 0 R
-/Next 583 0 R
+/Parent 567 0 R
+/Prev 571 0 R
+/Next 587 0 R
+/First 583 0 R
+/Last 583 0 R
+/Count -1
>> endobj
575 0 obj <<
/Title 576 0 R
/A 573 0 R
-/Parent 555 0 R
-/Prev 567 0 R
-/First 579 0 R
-/Last 587 0 R
-/Count -3
+/Parent 571 0 R
>> endobj
571 0 obj <<
/Title 572 0 R
/A 569 0 R
/Parent 567 0 R
+/Next 579 0 R
+/First 575 0 R
+/Last 575 0 R
+/Count -1
>> endobj
567 0 obj <<
/Title 568 0 R
/A 565 0 R
-/Parent 555 0 R
-/Prev 559 0 R
-/Next 575 0 R
+/Parent 1936 0 R
+/Prev 547 0 R
+/Next 603 0 R
/First 571 0 R
-/Last 571 0 R
-/Count -1
+/Last 587 0 R
+/Count -3
>> endobj
563 0 obj <<
/Title 564 0 R
/A 561 0 R
-/Parent 559 0 R
+/Parent 547 0 R
+/Prev 559 0 R
>> endobj
559 0 obj <<
/Title 560 0 R
/A 557 0 R
-/Parent 555 0 R
-/Next 567 0 R
-/First 563 0 R
-/Last 563 0 R
-/Count -1
+/Parent 547 0 R
+/Prev 551 0 R
+/Next 563 0 R
>> endobj
555 0 obj <<
/Title 556 0 R
/A 553 0 R
-/Parent 1364 0 R
-/Prev 535 0 R
-/First 559 0 R
-/Last 575 0 R
-/Count -3
+/Parent 551 0 R
>> endobj
551 0 obj <<
/Title 552 0 R
/A 549 0 R
-/Parent 535 0 R
-/Prev 547 0 R
+/Parent 547 0 R
+/Next 559 0 R
+/First 555 0 R
+/Last 555 0 R
+/Count -1
>> endobj
547 0 obj <<
/Title 548 0 R
/A 545 0 R
-/Parent 535 0 R
-/Prev 539 0 R
-/Next 551 0 R
+/Parent 1936 0 R
+/Prev 523 0 R
+/Next 567 0 R
+/First 551 0 R
+/Last 563 0 R
+/Count -3
>> endobj
543 0 obj <<
/Title 544 0 R
/A 541 0 R
-/Parent 539 0 R
+/Parent 523 0 R
+/Prev 531 0 R
>> endobj
539 0 obj <<
/Title 540 0 R
/A 537 0 R
-/Parent 535 0 R
-/Next 547 0 R
-/First 543 0 R
-/Last 543 0 R
-/Count -1
+/Parent 531 0 R
+/Prev 535 0 R
>> endobj
535 0 obj <<
/Title 536 0 R
/A 533 0 R
-/Parent 1364 0 R
-/Prev 511 0 R
-/Next 555 0 R
-/First 539 0 R
-/Last 551 0 R
-/Count -3
+/Parent 531 0 R
+/Next 539 0 R
>> endobj
531 0 obj <<
/Title 532 0 R
/A 529 0 R
-/Parent 511 0 R
-/Prev 519 0 R
+/Parent 523 0 R
+/Prev 527 0 R
+/Next 543 0 R
+/First 535 0 R
+/Last 539 0 R
+/Count -2
>> endobj
527 0 obj <<
/Title 528 0 R
/A 525 0 R
-/Parent 519 0 R
-/Prev 523 0 R
+/Parent 523 0 R
+/Next 531 0 R
>> endobj
523 0 obj <<
/Title 524 0 R
/A 521 0 R
-/Parent 519 0 R
-/Next 527 0 R
+/Parent 1936 0 R
+/Prev 239 0 R
+/Next 547 0 R
+/First 527 0 R
+/Last 543 0 R
+/Count -3
>> endobj
519 0 obj <<
/Title 520 0 R
/A 517 0 R
-/Parent 511 0 R
+/Parent 471 0 R
/Prev 515 0 R
-/Next 531 0 R
-/First 523 0 R
-/Last 527 0 R
-/Count -2
>> endobj
515 0 obj <<
/Title 516 0 R
/A 513 0 R
-/Parent 511 0 R
+/Parent 471 0 R
+/Prev 499 0 R
/Next 519 0 R
>> endobj
511 0 obj <<
/Title 512 0 R
/A 509 0 R
-/Parent 1364 0 R
-/Prev 239 0 R
-/Next 535 0 R
-/First 515 0 R
-/Last 531 0 R
-/Count -3
+/Parent 499 0 R
+/Prev 507 0 R
>> endobj
507 0 obj <<
/Title 508 0 R
/A 505 0 R
-/Parent 463 0 R
-/Prev 491 0 R
+/Parent 499 0 R
+/Prev 503 0 R
+/Next 511 0 R
>> endobj
503 0 obj <<
/Title 504 0 R
/A 501 0 R
-/Parent 491 0 R
-/Prev 499 0 R
+/Parent 499 0 R
+/Next 507 0 R
>> endobj
499 0 obj <<
/Title 500 0 R
/A 497 0 R
-/Parent 491 0 R
+/Parent 471 0 R
/Prev 495 0 R
-/Next 503 0 R
+/Next 515 0 R
+/First 503 0 R
+/Last 511 0 R
+/Count -3
>> endobj
495 0 obj <<
/Title 496 0 R
/A 493 0 R
-/Parent 491 0 R
+/Parent 471 0 R
+/Prev 491 0 R
/Next 499 0 R
>> endobj
491 0 obj <<
/Title 492 0 R
/A 489 0 R
-/Parent 463 0 R
+/Parent 471 0 R
/Prev 487 0 R
-/Next 507 0 R
-/First 495 0 R
-/Last 503 0 R
-/Count -3
+/Next 495 0 R
>> endobj
487 0 obj <<
/Title 488 0 R
/A 485 0 R
-/Parent 463 0 R
-/Prev 483 0 R
+/Parent 471 0 R
+/Prev 475 0 R
/Next 491 0 R
>> endobj
483 0 obj <<
/Title 484 0 R
/A 481 0 R
-/Parent 463 0 R
+/Parent 475 0 R
/Prev 479 0 R
-/Next 487 0 R
>> endobj
479 0 obj <<
/Title 480 0 R
/A 477 0 R
-/Parent 463 0 R
-/Prev 467 0 R
+/Parent 475 0 R
/Next 483 0 R
>> endobj
475 0 obj <<
/Title 476 0 R
/A 473 0 R
-/Parent 467 0 R
-/Prev 471 0 R
+/Parent 471 0 R
+/Next 487 0 R
+/First 479 0 R
+/Last 483 0 R
+/Count -2
>> endobj
471 0 obj <<
/Title 472 0 R
/A 469 0 R
-/Parent 467 0 R
-/Next 475 0 R
+/Parent 239 0 R
+/Prev 271 0 R
+/First 475 0 R
+/Last 519 0 R
+/Count -7
>> endobj
467 0 obj <<
/Title 468 0 R
/A 465 0 R
-/Parent 463 0 R
-/Next 479 0 R
-/First 471 0 R
-/Last 475 0 R
-/Count -2
+/Parent 451 0 R
+/Prev 463 0 R
>> endobj
463 0 obj <<
/Title 464 0 R
/A 461 0 R
-/Parent 239 0 R
-/Prev 271 0 R
-/First 467 0 R
-/Last 507 0 R
-/Count -6
+/Parent 451 0 R
+/Prev 459 0 R
+/Next 467 0 R
>> endobj
459 0 obj <<
/Title 460 0 R
/A 457 0 R
-/Parent 443 0 R
+/Parent 451 0 R
/Prev 455 0 R
+/Next 463 0 R
>> endobj
455 0 obj <<
/Title 456 0 R
/A 453 0 R
-/Parent 443 0 R
-/Prev 451 0 R
+/Parent 451 0 R
/Next 459 0 R
>> endobj
451 0 obj <<
/Title 452 0 R
/A 449 0 R
-/Parent 443 0 R
+/Parent 271 0 R
/Prev 447 0 R
-/Next 455 0 R
+/First 455 0 R
+/Last 467 0 R
+/Count -4
>> endobj
447 0 obj <<
/Title 448 0 R
/A 445 0 R
-/Parent 443 0 R
+/Parent 271 0 R
+/Prev 443 0 R
/Next 451 0 R
>> endobj
443 0 obj <<
@@ -6829,9 +10026,7 @@ endobj
/A 441 0 R
/Parent 271 0 R
/Prev 439 0 R
-/First 447 0 R
-/Last 459 0 R
-/Count -4
+/Next 447 0 R
>> endobj
439 0 obj <<
/Title 440 0 R
@@ -6865,21 +10060,20 @@ endobj
/Title 424 0 R
/A 421 0 R
/Parent 271 0 R
-/Prev 419 0 R
+/Prev 343 0 R
/Next 427 0 R
>> endobj
419 0 obj <<
/Title 420 0 R
/A 417 0 R
-/Parent 271 0 R
+/Parent 343 0 R
/Prev 415 0 R
-/Next 423 0 R
>> endobj
415 0 obj <<
/Title 416 0 R
/A 413 0 R
-/Parent 271 0 R
-/Prev 343 0 R
+/Parent 343 0 R
+/Prev 411 0 R
/Next 419 0 R
>> endobj
411 0 obj <<
@@ -6887,6 +10081,7 @@ endobj
/A 409 0 R
/Parent 343 0 R
/Prev 407 0 R
+/Next 415 0 R
>> endobj
407 0 obj <<
/Title 408 0 R
@@ -7004,10 +10199,10 @@ endobj
/A 341 0 R
/Parent 271 0 R
/Prev 339 0 R
-/Next 415 0 R
+/Next 423 0 R
/First 347 0 R
-/Last 411 0 R
-/Count -17
+/Last 419 0 R
+/Count -19
>> endobj
339 0 obj <<
/Title 340 0 R
@@ -7133,9 +10328,9 @@ endobj
/A 269 0 R
/Parent 239 0 R
/Prev 243 0 R
-/Next 463 0 R
+/Next 471 0 R
/First 275 0 R
-/Last 443 0 R
+/Last 451 0 R
/Count -24
>> endobj
267 0 obj <<
@@ -7192,11 +10387,11 @@ endobj
239 0 obj <<
/Title 240 0 R
/A 237 0 R
-/Parent 1364 0 R
+/Parent 1936 0 R
/Prev 227 0 R
-/Next 511 0 R
+/Next 523 0 R
/First 243 0 R
-/Last 463 0 R
+/Last 471 0 R
/Count -3
>> endobj
235 0 obj <<
@@ -7214,7 +10409,7 @@ endobj
227 0 obj <<
/Title 228 0 R
/A 225 0 R
-/Parent 1364 0 R
+/Parent 1936 0 R
/Prev 131 0 R
/Next 239 0 R
/First 231 0 R
@@ -7388,7 +10583,7 @@ endobj
131 0 obj <<
/Title 132 0 R
/A 129 0 R
-/Parent 1364 0 R
+/Parent 1936 0 R
/Prev 91 0 R
/Next 227 0 R
/First 135 0 R
@@ -7462,7 +10657,7 @@ endobj
91 0 obj <<
/Title 92 0 R
/A 89 0 R
-/Parent 1364 0 R
+/Parent 1936 0 R
/Prev 67 0 R
/Next 131 0 R
/First 95 0 R
@@ -7505,7 +10700,7 @@ endobj
67 0 obj <<
/Title 68 0 R
/A 65 0 R
-/Parent 1364 0 R
+/Parent 1936 0 R
/Prev 7 0 R
/Next 91 0 R
/First 71 0 R
@@ -7614,1414 +10809,1986 @@ endobj
7 0 obj <<
/Title 8 0 R
/A 5 0 R
-/Parent 1364 0 R
+/Parent 1936 0 R
/Next 67 0 R
/First 11 0 R
/Last 23 0 R
/Count -4
>> endobj
-1365 0 obj <<
-/Names [(Access_Control_Lists) 1180 0 R (Bv9ARM.ch01) 613 0 R (Bv9ARM.ch02) 667 0 R (Bv9ARM.ch03) 682 0 R (Bv9ARM.ch04) 730 0 R (Bv9ARM.ch05) 814 0 R (Bv9ARM.ch06) 826 0 R (Bv9ARM.ch07) 1179 0 R (Bv9ARM.ch08) 1198 0 R (Bv9ARM.ch09) 1213 0 R (Configuration_File_Grammar) 850 0 R (DNSSEC) 782 0 R (Doc-Start) 594 0 R (Setting_TTLs) 1143 0 R (access_control) 960 0 R (acl) 858 0 R (address_match_lists) 831 0 R (admin_tools) 704 0 R (appendix.A) 554 0 R (bibliography) 1225 0 R (boolean_options) 736 0 R (builtin) 1022 0 R (chapter.1) 6 0 R (chapter.2) 66 0 R (chapter.3) 90 0 R (chapter.4) 130 0 R (chapter.5) 226 0 R (chapter.6) 238 0 R (chapter.7) 510 0 R (chapter.8) 534 0 R (cite.RFC1034) 1241 0 R (cite.RFC1035) 1243 0 R (cite.RFC1101) 1299 0 R (cite.RFC1123) 1301 0 R (cite.RFC1183) 1278 0 R (cite.RFC1464) 1319 0 R (cite.RFC1535) 1270 0 R (cite.RFC1536) 1272 0 R (cite.RFC1537) 1309 0 R (cite.RFC1591) 1303 0 R (cite.RFC1706) 1280 0 R (cite.RFC1712) 1333 0 R (cite.RFC1713) 1321 0 R (cite.RFC1794) 1323 0 R (cite.RFC1876) 1282 0 R (cite.RFC1886) 1262 0 R (cite.RFC1912) 1311 0 R (cite.RFC1982) 1274 0 R (cite.RFC1995) 1248 0 R (cite.RFC1996) 1250 0 R (cite.RFC2010) 1313 0 R (cite.RFC2052) 1289 0 R (cite.RFC2065) 1264 0 R (cite.RFC2136) 1252 0 R (cite.RFC2137) 1266 0 R (cite.RFC2163) 1291 0 R (cite.RFC2168) 1293 0 R (cite.RFC2181) 1254 0 R (cite.RFC2219) 1315 0 R (cite.RFC2230) 1295 0 R (cite.RFC2240) 1325 0 R (cite.RFC2308) 1256 0 R (cite.RFC2317) 1305 0 R (cite.RFC2345) 1327 0 R (cite.RFC2352) 1329 0 R (cite.RFC2845) 1258 0 R (cite.RFC974) 1245 0 R (cite.id2492168) 1342 0 R (configuration_file_elements) 827 0 R (controls_statement_definition_and_usage) 718 0 R (diagnostic_tools) 655 0 R (dynamic_update) 734 0 R (dynamic_update_policies) 774 0 R (dynamic_update_security) 969 0 R (historical_dns_information) 1220 0 R (id2465089) 615 0 R (id2465144) 614 0 R (id2466440) 619 0 R (id2466449) 620 0 R (id2467046) 684 0 R (id2467062) 685 0 R (id2467084) 690 0 R (id2467101) 691 0 R (id2467443) 635 0 R (id2467586) 637 0 R (id2467606) 638 0 R (id2467728) 994 0 R (id2467914) 639 0 R (id2467998) 642 0 R (id2468073) 649 0 R (id2468096) 652 0 R (id2468117) 653 0 R (id2468136) 654 0 R (id2468165) 660 0 R (id2468333) 661 0 R (id2468359) 662 0 R (id2468459) 668 0 R (id2468484) 669 0 R (id2468494) 670 0 R (id2468508) 671 0 R (id2468517) 677 0 R (id2469143) 694 0 R (id2469148) 695 0 R (id2470313) 723 0 R (id2470325) 724 0 R (id2470669) 745 0 R (id2471232) 761 0 R (id2471248) 762 0 R (id2471282) 763 0 R (id2471298) 769 0 R (id2471306) 770 0 R (id2471414) 771 0 R (id2471466) 772 0 R (id2471510) 779 0 R (id2471524) 780 0 R (id2471573) 781 0 R (id2471776) 787 0 R (id2471843) 788 0 R (id2471986) 789 0 R (id2472123) 805 0 R (id2472250) 807 0 R (id2472270) 808 0 R (id2472371) 815 0 R (id2472509) 828 0 R (id2473074) 836 0 R (id2473100) 837 0 R (id2473262) 842 0 R (id2473277) 843 0 R (id2473306) 844 0 R (id2473520) 851 0 R (id2473816) 857 0 R (id2473858) 859 0 R (id2474053) 861 0 R (id2474330) 869 0 R (id2474345) 870 0 R (id2474368) 871 0 R (id2474389) 872 0 R (id2474460) 881 0 R (id2474586) 882 0 R (id2474707) 883 0 R (id2475401) 898 0 R (id2475861) 904 0 R (id2476002) 905 0 R (id2476133) 913 0 R (id2476177) 914 0 R (id2476192) 915 0 R (id2477760) 935 0 R (id2478765) 957 0 R (id2478816) 959 0 R (id2479131) 968 0 R (id2479288) 974 0 R (id2479898) 986 0 R (id2479914) 992 0 R (id2482177) 1000 0 R (id2482583) 1014 0 R (id2483049) 1029 0 R (id2483880) 1043 0 R (id2483928) 1044 0 R (id2484078) 1046 0 R (id2485225) 1059 0 R (id2485232) 1060 0 R (id2485236) 1061 0 R (id2485538) 1072 0 R (id2485569) 1073 0 R (id2486536) 1106 0 R (id2486695) 1112 0 R (id2486713) 1113 0 R (id2486734) 1116 0 R (id2486874) 1118 0 R (id2487525) 1124 0 R (id2487634) 1130 0 R (id2487792) 1131 0 R (id2488012) 1138 0 R (id2488128) 1140 0 R (id2488146) 1141 0 R (id2488519) 1144 0 R (id2488625) 1150 0 R (id2488638) 1151 0 R (id2488798) 1153 0 R (id2488818) 1154 0 R (id2488873) 1158 0 R (id2488936) 1163 0 R (id2488967) 1164 0 R (id2489028) 1165 0 R (id2489356) 1191 0 R (id2489500) 1192 0 R (id2489694) 1193 0 R (id2489765) 1199 0 R (id2489770) 1200 0 R (id2489782) 1201 0 R (id2489799) 1202 0 R (id2489929) 1214 0 R (id2489934) 1215 0 R (id2490057) 1221 0 R (id2490369) 1223 0 R (id2490713) 1237 0 R (id2490715) 1239 0 R (id2490724) 1244 0 R (id2490747) 1240 0 R (id2490771) 1242 0 R (id2490808) 1253 0 R (id2490834) 1255 0 R (id2490859) 1247 0 R (id2490884) 1249 0 R (id2490907) 1251 0 R (id2490963) 1257 0 R (id2491024) 1260 0 R (id2491038) 1261 0 R (id2491077) 1263 0 R (id2491116) 1265 0 R (id2491144) 1268 0 R (id2491153) 1269 0 R (id2491178) 1271 0 R (id2491245) 1273 0 R (id2491282) 1276 0 R (id2491287) 1277 0 R (id2491345) 1279 0 R (id2491382) 1292 0 R (id2491417) 1281 0 R (id2491472) 1288 0 R (id2491511) 1290 0 R (id2491538) 1294 0 R (id2491564) 1297 0 R (id2491572) 1298 0 R (id2491597) 1300 0 R (id2491621) 1302 0 R (id2491642) 1304 0 R (id2491689) 1307 0 R (id2491697) 1308 0 R (id2491722) 1310 0 R (id2491749) 1312 0 R (id2491785) 1314 0 R (id2491825) 1317 0 R (id2491845) 1318 0 R (id2491867) 1320 0 R (id2491960) 1322 0 R (id2491985) 1324 0 R (id2492007) 1326 0 R (id2492053) 1328 0 R (id2492077) 1331 0 R (id2492084) 1332 0 R (id2492156) 1339 0 R (id2492166) 1341 0 R (id2492168) 1343 0 R (incremental_zone_transfers) 742 0 R (internet_drafts) 1334 0 R (ipv6addresses) 809 0 R (journal) 735 0 R (lwresd) 816 0 R (notify) 731 0 R (options) 924 0 R (page.1) 593 0 R (page.10) 689 0 R (page.11) 700 0 R (page.12) 708 0 R (page.13) 715 0 R (page.14) 722 0 R (page.15) 729 0 R (page.16) 741 0 R (page.17) 750 0 R (page.18) 755 0 R (page.19) 759 0 R (page.2) 605 0 R (page.20) 768 0 R (page.21) 778 0 R (page.22) 786 0 R (page.23) 794 0 R (page.24) 804 0 R (page.25) 813 0 R (page.26) 821 0 R (page.27) 825 0 R (page.28) 835 0 R (page.29) 841 0 R (page.3) 612 0 R (page.30) 849 0 R (page.31) 856 0 R (page.32) 866 0 R (page.33) 880 0 R (page.34) 887 0 R (page.35) 891 0 R (page.36) 897 0 R (page.37) 903 0 R (page.38) 912 0 R (page.39) 919 0 R (page.4) 631 0 R (page.40) 923 0 R (page.41) 928 0 R (page.42) 934 0 R (page.43) 940 0 R (page.44) 952 0 R (page.45) 956 0 R (page.46) 966 0 R (page.47) 973 0 R (page.48) 981 0 R (page.49) 985 0 R (page.5) 648 0 R (page.50) 991 0 R (page.51) 999 0 R (page.52) 1005 0 R (page.53) 1012 0 R (page.54) 1019 0 R (page.55) 1028 0 R (page.56) 1035 0 R (page.57) 1041 0 R (page.58) 1050 0 R (page.59) 1054 0 R (page.6) 659 0 R (page.60) 1058 0 R (page.61) 1066 0 R (page.62) 1071 0 R (page.63) 1083 0 R (page.64) 1098 0 R (page.65) 1111 0 R (page.66) 1123 0 R (page.67) 1128 0 R (page.68) 1137 0 R (page.69) 1149 0 R (page.7) 666 0 R (page.70) 1162 0 R (page.71) 1170 0 R (page.72) 1174 0 R (page.73) 1178 0 R (page.74) 1187 0 R (page.75) 1197 0 R (page.76) 1208 0 R (page.77) 1212 0 R (page.78) 1219 0 R (page.79) 1232 0 R (page.8) 676 0 R (page.80) 1287 0 R (page.81) 1338 0 R (page.9) 681 0 R (proposed_standards) 746 0 R (rfcs) 644 0 R (rndc) 876 0 R (rrset_ordering) 696 0 R (sample_configuration) 683 0 R (section*.1) 1236 0 R (section*.10) 1330 0 R (section*.11) 1340 0 R (section*.2) 1238 0 R (section*.3) 1246 0 R (section*.4) 1259 0 R (section*.5) 1267 0 R (section*.6) 1275 0 R (section*.7) 1296 0 R (section*.8) 1306 0 R (section*.9) 1316 0 R (section.1.1) 10 0 R (section.1.2) 14 0 R (section.1.3) 18 0 R (section.1.4) 22 0 R (section.2.1) 70 0 R (section.2.2) 74 0 R (section.2.3) 78 0 R (section.2.4) 82 0 R (section.2.5) 86 0 R (section.3.1) 94 0 R (section.3.2) 106 0 R (section.3.3) 110 0 R (section.4.1) 134 0 R (section.4.2) 138 0 R (section.4.3) 146 0 R (section.4.4) 150 0 R (section.4.5) 154 0 R (section.4.6) 190 0 R (section.4.7) 194 0 R (section.4.8) 198 0 R (section.4.9) 214 0 R (section.5.1) 230 0 R (section.5.2) 234 0 R (section.6.1) 242 0 R (section.6.2) 270 0 R (section.6.3) 462 0 R (section.7.1) 514 0 R (section.7.2) 518 0 R (section.7.3) 530 0 R (section.8.1) 538 0 R (section.8.2) 546 0 R (section.8.3) 550 0 R (section.A.1) 558 0 R (section.A.2) 566 0 R (section.A.3) 574 0 R (server_statement_definition_and_usage) 948 0 R (server_statement_grammar) 1036 0 R (statsfile) 930 0 R (subsection.1.4.1) 26 0 R (subsection.1.4.2) 30 0 R (subsection.1.4.3) 34 0 R (subsection.1.4.4) 38 0 R (subsection.1.4.5) 54 0 R (subsection.1.4.6) 62 0 R (subsection.3.1.1) 98 0 R (subsection.3.1.2) 102 0 R (subsection.3.3.1) 114 0 R (subsection.3.3.2) 126 0 R (subsection.4.2.1) 142 0 R (subsection.4.5.1) 158 0 R (subsection.4.5.2) 170 0 R (subsection.4.5.3) 174 0 R (subsection.4.5.4) 178 0 R (subsection.4.5.5) 182 0 R (subsection.4.5.6) 186 0 R (subsection.4.8.1) 202 0 R (subsection.4.8.2) 206 0 R (subsection.4.8.3) 210 0 R (subsection.4.9.1) 218 0 R (subsection.4.9.2) 222 0 R (subsection.6.1.1) 246 0 R (subsection.6.1.2) 258 0 R (subsection.6.2.1) 274 0 R (subsection.6.2.10) 310 0 R (subsection.6.2.11) 322 0 R (subsection.6.2.12) 326 0 R (subsection.6.2.13) 330 0 R (subsection.6.2.14) 334 0 R (subsection.6.2.15) 338 0 R (subsection.6.2.16) 342 0 R (subsection.6.2.17) 414 0 R (subsection.6.2.18) 418 0 R (subsection.6.2.19) 422 0 R (subsection.6.2.2) 278 0 R (subsection.6.2.20) 426 0 R (subsection.6.2.21) 430 0 R (subsection.6.2.22) 434 0 R (subsection.6.2.23) 438 0 R (subsection.6.2.24) 442 0 R (subsection.6.2.3) 282 0 R (subsection.6.2.4) 286 0 R (subsection.6.2.5) 290 0 R (subsection.6.2.6) 294 0 R (subsection.6.2.7) 298 0 R (subsection.6.2.8) 302 0 R (subsection.6.2.9) 306 0 R (subsection.6.3.1) 466 0 R (subsection.6.3.2) 478 0 R (subsection.6.3.3) 482 0 R (subsection.6.3.4) 486 0 R (subsection.6.3.5) 490 0 R (subsection.6.3.6) 506 0 R (subsection.7.2.1) 522 0 R (subsection.7.2.2) 526 0 R (subsection.8.1.1) 542 0 R (subsection.A.1.1) 562 0 R (subsection.A.2.1) 570 0 R (subsection.A.3.1) 578 0 R (subsection.A.3.2) 582 0 R (subsection.A.3.3) 586 0 R (subsubsection.1.4.4.1) 42 0 R (subsubsection.1.4.4.2) 46 0 R (subsubsection.1.4.4.3) 50 0 R (subsubsection.1.4.5.1) 58 0 R (subsubsection.3.3.1.1) 118 0 R (subsubsection.3.3.1.2) 122 0 R (subsubsection.4.5.1.1) 162 0 R (subsubsection.4.5.1.2) 166 0 R (subsubsection.6.1.1.1) 250 0 R (subsubsection.6.1.1.2) 254 0 R (subsubsection.6.1.2.1) 262 0 R (subsubsection.6.1.2.2) 266 0 R (subsubsection.6.2.10.1) 314 0 R (subsubsection.6.2.10.2) 318 0 R (subsubsection.6.2.16.1) 346 0 R (subsubsection.6.2.16.10) 382 0 R (subsubsection.6.2.16.11) 386 0 R (subsubsection.6.2.16.12) 390 0 R (subsubsection.6.2.16.13) 394 0 R (subsubsection.6.2.16.14) 398 0 R (subsubsection.6.2.16.15) 402 0 R (subsubsection.6.2.16.16) 406 0 R (subsubsection.6.2.16.17) 410 0 R (subsubsection.6.2.16.2) 350 0 R (subsubsection.6.2.16.3) 354 0 R (subsubsection.6.2.16.4) 358 0 R (subsubsection.6.2.16.5) 362 0 R (subsubsection.6.2.16.6) 366 0 R (subsubsection.6.2.16.7) 370 0 R (subsubsection.6.2.16.8) 374 0 R (subsubsection.6.2.16.9) 378 0 R (subsubsection.6.2.24.1) 446 0 R (subsubsection.6.2.24.2) 450 0 R (subsubsection.6.2.24.3) 454 0 R (subsubsection.6.2.24.4) 458 0 R (subsubsection.6.3.1.1) 470 0 R (subsubsection.6.3.1.2) 474 0 R (subsubsection.6.3.5.1) 494 0 R (subsubsection.6.3.5.2) 498 0 R (subsubsection.6.3.5.3) 502 0 R (table.1.1) 621 0 R (table.1.2) 636 0 R (table.3.1) 692 0 R (table.3.2) 725 0 R (table.6.1) 829 0 R (table.6.10) 1117 0 R (table.6.11) 1119 0 R (table.6.12) 1129 0 R (table.6.13) 1132 0 R (table.6.14) 1139 0 R (table.6.15) 1142 0 R (table.6.16) 1145 0 R (table.6.17) 1152 0 R (table.6.18) 1166 0 R (table.6.2) 852 0 R (table.6.3) 860 0 R (table.6.4) 899 0 R (table.6.5) 936 0 R (table.6.6) 1015 0 R (table.6.7) 1030 0 R (table.6.8) 1062 0 R (table.6.9) 1107 0 R (table.A.1) 1222 0 R (table.A.2) 1224 0 R (the_category_phrase) 893 0 R (the_sortlist_statement) 1006 0 R (topology) 1001 0 R (tsig) 760 0 R (tuning) 1020 0 R (types_of_resource_records_and_when_to_use_them) 643 0 R (view_statement_grammar) 1024 0 R (zone_statement_grammar) 962 0 R (zone_transfers) 737 0 R]
-/Limits [(Access_Control_Lists) (zone_transfers)]
+1937 0 obj <<
+/Names [(Access_Control_Lists) 1470 0 R (Bv9ARM.ch01) 869 0 R (Bv9ARM.ch02) 918 0 R (Bv9ARM.ch03) 935 0 R (Bv9ARM.ch04) 984 0 R (Bv9ARM.ch05) 1071 0 R (Bv9ARM.ch06) 1082 0 R (Bv9ARM.ch07) 1469 0 R (Bv9ARM.ch08) 1495 0 R (Bv9ARM.ch09) 1510 0 R (Bv9ARM.ch10) 1732 0 R (Configuration_File_Grammar) 1107 0 R (DNSSEC) 1050 0 R (Doc-Start) 651 0 R (Setting_TTLs) 1435 0 R (acache) 925 0 R (access_control) 1225 0 R (acl) 1115 0 R (address_match_lists) 1088 0 R (admin_tools) 958 0 R (appendix.A) 566 0 R (appendix.B) 602 0 R (bibliography) 1518 0 R (boolean_options) 1000 0 R (builtin) 1294 0 R (chapter*.1) 686 0 R (chapter.1) 6 0 R (chapter.2) 66 0 R (chapter.3) 90 0 R (chapter.4) 130 0 R (chapter.5) 226 0 R (chapter.6) 238 0 R (chapter.7) 522 0 R (chapter.8) 546 0 R (cite.RFC1033) 1642 0 R (cite.RFC1034) 1526 0 R (cite.RFC1035) 1528 0 R (cite.RFC1101) 1628 0 R (cite.RFC1123) 1630 0 R (cite.RFC1183) 1585 0 R (cite.RFC1464) 1668 0 R (cite.RFC1535) 1575 0 R (cite.RFC1536) 1577 0 R (cite.RFC1537) 1644 0 R (cite.RFC1591) 1632 0 R (cite.RFC1706) 1587 0 R (cite.RFC1712) 1689 0 R (cite.RFC1713) 1670 0 R (cite.RFC1794) 1672 0 R (cite.RFC1876) 1589 0 R (cite.RFC1912) 1646 0 R (cite.RFC1982) 1579 0 R (cite.RFC1995) 1533 0 R (cite.RFC1996) 1535 0 R (cite.RFC2010) 1648 0 R (cite.RFC2052) 1591 0 R (cite.RFC2065) 1697 0 R (cite.RFC2136) 1541 0 R (cite.RFC2137) 1699 0 R (cite.RFC2163) 1598 0 R (cite.RFC2168) 1600 0 R (cite.RFC2181) 1543 0 R (cite.RFC2219) 1650 0 R (cite.RFC2230) 1602 0 R (cite.RFC2240) 1674 0 R (cite.RFC2308) 1545 0 R (cite.RFC2317) 1634 0 R (cite.RFC2345) 1676 0 R (cite.RFC2352) 1678 0 R (cite.RFC2535) 1701 0 R (cite.RFC2536) 1604 0 R (cite.RFC2537) 1606 0 R (cite.RFC2538) 1608 0 R (cite.RFC2539) 1610 0 R (cite.RFC2540) 1612 0 R (cite.RFC2671) 1547 0 R (cite.RFC2672) 1549 0 R (cite.RFC2673) 1691 0 R (cite.RFC2782) 1614 0 R (cite.RFC2825) 1658 0 R (cite.RFC2826) 1636 0 R (cite.RFC2845) 1551 0 R (cite.RFC2874) 1693 0 R (cite.RFC2915) 1616 0 R (cite.RFC2929) 1638 0 R (cite.RFC2930) 1553 0 R (cite.RFC2931) 1555 0 R (cite.RFC3007) 1557 0 R (cite.RFC3008) 1703 0 R (cite.RFC3071) 1681 0 R (cite.RFC3090) 1705 0 R (cite.RFC3110) 1618 0 R (cite.RFC3123) 1620 0 R (cite.RFC3225) 1563 0 R (cite.RFC3258) 1683 0 R (cite.RFC3445) 1707 0 R (cite.RFC3490) 1660 0 R (cite.RFC3491) 1662 0 R (cite.RFC3492) 1664 0 R (cite.RFC3596) 1622 0 R (cite.RFC3597) 1624 0 R (cite.RFC3645) 1559 0 R (cite.RFC3655) 1713 0 R (cite.RFC3658) 1715 0 R (cite.RFC3755) 1717 0 R (cite.RFC3757) 1719 0 R (cite.RFC3833) 1565 0 R (cite.RFC3845) 1721 0 R (cite.RFC3901) 1685 0 R (cite.RFC4033) 1567 0 R (cite.RFC4035) 1569 0 R (cite.RFC4044) 1571 0 R (cite.RFC4074) 1581 0 R (cite.RFC974) 1530 0 R (cite.id2499275) 1726 0 R (configuration_file_elements) 1083 0 R (controls_statement_definition_and_usage) 971 0 R (diagnostic_tools) 906 0 R (dynamic_update) 994 0 R (dynamic_update_policies) 1045 0 R (dynamic_update_security) 1229 0 R (empty) 1296 0 R (historical_dns_information) 1512 0 R (id2465026) 870 0 R (id2467301) 871 0 R (id2467572) 875 0 R (id2467581) 876 0 R (id2467713) 886 0 R (id2467890) 888 0 R (id2467911) 889 0 R (id2467945) 890 0 R (id2468029) 893 0 R (id2470291) 900 0 R (id2470314) 903 0 R (id2470344) 904 0 R (id2470434) 905 0 R (id2470464) 911 0 R (id2470499) 912 0 R (id2470594) 913 0 R (id2470628) 919 0 R (id2470654) 920 0 R (id2470667) 921 0 R (id2470693) 924 0 R (id2470704) 930 0 R (id2470872) 937 0 R (id2470888) 938 0 R (id2470910) 944 0 R (id2470997) 945 0 R (id2471334) 948 0 R (id2471339) 949 0 R (id2472978) 976 0 R (id2472989) 977 0 R (id2473299) 1009 0 R (id2473818) 1025 0 R (id2473835) 1026 0 R (id2473874) 1031 0 R (id2473892) 1032 0 R (id2473902) 1033 0 R (id2474010) 1034 0 R (id2474068) 1035 0 R (id2474113) 1041 0 R (id2474195) 1042 0 R (id2474244) 1043 0 R (id2474449) 1051 0 R (id2474518) 1052 0 R (id2474597) 1057 0 R (id2474808) 1062 0 R (id2474870) 1064 0 R (id2474960) 1065 0 R (id2474993) 1072 0 R (id2475208) 1084 0 R (id2476001) 1093 0 R (id2476028) 1094 0 R (id2476203) 1099 0 R (id2476218) 1100 0 R (id2476248) 1101 0 R (id2476331) 1108 0 R (id2476747) 1114 0 R (id2476858) 1116 0 R (id2477005) 1118 0 R (id2477366) 1125 0 R (id2477381) 1126 0 R (id2477404) 1127 0 R (id2477426) 1128 0 R (id2477585) 1137 0 R (id2477779) 1138 0 R (id2477831) 1144 0 R (id2478456) 1155 0 R (id2479266) 1161 0 R (id2479339) 1162 0 R (id2479403) 1169 0 R (id2479447) 1170 0 R (id2479462) 1171 0 R (id2481444) 1192 0 R (id2483414) 1218 0 R (id2483541) 1224 0 R (id2483880) 1235 0 R (id2484037) 1240 0 R (id2484784) 1249 0 R (id2484798) 1255 0 R (id2484982) 1257 0 R (id2485184) 1263 0 R (id2485614) 1277 0 R (id2486968) 1307 0 R (id2487888) 1324 0 R (id2488005) 1325 0 R (id2488085) 1327 0 R (id2489456) 1345 0 R (id2489463) 1346 0 R (id2489468) 1347 0 R (id2489950) 1353 0 R (id2489984) 1354 0 R (id2491390) 1399 0 R (id2491648) 1405 0 R (id2491666) 1406 0 R (id2491686) 1409 0 R (id2491923) 1411 0 R (id2492952) 1417 0 R (id2493148) 1423 0 R (id2493238) 1424 0 R (id2493532) 1426 0 R (id2493669) 1432 0 R (id2493691) 1433 0 R (id2494232) 1436 0 R (id2494357) 1442 0 R (id2494372) 1443 0 R (id2494484) 1445 0 R (id2494506) 1446 0 R (id2494567) 1447 0 R (id2494705) 1453 0 R (id2494741) 1454 0 R (id2494803) 1455 0 R (id2495349) 1479 0 R (id2495562) 1480 0 R (id2495622) 1481 0 R (id2495770) 1496 0 R (id2495776) 1497 0 R (id2495787) 1498 0 R (id2495804) 1499 0 R (id2495866) 1511 0 R (id2495960) 1517 0 R (id2496148) 1522 0 R (id2496150) 1524 0 R (id2496158) 1529 0 R (id2496182) 1525 0 R (id2496205) 1527 0 R (id2496242) 1542 0 R (id2496268) 1544 0 R (id2496294) 1532 0 R (id2496318) 1534 0 R (id2496342) 1540 0 R (id2496397) 1546 0 R (id2496424) 1548 0 R (id2496451) 1550 0 R (id2496513) 1552 0 R (id2496542) 1554 0 R (id2496572) 1556 0 R (id2496599) 1558 0 R (id2496674) 1561 0 R (id2496681) 1562 0 R (id2496708) 1564 0 R (id2496744) 1566 0 R (id2496809) 1570 0 R (id2496874) 1568 0 R (id2497008) 1573 0 R (id2497016) 1574 0 R (id2497042) 1576 0 R (id2497110) 1578 0 R (id2497145) 1580 0 R (id2497186) 1583 0 R (id2497191) 1584 0 R (id2497317) 1586 0 R (id2497354) 1599 0 R (id2497389) 1588 0 R (id2497444) 1590 0 R (id2497482) 1597 0 R (id2497508) 1601 0 R (id2497533) 1603 0 R (id2497560) 1605 0 R (id2497587) 1607 0 R (id2497626) 1609 0 R (id2497656) 1611 0 R (id2497686) 1613 0 R (id2497729) 1615 0 R (id2497762) 1617 0 R (id2497788) 1619 0 R (id2497812) 1621 0 R (id2497869) 1623 0 R (id2497894) 1626 0 R (id2497901) 1627 0 R (id2497927) 1629 0 R (id2497949) 1631 0 R (id2497973) 1633 0 R (id2498019) 1635 0 R (id2498042) 1637 0 R (id2498092) 1640 0 R (id2498100) 1641 0 R (id2498123) 1643 0 R (id2498150) 1645 0 R (id2498177) 1647 0 R (id2498213) 1649 0 R (id2498253) 1656 0 R (id2498259) 1657 0 R (id2498291) 1659 0 R (id2498337) 1661 0 R (id2498372) 1663 0 R (id2498398) 1666 0 R (id2498417) 1667 0 R (id2498507) 1669 0 R (id2498533) 1671 0 R (id2498558) 1673 0 R (id2498582) 1675 0 R (id2498628) 1677 0 R (id2498651) 1680 0 R (id2498678) 1682 0 R (id2498704) 1684 0 R (id2498740) 1679 0 R (id2498764) 1687 0 R (id2498771) 1688 0 R (id2498828) 1690 0 R (id2498855) 1692 0 R (id2498891) 1695 0 R (id2498903) 1696 0 R (id2498942) 1698 0 R (id2498969) 1700 0 R (id2498999) 1702 0 R (id2499025) 1704 0 R (id2499051) 1706 0 R (id2499088) 1712 0 R (id2499124) 1714 0 R (id2499150) 1716 0 R (id2499177) 1718 0 R (id2499222) 1720 0 R (id2499264) 1723 0 R (id2499273) 1725 0 R (id2499275) 1727 0 R (incremental_zone_transfers) 1006 0 R (internet_drafts) 1722 0 R (ipv6addresses) 1066 0 R (journal) 995 0 R (lwresd) 1073 0 R (man.dig) 1733 0 R (man.dnssec-keygen) 1781 0 R (man.dnssec-signzone) 1799 0 R (man.host) 1766 0 R (man.named) 1848 0 R (man.named-checkconf) 1819 0 R (man.named-checkzone) 1831 0 R (man.rndc) 1870 0 R (man.rndc-confgen) 1899 0 R (man.rndc.conf) 1882 0 R (notify) 985 0 R (options) 1181 0 R (page.1) 650 0 R (page.10) 910 0 R (page.100) 1761 0 R (page.101) 1773 0 R (page.102) 1777 0 R (page.103) 1789 0 R (page.104) 1795 0 R (page.105) 1806 0 R (page.106) 1811 0 R (page.107) 1816 0 R (page.108) 1828 0 R (page.109) 1839 0 R (page.11) 917 0 R (page.110) 1844 0 R (page.111) 1856 0 R (page.112) 1860 0 R (page.113) 1868 0 R (page.114) 1878 0 R (page.115) 1889 0 R (page.116) 1895 0 R (page.117) 1906 0 R (page.118) 1912 0 R (page.12) 929 0 R (page.13) 934 0 R (page.14) 943 0 R (page.15) 954 0 R (page.16) 962 0 R (page.17) 969 0 R (page.18) 975 0 R (page.19) 983 0 R (page.2) 675 0 R (page.20) 1005 0 R (page.21) 1014 0 R (page.22) 1019 0 R (page.23) 1023 0 R (page.24) 1030 0 R (page.25) 1039 0 R (page.26) 1049 0 R (page.27) 1056 0 R (page.28) 1061 0 R (page.29) 1070 0 R (page.3) 685 0 R (page.30) 1077 0 R (page.31) 1081 0 R (page.32) 1092 0 R (page.33) 1098 0 R (page.34) 1106 0 R (page.35) 1113 0 R (page.36) 1122 0 R (page.37) 1135 0 R (page.38) 1143 0 R (page.39) 1148 0 R (page.4) 740 0 R (page.40) 1154 0 R (page.41) 1160 0 R (page.42) 1168 0 R (page.43) 1175 0 R (page.44) 1180 0 R (page.45) 1185 0 R (page.46) 1191 0 R (page.47) 1197 0 R (page.48) 1202 0 R (page.49) 1212 0 R (page.5) 804 0 R (page.50) 1217 0 R (page.51) 1222 0 R (page.52) 1233 0 R (page.53) 1239 0 R (page.54) 1244 0 R (page.55) 1248 0 R (page.56) 1254 0 R (page.57) 1262 0 R (page.58) 1268 0 R (page.59) 1275 0 R (page.6) 864 0 R (page.60) 1283 0 R (page.61) 1290 0 R (page.62) 1302 0 R (page.63) 1306 0 R (page.64) 1312 0 R (page.65) 1317 0 R (page.66) 1322 0 R (page.67) 1331 0 R (page.68) 1336 0 R (page.69) 1340 0 R (page.7) 868 0 R (page.70) 1344 0 R (page.71) 1352 0 R (page.72) 1364 0 R (page.73) 1375 0 R (page.74) 1398 0 R (page.75) 1404 0 R (page.76) 1416 0 R (page.77) 1422 0 R (page.78) 1430 0 R (page.79) 1441 0 R (page.8) 885 0 R (page.80) 1452 0 R (page.81) 1460 0 R (page.82) 1464 0 R (page.83) 1468 0 R (page.84) 1474 0 R (page.85) 1485 0 R (page.86) 1490 0 R (page.87) 1494 0 R (page.88) 1505 0 R (page.89) 1509 0 R (page.9) 899 0 R (page.90) 1516 0 R (page.91) 1539 0 R (page.92) 1596 0 R (page.93) 1654 0 R (page.94) 1711 0 R (page.95) 1731 0 R (page.96) 1740 0 R (page.97) 1746 0 R (page.98) 1752 0 R (page.99) 1756 0 R (proposed_standards) 1010 0 R (rfcs) 895 0 R (rndc) 1131 0 R (rrset_ordering) 950 0 R (sample_configuration) 936 0 R (section*.10) 1655 0 R (section*.11) 1665 0 R (section*.12) 1686 0 R (section*.13) 1694 0 R (section*.14) 1724 0 R (section*.15) 1734 0 R (section*.16) 1735 0 R (section*.17) 1736 0 R (section*.18) 1741 0 R (section*.19) 1742 0 R (section*.2) 1521 0 R (section*.20) 1747 0 R (section*.21) 1757 0 R (section*.22) 1762 0 R (section*.23) 1763 0 R (section*.24) 1764 0 R (section*.25) 1765 0 R (section*.26) 1767 0 R (section*.27) 1768 0 R (section*.28) 1769 0 R (section*.29) 1778 0 R (section*.3) 1523 0 R (section*.30) 1779 0 R (section*.31) 1780 0 R (section*.32) 1782 0 R (section*.33) 1783 0 R (section*.34) 1784 0 R (section*.35) 1785 0 R (section*.36) 1790 0 R (section*.37) 1796 0 R (section*.38) 1797 0 R (section*.39) 1798 0 R (section*.4) 1531 0 R (section*.40) 1800 0 R (section*.41) 1801 0 R (section*.42) 1802 0 R (section*.43) 1807 0 R (section*.44) 1812 0 R (section*.45) 1817 0 R (section*.46) 1818 0 R (section*.47) 1820 0 R (section*.48) 1821 0 R (section*.49) 1822 0 R (section*.5) 1560 0 R (section*.50) 1823 0 R (section*.51) 1824 0 R (section*.52) 1829 0 R (section*.53) 1830 0 R (section*.54) 1832 0 R (section*.55) 1833 0 R (section*.56) 1834 0 R (section*.57) 1835 0 R (section*.58) 1845 0 R (section*.59) 1846 0 R (section*.6) 1572 0 R (section*.60) 1847 0 R (section*.61) 1849 0 R (section*.62) 1850 0 R (section*.63) 1851 0 R (section*.64) 1852 0 R (section*.65) 1861 0 R (section*.66) 1862 0 R (section*.67) 1863 0 R (section*.68) 1864 0 R (section*.69) 1869 0 R (section*.7) 1582 0 R (section*.70) 1871 0 R (section*.71) 1872 0 R (section*.72) 1873 0 R (section*.73) 1874 0 R (section*.74) 1879 0 R (section*.75) 1880 0 R (section*.76) 1881 0 R (section*.77) 1883 0 R (section*.78) 1884 0 R (section*.79) 1885 0 R (section*.8) 1625 0 R (section*.80) 1890 0 R (section*.81) 1896 0 R (section*.82) 1897 0 R (section*.83) 1898 0 R (section*.84) 1900 0 R (section*.85) 1901 0 R (section*.86) 1902 0 R (section*.87) 1907 0 R (section*.88) 1908 0 R (section*.89) 1913 0 R (section*.9) 1639 0 R (section*.90) 1914 0 R (section.1.1) 10 0 R (section.1.2) 14 0 R (section.1.3) 18 0 R (section.1.4) 22 0 R (section.2.1) 70 0 R (section.2.2) 74 0 R (section.2.3) 78 0 R (section.2.4) 82 0 R (section.2.5) 86 0 R (section.3.1) 94 0 R (section.3.2) 106 0 R (section.3.3) 110 0 R (section.4.1) 134 0 R (section.4.2) 138 0 R (section.4.3) 146 0 R (section.4.4) 150 0 R (section.4.5) 154 0 R (section.4.6) 190 0 R (section.4.7) 194 0 R (section.4.8) 198 0 R (section.4.9) 214 0 R (section.5.1) 230 0 R (section.5.2) 234 0 R (section.6.1) 242 0 R (section.6.2) 270 0 R (section.6.3) 470 0 R (section.7.1) 526 0 R (section.7.2) 530 0 R (section.7.3) 542 0 R (section.8.1) 550 0 R (section.8.2) 558 0 R (section.8.3) 562 0 R (section.A.1) 570 0 R (section.A.2) 578 0 R (section.A.3) 586 0 R (section.B.1) 606 0 R (section.B.10) 642 0 R (section.B.2) 610 0 R (section.B.3) 614 0 R (section.B.4) 618 0 R (section.B.5) 622 0 R (section.B.6) 626 0 R (section.B.7) 630 0 R (section.B.8) 634 0 R (section.B.9) 638 0 R (server_statement_definition_and_usage) 1208 0 R (server_statement_grammar) 1313 0 R (statsfile) 1187 0 R (subsection.1.4.1) 26 0 R (subsection.1.4.2) 30 0 R (subsection.1.4.3) 34 0 R (subsection.1.4.4) 38 0 R (subsection.1.4.5) 54 0 R (subsection.1.4.6) 62 0 R (subsection.3.1.1) 98 0 R (subsection.3.1.2) 102 0 R (subsection.3.3.1) 114 0 R (subsection.3.3.2) 126 0 R (subsection.4.2.1) 142 0 R (subsection.4.5.1) 158 0 R (subsection.4.5.2) 170 0 R (subsection.4.5.3) 174 0 R (subsection.4.5.4) 178 0 R (subsection.4.5.5) 182 0 R (subsection.4.5.6) 186 0 R (subsection.4.8.1) 202 0 R (subsection.4.8.2) 206 0 R (subsection.4.8.3) 210 0 R (subsection.4.9.1) 218 0 R (subsection.4.9.2) 222 0 R (subsection.6.1.1) 246 0 R (subsection.6.1.2) 258 0 R (subsection.6.2.1) 274 0 R (subsection.6.2.10) 310 0 R (subsection.6.2.11) 322 0 R (subsection.6.2.12) 326 0 R (subsection.6.2.13) 330 0 R (subsection.6.2.14) 334 0 R (subsection.6.2.15) 338 0 R (subsection.6.2.16) 342 0 R (subsection.6.2.17) 422 0 R (subsection.6.2.18) 426 0 R (subsection.6.2.19) 430 0 R (subsection.6.2.2) 278 0 R (subsection.6.2.20) 434 0 R (subsection.6.2.21) 438 0 R (subsection.6.2.22) 442 0 R (subsection.6.2.23) 446 0 R (subsection.6.2.24) 450 0 R (subsection.6.2.3) 282 0 R (subsection.6.2.4) 286 0 R (subsection.6.2.5) 290 0 R (subsection.6.2.6) 294 0 R (subsection.6.2.7) 298 0 R (subsection.6.2.8) 302 0 R (subsection.6.2.9) 306 0 R (subsection.6.3.1) 474 0 R (subsection.6.3.2) 486 0 R (subsection.6.3.3) 490 0 R (subsection.6.3.4) 494 0 R (subsection.6.3.5) 498 0 R (subsection.6.3.6) 514 0 R (subsection.6.3.7) 518 0 R (subsection.7.2.1) 534 0 R (subsection.7.2.2) 538 0 R (subsection.8.1.1) 554 0 R (subsection.A.1.1) 574 0 R (subsection.A.2.1) 582 0 R (subsection.A.3.1) 590 0 R (subsection.A.3.2) 594 0 R (subsection.A.3.3) 598 0 R (subsubsection.1.4.4.1) 42 0 R (subsubsection.1.4.4.2) 46 0 R (subsubsection.1.4.4.3) 50 0 R (subsubsection.1.4.5.1) 58 0 R (subsubsection.3.3.1.1) 118 0 R (subsubsection.3.3.1.2) 122 0 R (subsubsection.4.5.1.1) 162 0 R (subsubsection.4.5.1.2) 166 0 R (subsubsection.6.1.1.1) 250 0 R (subsubsection.6.1.1.2) 254 0 R (subsubsection.6.1.2.1) 262 0 R (subsubsection.6.1.2.2) 266 0 R (subsubsection.6.2.10.1) 314 0 R (subsubsection.6.2.10.2) 318 0 R (subsubsection.6.2.16.1) 346 0 R (subsubsection.6.2.16.10) 382 0 R (subsubsection.6.2.16.11) 386 0 R (subsubsection.6.2.16.12) 390 0 R (subsubsection.6.2.16.13) 394 0 R (subsubsection.6.2.16.14) 398 0 R (subsubsection.6.2.16.15) 402 0 R (subsubsection.6.2.16.16) 406 0 R (subsubsection.6.2.16.17) 410 0 R (subsubsection.6.2.16.18) 414 0 R (subsubsection.6.2.16.19) 418 0 R (subsubsection.6.2.16.2) 350 0 R (subsubsection.6.2.16.3) 354 0 R (subsubsection.6.2.16.4) 358 0 R (subsubsection.6.2.16.5) 362 0 R (subsubsection.6.2.16.6) 366 0 R (subsubsection.6.2.16.7) 370 0 R (subsubsection.6.2.16.8) 374 0 R (subsubsection.6.2.16.9) 378 0 R (subsubsection.6.2.24.1) 454 0 R (subsubsection.6.2.24.2) 458 0 R (subsubsection.6.2.24.3) 462 0 R (subsubsection.6.2.24.4) 466 0 R (subsubsection.6.3.1.1) 478 0 R (subsubsection.6.3.1.2) 482 0 R (subsubsection.6.3.5.1) 502 0 R (subsubsection.6.3.5.2) 506 0 R (subsubsection.6.3.5.3) 510 0 R (table.1.1) 877 0 R (table.1.2) 887 0 R (table.3.1) 946 0 R (table.3.2) 978 0 R (table.6.1) 1085 0 R (table.6.10) 1410 0 R (table.6.11) 1412 0 R (table.6.12) 1418 0 R (table.6.13) 1425 0 R (table.6.14) 1431 0 R (table.6.15) 1434 0 R (table.6.16) 1437 0 R (table.6.17) 1444 0 R (table.6.18) 1456 0 R (table.6.2) 1109 0 R (table.6.3) 1117 0 R (table.6.4) 1156 0 R (table.6.5) 1193 0 R (table.6.6) 1278 0 R (table.6.7) 1308 0 R (table.6.8) 1348 0 R (table.6.9) 1400 0 R (the_category_phrase) 1150 0 R (the_sortlist_statement) 1269 0 R (topology) 1264 0 R (tsig) 1024 0 R (tuning) 1279 0 R (types_of_resource_records_and_when_to_use_them) 894 0 R (view_statement_grammar) 1298 0 R (zone_statement_grammar) 1228 0 R (zone_transfers) 1001 0 R (zonefile_format) 1286 0 R]
+/Limits [(Access_Control_Lists) (zonefile_format)]
>> endobj
-1366 0 obj <<
-/Kids [1365 0 R]
+1938 0 obj <<
+/Kids [1937 0 R]
>> endobj
-1367 0 obj <<
-/Dests 1366 0 R
+1939 0 obj <<
+/Dests 1938 0 R
>> endobj
-1368 0 obj <<
+1940 0 obj <<
/Type /Catalog
-/Pages 1363 0 R
-/Outlines 1364 0 R
-/Names 1367 0 R
+/Pages 1935 0 R
+/Outlines 1936 0 R
+/Names 1939 0 R
/PageMode /UseOutlines
-/OpenAction 589 0 R
+/OpenAction 645 0 R
>> endobj
-1369 0 obj <<
+1941 0 obj <<
/Author()/Title()/Subject()/Creator(LaTeX with hyperref package)/Producer(pdfeTeX-1.21a)/Keywords()
-/CreationDate (D:20061128121044+11'00')
+/CreationDate (D:20070215121800+11'00')
/PTEX.Fullbanner (This is pdfeTeX, Version 3.141592-1.21a-2.2 (Web2C 7.5.4) kpathsea version 3.5.4)
>> endobj
xref
-0 1370
+0 1942
0000000001 65535 f
0000000002 00000 f
0000000003 00000 f
0000000004 00000 f
0000000000 00000 f
0000000009 00000 n
-0000018863 00000 n
-0000490048 00000 n
+0000066574 00000 n
+0000661205 00000 n
0000000054 00000 n
0000000086 00000 n
-0000018987 00000 n
-0000489976 00000 n
+0000066698 00000 n
+0000661133 00000 n
0000000133 00000 n
0000000173 00000 n
-0000019112 00000 n
-0000489890 00000 n
+0000066823 00000 n
+0000661047 00000 n
0000000221 00000 n
0000000273 00000 n
-0000019237 00000 n
-0000489804 00000 n
+0000066948 00000 n
+0000660961 00000 n
0000000321 00000 n
0000000377 00000 n
-0000023672 00000 n
-0000489694 00000 n
+0000071356 00000 n
+0000660851 00000 n
0000000425 00000 n
0000000478 00000 n
-0000023796 00000 n
-0000489620 00000 n
+0000071480 00000 n
+0000660777 00000 n
0000000531 00000 n
0000000572 00000 n
-0000023921 00000 n
-0000489533 00000 n
+0000071605 00000 n
+0000660690 00000 n
0000000625 00000 n
0000000674 00000 n
-0000024046 00000 n
-0000489446 00000 n
+0000071730 00000 n
+0000660603 00000 n
0000000727 00000 n
0000000757 00000 n
-0000028194 00000 n
-0000489322 00000 n
+0000076025 00000 n
+0000660479 00000 n
0000000810 00000 n
0000000861 00000 n
-0000028319 00000 n
-0000489248 00000 n
+0000076150 00000 n
+0000660405 00000 n
0000000919 00000 n
0000000964 00000 n
-0000028444 00000 n
-0000489161 00000 n
+0000076275 00000 n
+0000660318 00000 n
0000001022 00000 n
0000001062 00000 n
-0000028569 00000 n
-0000489087 00000 n
+0000076400 00000 n
+0000660244 00000 n
0000001120 00000 n
0000001162 00000 n
-0000031482 00000 n
-0000488963 00000 n
+0000079196 00000 n
+0000660120 00000 n
0000001215 00000 n
0000001260 00000 n
-0000031607 00000 n
-0000488902 00000 n
+0000079321 00000 n
+0000660059 00000 n
0000001318 00000 n
0000001355 00000 n
-0000031732 00000 n
-0000488828 00000 n
+0000079446 00000 n
+0000659985 00000 n
0000001408 00000 n
0000001463 00000 n
-0000034120 00000 n
-0000488703 00000 n
+0000082373 00000 n
+0000659860 00000 n
0000001509 00000 n
0000001556 00000 n
-0000034245 00000 n
-0000488629 00000 n
+0000082498 00000 n
+0000659786 00000 n
0000001604 00000 n
0000001648 00000 n
-0000034370 00000 n
-0000488542 00000 n
+0000082623 00000 n
+0000659699 00000 n
0000001696 00000 n
0000001735 00000 n
-0000034493 00000 n
-0000488455 00000 n
+0000082748 00000 n
+0000659612 00000 n
0000001783 00000 n
0000001825 00000 n
-0000034617 00000 n
-0000488368 00000 n
+0000082872 00000 n
+0000659525 00000 n
0000001873 00000 n
0000001936 00000 n
-0000035653 00000 n
-0000488294 00000 n
+0000083958 00000 n
+0000659451 00000 n
0000001984 00000 n
0000002034 00000 n
-0000037331 00000 n
-0000488166 00000 n
+0000085668 00000 n
+0000659323 00000 n
0000002080 00000 n
0000002126 00000 n
-0000037455 00000 n
-0000488053 00000 n
+0000085792 00000 n
+0000659210 00000 n
0000002174 00000 n
0000002218 00000 n
-0000037580 00000 n
-0000487977 00000 n
+0000085917 00000 n
+0000659134 00000 n
0000002271 00000 n
0000002323 00000 n
-0000037705 00000 n
-0000487900 00000 n
+0000086042 00000 n
+0000659057 00000 n
0000002377 00000 n
0000002436 00000 n
-0000040321 00000 n
-0000487809 00000 n
+0000088553 00000 n
+0000658966 00000 n
0000002485 00000 n
0000002523 00000 n
-0000040572 00000 n
-0000487692 00000 n
+0000088805 00000 n
+0000658849 00000 n
0000002572 00000 n
0000002618 00000 n
-0000040698 00000 n
-0000487574 00000 n
+0000088931 00000 n
+0000658731 00000 n
0000002672 00000 n
0000002739 00000 n
-0000043877 00000 n
-0000487495 00000 n
+0000092111 00000 n
+0000658652 00000 n
0000002798 00000 n
0000002842 00000 n
-0000044003 00000 n
-0000487416 00000 n
+0000092237 00000 n
+0000658573 00000 n
0000002901 00000 n
0000002949 00000 n
-0000053920 00000 n
-0000487337 00000 n
+0000102534 00000 n
+0000658494 00000 n
0000003003 00000 n
0000003036 00000 n
-0000057191 00000 n
-0000487205 00000 n
+0000107458 00000 n
+0000658362 00000 n
0000003083 00000 n
0000003126 00000 n
-0000057317 00000 n
-0000487126 00000 n
+0000107584 00000 n
+0000658283 00000 n
0000003175 00000 n
0000003205 00000 n
-0000057443 00000 n
-0000486994 00000 n
+0000107710 00000 n
+0000658151 00000 n
0000003254 00000 n
0000003292 00000 n
-0000057568 00000 n
-0000486929 00000 n
+0000107836 00000 n
+0000658086 00000 n
0000003346 00000 n
0000003388 00000 n
-0000062008 00000 n
-0000486836 00000 n
+0000112115 00000 n
+0000657993 00000 n
0000003437 00000 n
0000003496 00000 n
-0000062134 00000 n
-0000486743 00000 n
+0000112244 00000 n
+0000657900 00000 n
0000003545 00000 n
0000003578 00000 n
-0000068838 00000 n
-0000486611 00000 n
+0000119613 00000 n
+0000657768 00000 n
0000003627 00000 n
0000003655 00000 n
-0000068964 00000 n
-0000486493 00000 n
+0000119740 00000 n
+0000657650 00000 n
0000003709 00000 n
0000003778 00000 n
-0000069090 00000 n
-0000486414 00000 n
+0000119869 00000 n
+0000657571 00000 n
0000003837 00000 n
0000003885 00000 n
-0000069216 00000 n
-0000486335 00000 n
+0000122743 00000 n
+0000657492 00000 n
0000003944 00000 n
0000003989 00000 n
-0000072218 00000 n
-0000486242 00000 n
+0000122872 00000 n
+0000657399 00000 n
0000004043 00000 n
0000004111 00000 n
-0000072344 00000 n
-0000486149 00000 n
+0000123001 00000 n
+0000657306 00000 n
0000004165 00000 n
0000004235 00000 n
-0000072470 00000 n
-0000486056 00000 n
+0000123130 00000 n
+0000657213 00000 n
0000004289 00000 n
0000004352 00000 n
-0000072596 00000 n
-0000485963 00000 n
+0000123258 00000 n
+0000657120 00000 n
0000004406 00000 n
0000004461 00000 n
-0000076316 00000 n
-0000485884 00000 n
+0000126895 00000 n
+0000657041 00000 n
0000004515 00000 n
0000004547 00000 n
-0000076442 00000 n
-0000485791 00000 n
+0000127024 00000 n
+0000656948 00000 n
0000004596 00000 n
0000004624 00000 n
-0000076567 00000 n
-0000485698 00000 n
+0000127153 00000 n
+0000656855 00000 n
0000004673 00000 n
0000004705 00000 n
-0000076693 00000 n
-0000485566 00000 n
+0000130754 00000 n
+0000656723 00000 n
0000004754 00000 n
0000004784 00000 n
-0000080149 00000 n
-0000485487 00000 n
+0000130883 00000 n
+0000656644 00000 n
0000004838 00000 n
0000004879 00000 n
-0000080274 00000 n
-0000485394 00000 n
+0000131011 00000 n
+0000656551 00000 n
0000004933 00000 n
0000004975 00000 n
-0000080400 00000 n
-0000485315 00000 n
+0000134470 00000 n
+0000656472 00000 n
0000005029 00000 n
0000005074 00000 n
-0000087840 00000 n
-0000485197 00000 n
+0000137544 00000 n
+0000656354 00000 n
0000005123 00000 n
0000005169 00000 n
-0000087966 00000 n
-0000485118 00000 n
+0000137673 00000 n
+0000656275 00000 n
0000005223 00000 n
0000005283 00000 n
-0000088092 00000 n
-0000485039 00000 n
+0000137801 00000 n
+0000656196 00000 n
0000005337 00000 n
0000005406 00000 n
-0000090527 00000 n
-0000484906 00000 n
+0000140281 00000 n
+0000656063 00000 n
0000005453 00000 n
0000005506 00000 n
-0000090653 00000 n
-0000484827 00000 n
+0000140410 00000 n
+0000655984 00000 n
0000005555 00000 n
0000005611 00000 n
-0000090779 00000 n
-0000484748 00000 n
+0000140539 00000 n
+0000655905 00000 n
0000005660 00000 n
0000005709 00000 n
-0000094890 00000 n
-0000484615 00000 n
+0000144723 00000 n
+0000655772 00000 n
0000005756 00000 n
0000005808 00000 n
-0000095016 00000 n
-0000484497 00000 n
+0000144852 00000 n
+0000655654 00000 n
0000005857 00000 n
0000005908 00000 n
-0000099160 00000 n
-0000484379 00000 n
+0000149108 00000 n
+0000655536 00000 n
0000005962 00000 n
0000006007 00000 n
-0000099285 00000 n
-0000484300 00000 n
+0000149237 00000 n
+0000655457 00000 n
0000006066 00000 n
0000006100 00000 n
-0000099410 00000 n
-0000484221 00000 n
+0000149366 00000 n
+0000655378 00000 n
0000006159 00000 n
0000006207 00000 n
-0000102688 00000 n
-0000484103 00000 n
+0000152708 00000 n
+0000655260 00000 n
0000006261 00000 n
0000006301 00000 n
-0000102814 00000 n
-0000484024 00000 n
+0000152837 00000 n
+0000655181 00000 n
0000006360 00000 n
0000006394 00000 n
-0000102940 00000 n
-0000483945 00000 n
+0000152966 00000 n
+0000655102 00000 n
0000006453 00000 n
0000006501 00000 n
-0000106666 00000 n
-0000483812 00000 n
+0000156871 00000 n
+0000654969 00000 n
0000006550 00000 n
0000006600 00000 n
-0000110504 00000 n
-0000483733 00000 n
+0000160493 00000 n
+0000654890 00000 n
0000006654 00000 n
0000006701 00000 n
-0000110630 00000 n
-0000483640 00000 n
+0000160622 00000 n
+0000654797 00000 n
0000006755 00000 n
0000006815 00000 n
-0000110880 00000 n
-0000483547 00000 n
+0000160879 00000 n
+0000654704 00000 n
0000006869 00000 n
0000006921 00000 n
-0000111006 00000 n
-0000483454 00000 n
+0000161008 00000 n
+0000654611 00000 n
0000006975 00000 n
0000007040 00000 n
-0000115636 00000 n
-0000483361 00000 n
+0000165662 00000 n
+0000654518 00000 n
0000007094 00000 n
0000007145 00000 n
-0000115762 00000 n
-0000483268 00000 n
+0000165791 00000 n
+0000654425 00000 n
0000007199 00000 n
0000007263 00000 n
-0000115888 00000 n
-0000483175 00000 n
+0000165920 00000 n
+0000654332 00000 n
0000007317 00000 n
0000007364 00000 n
-0000116014 00000 n
-0000483082 00000 n
+0000166049 00000 n
+0000654239 00000 n
0000007418 00000 n
0000007478 00000 n
-0000118956 00000 n
-0000482989 00000 n
+0000169396 00000 n
+0000654146 00000 n
0000007532 00000 n
0000007583 00000 n
-0000119082 00000 n
-0000482857 00000 n
+0000169525 00000 n
+0000654014 00000 n
0000007638 00000 n
0000007703 00000 n
-0000119208 00000 n
-0000482778 00000 n
+0000174160 00000 n
+0000653935 00000 n
0000007763 00000 n
0000007810 00000 n
-0000129617 00000 n
-0000482699 00000 n
+0000180339 00000 n
+0000653856 00000 n
0000007870 00000 n
0000007918 00000 n
-0000133330 00000 n
-0000482606 00000 n
+0000184081 00000 n
+0000653763 00000 n
0000007973 00000 n
0000008023 00000 n
-0000133456 00000 n
-0000482513 00000 n
+0000184210 00000 n
+0000653670 00000 n
0000008078 00000 n
0000008141 00000 n
-0000135194 00000 n
-0000482420 00000 n
+0000185958 00000 n
+0000653577 00000 n
0000008196 00000 n
0000008248 00000 n
-0000135320 00000 n
-0000482327 00000 n
+0000186087 00000 n
+0000653484 00000 n
0000008303 00000 n
0000008368 00000 n
-0000135446 00000 n
-0000482234 00000 n
+0000186216 00000 n
+0000653391 00000 n
0000008423 00000 n
0000008475 00000 n
-0000140719 00000 n
-0000482101 00000 n
+0000189968 00000 n
+0000653258 00000 n
0000008530 00000 n
0000008595 00000 n
-0000144791 00000 n
-0000482022 00000 n
+0000198252 00000 n
+0000653179 00000 n
0000008655 00000 n
0000008699 00000 n
-0000162452 00000 n
-0000481929 00000 n
+0000215386 00000 n
+0000653086 00000 n
0000008759 00000 n
0000008798 00000 n
-0000162576 00000 n
-0000481836 00000 n
+0000219756 00000 n
+0000652993 00000 n
0000008858 00000 n
0000008905 00000 n
-0000162702 00000 n
-0000481743 00000 n
+0000219885 00000 n
+0000652900 00000 n
0000008965 00000 n
0000009008 00000 n
-0000166677 00000 n
-0000481650 00000 n
+0000223624 00000 n
+0000652807 00000 n
0000009068 00000 n
0000009107 00000 n
-0000169550 00000 n
-0000481557 00000 n
+0000226684 00000 n
+0000652714 00000 n
0000009167 00000 n
0000009209 00000 n
-0000173583 00000 n
-0000481464 00000 n
+0000226813 00000 n
+0000652621 00000 n
0000009269 00000 n
0000009312 00000 n
-0000177138 00000 n
-0000481371 00000 n
+0000233783 00000 n
+0000652528 00000 n
0000009372 00000 n
0000009419 00000 n
-0000181163 00000 n
-0000481278 00000 n
+0000238035 00000 n
+0000652435 00000 n
0000009479 00000 n
0000009540 00000 n
-0000181289 00000 n
-0000481185 00000 n
+0000238164 00000 n
+0000652342 00000 n
0000009601 00000 n
0000009653 00000 n
-0000184888 00000 n
-0000481092 00000 n
+0000241534 00000 n
+0000652249 00000 n
0000009714 00000 n
0000009767 00000 n
-0000185015 00000 n
-0000480999 00000 n
+0000241663 00000 n
+0000652156 00000 n
0000009828 00000 n
0000009866 00000 n
-0000189024 00000 n
-0000480906 00000 n
+0000245562 00000 n
+0000652063 00000 n
0000009927 00000 n
0000009979 00000 n
-0000192176 00000 n
-0000480813 00000 n
+0000248987 00000 n
+0000651970 00000 n
0000010040 00000 n
0000010084 00000 n
-0000196560 00000 n
-0000480720 00000 n
+0000249245 00000 n
+0000651877 00000 n
0000010145 00000 n
0000010181 00000 n
-0000196689 00000 n
-0000480627 00000 n
+0000257943 00000 n
+0000651784 00000 n
0000010242 00000 n
0000010305 00000 n
-0000200114 00000 n
-0000480548 00000 n
+0000258072 00000 n
+0000651691 00000 n
0000010366 00000 n
-0000010415 00000 n
-0000204331 00000 n
-0000480455 00000 n
-0000010470 00000 n
-0000010521 00000 n
-0000204460 00000 n
-0000480362 00000 n
-0000010576 00000 n
-0000010640 00000 n
-0000208218 00000 n
-0000480269 00000 n
-0000010695 00000 n
-0000010752 00000 n
-0000208347 00000 n
-0000480176 00000 n
-0000010807 00000 n
-0000010877 00000 n
-0000208476 00000 n
-0000480083 00000 n
-0000010932 00000 n
-0000010981 00000 n
-0000208605 00000 n
-0000479990 00000 n
-0000011036 00000 n
-0000011098 00000 n
-0000211144 00000 n
-0000479897 00000 n
-0000011153 00000 n
-0000011202 00000 n
-0000214243 00000 n
-0000479779 00000 n
-0000011257 00000 n
-0000011319 00000 n
-0000214372 00000 n
-0000479700 00000 n
-0000011379 00000 n
-0000011418 00000 n
-0000223329 00000 n
-0000479607 00000 n
-0000011478 00000 n
-0000011512 00000 n
-0000223458 00000 n
-0000479514 00000 n
-0000011572 00000 n
-0000011613 00000 n
-0000233632 00000 n
-0000479435 00000 n
-0000011673 00000 n
-0000011725 00000 n
-0000237666 00000 n
-0000479317 00000 n
-0000011774 00000 n
-0000011807 00000 n
-0000237795 00000 n
-0000479199 00000 n
-0000011861 00000 n
-0000011933 00000 n
-0000237923 00000 n
-0000479120 00000 n
-0000011992 00000 n
-0000012036 00000 n
-0000245477 00000 n
-0000479041 00000 n
-0000012095 00000 n
-0000012148 00000 n
-0000249238 00000 n
-0000478948 00000 n
-0000012202 00000 n
-0000012252 00000 n
-0000249496 00000 n
-0000478855 00000 n
-0000012306 00000 n
-0000012344 00000 n
-0000252743 00000 n
-0000478762 00000 n
-0000012398 00000 n
-0000012447 00000 n
-0000253002 00000 n
-0000478630 00000 n
-0000012501 00000 n
-0000012553 00000 n
-0000253131 00000 n
-0000478551 00000 n
-0000012612 00000 n
-0000012664 00000 n
-0000253260 00000 n
-0000478458 00000 n
-0000012723 00000 n
-0000012776 00000 n
-0000256913 00000 n
-0000478379 00000 n
-0000012835 00000 n
-0000012884 00000 n
-0000257042 00000 n
-0000478300 00000 n
-0000012938 00000 n
-0000013018 00000 n
-0000261560 00000 n
-0000478167 00000 n
-0000013065 00000 n
-0000013117 00000 n
-0000261689 00000 n
-0000478088 00000 n
+0000010416 00000 n
+0000263388 00000 n
+0000651598 00000 n
+0000010477 00000 n
+0000010526 00000 n
+0000267136 00000 n
+0000651519 00000 n
+0000010587 00000 n
+0000010643 00000 n
+0000267264 00000 n
+0000651426 00000 n
+0000010698 00000 n
+0000010749 00000 n
+0000271927 00000 n
+0000651333 00000 n
+0000010804 00000 n
+0000010868 00000 n
+0000275574 00000 n
+0000651240 00000 n
+0000010923 00000 n
+0000010980 00000 n
+0000275703 00000 n
+0000651147 00000 n
+0000011035 00000 n
+0000011105 00000 n
+0000275832 00000 n
+0000651054 00000 n
+0000011160 00000 n
+0000011209 00000 n
+0000275961 00000 n
+0000650961 00000 n
+0000011264 00000 n
+0000011326 00000 n
+0000278854 00000 n
+0000650868 00000 n
+0000011381 00000 n
+0000011430 00000 n
+0000285099 00000 n
+0000650750 00000 n
+0000011485 00000 n
+0000011547 00000 n
+0000285228 00000 n
+0000650671 00000 n
+0000011607 00000 n
+0000011646 00000 n
+0000289999 00000 n
+0000650578 00000 n
+0000011706 00000 n
+0000011740 00000 n
+0000290128 00000 n
+0000650485 00000 n
+0000011800 00000 n
+0000011841 00000 n
+0000305064 00000 n
+0000650406 00000 n
+0000011901 00000 n
+0000011953 00000 n
+0000309075 00000 n
+0000650288 00000 n
+0000012002 00000 n
+0000012035 00000 n
+0000309204 00000 n
+0000650170 00000 n
+0000012089 00000 n
+0000012161 00000 n
+0000309332 00000 n
+0000650091 00000 n
+0000012220 00000 n
+0000012264 00000 n
+0000316570 00000 n
+0000650012 00000 n
+0000012323 00000 n
+0000012376 00000 n
+0000320317 00000 n
+0000649919 00000 n
+0000012430 00000 n
+0000012480 00000 n
+0000320576 00000 n
+0000649826 00000 n
+0000012534 00000 n
+0000012572 00000 n
+0000323637 00000 n
+0000649733 00000 n
+0000012626 00000 n
+0000012675 00000 n
+0000323896 00000 n
+0000649601 00000 n
+0000012729 00000 n
+0000012781 00000 n
+0000324025 00000 n
+0000649522 00000 n
+0000012840 00000 n
+0000012892 00000 n
+0000324154 00000 n
+0000649429 00000 n
+0000012951 00000 n
+0000013004 00000 n
+0000326890 00000 n
+0000649350 00000 n
+0000013063 00000 n
+0000013112 00000 n
+0000327019 00000 n
+0000649257 00000 n
0000013166 00000 n
-0000013210 00000 n
-0000265419 00000 n
-0000477956 00000 n
-0000013259 00000 n
-0000013321 00000 n
-0000265548 00000 n
-0000477877 00000 n
-0000013375 00000 n
-0000013423 00000 n
-0000265677 00000 n
-0000477798 00000 n
-0000013477 00000 n
-0000013528 00000 n
-0000265806 00000 n
-0000477719 00000 n
-0000013577 00000 n
-0000013624 00000 n
-0000268736 00000 n
-0000477586 00000 n
-0000013671 00000 n
-0000013708 00000 n
-0000268865 00000 n
-0000477468 00000 n
-0000013757 00000 n
-0000013796 00000 n
-0000268994 00000 n
-0000477403 00000 n
-0000013850 00000 n
-0000013928 00000 n
-0000269123 00000 n
-0000477310 00000 n
-0000013977 00000 n
-0000014044 00000 n
-0000269252 00000 n
-0000477231 00000 n
-0000014093 00000 n
-0000014138 00000 n
-0000272731 00000 n
-0000477112 00000 n
-0000014186 00000 n
-0000014218 00000 n
-0000272860 00000 n
-0000476994 00000 n
-0000014267 00000 n
-0000014306 00000 n
-0000272989 00000 n
-0000476929 00000 n
-0000014360 00000 n
-0000014421 00000 n
-0000276996 00000 n
-0000476797 00000 n
-0000014470 00000 n
-0000014527 00000 n
-0000277125 00000 n
-0000476732 00000 n
-0000014581 00000 n
-0000014630 00000 n
-0000277513 00000 n
-0000476614 00000 n
-0000014679 00000 n
-0000014741 00000 n
-0000277642 00000 n
-0000476535 00000 n
-0000014795 00000 n
-0000014850 00000 n
-0000290746 00000 n
-0000476442 00000 n
-0000014904 00000 n
-0000014945 00000 n
-0000291808 00000 n
-0000476363 00000 n
-0000014999 00000 n
+0000013246 00000 n
+0000331008 00000 n
+0000649178 00000 n
+0000013300 00000 n
+0000013349 00000 n
+0000333285 00000 n
+0000649045 00000 n
+0000013396 00000 n
+0000013448 00000 n
+0000333414 00000 n
+0000648966 00000 n
+0000013497 00000 n
+0000013541 00000 n
+0000337507 00000 n
+0000648834 00000 n
+0000013590 00000 n
+0000013631 00000 n
+0000337636 00000 n
+0000648755 00000 n
+0000013685 00000 n
+0000013733 00000 n
+0000337765 00000 n
+0000648676 00000 n
+0000013787 00000 n
+0000013838 00000 n
+0000337894 00000 n
+0000648597 00000 n
+0000013887 00000 n
+0000013934 00000 n
+0000342171 00000 n
+0000648464 00000 n
+0000013981 00000 n
+0000014018 00000 n
+0000342300 00000 n
+0000648346 00000 n
+0000014067 00000 n
+0000014106 00000 n
+0000342429 00000 n
+0000648281 00000 n
+0000014160 00000 n
+0000014238 00000 n
+0000342558 00000 n
+0000648188 00000 n
+0000014287 00000 n
+0000014354 00000 n
+0000342687 00000 n
+0000648109 00000 n
+0000014403 00000 n
+0000014448 00000 n
+0000346221 00000 n
+0000647976 00000 n
+0000014496 00000 n
+0000014528 00000 n
+0000346350 00000 n
+0000647858 00000 n
+0000014577 00000 n
+0000014616 00000 n
+0000346479 00000 n
+0000647793 00000 n
+0000014670 00000 n
+0000014731 00000 n
+0000350291 00000 n
+0000647661 00000 n
+0000014780 00000 n
+0000014837 00000 n
+0000350420 00000 n
+0000647596 00000 n
+0000014891 00000 n
+0000014940 00000 n
+0000350549 00000 n
+0000647478 00000 n
+0000014989 00000 n
0000015051 00000 n
-0000015407 00000 n
-0000015655 00000 n
-0000015104 00000 n
-0000015529 00000 n
-0000015592 00000 n
-0000473205 00000 n
-0000447541 00000 n
-0000473031 00000 n
-0000446492 00000 n
-0000420557 00000 n
-0000446318 00000 n
-0000474210 00000 n
-0000016313 00000 n
-0000016128 00000 n
-0000015740 00000 n
-0000016250 00000 n
-0000419872 00000 n
-0000417727 00000 n
-0000419708 00000 n
-0000019488 00000 n
-0000018678 00000 n
-0000016398 00000 n
-0000018800 00000 n
-0000018924 00000 n
-0000019049 00000 n
-0000019174 00000 n
-0000416873 00000 n
-0000396515 00000 n
-0000416699 00000 n
-0000019299 00000 n
-0000019362 00000 n
-0000019425 00000 n
-0000395566 00000 n
-0000375814 00000 n
-0000395393 00000 n
-0000375087 00000 n
-0000358703 00000 n
-0000374914 00000 n
-0000024171 00000 n
-0000022989 00000 n
-0000019612 00000 n
-0000023483 00000 n
-0000358168 00000 n
-0000341251 00000 n
-0000357984 00000 n
-0000023546 00000 n
-0000023609 00000 n
-0000023733 00000 n
-0000023858 00000 n
-0000023983 00000 n
-0000023139 00000 n
-0000023332 00000 n
-0000024108 00000 n
-0000237859 00000 n
-0000277706 00000 n
-0000028694 00000 n
-0000027659 00000 n
-0000024295 00000 n
-0000028131 00000 n
-0000028256 00000 n
-0000027809 00000 n
-0000027971 00000 n
-0000028381 00000 n
-0000028506 00000 n
-0000028631 00000 n
-0000043940 00000 n
-0000031856 00000 n
-0000031297 00000 n
-0000028818 00000 n
-0000031419 00000 n
-0000031544 00000 n
-0000031669 00000 n
-0000031793 00000 n
-0000034742 00000 n
-0000033935 00000 n
-0000031967 00000 n
-0000034057 00000 n
-0000034182 00000 n
-0000034307 00000 n
-0000034432 00000 n
-0000034554 00000 n
-0000034679 00000 n
-0000474328 00000 n
-0000035778 00000 n
-0000035468 00000 n
-0000034827 00000 n
-0000035590 00000 n
-0000035715 00000 n
-0000037831 00000 n
-0000037146 00000 n
-0000035876 00000 n
-0000037268 00000 n
-0000037393 00000 n
-0000037517 00000 n
-0000037642 00000 n
-0000037768 00000 n
-0000040824 00000 n
-0000039957 00000 n
-0000037929 00000 n
-0000040258 00000 n
-0000040384 00000 n
-0000040447 00000 n
-0000040509 00000 n
-0000040099 00000 n
-0000040635 00000 n
-0000040761 00000 n
-0000192240 00000 n
-0000044129 00000 n
-0000043692 00000 n
-0000040935 00000 n
-0000043814 00000 n
-0000340724 00000 n
-0000331415 00000 n
-0000340547 00000 n
-0000044066 00000 n
-0000047728 00000 n
-0000047543 00000 n
-0000044253 00000 n
-0000047665 00000 n
-0000330972 00000 n
-0000324173 00000 n
-0000330795 00000 n
-0000051997 00000 n
-0000051607 00000 n
-0000047891 00000 n
-0000051934 00000 n
-0000051749 00000 n
-0000474446 00000 n
-0000111069 00000 n
-0000054170 00000 n
-0000053735 00000 n
-0000052134 00000 n
-0000053857 00000 n
-0000053983 00000 n
-0000054044 00000 n
-0000054107 00000 n
-0000057694 00000 n
-0000056656 00000 n
-0000054294 00000 n
-0000057128 00000 n
-0000057254 00000 n
-0000057380 00000 n
-0000056806 00000 n
-0000056967 00000 n
-0000057505 00000 n
-0000057631 00000 n
-0000144854 00000 n
-0000173646 00000 n
-0000062260 00000 n
-0000061469 00000 n
-0000057792 00000 n
-0000061945 00000 n
-0000062071 00000 n
-0000061619 00000 n
-0000061784 00000 n
-0000062197 00000 n
-0000282256 00000 n
-0000065099 00000 n
-0000064727 00000 n
-0000062410 00000 n
-0000065036 00000 n
-0000064869 00000 n
-0000066255 00000 n
-0000066070 00000 n
-0000065223 00000 n
-0000066192 00000 n
-0000069342 00000 n
-0000068653 00000 n
-0000066353 00000 n
-0000068775 00000 n
-0000068901 00000 n
-0000069027 00000 n
-0000069153 00000 n
-0000069279 00000 n
-0000474564 00000 n
-0000072722 00000 n
-0000071845 00000 n
-0000069479 00000 n
-0000072155 00000 n
-0000072281 00000 n
-0000072407 00000 n
-0000072533 00000 n
-0000072659 00000 n
-0000071987 00000 n
-0000233696 00000 n
-0000076818 00000 n
-0000076131 00000 n
-0000072859 00000 n
-0000076253 00000 n
-0000076379 00000 n
-0000076505 00000 n
-0000076630 00000 n
-0000076755 00000 n
-0000080524 00000 n
-0000079964 00000 n
-0000076942 00000 n
-0000080086 00000 n
-0000080211 00000 n
-0000080337 00000 n
-0000080461 00000 n
-0000083525 00000 n
-0000085224 00000 n
-0000083403 00000 n
-0000080648 00000 n
-0000085161 00000 n
-0000323354 00000 n
-0000314545 00000 n
-0000323182 00000 n
-0000084993 00000 n
-0000085050 00000 n
-0000085139 00000 n
-0000088218 00000 n
-0000087476 00000 n
-0000085376 00000 n
-0000087777 00000 n
-0000087903 00000 n
-0000087618 00000 n
-0000088029 00000 n
-0000088155 00000 n
-0000277189 00000 n
-0000090905 00000 n
-0000090342 00000 n
-0000088342 00000 n
-0000090464 00000 n
-0000090590 00000 n
-0000090716 00000 n
-0000090842 00000 n
-0000474682 00000 n
-0000091337 00000 n
-0000091152 00000 n
-0000091003 00000 n
-0000091274 00000 n
-0000095267 00000 n
-0000094519 00000 n
-0000091378 00000 n
-0000094827 00000 n
-0000094953 00000 n
-0000095078 00000 n
-0000095141 00000 n
-0000095204 00000 n
-0000094661 00000 n
-0000099223 00000 n
-0000099536 00000 n
-0000098975 00000 n
-0000095365 00000 n
-0000099097 00000 n
-0000099347 00000 n
-0000099473 00000 n
-0000103066 00000 n
-0000102503 00000 n
-0000099673 00000 n
-0000102625 00000 n
-0000102751 00000 n
-0000102877 00000 n
-0000103003 00000 n
-0000105678 00000 n
-0000106917 00000 n
-0000105556 00000 n
-0000103177 00000 n
-0000106603 00000 n
-0000106729 00000 n
-0000106792 00000 n
-0000106855 00000 n
-0000111132 00000 n
-0000110319 00000 n
-0000107069 00000 n
-0000110441 00000 n
-0000110567 00000 n
-0000110691 00000 n
-0000110754 00000 n
-0000110817 00000 n
-0000110943 00000 n
-0000474800 00000 n
-0000116140 00000 n
-0000114574 00000 n
-0000111243 00000 n
-0000115573 00000 n
-0000114748 00000 n
-0000114898 00000 n
-0000115699 00000 n
-0000115825 00000 n
-0000115951 00000 n
-0000116077 00000 n
-0000115056 00000 n
-0000115207 00000 n
-0000115391 00000 n
-0000292322 00000 n
-0000119334 00000 n
-0000118771 00000 n
-0000116277 00000 n
-0000118893 00000 n
-0000119019 00000 n
-0000119145 00000 n
-0000119271 00000 n
-0000123845 00000 n
-0000123660 00000 n
-0000119471 00000 n
-0000123782 00000 n
-0000126880 00000 n
-0000126510 00000 n
-0000123956 00000 n
-0000126817 00000 n
-0000126652 00000 n
-0000129680 00000 n
-0000129869 00000 n
-0000129432 00000 n
-0000126991 00000 n
-0000129554 00000 n
-0000129743 00000 n
-0000129806 00000 n
-0000133582 00000 n
-0000132814 00000 n
-0000129980 00000 n
-0000133267 00000 n
-0000133393 00000 n
-0000133519 00000 n
-0000132964 00000 n
-0000133115 00000 n
-0000474918 00000 n
-0000135572 00000 n
-0000135009 00000 n
-0000133693 00000 n
-0000135131 00000 n
-0000135257 00000 n
-0000135383 00000 n
-0000135509 00000 n
-0000137122 00000 n
-0000136937 00000 n
-0000135683 00000 n
-0000137059 00000 n
-0000140844 00000 n
-0000140534 00000 n
-0000137220 00000 n
-0000140656 00000 n
-0000140781 00000 n
-0000144917 00000 n
-0000144432 00000 n
-0000140968 00000 n
-0000144728 00000 n
-0000144574 00000 n
-0000200178 00000 n
-0000148826 00000 n
-0000148515 00000 n
-0000145041 00000 n
-0000148637 00000 n
-0000148700 00000 n
-0000148763 00000 n
-0000153958 00000 n
-0000152681 00000 n
-0000148950 00000 n
-0000153895 00000 n
-0000152863 00000 n
-0000153016 00000 n
-0000153172 00000 n
-0000153355 00000 n
-0000153527 00000 n
-0000153711 00000 n
-0000475036 00000 n
-0000204524 00000 n
-0000158215 00000 n
-0000158030 00000 n
-0000154136 00000 n
-0000158152 00000 n
-0000162828 00000 n
-0000161906 00000 n
-0000158352 00000 n
-0000162389 00000 n
-0000162515 00000 n
-0000162056 00000 n
-0000162639 00000 n
-0000162765 00000 n
-0000162224 00000 n
-0000211208 00000 n
-0000166803 00000 n
-0000166302 00000 n
-0000162952 00000 n
-0000166614 00000 n
-0000166444 00000 n
-0000166740 00000 n
-0000265869 00000 n
-0000169676 00000 n
-0000169365 00000 n
-0000166927 00000 n
-0000169487 00000 n
-0000169613 00000 n
-0000314019 00000 n
-0000306129 00000 n
-0000313846 00000 n
-0000173709 00000 n
-0000173398 00000 n
-0000169841 00000 n
-0000173520 00000 n
-0000177262 00000 n
-0000176953 00000 n
-0000173820 00000 n
-0000177075 00000 n
-0000177200 00000 n
-0000475154 00000 n
-0000181415 00000 n
-0000180623 00000 n
-0000177414 00000 n
-0000181100 00000 n
-0000181226 00000 n
-0000180773 00000 n
-0000181352 00000 n
-0000180946 00000 n
-0000185142 00000 n
-0000184703 00000 n
-0000181526 00000 n
-0000184825 00000 n
-0000184951 00000 n
-0000185078 00000 n
-0000189153 00000 n
-0000188487 00000 n
-0000185294 00000 n
-0000188959 00000 n
-0000189088 00000 n
-0000188642 00000 n
-0000188804 00000 n
-0000192432 00000 n
-0000191796 00000 n
-0000189319 00000 n
-0000192111 00000 n
-0000191942 00000 n
-0000192303 00000 n
-0000192367 00000 n
-0000196818 00000 n
-0000196012 00000 n
-0000192598 00000 n
-0000196495 00000 n
-0000196624 00000 n
-0000196167 00000 n
-0000196753 00000 n
-0000196329 00000 n
-0000208540 00000 n
-0000200372 00000 n
-0000199923 00000 n
-0000196984 00000 n
-0000200049 00000 n
-0000200242 00000 n
-0000200307 00000 n
-0000475275 00000 n
-0000204588 00000 n
-0000203968 00000 n
-0000200484 00000 n
-0000204266 00000 n
-0000204395 00000 n
-0000204115 00000 n
-0000208734 00000 n
-0000207681 00000 n
-0000204700 00000 n
-0000208153 00000 n
-0000207837 00000 n
-0000208282 00000 n
-0000208411 00000 n
-0000207999 00000 n
-0000208669 00000 n
-0000211272 00000 n
-0000210953 00000 n
-0000208846 00000 n
-0000211079 00000 n
-0000212676 00000 n
-0000212485 00000 n
-0000211384 00000 n
-0000212611 00000 n
-0000214630 00000 n
-0000214052 00000 n
-0000212775 00000 n
-0000214178 00000 n
-0000214307 00000 n
-0000214436 00000 n
-0000214501 00000 n
-0000214566 00000 n
-0000218616 00000 n
-0000218425 00000 n
-0000214742 00000 n
-0000218551 00000 n
-0000475400 00000 n
-0000223587 00000 n
-0000222083 00000 n
-0000218728 00000 n
-0000223264 00000 n
-0000223393 00000 n
-0000223522 00000 n
-0000222275 00000 n
-0000222437 00000 n
-0000222599 00000 n
-0000222761 00000 n
-0000222932 00000 n
-0000223103 00000 n
-0000228876 00000 n
-0000226808 00000 n
-0000223699 00000 n
-0000228811 00000 n
-0000227045 00000 n
-0000227208 00000 n
-0000227369 00000 n
-0000227531 00000 n
-0000227692 00000 n
-0000227854 00000 n
-0000228016 00000 n
-0000228170 00000 n
-0000228332 00000 n
-0000228494 00000 n
-0000228653 00000 n
-0000233890 00000 n
-0000232249 00000 n
-0000229001 00000 n
-0000233567 00000 n
-0000232450 00000 n
-0000232612 00000 n
-0000232774 00000 n
-0000232935 00000 n
-0000233089 00000 n
-0000233250 00000 n
-0000233405 00000 n
-0000233760 00000 n
-0000233825 00000 n
-0000238310 00000 n
-0000237113 00000 n
-0000234015 00000 n
-0000237601 00000 n
-0000237730 00000 n
-0000237987 00000 n
-0000237269 00000 n
-0000237439 00000 n
-0000238052 00000 n
-0000238117 00000 n
-0000238181 00000 n
-0000238246 00000 n
-0000241771 00000 n
-0000241516 00000 n
-0000238448 00000 n
-0000241642 00000 n
-0000241707 00000 n
-0000245736 00000 n
-0000245221 00000 n
-0000241870 00000 n
-0000245347 00000 n
-0000245412 00000 n
-0000245541 00000 n
-0000245606 00000 n
-0000245671 00000 n
-0000475525 00000 n
-0000249753 00000 n
-0000248917 00000 n
-0000245848 00000 n
-0000249043 00000 n
-0000249108 00000 n
-0000249173 00000 n
-0000249302 00000 n
-0000249367 00000 n
-0000249431 00000 n
-0000249559 00000 n
-0000249624 00000 n
-0000249688 00000 n
-0000253388 00000 n
-0000252552 00000 n
-0000249878 00000 n
-0000252678 00000 n
-0000252807 00000 n
-0000252872 00000 n
-0000252937 00000 n
-0000253066 00000 n
-0000253195 00000 n
-0000305774 00000 n
-0000303777 00000 n
-0000305609 00000 n
-0000253323 00000 n
-0000257301 00000 n
-0000256722 00000 n
-0000253594 00000 n
-0000256848 00000 n
-0000256977 00000 n
-0000257106 00000 n
-0000257171 00000 n
-0000257236 00000 n
-0000258796 00000 n
-0000258605 00000 n
-0000257493 00000 n
-0000258731 00000 n
-0000259236 00000 n
-0000259045 00000 n
-0000258895 00000 n
-0000259171 00000 n
-0000261817 00000 n
-0000260909 00000 n
-0000259278 00000 n
-0000261495 00000 n
-0000261624 00000 n
-0000261753 00000 n
-0000261065 00000 n
-0000261280 00000 n
-0000475650 00000 n
-0000265933 00000 n
-0000265228 00000 n
-0000261943 00000 n
-0000265354 00000 n
-0000303456 00000 n
-0000294243 00000 n
-0000303270 00000 n
-0000265483 00000 n
-0000265612 00000 n
-0000265741 00000 n
-0000269380 00000 n
-0000268154 00000 n
-0000266098 00000 n
-0000268671 00000 n
-0000268800 00000 n
-0000268929 00000 n
-0000269058 00000 n
-0000269187 00000 n
-0000269316 00000 n
-0000268310 00000 n
-0000268482 00000 n
-0000269834 00000 n
-0000269643 00000 n
-0000269493 00000 n
-0000269769 00000 n
-0000273118 00000 n
-0000272540 00000 n
-0000269876 00000 n
-0000272666 00000 n
-0000272795 00000 n
-0000272924 00000 n
-0000273053 00000 n
-0000277770 00000 n
-0000276420 00000 n
-0000273204 00000 n
-0000276931 00000 n
-0000277060 00000 n
-0000277253 00000 n
-0000277318 00000 n
-0000277383 00000 n
-0000277448 00000 n
-0000277577 00000 n
-0000276576 00000 n
-0000276754 00000 n
-0000284654 00000 n
-0000280594 00000 n
-0000277922 00000 n
-0000280768 00000 n
-0000281476 00000 n
-0000280946 00000 n
-0000281124 00000 n
-0000281300 00000 n
-0000281541 00000 n
-0000281606 00000 n
-0000281671 00000 n
-0000281736 00000 n
-0000281801 00000 n
-0000281866 00000 n
-0000281931 00000 n
-0000281996 00000 n
-0000282061 00000 n
-0000282126 00000 n
-0000282191 00000 n
-0000282320 00000 n
-0000282385 00000 n
-0000282450 00000 n
-0000282515 00000 n
-0000282580 00000 n
-0000282644 00000 n
-0000282709 00000 n
-0000282773 00000 n
-0000282838 00000 n
-0000282903 00000 n
-0000282968 00000 n
-0000283033 00000 n
-0000283097 00000 n
-0000283162 00000 n
-0000283227 00000 n
-0000283292 00000 n
-0000283357 00000 n
-0000283422 00000 n
-0000283487 00000 n
-0000283551 00000 n
-0000283616 00000 n
-0000283681 00000 n
-0000283746 00000 n
-0000283811 00000 n
-0000283876 00000 n
-0000283941 00000 n
-0000284006 00000 n
-0000284071 00000 n
-0000284136 00000 n
-0000284201 00000 n
-0000284266 00000 n
-0000284331 00000 n
-0000284396 00000 n
-0000284461 00000 n
-0000284526 00000 n
-0000284590 00000 n
-0000475775 00000 n
-0000290874 00000 n
-0000287567 00000 n
-0000284806 00000 n
-0000287693 00000 n
-0000287758 00000 n
-0000287823 00000 n
-0000287888 00000 n
-0000287953 00000 n
-0000288018 00000 n
-0000288082 00000 n
-0000288147 00000 n
-0000288212 00000 n
-0000288277 00000 n
-0000288342 00000 n
-0000288407 00000 n
-0000288472 00000 n
-0000288537 00000 n
-0000288602 00000 n
-0000288667 00000 n
-0000288732 00000 n
-0000288797 00000 n
-0000288862 00000 n
-0000288927 00000 n
-0000288992 00000 n
-0000289057 00000 n
-0000289122 00000 n
-0000289187 00000 n
-0000289251 00000 n
-0000289316 00000 n
-0000289381 00000 n
-0000289446 00000 n
-0000289511 00000 n
-0000289576 00000 n
-0000289641 00000 n
-0000289706 00000 n
-0000289771 00000 n
-0000289836 00000 n
-0000289901 00000 n
-0000289966 00000 n
-0000290031 00000 n
-0000290096 00000 n
-0000290161 00000 n
-0000290226 00000 n
-0000290291 00000 n
-0000290356 00000 n
-0000290421 00000 n
-0000290486 00000 n
-0000290551 00000 n
-0000290616 00000 n
-0000290681 00000 n
-0000290810 00000 n
-0000292197 00000 n
-0000291617 00000 n
-0000290986 00000 n
-0000291743 00000 n
-0000291872 00000 n
-0000291937 00000 n
-0000292002 00000 n
-0000292067 00000 n
-0000292132 00000 n
-0000292354 00000 n
-0000303698 00000 n
-0000306021 00000 n
-0000305990 00000 n
-0000314294 00000 n
-0000323752 00000 n
-0000331214 00000 n
-0000341010 00000 n
-0000358508 00000 n
-0000375495 00000 n
-0000396134 00000 n
-0000417277 00000 n
-0000420359 00000 n
-0000420129 00000 n
-0000447046 00000 n
-0000473724 00000 n
-0000475873 00000 n
-0000475993 00000 n
-0000476116 00000 n
-0000476205 00000 n
-0000476287 00000 n
-0000490158 00000 n
-0000502158 00000 n
-0000502199 00000 n
-0000502239 00000 n
-0000502373 00000 n
+0000350678 00000 n
+0000647399 00000 n
+0000015105 00000 n
+0000015160 00000 n
+0000374453 00000 n
+0000647306 00000 n
+0000015214 00000 n
+0000015255 00000 n
+0000374582 00000 n
+0000647227 00000 n
+0000015309 00000 n
+0000015361 00000 n
+0000377282 00000 n
+0000647107 00000 n
+0000015409 00000 n
+0000015443 00000 n
+0000377411 00000 n
+0000647028 00000 n
+0000015492 00000 n
+0000015519 00000 n
+0000395360 00000 n
+0000646935 00000 n
+0000015568 00000 n
+0000015596 00000 n
+0000402947 00000 n
+0000646842 00000 n
+0000015645 00000 n
+0000015682 00000 n
+0000409275 00000 n
+0000646749 00000 n
+0000015731 00000 n
+0000015770 00000 n
+0000418787 00000 n
+0000646656 00000 n
+0000015819 00000 n
+0000015858 00000 n
+0000421692 00000 n
+0000646563 00000 n
+0000015907 00000 n
+0000015946 00000 n
+0000427976 00000 n
+0000646470 00000 n
+0000015995 00000 n
+0000016024 00000 n
+0000437167 00000 n
+0000646377 00000 n
+0000016073 00000 n
+0000016101 00000 n
+0000440192 00000 n
+0000646284 00000 n
+0000016150 00000 n
+0000016183 00000 n
+0000446424 00000 n
+0000646205 00000 n
+0000016233 00000 n
+0000016270 00000 n
+0000016639 00000 n
+0000016761 00000 n
+0000024590 00000 n
+0000016323 00000 n
+0000024464 00000 n
+0000024527 00000 n
+0000642088 00000 n
+0000616145 00000 n
+0000641914 00000 n
+0000643113 00000 n
+0000019624 00000 n
+0000019841 00000 n
+0000019910 00000 n
+0000019979 00000 n
+0000020047 00000 n
+0000020115 00000 n
+0000020164 00000 n
+0000020211 00000 n
+0000020544 00000 n
+0000020566 00000 n
+0000020734 00000 n
+0000020899 00000 n
+0000021068 00000 n
+0000021247 00000 n
+0000021556 00000 n
+0000021716 00000 n
+0000025949 00000 n
+0000025764 00000 n
+0000024690 00000 n
+0000025886 00000 n
+0000615072 00000 n
+0000588808 00000 n
+0000614898 00000 n
+0000588123 00000 n
+0000585979 00000 n
+0000587959 00000 n
+0000037649 00000 n
+0000028998 00000 n
+0000026034 00000 n
+0000037523 00000 n
+0000037586 00000 n
+0000029532 00000 n
+0000029686 00000 n
+0000029843 00000 n
+0000030000 00000 n
+0000030156 00000 n
+0000030313 00000 n
+0000030475 00000 n
+0000030636 00000 n
+0000030797 00000 n
+0000030959 00000 n
+0000031126 00000 n
+0000031293 00000 n
+0000031458 00000 n
+0000031620 00000 n
+0000031786 00000 n
+0000031947 00000 n
+0000032102 00000 n
+0000032259 00000 n
+0000032415 00000 n
+0000032572 00000 n
+0000032729 00000 n
+0000032886 00000 n
+0000033040 00000 n
+0000033196 00000 n
+0000033358 00000 n
+0000033520 00000 n
+0000033676 00000 n
+0000033833 00000 n
+0000033995 00000 n
+0000034162 00000 n
+0000034328 00000 n
+0000034489 00000 n
+0000034644 00000 n
+0000034801 00000 n
+0000034958 00000 n
+0000035120 00000 n
+0000035277 00000 n
+0000035434 00000 n
+0000035591 00000 n
+0000035753 00000 n
+0000035920 00000 n
+0000036087 00000 n
+0000036248 00000 n
+0000036410 00000 n
+0000036572 00000 n
+0000036734 00000 n
+0000036896 00000 n
+0000037053 00000 n
+0000037208 00000 n
+0000037363 00000 n
+0000051025 00000 n
+0000040974 00000 n
+0000037734 00000 n
+0000050962 00000 n
+0000585428 00000 n
+0000568347 00000 n
+0000585244 00000 n
+0000041564 00000 n
+0000041727 00000 n
+0000041890 00000 n
+0000042048 00000 n
+0000042211 00000 n
+0000042374 00000 n
+0000042530 00000 n
+0000042688 00000 n
+0000042846 00000 n
+0000043001 00000 n
+0000043159 00000 n
+0000043322 00000 n
+0000043490 00000 n
+0000043658 00000 n
+0000043821 00000 n
+0000043989 00000 n
+0000044157 00000 n
+0000044315 00000 n
+0000044477 00000 n
+0000044640 00000 n
+0000044803 00000 n
+0000044965 00000 n
+0000045127 00000 n
+0000045290 00000 n
+0000045452 00000 n
+0000045614 00000 n
+0000045777 00000 n
+0000045941 00000 n
+0000046109 00000 n
+0000046277 00000 n
+0000046441 00000 n
+0000046605 00000 n
+0000046768 00000 n
+0000046932 00000 n
+0000047096 00000 n
+0000047259 00000 n
+0000047428 00000 n
+0000047597 00000 n
+0000047765 00000 n
+0000047934 00000 n
+0000048103 00000 n
+0000048272 00000 n
+0000048441 00000 n
+0000048610 00000 n
+0000048779 00000 n
+0000048949 00000 n
+0000049119 00000 n
+0000049289 00000 n
+0000049459 00000 n
+0000049628 00000 n
+0000049798 00000 n
+0000049968 00000 n
+0000050138 00000 n
+0000050307 00000 n
+0000050477 00000 n
+0000050639 00000 n
+0000050800 00000 n
+0000063624 00000 n
+0000054499 00000 n
+0000051123 00000 n
+0000063561 00000 n
+0000055057 00000 n
+0000055220 00000 n
+0000055383 00000 n
+0000055546 00000 n
+0000055709 00000 n
+0000055871 00000 n
+0000056039 00000 n
+0000056207 00000 n
+0000056375 00000 n
+0000056541 00000 n
+0000056698 00000 n
+0000056859 00000 n
+0000057026 00000 n
+0000057193 00000 n
+0000057355 00000 n
+0000057517 00000 n
+0000057679 00000 n
+0000057841 00000 n
+0000058008 00000 n
+0000058175 00000 n
+0000058342 00000 n
+0000058504 00000 n
+0000058666 00000 n
+0000058821 00000 n
+0000058978 00000 n
+0000059133 00000 n
+0000059295 00000 n
+0000059457 00000 n
+0000059614 00000 n
+0000059769 00000 n
+0000059926 00000 n
+0000060088 00000 n
+0000060245 00000 n
+0000060401 00000 n
+0000060557 00000 n
+0000060713 00000 n
+0000060875 00000 n
+0000061032 00000 n
+0000061194 00000 n
+0000061351 00000 n
+0000061513 00000 n
+0000061674 00000 n
+0000061836 00000 n
+0000061992 00000 n
+0000062149 00000 n
+0000062306 00000 n
+0000062463 00000 n
+0000062620 00000 n
+0000062777 00000 n
+0000062933 00000 n
+0000063090 00000 n
+0000567410 00000 n
+0000547731 00000 n
+0000567237 00000 n
+0000063247 00000 n
+0000063404 00000 n
+0000064069 00000 n
+0000063884 00000 n
+0000063735 00000 n
+0000064006 00000 n
+0000067199 00000 n
+0000066389 00000 n
+0000064110 00000 n
+0000066511 00000 n
+0000066635 00000 n
+0000066760 00000 n
+0000066885 00000 n
+0000546842 00000 n
+0000525510 00000 n
+0000546668 00000 n
+0000067010 00000 n
+0000067073 00000 n
+0000067136 00000 n
+0000524743 00000 n
+0000507335 00000 n
+0000524570 00000 n
+0000643231 00000 n
+0000071855 00000 n
+0000070673 00000 n
+0000067323 00000 n
+0000071167 00000 n
+0000071230 00000 n
+0000071293 00000 n
+0000071417 00000 n
+0000071542 00000 n
+0000071667 00000 n
+0000070823 00000 n
+0000071016 00000 n
+0000071792 00000 n
+0000309268 00000 n
+0000350742 00000 n
+0000076525 00000 n
+0000075489 00000 n
+0000071979 00000 n
+0000075962 00000 n
+0000076087 00000 n
+0000075639 00000 n
+0000075801 00000 n
+0000076212 00000 n
+0000076337 00000 n
+0000076462 00000 n
+0000092174 00000 n
+0000079571 00000 n
+0000079011 00000 n
+0000076649 00000 n
+0000079133 00000 n
+0000079258 00000 n
+0000079383 00000 n
+0000079508 00000 n
+0000082997 00000 n
+0000081857 00000 n
+0000079682 00000 n
+0000082310 00000 n
+0000082435 00000 n
+0000082560 00000 n
+0000082685 00000 n
+0000082810 00000 n
+0000082007 00000 n
+0000082159 00000 n
+0000082934 00000 n
+0000267200 00000 n
+0000084083 00000 n
+0000083773 00000 n
+0000083082 00000 n
+0000083895 00000 n
+0000084020 00000 n
+0000086168 00000 n
+0000085483 00000 n
+0000084181 00000 n
+0000085605 00000 n
+0000085730 00000 n
+0000085854 00000 n
+0000085979 00000 n
+0000086105 00000 n
+0000643349 00000 n
+0000089056 00000 n
+0000088188 00000 n
+0000086266 00000 n
+0000088490 00000 n
+0000088616 00000 n
+0000088679 00000 n
+0000088742 00000 n
+0000088330 00000 n
+0000088868 00000 n
+0000088994 00000 n
+0000249051 00000 n
+0000092363 00000 n
+0000091926 00000 n
+0000089167 00000 n
+0000092048 00000 n
+0000506679 00000 n
+0000495097 00000 n
+0000506502 00000 n
+0000092300 00000 n
+0000095962 00000 n
+0000095777 00000 n
+0000092487 00000 n
+0000095899 00000 n
+0000494562 00000 n
+0000485048 00000 n
+0000494385 00000 n
+0000100500 00000 n
+0000100110 00000 n
+0000096125 00000 n
+0000100437 00000 n
+0000100252 00000 n
+0000161071 00000 n
+0000102786 00000 n
+0000102349 00000 n
+0000100637 00000 n
+0000102471 00000 n
+0000102597 00000 n
+0000102660 00000 n
+0000102723 00000 n
+0000105437 00000 n
+0000107962 00000 n
+0000105287 00000 n
+0000102910 00000 n
+0000107395 00000 n
+0000107521 00000 n
+0000107647 00000 n
+0000107073 00000 n
+0000107234 00000 n
+0000484205 00000 n
+0000474883 00000 n
+0000484033 00000 n
+0000474321 00000 n
+0000465238 00000 n
+0000474148 00000 n
+0000107773 00000 n
+0000107899 00000 n
+0000643467 00000 n
+0000106905 00000 n
+0000106962 00000 n
+0000107051 00000 n
+0000198315 00000 n
+0000226877 00000 n
+0000112373 00000 n
+0000111567 00000 n
+0000108114 00000 n
+0000112050 00000 n
+0000112179 00000 n
+0000111722 00000 n
+0000111888 00000 n
+0000112308 00000 n
+0000351520 00000 n
+0000115864 00000 n
+0000115485 00000 n
+0000112524 00000 n
+0000115799 00000 n
+0000115631 00000 n
+0000117097 00000 n
+0000116907 00000 n
+0000115989 00000 n
+0000117032 00000 n
+0000119998 00000 n
+0000119423 00000 n
+0000117196 00000 n
+0000119548 00000 n
+0000119675 00000 n
+0000119804 00000 n
+0000119933 00000 n
+0000123387 00000 n
+0000122553 00000 n
+0000120136 00000 n
+0000122678 00000 n
+0000122807 00000 n
+0000122936 00000 n
+0000123065 00000 n
+0000123193 00000 n
+0000123322 00000 n
+0000127281 00000 n
+0000126513 00000 n
+0000123525 00000 n
+0000126830 00000 n
+0000126660 00000 n
+0000126959 00000 n
+0000127088 00000 n
+0000127217 00000 n
+0000643590 00000 n
+0000305128 00000 n
+0000131140 00000 n
+0000130563 00000 n
+0000127393 00000 n
+0000130689 00000 n
+0000130818 00000 n
+0000130946 00000 n
+0000131075 00000 n
+0000134599 00000 n
+0000134279 00000 n
+0000131278 00000 n
+0000134405 00000 n
+0000134534 00000 n
+0000137930 00000 n
+0000137171 00000 n
+0000134711 00000 n
+0000137479 00000 n
+0000137608 00000 n
+0000137318 00000 n
+0000137737 00000 n
+0000137865 00000 n
+0000350484 00000 n
+0000140668 00000 n
+0000140090 00000 n
+0000138096 00000 n
+0000140216 00000 n
+0000140345 00000 n
+0000140474 00000 n
+0000140603 00000 n
+0000141108 00000 n
+0000140917 00000 n
+0000140767 00000 n
+0000141043 00000 n
+0000145110 00000 n
+0000144344 00000 n
+0000141150 00000 n
+0000144658 00000 n
+0000144787 00000 n
+0000144915 00000 n
+0000144980 00000 n
+0000145045 00000 n
+0000144491 00000 n
+0000643715 00000 n
+0000149172 00000 n
+0000149495 00000 n
+0000148917 00000 n
+0000145209 00000 n
+0000149043 00000 n
+0000149301 00000 n
+0000149430 00000 n
+0000153095 00000 n
+0000152517 00000 n
+0000149633 00000 n
+0000152643 00000 n
+0000152772 00000 n
+0000152901 00000 n
+0000153030 00000 n
+0000155880 00000 n
+0000157130 00000 n
+0000155754 00000 n
+0000153220 00000 n
+0000156806 00000 n
+0000156935 00000 n
+0000157000 00000 n
+0000157065 00000 n
+0000161135 00000 n
+0000160302 00000 n
+0000157284 00000 n
+0000160428 00000 n
+0000160557 00000 n
+0000160684 00000 n
+0000160749 00000 n
+0000160814 00000 n
+0000160943 00000 n
+0000166177 00000 n
+0000164779 00000 n
+0000161247 00000 n
+0000165597 00000 n
+0000164953 00000 n
+0000165104 00000 n
+0000165726 00000 n
+0000165855 00000 n
+0000165984 00000 n
+0000166113 00000 n
+0000165263 00000 n
+0000165413 00000 n
+0000451429 00000 n
+0000169654 00000 n
+0000168997 00000 n
+0000166315 00000 n
+0000169331 00000 n
+0000169144 00000 n
+0000169460 00000 n
+0000169589 00000 n
+0000643840 00000 n
+0000174289 00000 n
+0000173969 00000 n
+0000169779 00000 n
+0000174095 00000 n
+0000174224 00000 n
+0000177453 00000 n
+0000177074 00000 n
+0000174414 00000 n
+0000177388 00000 n
+0000177221 00000 n
+0000180403 00000 n
+0000180597 00000 n
+0000180148 00000 n
+0000177565 00000 n
+0000180274 00000 n
+0000180468 00000 n
+0000180532 00000 n
+0000184339 00000 n
+0000183555 00000 n
+0000180709 00000 n
+0000184016 00000 n
+0000184145 00000 n
+0000184274 00000 n
+0000183711 00000 n
+0000183863 00000 n
+0000186345 00000 n
+0000185767 00000 n
+0000184451 00000 n
+0000185893 00000 n
+0000186022 00000 n
+0000186151 00000 n
+0000186280 00000 n
+0000187890 00000 n
+0000187699 00000 n
+0000186457 00000 n
+0000187825 00000 n
+0000643965 00000 n
+0000190097 00000 n
+0000189777 00000 n
+0000187989 00000 n
+0000189903 00000 n
+0000190032 00000 n
+0000194415 00000 n
+0000194047 00000 n
+0000190209 00000 n
+0000194350 00000 n
+0000194194 00000 n
+0000263452 00000 n
+0000198510 00000 n
+0000198061 00000 n
+0000194540 00000 n
+0000198187 00000 n
+0000198380 00000 n
+0000198445 00000 n
+0000202640 00000 n
+0000202274 00000 n
+0000198635 00000 n
+0000202575 00000 n
+0000202421 00000 n
+0000207674 00000 n
+0000206541 00000 n
+0000202765 00000 n
+0000207609 00000 n
+0000206724 00000 n
+0000206880 00000 n
+0000207065 00000 n
+0000207239 00000 n
+0000207424 00000 n
+0000271991 00000 n
+0000211774 00000 n
+0000211583 00000 n
+0000207866 00000 n
+0000211709 00000 n
+0000644090 00000 n
+0000215515 00000 n
+0000215195 00000 n
+0000211886 00000 n
+0000215321 00000 n
+0000215450 00000 n
+0000220014 00000 n
+0000219022 00000 n
+0000215627 00000 n
+0000219691 00000 n
+0000219187 00000 n
+0000219820 00000 n
+0000219949 00000 n
+0000219356 00000 n
+0000219521 00000 n
+0000278918 00000 n
+0000337958 00000 n
+0000223753 00000 n
+0000223241 00000 n
+0000220180 00000 n
+0000223559 00000 n
+0000223388 00000 n
+0000223688 00000 n
+0000226942 00000 n
+0000226493 00000 n
+0000223878 00000 n
+0000226619 00000 n
+0000226748 00000 n
+0000230940 00000 n
+0000230749 00000 n
+0000227108 00000 n
+0000230875 00000 n
+0000233912 00000 n
+0000233592 00000 n
+0000231052 00000 n
+0000233718 00000 n
+0000233847 00000 n
+0000644215 00000 n
+0000238291 00000 n
+0000237485 00000 n
+0000234065 00000 n
+0000237970 00000 n
+0000238099 00000 n
+0000237641 00000 n
+0000238227 00000 n
+0000237815 00000 n
+0000241792 00000 n
+0000241343 00000 n
+0000238403 00000 n
+0000241469 00000 n
+0000241598 00000 n
+0000241727 00000 n
+0000245691 00000 n
+0000245024 00000 n
+0000241945 00000 n
+0000245497 00000 n
+0000245626 00000 n
+0000245180 00000 n
+0000245342 00000 n
+0000249374 00000 n
+0000248606 00000 n
+0000245857 00000 n
+0000248922 00000 n
+0000248753 00000 n
+0000249115 00000 n
+0000249180 00000 n
+0000249309 00000 n
+0000253794 00000 n
+0000253248 00000 n
+0000249553 00000 n
+0000253729 00000 n
+0000253404 00000 n
+0000253566 00000 n
+0000331072 00000 n
+0000258200 00000 n
+0000257562 00000 n
+0000253960 00000 n
+0000257878 00000 n
+0000464883 00000 n
+0000462885 00000 n
+0000464718 00000 n
+0000258007 00000 n
+0000257709 00000 n
+0000258135 00000 n
+0000644340 00000 n
+0000275896 00000 n
+0000260287 00000 n
+0000260096 00000 n
+0000258339 00000 n
+0000260222 00000 n
+0000263647 00000 n
+0000263197 00000 n
+0000260399 00000 n
+0000263323 00000 n
+0000263517 00000 n
+0000263582 00000 n
+0000267393 00000 n
+0000266945 00000 n
+0000263787 00000 n
+0000267071 00000 n
+0000267328 00000 n
+0000272056 00000 n
+0000271564 00000 n
+0000267505 00000 n
+0000271862 00000 n
+0000271711 00000 n
+0000276090 00000 n
+0000275039 00000 n
+0000272168 00000 n
+0000275509 00000 n
+0000275195 00000 n
+0000275638 00000 n
+0000275767 00000 n
+0000275355 00000 n
+0000276025 00000 n
+0000278982 00000 n
+0000278663 00000 n
+0000276202 00000 n
+0000278789 00000 n
+0000644465 00000 n
+0000280382 00000 n
+0000280191 00000 n
+0000279094 00000 n
+0000280317 00000 n
+0000281794 00000 n
+0000281603 00000 n
+0000280481 00000 n
+0000281729 00000 n
+0000285487 00000 n
+0000284908 00000 n
+0000281893 00000 n
+0000285034 00000 n
+0000285163 00000 n
+0000285292 00000 n
+0000285357 00000 n
+0000285422 00000 n
+0000290257 00000 n
+0000288765 00000 n
+0000285599 00000 n
+0000289934 00000 n
+0000290063 00000 n
+0000290192 00000 n
+0000288957 00000 n
+0000289118 00000 n
+0000289280 00000 n
+0000289442 00000 n
+0000289604 00000 n
+0000289774 00000 n
+0000295160 00000 n
+0000293756 00000 n
+0000290369 00000 n
+0000295095 00000 n
+0000293957 00000 n
+0000294120 00000 n
+0000294283 00000 n
+0000294446 00000 n
+0000294609 00000 n
+0000294772 00000 n
+0000294935 00000 n
+0000301257 00000 n
+0000298024 00000 n
+0000295285 00000 n
+0000301192 00000 n
+0000298324 00000 n
+0000298485 00000 n
+0000298647 00000 n
+0000298809 00000 n
+0000298971 00000 n
+0000299134 00000 n
+0000299288 00000 n
+0000299450 00000 n
+0000299612 00000 n
+0000299772 00000 n
+0000299932 00000 n
+0000300094 00000 n
+0000300253 00000 n
+0000300412 00000 n
+0000300565 00000 n
+0000300727 00000 n
+0000300878 00000 n
+0000301040 00000 n
+0000644590 00000 n
+0000305323 00000 n
+0000304873 00000 n
+0000301382 00000 n
+0000304999 00000 n
+0000305193 00000 n
+0000305258 00000 n
+0000309720 00000 n
+0000308522 00000 n
+0000305448 00000 n
+0000309010 00000 n
+0000309139 00000 n
+0000309395 00000 n
+0000308678 00000 n
+0000308848 00000 n
+0000309460 00000 n
+0000309525 00000 n
+0000309590 00000 n
+0000309655 00000 n
+0000312971 00000 n
+0000312650 00000 n
+0000309832 00000 n
+0000312776 00000 n
+0000312841 00000 n
+0000312906 00000 n
+0000316891 00000 n
+0000316379 00000 n
+0000313070 00000 n
+0000316505 00000 n
+0000316633 00000 n
+0000316698 00000 n
+0000316763 00000 n
+0000316828 00000 n
+0000320835 00000 n
+0000320061 00000 n
+0000317003 00000 n
+0000320187 00000 n
+0000320252 00000 n
+0000320381 00000 n
+0000320446 00000 n
+0000320511 00000 n
+0000320640 00000 n
+0000320705 00000 n
+0000320770 00000 n
+0000324282 00000 n
+0000323446 00000 n
+0000320960 00000 n
+0000323572 00000 n
+0000323701 00000 n
+0000323766 00000 n
+0000323831 00000 n
+0000323960 00000 n
+0000324089 00000 n
+0000324218 00000 n
+0000644715 00000 n
+0000327278 00000 n
+0000326699 00000 n
+0000324488 00000 n
+0000326825 00000 n
+0000326954 00000 n
+0000327083 00000 n
+0000327148 00000 n
+0000327213 00000 n
+0000331137 00000 n
+0000330817 00000 n
+0000327457 00000 n
+0000330943 00000 n
+0000331603 00000 n
+0000331412 00000 n
+0000331262 00000 n
+0000331538 00000 n
+0000333543 00000 n
+0000333094 00000 n
+0000331645 00000 n
+0000333220 00000 n
+0000333349 00000 n
+0000333478 00000 n
+0000338023 00000 n
+0000337079 00000 n
+0000333655 00000 n
+0000337442 00000 n
+0000462564 00000 n
+0000453351 00000 n
+0000462378 00000 n
+0000337226 00000 n
+0000337571 00000 n
+0000337700 00000 n
+0000337829 00000 n
+0000339061 00000 n
+0000338870 00000 n
+0000338256 00000 n
+0000338996 00000 n
+0000644840 00000 n
+0000339488 00000 n
+0000339297 00000 n
+0000339147 00000 n
+0000339423 00000 n
+0000342815 00000 n
+0000341589 00000 n
+0000339530 00000 n
+0000342106 00000 n
+0000342235 00000 n
+0000342364 00000 n
+0000342493 00000 n
+0000342622 00000 n
+0000342751 00000 n
+0000341745 00000 n
+0000341917 00000 n
+0000343269 00000 n
+0000343078 00000 n
+0000342928 00000 n
+0000343204 00000 n
+0000346608 00000 n
+0000346030 00000 n
+0000343311 00000 n
+0000346156 00000 n
+0000346285 00000 n
+0000346414 00000 n
+0000346543 00000 n
+0000351840 00000 n
+0000349715 00000 n
+0000346694 00000 n
+0000350226 00000 n
+0000350355 00000 n
+0000350613 00000 n
+0000349871 00000 n
+0000350050 00000 n
+0000350806 00000 n
+0000350871 00000 n
+0000350936 00000 n
+0000351001 00000 n
+0000351066 00000 n
+0000351131 00000 n
+0000351196 00000 n
+0000351261 00000 n
+0000351326 00000 n
+0000351391 00000 n
+0000351456 00000 n
+0000351584 00000 n
+0000351648 00000 n
+0000351712 00000 n
+0000351776 00000 n
+0000358577 00000 n
+0000355009 00000 n
+0000351992 00000 n
+0000355135 00000 n
+0000355200 00000 n
+0000355265 00000 n
+0000355330 00000 n
+0000355395 00000 n
+0000355460 00000 n
+0000355525 00000 n
+0000355590 00000 n
+0000355655 00000 n
+0000355720 00000 n
+0000355785 00000 n
+0000355850 00000 n
+0000355915 00000 n
+0000355980 00000 n
+0000356045 00000 n
+0000356110 00000 n
+0000356175 00000 n
+0000356240 00000 n
+0000356305 00000 n
+0000356370 00000 n
+0000356435 00000 n
+0000356500 00000 n
+0000356565 00000 n
+0000356630 00000 n
+0000356695 00000 n
+0000356760 00000 n
+0000356825 00000 n
+0000356890 00000 n
+0000356955 00000 n
+0000357020 00000 n
+0000357085 00000 n
+0000357150 00000 n
+0000357215 00000 n
+0000357280 00000 n
+0000357345 00000 n
+0000357410 00000 n
+0000357475 00000 n
+0000357540 00000 n
+0000357605 00000 n
+0000357670 00000 n
+0000357734 00000 n
+0000357799 00000 n
+0000357864 00000 n
+0000357929 00000 n
+0000357994 00000 n
+0000358059 00000 n
+0000358124 00000 n
+0000358189 00000 n
+0000358254 00000 n
+0000358319 00000 n
+0000358384 00000 n
+0000358449 00000 n
+0000358513 00000 n
+0000644965 00000 n
+0000365304 00000 n
+0000361609 00000 n
+0000358689 00000 n
+0000361735 00000 n
+0000361800 00000 n
+0000361865 00000 n
+0000361930 00000 n
+0000361995 00000 n
+0000362059 00000 n
+0000362124 00000 n
+0000362189 00000 n
+0000362254 00000 n
+0000362319 00000 n
+0000362384 00000 n
+0000362449 00000 n
+0000362514 00000 n
+0000362579 00000 n
+0000362644 00000 n
+0000362709 00000 n
+0000362774 00000 n
+0000362839 00000 n
+0000362904 00000 n
+0000362969 00000 n
+0000363034 00000 n
+0000363099 00000 n
+0000363164 00000 n
+0000363229 00000 n
+0000363293 00000 n
+0000363358 00000 n
+0000363423 00000 n
+0000363488 00000 n
+0000363553 00000 n
+0000363618 00000 n
+0000363683 00000 n
+0000363748 00000 n
+0000363813 00000 n
+0000363878 00000 n
+0000363943 00000 n
+0000364008 00000 n
+0000364073 00000 n
+0000364138 00000 n
+0000364203 00000 n
+0000364268 00000 n
+0000364333 00000 n
+0000364398 00000 n
+0000364463 00000 n
+0000364528 00000 n
+0000364593 00000 n
+0000364658 00000 n
+0000364723 00000 n
+0000364788 00000 n
+0000364853 00000 n
+0000364918 00000 n
+0000364983 00000 n
+0000365047 00000 n
+0000365112 00000 n
+0000365176 00000 n
+0000365240 00000 n
+0000371853 00000 n
+0000368225 00000 n
+0000365416 00000 n
+0000368351 00000 n
+0000368416 00000 n
+0000368480 00000 n
+0000368544 00000 n
+0000368608 00000 n
+0000368673 00000 n
+0000368738 00000 n
+0000368803 00000 n
+0000368868 00000 n
+0000368933 00000 n
+0000368998 00000 n
+0000369063 00000 n
+0000369128 00000 n
+0000369193 00000 n
+0000369258 00000 n
+0000369323 00000 n
+0000369387 00000 n
+0000369452 00000 n
+0000369516 00000 n
+0000369581 00000 n
+0000369646 00000 n
+0000369711 00000 n
+0000369776 00000 n
+0000369841 00000 n
+0000369906 00000 n
+0000369971 00000 n
+0000370036 00000 n
+0000370101 00000 n
+0000370166 00000 n
+0000370231 00000 n
+0000370296 00000 n
+0000370361 00000 n
+0000370426 00000 n
+0000370491 00000 n
+0000370556 00000 n
+0000370621 00000 n
+0000370686 00000 n
+0000370751 00000 n
+0000370816 00000 n
+0000370881 00000 n
+0000370946 00000 n
+0000371011 00000 n
+0000371076 00000 n
+0000371141 00000 n
+0000371206 00000 n
+0000371270 00000 n
+0000371335 00000 n
+0000371400 00000 n
+0000371465 00000 n
+0000371530 00000 n
+0000371595 00000 n
+0000371660 00000 n
+0000371725 00000 n
+0000371789 00000 n
+0000374971 00000 n
+0000373613 00000 n
+0000371965 00000 n
+0000373739 00000 n
+0000373804 00000 n
+0000373869 00000 n
+0000373934 00000 n
+0000373999 00000 n
+0000374064 00000 n
+0000374129 00000 n
+0000374194 00000 n
+0000374259 00000 n
+0000374323 00000 n
+0000374388 00000 n
+0000374517 00000 n
+0000374646 00000 n
+0000374711 00000 n
+0000374776 00000 n
+0000374841 00000 n
+0000374906 00000 n
+0000377735 00000 n
+0000377091 00000 n
+0000375096 00000 n
+0000377217 00000 n
+0000377346 00000 n
+0000377475 00000 n
+0000377540 00000 n
+0000377605 00000 n
+0000377670 00000 n
+0000382216 00000 n
+0000381895 00000 n
+0000377847 00000 n
+0000382021 00000 n
+0000382086 00000 n
+0000382151 00000 n
+0000385471 00000 n
+0000385215 00000 n
+0000382368 00000 n
+0000385341 00000 n
+0000385406 00000 n
+0000645090 00000 n
+0000388730 00000 n
+0000388539 00000 n
+0000385609 00000 n
+0000388665 00000 n
+0000392510 00000 n
+0000392254 00000 n
+0000388855 00000 n
+0000392380 00000 n
+0000392445 00000 n
+0000395684 00000 n
+0000394909 00000 n
+0000392648 00000 n
+0000395035 00000 n
+0000395100 00000 n
+0000395165 00000 n
+0000395230 00000 n
+0000395295 00000 n
+0000395424 00000 n
+0000395489 00000 n
+0000395554 00000 n
+0000395619 00000 n
+0000400154 00000 n
+0000399963 00000 n
+0000395822 00000 n
+0000400089 00000 n
+0000403335 00000 n
+0000402562 00000 n
+0000400292 00000 n
+0000402688 00000 n
+0000402753 00000 n
+0000402818 00000 n
+0000402882 00000 n
+0000403011 00000 n
+0000403076 00000 n
+0000403140 00000 n
+0000403205 00000 n
+0000403270 00000 n
+0000406754 00000 n
+0000406498 00000 n
+0000403500 00000 n
+0000406624 00000 n
+0000406689 00000 n
+0000645215 00000 n
+0000409599 00000 n
+0000408889 00000 n
+0000406892 00000 n
+0000409015 00000 n
+0000409080 00000 n
+0000409145 00000 n
+0000409210 00000 n
+0000409339 00000 n
+0000409404 00000 n
+0000409469 00000 n
+0000409534 00000 n
+0000413280 00000 n
+0000413024 00000 n
+0000409750 00000 n
+0000413150 00000 n
+0000413215 00000 n
+0000416630 00000 n
+0000416374 00000 n
+0000413405 00000 n
+0000416500 00000 n
+0000416565 00000 n
+0000419240 00000 n
+0000418467 00000 n
+0000416768 00000 n
+0000418593 00000 n
+0000418658 00000 n
+0000418723 00000 n
+0000418851 00000 n
+0000418916 00000 n
+0000418981 00000 n
+0000419046 00000 n
+0000419111 00000 n
+0000419176 00000 n
+0000422081 00000 n
+0000421371 00000 n
+0000419391 00000 n
+0000421497 00000 n
+0000421562 00000 n
+0000421627 00000 n
+0000421756 00000 n
+0000421821 00000 n
+0000421886 00000 n
+0000421951 00000 n
+0000422016 00000 n
+0000425616 00000 n
+0000425425 00000 n
+0000422232 00000 n
+0000425551 00000 n
+0000645340 00000 n
+0000428364 00000 n
+0000427590 00000 n
+0000425741 00000 n
+0000427716 00000 n
+0000427781 00000 n
+0000427846 00000 n
+0000427911 00000 n
+0000428040 00000 n
+0000428104 00000 n
+0000428169 00000 n
+0000428234 00000 n
+0000428299 00000 n
+0000431238 00000 n
+0000431047 00000 n
+0000428515 00000 n
+0000431173 00000 n
+0000434147 00000 n
+0000433697 00000 n
+0000431431 00000 n
+0000433823 00000 n
+0000433888 00000 n
+0000433953 00000 n
+0000434018 00000 n
+0000434083 00000 n
+0000437554 00000 n
+0000436911 00000 n
+0000434379 00000 n
+0000437037 00000 n
+0000437102 00000 n
+0000437231 00000 n
+0000437296 00000 n
+0000437360 00000 n
+0000437424 00000 n
+0000437489 00000 n
+0000440516 00000 n
+0000439806 00000 n
+0000437692 00000 n
+0000439932 00000 n
+0000439997 00000 n
+0000440062 00000 n
+0000440127 00000 n
+0000440256 00000 n
+0000440321 00000 n
+0000440386 00000 n
+0000440451 00000 n
+0000443612 00000 n
+0000443356 00000 n
+0000440680 00000 n
+0000443482 00000 n
+0000443547 00000 n
+0000645465 00000 n
+0000446748 00000 n
+0000446039 00000 n
+0000443737 00000 n
+0000446165 00000 n
+0000446230 00000 n
+0000446295 00000 n
+0000446360 00000 n
+0000446488 00000 n
+0000446553 00000 n
+0000446618 00000 n
+0000446683 00000 n
+0000450339 00000 n
+0000450018 00000 n
+0000446899 00000 n
+0000450144 00000 n
+0000450209 00000 n
+0000450274 00000 n
+0000451317 00000 n
+0000450996 00000 n
+0000450477 00000 n
+0000451122 00000 n
+0000451187 00000 n
+0000451252 00000 n
+0000451462 00000 n
+0000462806 00000 n
+0000465130 00000 n
+0000465099 00000 n
+0000474618 00000 n
+0000484617 00000 n
+0000494846 00000 n
+0000507048 00000 n
+0000525181 00000 n
+0000547269 00000 n
+0000567968 00000 n
+0000585780 00000 n
+0000588610 00000 n
+0000588380 00000 n
+0000615646 00000 n
+0000642623 00000 n
+0000645572 00000 n
+0000645694 00000 n
+0000645820 00000 n
+0000645946 00000 n
+0000646036 00000 n
+0000646128 00000 n
+0000661315 00000 n
+0000678553 00000 n
+0000678594 00000 n
+0000678634 00000 n
+0000678768 00000 n
trailer
<<
-/Size 1370
-/Root 1368 0 R
-/Info 1369 0 R
-/ID [<52936C5C32902731CDA6B6FA6B2205C2> <52936C5C32902731CDA6B6FA6B2205C2>]
+/Size 1942
+/Root 1940 0 R
+/Info 1941 0 R
+/ID [<C16C2A8590B8858C2F91556A1B642356> <C16C2A8590B8858C2F91556A1B642356>]
>>
startxref
-502637
+679032
%%EOF
diff --git a/contrib/bind9/doc/arm/Makefile.in b/contrib/bind9/doc/arm/Makefile.in
index 88a54e3..4d48169 100644
--- a/contrib/bind9/doc/arm/Makefile.in
+++ b/contrib/bind9/doc/arm/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2001, 2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.8.2.2.8.5 2005/05/13 01:22:35 marka Exp $
+# $Id: Makefile.in,v 1.12.18.7 2007/02/07 23:57:58 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@@ -21,43 +21,47 @@ top_srcdir = @top_srcdir@
@BIND9_MAKE_RULES@
+@BIND9_VERSION@
+
MANOBJS = Bv9ARM.html
PDFOBJS = Bv9ARM.pdf
-distclean::
- rm -f validate.sh
- rm -f nominum-docbook-html.dsl nominum-docbook-print.dsl
- rm -f HTML.index HTML.manifest
-
doc man:: ${MANOBJS} ${PDFOBJS}
clean::
- rm -f Bv9ARM.aux Bv9ARM.brf Bv9ARM.glo Bv9ARM.idx
+ rm -f Bv9ARM.aux Bv9ARM.brf Bv9ARM.glo Bv9ARM.idx Bv9ARM.toc
rm -f Bv9ARM.log Bv9ARM.out Bv9ARM.tex Bv9ARM.tex.tmp
docclean manclean maintainer-clean:: clean
- rm -f *.html *.pdf
+ rm -f *.html ${PDFOBJS}
-Bv9ARM.html: Bv9ARM-book.xml
+docclean manclean maintainer-clean distclean::
+ rm -f releaseinfo.xml
+
+Bv9ARM.html: Bv9ARM-book.xml releaseinfo.xml
+ expand Bv9ARM-book.xml | \
${XSLTPROC} --stringparam root.filename Bv9ARM \
- ${top_srcdir}/doc/xsl/isc-docbook-chunk.xsl \
- Bv9ARM-book.xml
+ ${top_srcdir}/doc/xsl/isc-docbook-chunk.xsl -
-Bv9ARM.tex: Bv9ARM-book.xml
- ${XSLTPROC} ${top_srcdir}/doc/xsl/pre-latex.xsl Bv9ARM-book.xml | \
+Bv9ARM.tex: Bv9ARM-book.xml releaseinfo.xml
+ expand Bv9ARM-book.xml | \
+ ${XSLTPROC} ${top_srcdir}/doc/xsl/pre-latex.xsl - | \
${XSLTPROC} ${top_srcdir}/doc/xsl/isc-docbook-latex.xsl - | \
@PERL@ latex-fixup.pl >$@.tmp
if test -s $@.tmp; then mv $@.tmp $@; else rm -f $@.tmp; exit 1; fi
-Bv9ARM.dvi: Bv9ARM.tex
+Bv9ARM.dvi: Bv9ARM.tex releaseinfo.xml
rm -f Bv9ARM-book.aux Bv9ARM-book.dvi Bv9ARM-book.log
- ${LATEX} '\batchmode\input Bv9ARM.tex' || rm -f $@
- ${LATEX} '\batchmode\input Bv9ARM.tex' || rm -f $@
- ${LATEX} '\batchmode\input Bv9ARM.tex' || rm -f $@
+ ${LATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1)
+ ${LATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1)
+ ${LATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1)
-Bv9ARM.pdf: Bv9ARM.tex
+Bv9ARM.pdf: Bv9ARM.tex releaseinfo.xml
rm -f Bv9ARM-book.aux Bv9ARM-book.pdf Bv9ARM-book.log
- ${PDFLATEX} '\batchmode\input Bv9ARM.tex' || rm -f $@
- ${PDFLATEX} '\batchmode\input Bv9ARM.tex' || rm -f $@
- ${PDFLATEX} '\batchmode\input Bv9ARM.tex' || rm -f $@
+ ${PDFLATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1)
+ ${PDFLATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1)
+ ${PDFLATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1)
+
+releaseinfo.xml:
+ echo >$@ '<releaseinfo>BIND Version ${VERSION}</releaseinfo>'
diff --git a/contrib/bind9/doc/arm/README-SGML b/contrib/bind9/doc/arm/README-SGML
index 8e7bc4e..e33c937 100644
--- a/contrib/bind9/doc/arm/README-SGML
+++ b/contrib/bind9/doc/arm/README-SGML
@@ -4,7 +4,7 @@ See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
The BIND v9 ARM master document is now kept in DocBook XML format.
-Version: $Id: README-SGML,v 1.16.206.1 2004/03/06 13:16:14 marka Exp $
+Version: $Id: README-SGML,v 1.17 2004/03/05 05:04:43 marka Exp $
The entire ARM is in the single file:
diff --git a/contrib/bind9/doc/arm/isc-logo.eps b/contrib/bind9/doc/arm/isc-logo.eps
new file mode 100644
index 0000000..c6a1d7a
--- /dev/null
+++ b/contrib/bind9/doc/arm/isc-logo.eps
@@ -0,0 +1,12253 @@
+%!PS-Adobe-3.1 EPSF-3.0
+%%Title: Alternate-ISC-logo-v2.ai
+%%Creator: Adobe Illustrator(R) 11
+%%AI8_CreatorVersion: 11.0.0
+%AI9_PrintingDataBegin
+%%For: Douglas E. Appelt
+%%CreationDate: 10/22/04
+%%BoundingBox: 0 0 255 149
+%%HiResBoundingBox: 0 0 254.8672 148.7520
+%%CropBox: 0 0 254.8672 148.7520
+%%LanguageLevel: 2
+%%DocumentData: Clean7Bit
+%%Pages: 1
+%%DocumentNeededResources:
+%%DocumentSuppliedResources: procset Adobe_AGM_Image (1.0 0)
+%%+ procset Adobe_CoolType_Utility_T42 (1.0 0)
+%%+ procset Adobe_CoolType_Utility_MAKEOCF (1.19 0)
+%%+ procset Adobe_CoolType_Core (2.23 0)
+%%+ procset Adobe_AGM_Core (2.0 0)
+%%+ procset Adobe_AGM_Utils (1.0 0)
+%%DocumentFonts:
+%%DocumentNeededFonts:
+%%DocumentNeededFeatures:
+%%DocumentSuppliedFeatures:
+%%DocumentProcessColors: Cyan Magenta Yellow Black
+%%DocumentCustomColors: (PANTONE 1805 C)
+%%+ (PANTONE 871 C)
+%%+ (PANTONE 301 C)
+%%+ (PANTONE 7506 C)
+%%CMYKCustomColor: 0 0.9100 1 0.2300 (PANTONE 1805 C)
+%%+ 0.3569 0.3608 0.6353 0.1882 (PANTONE 871 C)
+%%+ 1 0.4500 0 0.1800 (PANTONE 301 C)
+%%+ 0 0.0500 0.1500 0 (PANTONE 7506 C)
+%%RGBCustomColor:
+%ADO_ContainsXMP: MainFirst
+%AI7_Thumbnail: 128 76 8
+%%BeginData: 10692 Hex Bytes
+%0000330000660000990000CC0033000033330033660033990033CC0033FF
+%0066000066330066660066990066CC0066FF009900009933009966009999
+%0099CC0099FF00CC0000CC3300CC6600CC9900CCCC00CCFF00FF3300FF66
+%00FF9900FFCC3300003300333300663300993300CC3300FF333300333333
+%3333663333993333CC3333FF3366003366333366663366993366CC3366FF
+%3399003399333399663399993399CC3399FF33CC0033CC3333CC6633CC99
+%33CCCC33CCFF33FF0033FF3333FF6633FF9933FFCC33FFFF660000660033
+%6600666600996600CC6600FF6633006633336633666633996633CC6633FF
+%6666006666336666666666996666CC6666FF669900669933669966669999
+%6699CC6699FF66CC0066CC3366CC6666CC9966CCCC66CCFF66FF0066FF33
+%66FF6666FF9966FFCC66FFFF9900009900339900669900999900CC9900FF
+%9933009933339933669933999933CC9933FF996600996633996666996699
+%9966CC9966FF9999009999339999669999999999CC9999FF99CC0099CC33
+%99CC6699CC9999CCCC99CCFF99FF0099FF3399FF6699FF9999FFCC99FFFF
+%CC0000CC0033CC0066CC0099CC00CCCC00FFCC3300CC3333CC3366CC3399
+%CC33CCCC33FFCC6600CC6633CC6666CC6699CC66CCCC66FFCC9900CC9933
+%CC9966CC9999CC99CCCC99FFCCCC00CCCC33CCCC66CCCC99CCCCCCCCCCFF
+%CCFF00CCFF33CCFF66CCFF99CCFFCCCCFFFFFF0033FF0066FF0099FF00CC
+%FF3300FF3333FF3366FF3399FF33CCFF33FFFF6600FF6633FF6666FF6699
+%FF66CCFF66FFFF9900FF9933FF9966FF9999FF99CCFF99FFFFCC00FFCC33
+%FFCC66FFCC99FFCCCCFFCCFFFFFF33FFFF66FFFF99FFFFCC110000001100
+%000011111111220000002200000022222222440000004400000044444444
+%550000005500000055555555770000007700000077777777880000008800
+%000088888888AA000000AA000000AAAAAAAABB000000BB000000BBBBBBBB
+%DD000000DD000000DDDDDDDDEE000000EE000000EEEEEEEE0000000000FF
+%00FF0000FFFFFF0000FF00FFFFFF00FFFFFF
+%524C45FD1CF852FD63FFF820272726272727264B27272627272726272727
+%26272727264B20F827FD63FFF827FFFFFFCFFF84365AFFFFFFCFFFFFFFCF
+%FFFFFFCFFD04FFCAF852FD63FFF827CFCFCACFCA2F0607A8CFCACFCACFCA
+%CFCACFCACFCACFCACF7CF827FD63FFF800FFCFFFA8A8070D06A8CFFFCFFF
+%CFFFCFFFCFFFCFFFCFFFCFA7F852FD63FFF800077E2F0D060D060706537D
+%CF7D2FA8CFCACFCACFCACFCAFF7CF827FD63FFF8000D062F070D062F070D
+%062F2F0D062FCACFCFFFCFCFCFFFCFA1F852FD63FFF8050707062E517651
+%522807060706072ECFCACFCACFCACFCAFF7CF827FD63FFF8002F067C757B
+%757C757B512F072F2FFFCFCFCFFFCFFFCFFFCFA1F852FD63FFF805075251
+%75517551755175512F062FCACFCACFCACFCACFCAFF7CF827FD63FFF8F859
+%75765176757C517C757B2E2F07A8CFFFCFCFCFFFCFCFCFA1F852FD63FFF8
+%00517551757CCFCAA751755175060753CFCACFCACFCACFCACF7CF827FD63
+%FFF8F87C75757CFFCFFFCFA7517C752F072F59A8CFCFCFFFCFFFCFA7F852
+%FD04FFA87D527DA8FD5AFFF827757551A1CFCFCAFFA0755175280D060706
+%A8CFCFCACFCAFF7CF827FD05FF27F827FD5BFFF8F87C51767CFFCFFFCFA0
+%517C752F062F060D84FFCFFFCFFFCFA1F852FD05FF7DF87DFD5BFFF80552
+%7551757CC9A7A05175517606072F7E7DCFCACFC9CFCAFF6FF827FD05FF52
+%F852FD27FFA8FD33FFF80059757C7575517C517C517C2E2F06CFCFFFCFCF
+%9293CAFFCF6FF852FD05FF7DF87DFD04FFA8FD05FF7D7DA8FF527D7D7D52
+%7D52A8FFA8527D527DA8FF7D7D527D52FD05FFA8FD05FFA87D7DFFFFA852
+%7D527DA8FF527D7D7D527D52A8FD19FFF805075275755175517551752D0D
+%0653CFFFCFFFA78C6899939344F827FD05FF52F852FFFFFFA8F87DFD04FF
+%7D27FFA87D7DA8F827A87D7DFFA8F827A8527DFFA8F852A827F8A8FFFFFF
+%7DF8FD05FF2752FFFFA8F827A8527DA87D7DA8F827A87D7DFD19FFF8F82F
+%0752517C757B757C2E0D062FA8C999CFCFC28C928C8C8C6EF852FD05FF7D
+%F87DFD04FFF8F87DFFFFFF7D52FD05FFF852FD05FFF87DFD05FFF852FFFF
+%F852FFFFFF7DF8F8FD04FF7D52FFFFFFF87DFD07FFF852FD1CFFF8000607
+%062F2852282E060D0607067D928C9293688C6892688C44F827FD05FF52F8
+%52FFFFFFA85252F852FFFF7D27FD05FFF87DFD04FFA8F852FD05FFF852FF
+%FFF8A8FFFFFF7D5227F8A8FFFF527DFFFFA8F852FD07FFF87DFD1CFFF800
+%852F2F062F070D062F072F062F0D9A8C928C928C928C928C6EF852FD05FF
+%7DF87DFD04FF27FF52F852FF7D52FD05FFF852FD05FFF82752527DFFFFF8
+%52FF527DFD04FF527DFF27F8A8FF7D7DFFFFFFF82752527DFD04FFF852FD
+%1CFFF827CFCF7D2F060D062F2F7EA82F062F938C68928C8C68926E994AF8
+%27FD05FF52F852FFFFFFA827FFFF52F852A852FD05FFF87DFD04FFA8F852
+%FF7DA8FFFFF82752F8A8FD04FF7D52FFA827F8A87D7DFFFFA8F852FF7DA8
+%FD04FFF87DFD1CFFF827FFCFFFA80D062FA8CFCFCA927693928C928C9292
+%75517C7B51F852FD05FF7DF87DFFFFFFA827FFFFFF52F8F87DFD05FFF852
+%FD05FFF87DFD05FFF852FF52F8A8FFFFFF5252FFFFFF27F8277DFFFFFFF8
+%7DFD07FFF852FD1CFFF827CFCFCACF06062ECFCAFF928C688C6892688C6E
+%765175517C26F827FD05FF52F852FFFFFFA827FD04FF52F852FD05FFF852
+%FD04FFA8F852FFFFA8A8FFF87DFFFFF8F8A8FFFF5227FD04FF27F8A8FFFF
+%A8F852FFFFA8A8FFFFFFF852FD1CFFF827FFCFFFCF7E53A8CFFFCFC99292
+%8C928C92757C757C517C7551F852FD04FFA852F852A8FFFFA8F8A8FD04FF
+%527DFD04FF7DF827FD04FFA8F827525252FF7DF827FFFFFF2727A8FF5227
+%A8FD04FF52A8FFFFA8F827525252FFFFFF7DF827FD1CFFF827CFCFCACFCF
+%CFCAFD04CF93688C688C6F7651755175517C4BF827FD05FFA8FFA8FFFFFF
+%A8FFA8FD0BFFA8FFA8FFFFFFA8FFA8A8A8FFFFFFA8FFA8FFFFFFA8FFA8FF
+%A8FD09FFA8FFA8A8A8FD05FFA8FFA8FD1BFFF827FFCFCFCFFFCFCFCFFFCF
+%C38C928C8C6E7C7576517C75767551F852FD63FFF827CFCFCACFCACFCACF
+%92928C8C688C6875517551755175517526F827FD63FFF827FFCFFFCFFFCF
+%FFCA938C928C928C99517C757C517C757C7551F852FD63FFF827CFCFCACF
+%CACFCACFA093688C6892757551755175517551754BF827FD63FFF827FFCF
+%FFCFCFCFFFCFFF998C8C926E7C7576517C7576517CA7A1F852FD06FFA87D
+%527DA8FD58FFF827CFCFCACFCACFCAFFCF996892686F5175517551755175
+%7CFF7CF827FD05FF7D2752A82727A8FD57FFF827FFCFFFCFFFCFFFC2BB8C
+%928C8C6E7C757C517C757C51CFFFA1F852FD05FF2752FFFFFF52FD58FFF8
+%27CFCFCACFCACFCF99688C68928C6F5175517551755175CAFF7CF827FD04
+%FFA8F852FD5CFFF827FFCFCFCFFFCFFFA0998C928C926E7C517C7576517C
+%51CACFA1F852FD04FFA827F87DFFFFFFA8527DFD04FF527DFFFFA87D52A8
+%FF7D527D527D527D7DFF7D7D527D527DFFFFFFA8FD06FFA8FD04FFA87D7D
+%7DFD26FFF827CFCFCACFCACFCACFCF99688C6893517551755175517575FF
+%7CF827FD05FF52F8F852FFFFFF52F8A8FFFF7D27A8FF5252A8A852A852A8
+%7DF827A87D7DFFA8F852A87D52FFFFFFF8A8FD04FF5227FFFFFF7D27A8A8
+%52A8FD25FFF827FFCFFFCFFFCFFFCFFFA08C8C92927C517C757C517C7575
+%7C7CF852FD06FF52F8F852FFFFFF27F8FFFF52A8FFFFF87DFD07FFF87DFD
+%05FFF852FD06FFF827FD04FF2727FFFFFF2752FD29FFF827CFCFCACFCACF
+%CACFA799688C68927575517551755175517526F84BFD07FF52F8F87DFFFF
+%A8F87D7D52FFFFFFF8F87DFD05FFA8F852FD05FFF87DFD05FFA8F8F8A8FF
+%FF7DF8F8A8FFFF52F852A8FD27FFF827FFCFFFCFCFCFFFCF9368928C928C
+%995176517C7576517C7551F852FD08FF7DF8F8FFFFFF52F827FD05FFF8F8
+%27FD05FFF87DFD05FFF8277D527DFFFF7D52F852FFFF277DF8A8FFFFFF52
+%F8F87DFD26FFF827CFCFCACFCACFCAFF938C688C688C6875517551755175
+%517C26F827FD09FF27F8A8FFFFFFF852FD06FF52F827FFFFFFA8F852FD05
+%FFF852A8A87DFFFF527D7DF8FF7D52A8F87DFD04FF7DF8F8A8FD25FFF827
+%FFCFFFCFFFCFFFCFCFCFC98C928C92927C517C757C517C7551F852FD04FF
+%7DFD04FF7DF8FD04FFF852FD07FF7DF8A8FFFFFFF87DFD05FFF852FD05FF
+%52A8FF272752A8FFF87DFD06FFF8A8FD25FFF827CFCFCACFCACFCAFD04CF
+%99688C688C6E7651755175517C4BF827FD04FF5227FFFFA8F852FD04FFF8
+%7DFFFFFF7D7DFFFF7D27FD04FFF852FD05FFF852FFFFA8FFFF27A8FF7DF8
+%52FFFFF852FFA852FFFF7D27A8FD25FFF827FFCFCFCFFFCFCFCFFFCFCF92
+%928C928C926E7C517C75767551F852FD04FF7D272752277DFD04FF7DF827
+%FFFFFF7D27525227FD04FFA8F852A8FFFFFF7D2727525252FFA8F8A8FFFF
+%52FFFFFF2727A8FF275252527DFD26FFF827CFCFCACFCACFCACFCAFF998C
+%688C688C688C68755176517526F827FD07FFA8FD07FFA8FFA8FFFFFFA8A8
+%A8FD05FFA8FFA8FD05FFA8FFA8A8A8FFA8FFA8FD07FFA8FFFFFFA8A8FD28
+%FFF827FFCFFFCFFFCFFFCFFFCFCF92C29A928C928C928C99757C7551F852
+%FD63FFF827CFCFCACFCACFCACFCAFD04CFFF998C68928C8C6892689344F8
+%27FD63FFF827FFCFFFCFCFCFFFCFCFCFFFCFCFCFC98C928C928C928C928C
+%68F852FD63FFF827CFCFCACFCACFCAA8537ECACFCAFF938C6899688C688C
+%689244F827FD63FFF827FFCFFFCFFFCFA8072F07FFCFFFCFCF992F0D5992
+%928C928C68F852FD08FF7D7D527D52A8A8FD54FFF827CFCFCACFCACFA70D
+%060753A87DA8CA5A0607069368929AC244F827FD06FF7DF8527D7D7D52F8
+%27FD54FFF827FFCFCFCFFFCFCF2F2F070D062F072F062F07539993C2FFFF
+%76F852FD05FF7DF87DFD06FF27FD54FFF827CFCFCACFCACF7D0D060D0607
+%060D0607060753FFCACFCAFF76F827FD04FFA8F827FD07FFA8A8FD15FFA8
+%FD3DFFF827FFCFFFCFFF592F062F072F2852282F072F072F7DFFCFFFCFA7
+%F852FD04FF52F87DFD0CFFA87D7D7DFD05FFA8FD05FF7D7DA8FFFFA87D7D
+%7DFFFFFFA87D527D7DFD04FFA8527D527DA8FFFF7D527D527D527D7DFF7D
+%7D7DFFFFA8527DA8FFFFA8527DFFFFFFA8FD06FFA8FFFFF827CF5959CA53
+%07060D066F688C6892684B060D06077DCFCFCF7CF827FD04FF27F8A8FD0A
+%FFA82752A87D52F852FFFFA8F87DFD04FF7D27FFFF7D27A87D52FFFF5227
+%7DA87D27F8A8FFFFA8F827A827F8A8A852A87DF827A87D7DFFA8F852FFFF
+%A8F827FD04FF2727FFFFFFF8A8FD04FF5227FFFFF827A9062F070D062F28
+%928C928C928C928C92282F072F847E5953F852FD04FFF8F8A8FD0AFF2752
+%FD04FF7DF87DFFFFF8F852FFFFFF7D52FFFFF8A8FFFFA8FF7DF8A8FD04FF
+%27F8FFFFFFF87DFFFFF87DFD04FFF87DFD05FFF852FFFFFFF87DFD04FF27
+%52FFFFFFF827FD04FF2727FFFFF8272F07060D060D278C688C68928C8C68
+%8C688C060D0607060D06F827FFFFFFA827F87DFD09FF7DF8FD06FF27F8FF
+%A85252F852FFFF7D27FFFF27F87DFFFFFF2727FD05FF7DF852FFA8F852FF
+%A8F87DFFFFFFA8F852FD05FFF852FFFFA8F852FD04FF5252FFFFA8F8F8A8
+%FFFF7DF827A8FFF827FF2F2F070D06938C928CBCC9CFC9BB8C928C6F070D
+%062F0706F852FD04FF27F852FD09FF52F8FD06FF52F8FFFF27FF52F852FF
+%7D52FFFFA827F827A8FFF852FD06FFF852FFFFF852FF7D7DFD05FFF87DFD
+%05FFF852FFFFFFF87DFD04FF2752FFFF7D52F852FFFF277DF8A8FFF827CF
+%CF2F0D064C689268C2CFFFCFFFCFC2688C682E0607062F52F827FD04FF7D
+%F8F8A8FD08FF52F8A8FD05FF52F8FFA827FFFF52F852A852FD04FF7DF827
+%FF2727FD05FFA8F852FFA8F82752F8A8FD04FFA8F852FD05FFF852FFFFA8
+%F852FD04FF5252FFFF7D7D7DF8FF7D52A8F87DFFF827FFCF59062F6F8C8C
+%99CFFFCFFFCFFFCF938C8C4B2F0759CFA7F852FD05FF52F827FD06FF7DFF
+%A8F852FD05FFF852FFA827FFFFFF52F8F87DFD05FF7DF8FF52F8A8FD04FF
+%A8F8A8FFFFF87DFF52F8FD05FFF87DFD05FFF852FFFFFFF852FD04FF277D
+%FFFF27A8FF272752FFFFF87DFFF827CFCF2F070693688C99FFCACFCACFCA
+%FF998C686F060759CF7CF827FD05FFA852F8F87DFFFFFF5227FFFF52F87D
+%FFFFFF5227A8FFA827FD04FF52F852FF527DFFFF5227FFFFF827A8FFFFFF
+%2752FFFFFFF852FFFF27F8FFFFFFA8F852FD05FFF87DFFFFFF52F8A8FFFF
+%7D27A8FFFF27A8FF7DF852FFFFF827FFF827FFCF53062F6E928CC2FFFFCF
+%FFCFFFCFC28C926F2F077ECFA7F852FD07FFA8FD06277DFFFFFF7D27277D
+%527DFFFFFF7DF8A8FD04FF527DFFA827525252A8FFFFFF5227527D52A8FF
+%FFFFA8F852A8FFA82727A8FFA8F852A8FFFFFF7DF827FD04FF52277D5252
+%A8FFFFA8F8A8FFFF52FFFFFF2727A8F827CFCF2F07066F8C8C92FFCFCFCA
+%CFCFCF8C8C8C4B060D59CF7CF827FD0BFFA8FD09FFA8FD05FFA8FFA8FD09
+%FFA8A8FD07FFA8A8FD05FFA8FFA8FD05FFA8FFA8FFA8FD05FFA8FFA8FD05
+%FFA8FD05FFA8FFA8FD07FFA8FFF827AF2F2F070D4B928C8CA0FFCFFFCFFF
+%998C8C92280D067ECFA1F852FD63FFF8270707060D0607688C688C99C9CA
+%C9938C688C680D0607065A76F827FD63FFF8275A062F070D07528C928C92
+%8C928C928C928C2F070D062F072EF852FD63FFF84B842F597E0607064C8C
+%8C68928C8C688C6828060D0607060D52F827FD63FFF827FFCFCFCF7E060D
+%062F6F928C928C934B2F070D0684A85A59A1F852FD63FFF827CFCFCACFCA
+%590607060D06282728060D0607067ECACFCFCF7CF827FD63FFF827FFCFFF
+%CFFFCF59062F070D072F070D062F2FA8CFFFCFFFCFA7F852FD63FFF827CF
+%CFCACFCACF2F07060D0607060D06070653CFCFCACFCAFF7CF827FD63FFF8
+%27FFCFFFCFCFA82F070D59CFA8A8A859060D07FD04CFFFCFA1F852FD63FF
+%F827CFCFCACFCFA82F0D2FCFCACFCFCFA80D060DA8CFCACFCAFF7CF827FD
+%63FFF827FFCFFFCFFFCFFFA8FFCFFFCFFFCFFF7E7EA8FFCFFFCFFFFFA7F8
+%52FD63FFFD09F820FD07F820FD07F820F8F827FD63FF27F827F820F827F8
+%20F827F820F827F820F827F820F827F820F827F87CFDE2FFFF
+%%EndData
+%%EndComments
+%%BeginDefaults
+%%ViewingOrientation: 1 0 0 1
+%%EndDefaults
+%%BeginProlog
+%%BeginResource: procset Adobe_AGM_Utils 1.0 0
+%%Version: 1.0 0
+%%Copyright: Copyright (C) 2000-2003 Adobe Systems, Inc. All Rights Reserved.
+systemdict /setpacking known
+{
+ currentpacking
+ true setpacking
+} if
+userdict /Adobe_AGM_Utils 68 dict dup begin put
+/bdf
+{
+ bind def
+} bind def
+/nd{
+ null def
+}bdf
+/xdf
+{
+ exch def
+}bdf
+/ldf
+{
+ load def
+}bdf
+/ddf
+{
+ put
+}bdf
+/xddf
+{
+ 3 -1 roll put
+}bdf
+/xpt
+{
+ exch put
+}bdf
+/ndf
+{
+ exch dup where{
+ pop pop pop
+ }{
+ xdf
+ }ifelse
+}def
+/cdndf
+{
+ exch dup currentdict exch known{
+ pop pop
+ }{
+ exch def
+ }ifelse
+}def
+/bdict
+{
+ mark
+}bdf
+/edict
+{
+ counttomark 2 idiv dup dict begin {def} repeat pop currentdict end
+}def
+/ps_level
+ /languagelevel where{
+ pop systemdict /languagelevel get exec
+ }{
+ 1
+ }ifelse
+def
+/level2
+ ps_level 2 ge
+def
+/level3
+ ps_level 3 ge
+def
+/ps_version
+ {version cvr} stopped {
+ -1
+ }if
+def
+/makereadonlyarray
+{
+ /packedarray where{
+ pop packedarray
+ }{
+ array astore readonly
+ }ifelse
+}bdf
+/map_reserved_ink_name
+{
+ dup type /stringtype eq{
+ dup /Red eq{
+ pop (_Red_)
+ }{
+ dup /Green eq{
+ pop (_Green_)
+ }{
+ dup /Blue eq{
+ pop (_Blue_)
+ }{
+ dup () cvn eq{
+ pop (Process)
+ }if
+ }ifelse
+ }ifelse
+ }ifelse
+ }if
+}bdf
+/AGMUTIL_GSTATE 22 dict def
+/get_gstate
+{
+ AGMUTIL_GSTATE begin
+ /AGMUTIL_GSTATE_clr_spc currentcolorspace def
+ /AGMUTIL_GSTATE_clr_indx 0 def
+ /AGMUTIL_GSTATE_clr_comps 12 array def
+ mark currentcolor counttomark
+ {AGMUTIL_GSTATE_clr_comps AGMUTIL_GSTATE_clr_indx 3 -1 roll put
+ /AGMUTIL_GSTATE_clr_indx AGMUTIL_GSTATE_clr_indx 1 add def} repeat pop
+ /AGMUTIL_GSTATE_fnt rootfont def
+ /AGMUTIL_GSTATE_lw currentlinewidth def
+ /AGMUTIL_GSTATE_lc currentlinecap def
+ /AGMUTIL_GSTATE_lj currentlinejoin def
+ /AGMUTIL_GSTATE_ml currentmiterlimit def
+ currentdash /AGMUTIL_GSTATE_do xdf /AGMUTIL_GSTATE_da xdf
+ /AGMUTIL_GSTATE_sa currentstrokeadjust def
+ /AGMUTIL_GSTATE_clr_rnd currentcolorrendering def
+ /AGMUTIL_GSTATE_op currentoverprint def
+ /AGMUTIL_GSTATE_bg currentblackgeneration cvlit def
+ /AGMUTIL_GSTATE_ucr currentundercolorremoval cvlit def
+ currentcolortransfer cvlit /AGMUTIL_GSTATE_gy_xfer xdf cvlit /AGMUTIL_GSTATE_b_xfer xdf
+ cvlit /AGMUTIL_GSTATE_g_xfer xdf cvlit /AGMUTIL_GSTATE_r_xfer xdf
+ /AGMUTIL_GSTATE_ht currenthalftone def
+ /AGMUTIL_GSTATE_flt currentflat def
+ end
+}def
+/set_gstate
+{
+ AGMUTIL_GSTATE begin
+ AGMUTIL_GSTATE_clr_spc setcolorspace
+ AGMUTIL_GSTATE_clr_indx {AGMUTIL_GSTATE_clr_comps AGMUTIL_GSTATE_clr_indx 1 sub get
+ /AGMUTIL_GSTATE_clr_indx AGMUTIL_GSTATE_clr_indx 1 sub def} repeat setcolor
+ AGMUTIL_GSTATE_fnt setfont
+ AGMUTIL_GSTATE_lw setlinewidth
+ AGMUTIL_GSTATE_lc setlinecap
+ AGMUTIL_GSTATE_lj setlinejoin
+ AGMUTIL_GSTATE_ml setmiterlimit
+ AGMUTIL_GSTATE_da AGMUTIL_GSTATE_do setdash
+ AGMUTIL_GSTATE_sa setstrokeadjust
+ AGMUTIL_GSTATE_clr_rnd setcolorrendering
+ AGMUTIL_GSTATE_op setoverprint
+ AGMUTIL_GSTATE_bg cvx setblackgeneration
+ AGMUTIL_GSTATE_ucr cvx setundercolorremoval
+ AGMUTIL_GSTATE_r_xfer cvx AGMUTIL_GSTATE_g_xfer cvx AGMUTIL_GSTATE_b_xfer cvx
+ AGMUTIL_GSTATE_gy_xfer cvx setcolortransfer
+ AGMUTIL_GSTATE_ht /HalftoneType get dup 9 eq exch 100 eq or
+ {
+ currenthalftone /HalftoneType get AGMUTIL_GSTATE_ht /HalftoneType get ne
+ {
+ mark AGMUTIL_GSTATE_ht {sethalftone} stopped cleartomark
+ } if
+ }{
+ AGMUTIL_GSTATE_ht sethalftone
+ } ifelse
+ AGMUTIL_GSTATE_flt setflat
+ end
+}def
+/get_gstate_and_matrix
+{
+ AGMUTIL_GSTATE begin
+ /AGMUTIL_GSTATE_ctm matrix currentmatrix def
+ end
+ get_gstate
+}def
+/set_gstate_and_matrix
+{
+ set_gstate
+ AGMUTIL_GSTATE begin
+ AGMUTIL_GSTATE_ctm setmatrix
+ end
+}def
+/AGMUTIL_str256 256 string def
+/AGMUTIL_src256 256 string def
+/AGMUTIL_dst64 64 string def
+/AGMUTIL_srcLen nd
+/AGMUTIL_ndx nd
+/agm_sethalftone
+{
+ dup
+ begin
+ /_Data load
+ /Thresholds xdf
+ end
+ level3
+ { sethalftone }{
+ dup /HalftoneType get 3 eq {
+ sethalftone
+ } {pop} ifelse
+ }ifelse
+} def
+/rdcmntline
+{
+ currentfile AGMUTIL_str256 readline pop
+ (%) anchorsearch {pop} if
+} bdf
+/filter_cmyk
+{
+ dup type /filetype ne{
+ exch () /SubFileDecode filter
+ }
+ {
+ exch pop
+ }
+ ifelse
+ [
+ exch
+ {
+ AGMUTIL_src256 readstring pop
+ dup length /AGMUTIL_srcLen exch def
+ /AGMUTIL_ndx 0 def
+ AGMCORE_plate_ndx 4 AGMUTIL_srcLen 1 sub{
+ 1 index exch get
+ AGMUTIL_dst64 AGMUTIL_ndx 3 -1 roll put
+ /AGMUTIL_ndx AGMUTIL_ndx 1 add def
+ }for
+ pop
+ AGMUTIL_dst64 0 AGMUTIL_ndx getinterval
+ }
+ bind
+ /exec cvx
+ ] cvx
+} bdf
+/filter_indexed_devn
+{
+ cvi Names length mul names_index add Lookup exch get
+} bdf
+/filter_devn
+{
+ 4 dict begin
+ /srcStr xdf
+ /dstStr xdf
+ dup type /filetype ne{
+ 0 () /SubFileDecode filter
+ }if
+ [
+ exch
+ [
+ /devicen_colorspace_dict /AGMCORE_gget cvx /begin cvx
+ currentdict /srcStr get /readstring cvx /pop cvx
+ /dup cvx /length cvx 0 /gt cvx [
+ Adobe_AGM_Utils /AGMUTIL_ndx 0 /ddf cvx
+ names_index Names length currentdict /srcStr get length 1 sub {
+ 1 /index cvx /exch cvx /get cvx
+ currentdict /dstStr get /AGMUTIL_ndx /load cvx 3 -1 /roll cvx /put cvx
+ Adobe_AGM_Utils /AGMUTIL_ndx /AGMUTIL_ndx /load cvx 1 /add cvx /ddf cvx
+ } for
+ currentdict /dstStr get 0 /AGMUTIL_ndx /load cvx /getinterval cvx
+ ] cvx /if cvx
+ /end cvx
+ ] cvx
+ bind
+ /exec cvx
+ ] cvx
+ end
+} bdf
+/AGMUTIL_imagefile nd
+/read_image_file
+{
+ AGMUTIL_imagefile 0 setfileposition
+ 10 dict begin
+ /imageDict xdf
+ /imbufLen Width BitsPerComponent mul 7 add 8 idiv def
+ /imbufIdx 0 def
+ /origDataSource imageDict /DataSource get def
+ /origMultipleDataSources imageDict /MultipleDataSources get def
+ /origDecode imageDict /Decode get def
+ /dstDataStr imageDict /Width get colorSpaceElemCnt mul string def
+ /srcDataStrs [ imageDict begin
+ currentdict /MultipleDataSources known {MultipleDataSources {DataSource length}{1}ifelse}{1} ifelse
+ {
+ Width Decode length 2 div mul cvi string
+ } repeat
+ end ] def
+ imageDict /MultipleDataSources known {MultipleDataSources}{false} ifelse
+ {
+ /imbufCnt imageDict /DataSource get length def
+ /imbufs imbufCnt array def
+ 0 1 imbufCnt 1 sub {
+ /imbufIdx xdf
+ imbufs imbufIdx imbufLen string put
+ imageDict /DataSource get imbufIdx [ AGMUTIL_imagefile imbufs imbufIdx get /readstring cvx /pop cvx ] cvx put
+ } for
+ DeviceN_PS2 {
+ imageDict begin
+ /DataSource [ DataSource /devn_sep_datasource cvx ] cvx def
+ /MultipleDataSources false def
+ /Decode [0 1] def
+ end
+ } if
+ }{
+ /imbuf imbufLen string def
+ Indexed_DeviceN level3 not and DeviceN_NoneName or {
+ imageDict begin
+ /DataSource [AGMUTIL_imagefile Decode BitsPerComponent false 1 /filter_indexed_devn load dstDataStr srcDataStrs devn_alt_datasource /exec cvx] cvx def
+ /Decode [0 1] def
+ end
+ }{
+ imageDict /DataSource {AGMUTIL_imagefile imbuf readstring pop} put
+ } ifelse
+ } ifelse
+ imageDict exch
+ load exec
+ imageDict /DataSource origDataSource put
+ imageDict /MultipleDataSources origMultipleDataSources put
+ imageDict /Decode origDecode put
+ end
+} bdf
+/write_image_file
+{
+ begin
+ { (AGMUTIL_imagefile) (w+) file } stopped{
+ false
+ }{
+ Adobe_AGM_Utils/AGMUTIL_imagefile xddf
+ 2 dict begin
+ /imbufLen Width BitsPerComponent mul 7 add 8 idiv def
+ MultipleDataSources {DataSource 0 get}{DataSource}ifelse type /filetype eq {
+ /imbuf imbufLen string def
+ }if
+ 1 1 Height {
+ pop
+ MultipleDataSources {
+ 0 1 DataSource length 1 sub {
+ DataSource type dup
+ /arraytype eq {
+ pop DataSource exch get exec
+ }{
+ /filetype eq {
+ DataSource exch get imbuf readstring pop
+ }{
+ DataSource exch get
+ } ifelse
+ } ifelse
+ AGMUTIL_imagefile exch writestring
+ } for
+ }{
+ DataSource type dup
+ /arraytype eq {
+ pop DataSource exec
+ }{
+ /filetype eq {
+ DataSource imbuf readstring pop
+ }{
+ DataSource
+ } ifelse
+ } ifelse
+ AGMUTIL_imagefile exch writestring
+ } ifelse
+ }for
+ end
+ true
+ }ifelse
+ end
+} bdf
+/close_image_file
+{
+ AGMUTIL_imagefile closefile (AGMUTIL_imagefile) deletefile
+}def
+statusdict /product known userdict /AGMP_current_show known not and{
+ /pstr statusdict /product get def
+ pstr (HP LaserJet 2200) eq
+ pstr (HP LaserJet 4000 Series) eq or
+ pstr (HP LaserJet 4050 Series ) eq or
+ pstr (HP LaserJet 8000 Series) eq or
+ pstr (HP LaserJet 8100 Series) eq or
+ pstr (HP LaserJet 8150 Series) eq or
+ pstr (HP LaserJet 5000 Series) eq or
+ pstr (HP LaserJet 5100 Series) eq or
+ pstr (HP Color LaserJet 4500) eq or
+ pstr (HP Color LaserJet 4600) eq or
+ pstr (HP LaserJet 5Si) eq or
+ pstr (HP LaserJet 1200 Series) eq or
+ pstr (HP LaserJet 1300 Series) eq or
+ pstr (HP LaserJet 4100 Series) eq or
+ {
+ userdict /AGMP_current_show /show load put
+ userdict /show {
+ currentcolorspace 0 get
+ /Pattern eq
+ {false charpath f}
+ {AGMP_current_show} ifelse
+ } put
+ }if
+ currentdict /pstr undef
+} if
+/consumeimagedata
+{
+ begin
+ currentdict /MultipleDataSources known not
+ {/MultipleDataSources false def} if
+ MultipleDataSources
+ {
+ 1 dict begin
+ /flushbuffer Width cvi string def
+ 1 1 Height cvi
+ {
+ pop
+ 0 1 DataSource length 1 sub
+ {
+ DataSource exch get
+ dup type dup
+ /filetype eq
+ {
+ exch flushbuffer readstring pop pop
+ }if
+ /arraytype eq
+ {
+ exec pop
+ }if
+ }for
+ }for
+ end
+ }
+ {
+ /DataSource load type dup
+ /filetype eq
+ {
+ 1 dict begin
+ /flushbuffer Width Decode length 2 div mul cvi string def
+ 1 1 Height { pop DataSource flushbuffer readstring pop pop} for
+ end
+ }if
+ /arraytype eq
+ {
+ 1 1 Height { pop DataSource pop } for
+ }if
+ }ifelse
+ end
+}bdf
+/addprocs
+{
+ 2{/exec load}repeat
+ 3 1 roll
+ [ 5 1 roll ] bind cvx
+}def
+/modify_halftone_xfer
+{
+ currenthalftone dup length dict copy begin
+ currentdict 2 index known{
+ 1 index load dup length dict copy begin
+ currentdict/TransferFunction known{
+ /TransferFunction load
+ }{
+ currenttransfer
+ }ifelse
+ addprocs /TransferFunction xdf
+ currentdict end def
+ currentdict end sethalftone
+ }{
+ currentdict/TransferFunction known{
+ /TransferFunction load
+ }{
+ currenttransfer
+ }ifelse
+ addprocs /TransferFunction xdf
+ currentdict end sethalftone
+ pop
+ }ifelse
+}def
+/clonearray
+{
+ dup xcheck exch
+ dup length array exch
+ Adobe_AGM_Core/AGMCORE_tmp -1 ddf
+ {
+ Adobe_AGM_Core/AGMCORE_tmp AGMCORE_tmp 1 add ddf
+ dup type /dicttype eq
+ {
+ AGMCORE_tmp
+ exch
+ clonedict
+ Adobe_AGM_Core/AGMCORE_tmp 4 -1 roll ddf
+ } if
+ dup type /arraytype eq
+ {
+ AGMCORE_tmp exch
+ clonearray
+ Adobe_AGM_Core/AGMCORE_tmp 4 -1 roll ddf
+ } if
+ exch dup
+ AGMCORE_tmp 4 -1 roll put
+ }forall
+ exch {cvx} if
+}bdf
+/clonedict
+{
+ dup length dict
+ begin
+ {
+ dup type /dicttype eq
+ {
+ clonedict
+ } if
+ dup type /arraytype eq
+ {
+ clonearray
+ } if
+ def
+ }forall
+ currentdict
+ end
+}bdf
+/DeviceN_PS2
+{
+ /currentcolorspace AGMCORE_gget 0 get /DeviceN eq level3 not and
+} bdf
+/Indexed_DeviceN
+{
+ /indexed_colorspace_dict AGMCORE_gget dup null ne {
+ /CSD known
+ }{
+ pop false
+ } ifelse
+} bdf
+/DeviceN_NoneName
+{
+ /Names where {
+ pop
+ false Names
+ {
+ (None) eq or
+ } forall
+ }{
+ false
+ }ifelse
+} bdf
+/DeviceN_PS2_inRip_seps
+{
+ /AGMCORE_in_rip_sep where
+ {
+ pop dup type dup /arraytype eq exch /packedarraytype eq or
+ {
+ dup 0 get /DeviceN eq level3 not and AGMCORE_in_rip_sep and
+ {
+ /currentcolorspace exch AGMCORE_gput
+ false
+ }
+ {
+ true
+ }ifelse
+ }
+ {
+ true
+ } ifelse
+ }
+ {
+ true
+ } ifelse
+} bdf
+/base_colorspace_type
+{
+ dup type /arraytype eq {0 get} if
+} bdf
+/doc_setup{
+ Adobe_AGM_Utils begin
+}bdf
+/doc_trailer{
+ currentdict Adobe_AGM_Utils eq{
+ end
+ }if
+}bdf
+systemdict /setpacking known
+{
+ setpacking
+} if
+%%EndResource
+%%BeginResource: procset Adobe_AGM_Core 2.0 0
+%%Version: 2.0 0
+%%Copyright: Copyright (C) 1997-2003 Adobe Systems, Inc. All Rights Reserved.
+systemdict /setpacking known
+{
+ currentpacking
+ true setpacking
+} if
+userdict /Adobe_AGM_Core 216 dict dup begin put
+/nd{
+ null def
+}bind def
+/Adobe_AGM_Core_Id /Adobe_AGM_Core_2.0_0 def
+/AGMCORE_str256 256 string def
+/AGMCORE_save nd
+/AGMCORE_graphicsave nd
+/AGMCORE_c 0 def
+/AGMCORE_m 0 def
+/AGMCORE_y 0 def
+/AGMCORE_k 0 def
+/AGMCORE_cmykbuf 4 array def
+/AGMCORE_screen [currentscreen] cvx def
+/AGMCORE_tmp 0 def
+/AGMCORE_&setgray nd
+/AGMCORE_&setcolor nd
+/AGMCORE_&setcolorspace nd
+/AGMCORE_&setcmykcolor nd
+/AGMCORE_cyan_plate nd
+/AGMCORE_magenta_plate nd
+/AGMCORE_yellow_plate nd
+/AGMCORE_black_plate nd
+/AGMCORE_plate_ndx nd
+/AGMCORE_get_ink_data nd
+/AGMCORE_is_cmyk_sep nd
+/AGMCORE_host_sep nd
+/AGMCORE_avoid_L2_sep_space nd
+/AGMCORE_distilling nd
+/AGMCORE_composite_job nd
+/AGMCORE_producing_seps nd
+/AGMCORE_ps_level -1 def
+/AGMCORE_ps_version -1 def
+/AGMCORE_environ_ok nd
+/AGMCORE_CSA_cache 0 dict def
+/AGMCORE_CSD_cache 0 dict def
+/AGMCORE_pattern_cache 0 dict def
+/AGMCORE_currentoverprint false def
+/AGMCORE_deltaX nd
+/AGMCORE_deltaY nd
+/AGMCORE_name nd
+/AGMCORE_sep_special nd
+/AGMCORE_err_strings 4 dict def
+/AGMCORE_cur_err nd
+/AGMCORE_ovp nd
+/AGMCORE_current_spot_alias false def
+/AGMCORE_inverting false def
+/AGMCORE_feature_dictCount nd
+/AGMCORE_feature_opCount nd
+/AGMCORE_feature_ctm nd
+/AGMCORE_ConvertToProcess false def
+/AGMCORE_Default_CTM matrix def
+/AGMCORE_Default_PageSize nd
+/AGMCORE_currentbg nd
+/AGMCORE_currentucr nd
+/AGMCORE_gradientcache 32 dict def
+/AGMCORE_in_pattern false def
+/knockout_unitsq nd
+/AGMCORE_CRD_cache where{
+ pop
+}{
+ /AGMCORE_CRD_cache 0 dict def
+}ifelse
+/AGMCORE_key_known
+{
+ where{
+ /Adobe_AGM_Core_Id known
+ }{
+ false
+ }ifelse
+}ndf
+/flushinput
+{
+ save
+ 2 dict begin
+ /CompareBuffer 3 -1 roll def
+ /readbuffer 256 string def
+ mark
+ {
+ currentfile readbuffer {readline} stopped
+ {cleartomark mark}
+ {
+ not
+ {pop exit}
+ if
+ CompareBuffer eq
+ {exit}
+ if
+ }ifelse
+ }loop
+ cleartomark
+ end
+ restore
+}bdf
+/getspotfunction
+{
+ AGMCORE_screen exch pop exch pop
+ dup type /dicttype eq{
+ dup /HalftoneType get 1 eq{
+ /SpotFunction get
+ }{
+ dup /HalftoneType get 2 eq{
+ /GraySpotFunction get
+ }{
+ pop
+ {
+ abs exch abs 2 copy add 1 gt{
+ 1 sub dup mul exch 1 sub dup mul add 1 sub
+ }{
+ dup mul exch dup mul add 1 exch sub
+ }ifelse
+ }bind
+ }ifelse
+ }ifelse
+ }if
+} def
+/clp_npth
+{
+ clip newpath
+} def
+/eoclp_npth
+{
+ eoclip newpath
+} def
+/npth_clp
+{
+ newpath clip
+} def
+/add_grad
+{
+ AGMCORE_gradientcache 3 1 roll put
+}bdf
+/exec_grad
+{
+ AGMCORE_gradientcache exch get exec
+}bdf
+/graphic_setup
+{
+ /AGMCORE_graphicsave save def
+ concat
+ 0 setgray
+ 0 setlinecap
+ 0 setlinejoin
+ 1 setlinewidth
+ [] 0 setdash
+ 10 setmiterlimit
+ newpath
+ false setoverprint
+ false setstrokeadjust
+ Adobe_AGM_Core/spot_alias get exec
+ /Adobe_AGM_Image where {
+ pop
+ Adobe_AGM_Image/spot_alias 2 copy known{
+ get exec
+ }{
+ pop pop
+ }ifelse
+ } if
+ 100 dict begin
+ /dictstackcount countdictstack def
+ /showpage {} def
+ mark
+} def
+/graphic_cleanup
+{
+ cleartomark
+ dictstackcount 1 countdictstack 1 sub {end}for
+ end
+ AGMCORE_graphicsave restore
+} def
+/compose_error_msg
+{
+ grestoreall initgraphics
+ /Helvetica findfont 10 scalefont setfont
+ /AGMCORE_deltaY 100 def
+ /AGMCORE_deltaX 310 def
+ clippath pathbbox newpath pop pop 36 add exch 36 add exch moveto
+ 0 AGMCORE_deltaY rlineto AGMCORE_deltaX 0 rlineto
+ 0 AGMCORE_deltaY neg rlineto AGMCORE_deltaX neg 0 rlineto closepath
+ 0 AGMCORE_&setgray
+ gsave 1 AGMCORE_&setgray fill grestore
+ 1 setlinewidth gsave stroke grestore
+ currentpoint AGMCORE_deltaY 15 sub add exch 8 add exch moveto
+ /AGMCORE_deltaY 12 def
+ /AGMCORE_tmp 0 def
+ AGMCORE_err_strings exch get
+ {
+ dup 32 eq
+ {
+ pop
+ AGMCORE_str256 0 AGMCORE_tmp getinterval
+ stringwidth pop currentpoint pop add AGMCORE_deltaX 28 add gt
+ {
+ currentpoint AGMCORE_deltaY sub exch pop
+ clippath pathbbox pop pop pop 44 add exch moveto
+ } if
+ AGMCORE_str256 0 AGMCORE_tmp getinterval show ( ) show
+ 0 1 AGMCORE_str256 length 1 sub
+ {
+ AGMCORE_str256 exch 0 put
+ }for
+ /AGMCORE_tmp 0 def
+ }
+ {
+ AGMCORE_str256 exch AGMCORE_tmp xpt
+ /AGMCORE_tmp AGMCORE_tmp 1 add def
+ } ifelse
+ } forall
+} bdf
+/doc_setup{
+ Adobe_AGM_Core begin
+ /AGMCORE_ps_version xdf
+ /AGMCORE_ps_level xdf
+ errordict /AGM_handleerror known not{
+ errordict /AGM_handleerror errordict /handleerror get put
+ errordict /handleerror {
+ Adobe_AGM_Core begin
+ $error /newerror get AGMCORE_cur_err null ne and{
+ $error /newerror false put
+ AGMCORE_cur_err compose_error_msg
+ }if
+ $error /newerror true put
+ end
+ errordict /AGM_handleerror get exec
+ } bind put
+ }if
+ /AGMCORE_environ_ok
+ ps_level AGMCORE_ps_level ge
+ ps_version AGMCORE_ps_version ge and
+ AGMCORE_ps_level -1 eq or
+ def
+ AGMCORE_environ_ok not
+ {/AGMCORE_cur_err /AGMCORE_bad_environ def} if
+ /AGMCORE_&setgray systemdict/setgray get def
+ level2{
+ /AGMCORE_&setcolor systemdict/setcolor get def
+ /AGMCORE_&setcolorspace systemdict/setcolorspace get def
+ }if
+ /AGMCORE_currentbg currentblackgeneration def
+ /AGMCORE_currentucr currentundercolorremoval def
+ /AGMCORE_distilling
+ /product where{
+ pop systemdict/setdistillerparams known product (Adobe PostScript Parser) ne and
+ }{
+ false
+ }ifelse
+ def
+ level2 not{
+ /xput{
+ dup load dup length exch maxlength eq{
+ dup dup load dup
+ length dup 0 eq {pop 1} if 2 mul dict copy def
+ }if
+ load begin
+ def
+ end
+ }def
+ }{
+ /xput{
+ load 3 1 roll put
+ }def
+ }ifelse
+ /AGMCORE_GSTATE AGMCORE_key_known not{
+ /AGMCORE_GSTATE 21 dict def
+ /AGMCORE_tmpmatrix matrix def
+ /AGMCORE_gstack 32 array def
+ /AGMCORE_gstackptr 0 def
+ /AGMCORE_gstacksaveptr 0 def
+ /AGMCORE_gstackframekeys 10 def
+ /AGMCORE_&gsave /gsave ldf
+ /AGMCORE_&grestore /grestore ldf
+ /AGMCORE_&grestoreall /grestoreall ldf
+ /AGMCORE_&save /save ldf
+ /AGMCORE_gdictcopy {
+ begin
+ { def } forall
+ end
+ }def
+ /AGMCORE_gput {
+ AGMCORE_gstack AGMCORE_gstackptr get
+ 3 1 roll
+ put
+ }def
+ /AGMCORE_gget {
+ AGMCORE_gstack AGMCORE_gstackptr get
+ exch
+ get
+ }def
+ /gsave {
+ AGMCORE_&gsave
+ AGMCORE_gstack AGMCORE_gstackptr get
+ AGMCORE_gstackptr 1 add
+ dup 32 ge {limitcheck} if
+ Adobe_AGM_Core exch
+ /AGMCORE_gstackptr xpt
+ AGMCORE_gstack AGMCORE_gstackptr get
+ AGMCORE_gdictcopy
+ }def
+ /grestore {
+ AGMCORE_&grestore
+ AGMCORE_gstackptr 1 sub
+ dup AGMCORE_gstacksaveptr lt {1 add} if
+ Adobe_AGM_Core exch
+ /AGMCORE_gstackptr xpt
+ }def
+ /grestoreall {
+ AGMCORE_&grestoreall
+ Adobe_AGM_Core
+ /AGMCORE_gstackptr AGMCORE_gstacksaveptr put
+ }def
+ /save {
+ AGMCORE_&save
+ AGMCORE_gstack AGMCORE_gstackptr get
+ AGMCORE_gstackptr 1 add
+ dup 32 ge {limitcheck} if
+ Adobe_AGM_Core begin
+ /AGMCORE_gstackptr exch def
+ /AGMCORE_gstacksaveptr AGMCORE_gstackptr def
+ end
+ AGMCORE_gstack AGMCORE_gstackptr get
+ AGMCORE_gdictcopy
+ }def
+ 0 1 AGMCORE_gstack length 1 sub {
+ AGMCORE_gstack exch AGMCORE_gstackframekeys dict put
+ } for
+ }if
+ level3 /AGMCORE_&sysshfill AGMCORE_key_known not and
+ {
+ /AGMCORE_&sysshfill systemdict/shfill get def
+ /AGMCORE_&usrshfill /shfill load def
+ /AGMCORE_&sysmakepattern systemdict/makepattern get def
+ /AGMCORE_&usrmakepattern /makepattern load def
+ }if
+ /currentcmykcolor [0 0 0 0] AGMCORE_gput
+ /currentstrokeadjust false AGMCORE_gput
+ /currentcolorspace [/DeviceGray] AGMCORE_gput
+ /sep_tint 0 AGMCORE_gput
+ /devicen_tints [0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0] AGMCORE_gput
+ /sep_colorspace_dict null AGMCORE_gput
+ /devicen_colorspace_dict null AGMCORE_gput
+ /indexed_colorspace_dict null AGMCORE_gput
+ /currentcolor_intent () AGMCORE_gput
+ /customcolor_tint 1 AGMCORE_gput
+ <<
+ /MaxPatternItem currentsystemparams /MaxPatternCache get
+ >>
+ setuserparams
+ end
+}def
+/page_setup
+{
+ /setcmykcolor where{
+ pop
+ Adobe_AGM_Core/AGMCORE_&setcmykcolor /setcmykcolor load put
+ }if
+ Adobe_AGM_Core begin
+ /setcmykcolor
+ {
+ 4 copy AGMCORE_cmykbuf astore /currentcmykcolor exch AGMCORE_gput
+ 1 sub 4 1 roll
+ 3 {
+ 3 index add neg dup 0 lt {
+ pop 0
+ } if
+ 3 1 roll
+ } repeat
+ setrgbcolor pop
+ }ndf
+ /currentcmykcolor
+ {
+ /currentcmykcolor AGMCORE_gget aload pop
+ }ndf
+ /setoverprint
+ {
+ pop
+ }ndf
+ /currentoverprint
+ {
+ false
+ }ndf
+ /AGMCORE_deviceDPI 72 0 matrix defaultmatrix dtransform dup mul exch dup mul add sqrt def
+ /AGMCORE_cyan_plate 1 0 0 0 test_cmyk_color_plate def
+ /AGMCORE_magenta_plate 0 1 0 0 test_cmyk_color_plate def
+ /AGMCORE_yellow_plate 0 0 1 0 test_cmyk_color_plate def
+ /AGMCORE_black_plate 0 0 0 1 test_cmyk_color_plate def
+ /AGMCORE_plate_ndx
+ AGMCORE_cyan_plate{
+ 0
+ }{
+ AGMCORE_magenta_plate{
+ 1
+ }{
+ AGMCORE_yellow_plate{
+ 2
+ }{
+ AGMCORE_black_plate{
+ 3
+ }{
+ 4
+ }ifelse
+ }ifelse
+ }ifelse
+ }ifelse
+ def
+ /AGMCORE_have_reported_unsupported_color_space false def
+ /AGMCORE_report_unsupported_color_space
+ {
+ AGMCORE_have_reported_unsupported_color_space false eq
+ {
+ (Warning: Job contains content that cannot be separated with on-host methods. This content appears on the black plate, and knocks out all other plates.) ==
+ Adobe_AGM_Core /AGMCORE_have_reported_unsupported_color_space true ddf
+ } if
+ }def
+ /AGMCORE_composite_job
+ AGMCORE_cyan_plate AGMCORE_magenta_plate and AGMCORE_yellow_plate and AGMCORE_black_plate and def
+ /AGMCORE_in_rip_sep
+ /AGMCORE_in_rip_sep where{
+ pop AGMCORE_in_rip_sep
+ }{
+ AGMCORE_distilling
+ {
+ false
+ }{
+ userdict/Adobe_AGM_OnHost_Seps known{
+ false
+ }{
+ level2{
+ currentpagedevice/Separations 2 copy known{
+ get
+ }{
+ pop pop false
+ }ifelse
+ }{
+ false
+ }ifelse
+ }ifelse
+ }ifelse
+ }ifelse
+ def
+ /AGMCORE_producing_seps AGMCORE_composite_job not AGMCORE_in_rip_sep or def
+ /AGMCORE_host_sep AGMCORE_producing_seps AGMCORE_in_rip_sep not and def
+ /AGM_preserve_spots
+ /AGM_preserve_spots where{
+ pop AGM_preserve_spots
+ }{
+ AGMCORE_distilling AGMCORE_producing_seps or
+ }ifelse
+ def
+ /AGM_is_distiller_preserving_spotimages
+ {
+ currentdistillerparams/PreserveOverprintSettings known
+ {
+ currentdistillerparams/PreserveOverprintSettings get
+ {
+ currentdistillerparams/ColorConversionStrategy known
+ {
+ currentdistillerparams/ColorConversionStrategy get
+ /LeaveColorUnchanged eq
+ }{
+ true
+ }ifelse
+ }{
+ false
+ }ifelse
+ }{
+ false
+ }ifelse
+ }def
+ /convert_spot_to_process where {pop}{
+ /convert_spot_to_process
+ {
+ dup map_alias {
+ /Name get exch pop
+ } if
+ dup dup (None) eq exch (All) eq or
+ {
+ pop false
+ }{
+ AGMCORE_host_sep
+ {
+ gsave
+ 1 0 0 0 setcmykcolor currentgray 1 exch sub
+ 0 1 0 0 setcmykcolor currentgray 1 exch sub
+ 0 0 1 0 setcmykcolor currentgray 1 exch sub
+ 0 0 0 1 setcmykcolor currentgray 1 exch sub
+ add add add 0 eq
+ {
+ pop false
+ }{
+ false setoverprint
+ 1 1 1 1 5 -1 roll findcmykcustomcolor 1 setcustomcolor
+ currentgray 0 eq
+ }ifelse
+ grestore
+ }{
+ AGMCORE_distilling
+ {
+ pop AGM_is_distiller_preserving_spotimages not
+ }{
+ Adobe_AGM_Core/AGMCORE_name xddf
+ false
+ Adobe_AGM_Core/AGMCORE_in_pattern known {Adobe_AGM_Core/AGMCORE_in_pattern get}{false} ifelse
+ not currentpagedevice/OverrideSeparations known and
+ {
+ currentpagedevice/OverrideSeparations get
+ {
+ /HqnSpots /ProcSet resourcestatus
+ {
+ pop pop pop true
+ }if
+ }if
+ }if
+ {
+ AGMCORE_name /HqnSpots /ProcSet findresource /TestSpot get exec not
+ }{
+ gsave
+ [/Separation AGMCORE_name /DeviceGray {}]setcolorspace
+ false
+ currentpagedevice/SeparationColorNames 2 copy known
+ {
+ get
+ { AGMCORE_name eq or}forall
+ not
+ }{
+ pop pop pop true
+ }ifelse
+ grestore
+ }ifelse
+ }ifelse
+ }ifelse
+ }ifelse
+ }def
+ }ifelse
+ /convert_to_process where {pop}{
+ /convert_to_process
+ {
+ dup length 0 eq
+ {
+ pop false
+ }{
+ AGMCORE_host_sep
+ {
+ dup true exch
+ {
+ dup (Cyan) eq exch
+ dup (Magenta) eq 3 -1 roll or exch
+ dup (Yellow) eq 3 -1 roll or exch
+ dup (Black) eq 3 -1 roll or
+ {pop}
+ {convert_spot_to_process and}ifelse
+ }
+ forall
+ {
+ true exch
+ {
+ dup (Cyan) eq exch
+ dup (Magenta) eq 3 -1 roll or exch
+ dup (Yellow) eq 3 -1 roll or exch
+ (Black) eq or and
+ }forall
+ not
+ }{pop false}ifelse
+ }{
+ false exch
+ {
+ dup (Cyan) eq exch
+ dup (Magenta) eq 3 -1 roll or exch
+ dup (Yellow) eq 3 -1 roll or exch
+ dup (Black) eq 3 -1 roll or
+ {pop}
+ {convert_spot_to_process or}ifelse
+ }
+ forall
+ }ifelse
+ }ifelse
+ }def
+ }ifelse
+ /AGMCORE_avoid_L2_sep_space
+ version cvr 2012 lt
+ level2 and
+ AGMCORE_producing_seps not and
+ def
+ /AGMCORE_is_cmyk_sep
+ AGMCORE_cyan_plate AGMCORE_magenta_plate or AGMCORE_yellow_plate or AGMCORE_black_plate or
+ def
+ /AGM_avoid_0_cmyk where{
+ pop AGM_avoid_0_cmyk
+ }{
+ AGM_preserve_spots
+ userdict/Adobe_AGM_OnHost_Seps known
+ userdict/Adobe_AGM_InRip_Seps known or
+ not and
+ }ifelse
+ {
+ /setcmykcolor[
+ {
+ 4 copy add add add 0 eq currentoverprint and{
+ pop 0.0005
+ }if
+ }/exec cvx
+ /AGMCORE_&setcmykcolor load dup type/operatortype ne{
+ /exec cvx
+ }if
+ ]cvx def
+ }if
+ AGMCORE_host_sep{
+ /setcolortransfer
+ {
+ AGMCORE_cyan_plate{
+ pop pop pop
+ }{
+ AGMCORE_magenta_plate{
+ 4 3 roll pop pop pop
+ }{
+ AGMCORE_yellow_plate{
+ 4 2 roll pop pop pop
+ }{
+ 4 1 roll pop pop pop
+ }ifelse
+ }ifelse
+ }ifelse
+ settransfer
+ }
+ def
+ /AGMCORE_get_ink_data
+ AGMCORE_cyan_plate{
+ {pop pop pop}
+ }{
+ AGMCORE_magenta_plate{
+ {4 3 roll pop pop pop}
+ }{
+ AGMCORE_yellow_plate{
+ {4 2 roll pop pop pop}
+ }{
+ {4 1 roll pop pop pop}
+ }ifelse
+ }ifelse
+ }ifelse
+ def
+ /AGMCORE_RemoveProcessColorNames
+ {
+ 1 dict begin
+ /filtername
+ {
+ dup /Cyan eq 1 index (Cyan) eq or
+ {pop (_cyan_)}if
+ dup /Magenta eq 1 index (Magenta) eq or
+ {pop (_magenta_)}if
+ dup /Yellow eq 1 index (Yellow) eq or
+ {pop (_yellow_)}if
+ dup /Black eq 1 index (Black) eq or
+ {pop (_black_)}if
+ }def
+ dup type /arraytype eq
+ {[exch {filtername}forall]}
+ {filtername}ifelse
+ end
+ }def
+ /AGMCORE_IsSeparationAProcessColor
+ {
+ dup (Cyan) eq exch dup (Magenta) eq exch dup (Yellow) eq exch (Black) eq or or or
+ }def
+ level3 {
+ /AGMCORE_IsCurrentColor
+ {
+ gsave
+ false setoverprint
+ 1 1 1 1 5 -1 roll findcmykcustomcolor 1 setcustomcolor
+ currentgray 0 eq
+ grestore
+ }def
+ /AGMCORE_filter_functiondatasource
+ {
+ 5 dict begin
+ /data_in xdf
+ data_in type /stringtype eq
+ {
+ /ncomp xdf
+ /comp xdf
+ /string_out data_in length ncomp idiv string def
+ 0 ncomp data_in length 1 sub
+ {
+ string_out exch dup ncomp idiv exch data_in exch ncomp getinterval comp get 255 exch sub put
+ }for
+ string_out
+ }{
+ string /string_in xdf
+ /string_out 1 string def
+ /component xdf
+ [
+ data_in string_in /readstring cvx
+ [component /get cvx 255 /exch cvx /sub cvx string_out /exch cvx 0 /exch cvx /put cvx string_out]cvx
+ [/pop cvx ()]cvx /ifelse cvx
+ ]cvx /ReusableStreamDecode filter
+ }ifelse
+ end
+ }def
+ /AGMCORE_separateShadingFunction
+ {
+ 2 dict begin
+ /paint? xdf
+ /channel xdf
+ begin
+ FunctionType 0 eq
+ {
+ /DataSource channel Range length 2 idiv DataSource AGMCORE_filter_functiondatasource def
+ currentdict /Decode known
+ {/Decode Decode channel 2 mul 2 getinterval def}if
+ paint? not
+ {/Decode [1 1]def}if
+ }if
+ FunctionType 2 eq
+ {
+ paint?
+ {
+ /C0 [C0 channel get 1 exch sub] def
+ /C1 [C1 channel get 1 exch sub] def
+ }{
+ /C0 [1] def
+ /C1 [1] def
+ }ifelse
+ }if
+ FunctionType 3 eq
+ {
+ /Functions [Functions {channel paint? AGMCORE_separateShadingFunction} forall] def
+ }if
+ currentdict /Range known
+ {/Range [0 1] def}if
+ currentdict
+ end
+ end
+ }def
+ /AGMCORE_separateShading
+ {
+ 3 -1 roll begin
+ currentdict /Function known
+ {
+ currentdict /Background known
+ {[1 index{Background 3 index get 1 exch sub}{1}ifelse]/Background xdf}if
+ Function 3 1 roll AGMCORE_separateShadingFunction /Function xdf
+ /ColorSpace [/DeviceGray] def
+ }{
+ ColorSpace dup type /arraytype eq {0 get}if /DeviceCMYK eq
+ {
+ /ColorSpace [/DeviceN [/_cyan_ /_magenta_ /_yellow_ /_black_] /DeviceCMYK {}] def
+ }{
+ ColorSpace dup 1 get AGMCORE_RemoveProcessColorNames 1 exch put
+ }ifelse
+ ColorSpace 0 get /Separation eq
+ {
+ {
+ [1 /exch cvx /sub cvx]cvx
+ }{
+ [/pop cvx 1]cvx
+ }ifelse
+ ColorSpace 3 3 -1 roll put
+ pop
+ }{
+ {
+ [exch ColorSpace 1 get length 1 sub exch sub /index cvx 1 /exch cvx /sub cvx ColorSpace 1 get length 1 add 1 /roll cvx ColorSpace 1 get length{/pop cvx} repeat]cvx
+ }{
+ pop [ColorSpace 1 get length {/pop cvx} repeat cvx 1]cvx
+ }ifelse
+ ColorSpace 3 3 -1 roll bind put
+ }ifelse
+ ColorSpace 2 /DeviceGray put
+ }ifelse
+ end
+ }def
+ /AGMCORE_separateShadingDict
+ {
+ dup /ColorSpace get
+ dup type /arraytype ne
+ {[exch]}if
+ dup 0 get /DeviceCMYK eq
+ {
+ exch begin
+ currentdict
+ AGMCORE_cyan_plate
+ {0 true}if
+ AGMCORE_magenta_plate
+ {1 true}if
+ AGMCORE_yellow_plate
+ {2 true}if
+ AGMCORE_black_plate
+ {3 true}if
+ AGMCORE_plate_ndx 4 eq
+ {0 false}if
+ dup not currentoverprint and
+ {/AGMCORE_ignoreshade true def}if
+ AGMCORE_separateShading
+ currentdict
+ end exch
+ }if
+ dup 0 get /Separation eq
+ {
+ exch begin
+ ColorSpace 1 get dup /None ne exch /All ne and
+ {
+ ColorSpace 1 get AGMCORE_IsCurrentColor AGMCORE_plate_ndx 4 lt and ColorSpace 1 get AGMCORE_IsSeparationAProcessColor not and
+ {
+ ColorSpace 2 get dup type /arraytype eq {0 get}if /DeviceCMYK eq
+ {
+ /ColorSpace
+ [
+ /Separation
+ ColorSpace 1 get
+ /DeviceGray
+ [
+ ColorSpace 3 get /exec cvx
+ 4 AGMCORE_plate_ndx sub -1 /roll cvx
+ 4 1 /roll cvx
+ 3 [/pop cvx]cvx /repeat cvx
+ 1 /exch cvx /sub cvx
+ ]cvx
+ ]def
+ }{
+ AGMCORE_report_unsupported_color_space
+ AGMCORE_black_plate not
+ {
+ currentdict 0 false AGMCORE_separateShading
+ }if
+ }ifelse
+ }{
+ currentdict ColorSpace 1 get AGMCORE_IsCurrentColor
+ 0 exch
+ dup not currentoverprint and
+ {/AGMCORE_ignoreshade true def}if
+ AGMCORE_separateShading
+ }ifelse
+ }if
+ currentdict
+ end exch
+ }if
+ dup 0 get /DeviceN eq
+ {
+ exch begin
+ ColorSpace 1 get convert_to_process
+ {
+ ColorSpace 2 get dup type /arraytype eq {0 get}if /DeviceCMYK eq
+ {
+ /ColorSpace
+ [
+ /DeviceN
+ ColorSpace 1 get
+ /DeviceGray
+ [
+ ColorSpace 3 get /exec cvx
+ 4 AGMCORE_plate_ndx sub -1 /roll cvx
+ 4 1 /roll cvx
+ 3 [/pop cvx]cvx /repeat cvx
+ 1 /exch cvx /sub cvx
+ ]cvx
+ ]def
+ }{
+ AGMCORE_report_unsupported_color_space
+ AGMCORE_black_plate not
+ {
+ currentdict 0 false AGMCORE_separateShading
+ /ColorSpace [/DeviceGray] def
+ }if
+ }ifelse
+ }{
+ currentdict
+ false -1 ColorSpace 1 get
+ {
+ AGMCORE_IsCurrentColor
+ {
+ 1 add
+ exch pop true exch exit
+ }if
+ 1 add
+ }forall
+ exch
+ dup not currentoverprint and
+ {/AGMCORE_ignoreshade true def}if
+ AGMCORE_separateShading
+ }ifelse
+ currentdict
+ end exch
+ }if
+ dup 0 get dup /DeviceCMYK eq exch dup /Separation eq exch /DeviceN eq or or not
+ {
+ exch begin
+ ColorSpace dup type /arraytype eq
+ {0 get}if
+ /DeviceGray ne
+ {
+ AGMCORE_report_unsupported_color_space
+ AGMCORE_black_plate not
+ {
+ ColorSpace 0 get /CIEBasedA eq
+ {
+ /ColorSpace [/Separation /_ciebaseda_ /DeviceGray {}] def
+ }if
+ ColorSpace 0 get dup /CIEBasedABC eq exch dup /CIEBasedDEF eq exch /DeviceRGB eq or or
+ {
+ /ColorSpace [/DeviceN [/_red_ /_green_ /_blue_] /DeviceRGB {}] def
+ }if
+ ColorSpace 0 get /CIEBasedDEFG eq
+ {
+ /ColorSpace [/DeviceN [/_cyan_ /_magenta_ /_yellow_ /_black_] /DeviceCMYK {}]
+ }if
+ currentdict 0 false AGMCORE_separateShading
+ }if
+ }if
+ currentdict
+ end exch
+ }if
+ pop
+ dup /AGMCORE_ignoreshade known
+ {
+ begin
+ /ColorSpace [/Separation (None) /DeviceGray {}] def
+ currentdict end
+ }if
+ }def
+ /shfill
+ {
+ clonedict
+ AGMCORE_separateShadingDict
+ dup /AGMCORE_ignoreshade known
+ {pop}
+ {AGMCORE_&sysshfill}ifelse
+ }def
+ /makepattern
+ {
+ exch
+ dup /PatternType get 2 eq
+ {
+ clonedict
+ begin
+ /Shading Shading AGMCORE_separateShadingDict def
+ currentdict end
+ exch AGMCORE_&sysmakepattern
+ }{
+ exch AGMCORE_&usrmakepattern
+ }ifelse
+ }def
+ }if
+ }if
+ AGMCORE_in_rip_sep{
+ /setcustomcolor
+ {
+ exch aload pop
+ dup 7 1 roll inRip_spot_has_ink not {
+ 4 {4 index mul 4 1 roll}
+ repeat
+ /DeviceCMYK setcolorspace
+ 6 -2 roll pop pop
+ }{
+ Adobe_AGM_Core begin
+ /AGMCORE_k xdf /AGMCORE_y xdf /AGMCORE_m xdf /AGMCORE_c xdf
+ end
+ [/Separation 4 -1 roll /DeviceCMYK
+ {dup AGMCORE_c mul exch dup AGMCORE_m mul exch dup AGMCORE_y mul exch AGMCORE_k mul}
+ ]
+ setcolorspace
+ }ifelse
+ setcolor
+ }ndf
+ /setseparationgray
+ {
+ [/Separation (All) /DeviceGray {}] setcolorspace_opt
+ 1 exch sub setcolor
+ }ndf
+ }{
+ /setseparationgray
+ {
+ AGMCORE_&setgray
+ }ndf
+ }ifelse
+ /findcmykcustomcolor
+ {
+ 5 makereadonlyarray
+ }ndf
+ /setcustomcolor
+ {
+ exch aload pop pop
+ 4 {4 index mul 4 1 roll} repeat
+ setcmykcolor pop
+ }ndf
+ /has_color
+ /colorimage where{
+ AGMCORE_producing_seps{
+ pop true
+ }{
+ systemdict eq
+ }ifelse
+ }{
+ false
+ }ifelse
+ def
+ /map_index
+ {
+ 1 index mul exch getinterval {255 div} forall
+ } bdf
+ /map_indexed_devn
+ {
+ Lookup Names length 3 -1 roll cvi map_index
+ } bdf
+ /n_color_components
+ {
+ base_colorspace_type
+ dup /DeviceGray eq{
+ pop 1
+ }{
+ /DeviceCMYK eq{
+ 4
+ }{
+ 3
+ }ifelse
+ }ifelse
+ }bdf
+ level2{
+ /mo /moveto ldf
+ /li /lineto ldf
+ /cv /curveto ldf
+ /knockout_unitsq
+ {
+ 1 setgray
+ 0 0 1 1 rectfill
+ }def
+ /level2ScreenFreq{
+ begin
+ 60
+ HalftoneType 1 eq{
+ pop Frequency
+ }if
+ HalftoneType 2 eq{
+ pop GrayFrequency
+ }if
+ HalftoneType 5 eq{
+ pop Default level2ScreenFreq
+ }if
+ end
+ }def
+ /currentScreenFreq{
+ currenthalftone level2ScreenFreq
+ }def
+ level2 /setcolorspace AGMCORE_key_known not and{
+ /AGMCORE_&&&setcolorspace /setcolorspace ldf
+ /AGMCORE_ReplaceMappedColor
+ {
+ dup type dup /arraytype eq exch /packedarraytype eq or
+ {
+ dup 0 get dup /Separation eq
+ {
+ pop
+ dup length array copy
+ dup dup 1 get
+ current_spot_alias
+ {
+ dup map_alias
+ {
+ begin
+ /sep_colorspace_dict currentdict AGMCORE_gput
+ pop pop pop
+ [
+ /Separation Name
+ CSA map_csa
+ dup /MappedCSA xdf
+ /sep_colorspace_proc load
+ ]
+ dup Name
+ end
+ }if
+ }if
+ map_reserved_ink_name 1 xpt
+ }{
+ /DeviceN eq
+ {
+ dup length array copy
+ dup dup 1 get [
+ exch {
+ current_spot_alias{
+ dup map_alias{
+ /Name get exch pop
+ }if
+ }if
+ map_reserved_ink_name
+ } forall
+ ] 1 xpt
+ }if
+ }ifelse
+ }if
+ }def
+ /setcolorspace
+ {
+ dup type dup /arraytype eq exch /packedarraytype eq or
+ {
+ dup 0 get /Indexed eq
+ {
+ AGMCORE_distilling
+ {
+ /PhotoshopDuotoneList where
+ {
+ pop false
+ }{
+ true
+ }ifelse
+ }{
+ true
+ }ifelse
+ {
+ aload pop 3 -1 roll
+ AGMCORE_ReplaceMappedColor
+ 3 1 roll 4 array astore
+ }if
+ }{
+ AGMCORE_ReplaceMappedColor
+ }ifelse
+ }if
+ DeviceN_PS2_inRip_seps {AGMCORE_&&&setcolorspace} if
+ }def
+ }if
+ }{
+ /adj
+ {
+ currentstrokeadjust{
+ transform
+ 0.25 sub round 0.25 add exch
+ 0.25 sub round 0.25 add exch
+ itransform
+ }if
+ }def
+ /mo{
+ adj moveto
+ }def
+ /li{
+ adj lineto
+ }def
+ /cv{
+ 6 2 roll adj
+ 6 2 roll adj
+ 6 2 roll adj curveto
+ }def
+ /knockout_unitsq
+ {
+ 1 setgray
+ 8 8 1 [8 0 0 8 0 0] {<ffffffffffffffff>} image
+ }def
+ /currentstrokeadjust{
+ /currentstrokeadjust AGMCORE_gget
+ }def
+ /setstrokeadjust{
+ /currentstrokeadjust exch AGMCORE_gput
+ }def
+ /currentScreenFreq{
+ currentscreen pop pop
+ }def
+ /setcolorspace
+ {
+ /currentcolorspace exch AGMCORE_gput
+ } def
+ /currentcolorspace
+ {
+ /currentcolorspace AGMCORE_gget
+ } def
+ /setcolor_devicecolor
+ {
+ base_colorspace_type
+ dup /DeviceGray eq{
+ pop setgray
+ }{
+ /DeviceCMYK eq{
+ setcmykcolor
+ }{
+ setrgbcolor
+ }ifelse
+ }ifelse
+ }def
+ /setcolor
+ {
+ currentcolorspace 0 get
+ dup /DeviceGray ne{
+ dup /DeviceCMYK ne{
+ dup /DeviceRGB ne{
+ dup /Separation eq{
+ pop
+ currentcolorspace 3 get exec
+ currentcolorspace 2 get
+ }{
+ dup /Indexed eq{
+ pop
+ currentcolorspace 3 get dup type /stringtype eq{
+ currentcolorspace 1 get n_color_components
+ 3 -1 roll map_index
+ }{
+ exec
+ }ifelse
+ currentcolorspace 1 get
+ }{
+ /AGMCORE_cur_err /AGMCORE_invalid_color_space def
+ AGMCORE_invalid_color_space
+ }ifelse
+ }ifelse
+ }if
+ }if
+ }if
+ setcolor_devicecolor
+ } def
+ }ifelse
+ /sop /setoverprint ldf
+ /lw /setlinewidth ldf
+ /lc /setlinecap ldf
+ /lj /setlinejoin ldf
+ /ml /setmiterlimit ldf
+ /dsh /setdash ldf
+ /sadj /setstrokeadjust ldf
+ /gry /setgray ldf
+ /rgb /setrgbcolor ldf
+ /cmyk /setcmykcolor ldf
+ /sep /setsepcolor ldf
+ /devn /setdevicencolor ldf
+ /idx /setindexedcolor ldf
+ /colr /setcolor ldf
+ /csacrd /set_csa_crd ldf
+ /sepcs /setsepcolorspace ldf
+ /devncs /setdevicencolorspace ldf
+ /idxcs /setindexedcolorspace ldf
+ /cp /closepath ldf
+ /clp /clp_npth ldf
+ /eclp /eoclp_npth ldf
+ /f /fill ldf
+ /ef /eofill ldf
+ /@ /stroke ldf
+ /nclp /npth_clp ldf
+ /gset /graphic_setup ldf
+ /gcln /graphic_cleanup ldf
+ currentdict{
+ dup xcheck 1 index type dup /arraytype eq exch /packedarraytype eq or and {
+ bind
+ }if
+ def
+ }forall
+ /currentpagedevice currentpagedevice def
+/getrampcolor {
+/indx exch def
+0 1 NumComp 1 sub {
+dup
+Samples exch get
+dup type /stringtype eq { indx get } if
+exch
+Scaling exch get aload pop
+3 1 roll
+mul add
+} for
+ColorSpaceFamily /Separation eq
+ {
+ sep
+ }
+ {
+ ColorSpaceFamily /DeviceN eq
+ {
+ devn
+ }
+ {
+ setcolor
+ }ifelse
+ }ifelse
+} bind def
+/sssetbackground { aload pop setcolor } bind def
+/RadialShade {
+40 dict begin
+/ColorSpaceFamily exch def
+/background exch def
+/ext1 exch def
+/ext0 exch def
+/BBox exch def
+/r2 exch def
+/c2y exch def
+/c2x exch def
+/r1 exch def
+/c1y exch def
+/c1x exch def
+/rampdict exch def
+/setinkoverprint where {pop /setinkoverprint{pop}def}if
+gsave
+BBox length 0 gt {
+newpath
+BBox 0 get BBox 1 get moveto
+BBox 2 get BBox 0 get sub 0 rlineto
+0 BBox 3 get BBox 1 get sub rlineto
+BBox 2 get BBox 0 get sub neg 0 rlineto
+closepath
+clip
+newpath
+} if
+c1x c2x eq
+{
+c1y c2y lt {/theta 90 def}{/theta 270 def} ifelse
+}
+{
+/slope c2y c1y sub c2x c1x sub div def
+/theta slope 1 atan def
+c2x c1x lt c2y c1y ge and { /theta theta 180 sub def} if
+c2x c1x lt c2y c1y lt and { /theta theta 180 add def} if
+}
+ifelse
+gsave
+clippath
+c1x c1y translate
+theta rotate
+-90 rotate
+{ pathbbox } stopped
+{ 0 0 0 0 } if
+/yMax exch def
+/xMax exch def
+/yMin exch def
+/xMin exch def
+grestore
+xMax xMin eq yMax yMin eq or
+{
+grestore
+end
+}
+{
+/max { 2 copy gt { pop } {exch pop} ifelse } bind def
+/min { 2 copy lt { pop } {exch pop} ifelse } bind def
+rampdict begin
+40 dict begin
+background length 0 gt { background sssetbackground gsave clippath fill grestore } if
+gsave
+c1x c1y translate
+theta rotate
+-90 rotate
+/c2y c1x c2x sub dup mul c1y c2y sub dup mul add sqrt def
+/c1y 0 def
+/c1x 0 def
+/c2x 0 def
+ext0 {
+0 getrampcolor
+c2y r2 add r1 sub 0.0001 lt
+{
+c1x c1y r1 360 0 arcn
+pathbbox
+/aymax exch def
+/axmax exch def
+/aymin exch def
+/axmin exch def
+/bxMin xMin axmin min def
+/byMin yMin aymin min def
+/bxMax xMax axmax max def
+/byMax yMax aymax max def
+bxMin byMin moveto
+bxMax byMin lineto
+bxMax byMax lineto
+bxMin byMax lineto
+bxMin byMin lineto
+eofill
+}
+{
+c2y r1 add r2 le
+{
+c1x c1y r1 0 360 arc
+fill
+}
+{
+c2x c2y r2 0 360 arc fill
+r1 r2 eq
+{
+/p1x r1 neg def
+/p1y c1y def
+/p2x r1 def
+/p2y c1y def
+p1x p1y moveto p2x p2y lineto p2x yMin lineto p1x yMin lineto
+fill
+}
+{
+/AA r2 r1 sub c2y div def
+/theta AA 1 AA dup mul sub sqrt div 1 atan def
+/SS1 90 theta add dup sin exch cos div def
+/p1x r1 SS1 SS1 mul SS1 SS1 mul 1 add div sqrt mul neg def
+/p1y p1x SS1 div neg def
+/SS2 90 theta sub dup sin exch cos div def
+/p2x r1 SS2 SS2 mul SS2 SS2 mul 1 add div sqrt mul def
+/p2y p2x SS2 div neg def
+r1 r2 gt
+{
+/L1maxX p1x yMin p1y sub SS1 div add def
+/L2maxX p2x yMin p2y sub SS2 div add def
+}
+{
+/L1maxX 0 def
+/L2maxX 0 def
+}ifelse
+p1x p1y moveto p2x p2y lineto L2maxX L2maxX p2x sub SS2 mul p2y add lineto
+L1maxX L1maxX p1x sub SS1 mul p1y add lineto
+fill
+}
+ifelse
+}
+ifelse
+} ifelse
+} if
+c1x c2x sub dup mul
+c1y c2y sub dup mul
+add 0.5 exp
+0 dtransform
+dup mul exch dup mul add 0.5 exp 72 div
+0 72 matrix defaultmatrix dtransform dup mul exch dup mul add sqrt
+72 0 matrix defaultmatrix dtransform dup mul exch dup mul add sqrt
+1 index 1 index lt { exch } if pop
+/hires exch def
+hires mul
+/numpix exch def
+/numsteps NumSamples def
+/rampIndxInc 1 def
+/subsampling false def
+numpix 0 ne
+{
+NumSamples numpix div 0.5 gt
+{
+/numsteps numpix 2 div round cvi dup 1 le { pop 2 } if def
+/rampIndxInc NumSamples 1 sub numsteps div def
+/subsampling true def
+} if
+} if
+/xInc c2x c1x sub numsteps div def
+/yInc c2y c1y sub numsteps div def
+/rInc r2 r1 sub numsteps div def
+/cx c1x def
+/cy c1y def
+/radius r1 def
+newpath
+xInc 0 eq yInc 0 eq rInc 0 eq and and
+{
+0 getrampcolor
+cx cy radius 0 360 arc
+stroke
+NumSamples 1 sub getrampcolor
+cx cy radius 72 hires div add 0 360 arc
+0 setlinewidth
+stroke
+}
+{
+0
+numsteps
+{
+dup
+subsampling { round cvi } if
+getrampcolor
+cx cy radius 0 360 arc
+/cx cx xInc add def
+/cy cy yInc add def
+/radius radius rInc add def
+cx cy radius 360 0 arcn
+eofill
+rampIndxInc add
+}
+repeat
+pop
+} ifelse
+ext1 {
+c2y r2 add r1 lt
+{
+c2x c2y r2 0 360 arc
+fill
+}
+{
+c2y r1 add r2 sub 0.0001 le
+{
+c2x c2y r2 360 0 arcn
+pathbbox
+/aymax exch def
+/axmax exch def
+/aymin exch def
+/axmin exch def
+/bxMin xMin axmin min def
+/byMin yMin aymin min def
+/bxMax xMax axmax max def
+/byMax yMax aymax max def
+bxMin byMin moveto
+bxMax byMin lineto
+bxMax byMax lineto
+bxMin byMax lineto
+bxMin byMin lineto
+eofill
+}
+{
+c2x c2y r2 0 360 arc fill
+r1 r2 eq
+{
+/p1x r2 neg def
+/p1y c2y def
+/p2x r2 def
+/p2y c2y def
+p1x p1y moveto p2x p2y lineto p2x yMax lineto p1x yMax lineto
+fill
+}
+{
+/AA r2 r1 sub c2y div def
+/theta AA 1 AA dup mul sub sqrt div 1 atan def
+/SS1 90 theta add dup sin exch cos div def
+/p1x r2 SS1 SS1 mul SS1 SS1 mul 1 add div sqrt mul neg def
+/p1y c2y p1x SS1 div sub def
+/SS2 90 theta sub dup sin exch cos div def
+/p2x r2 SS2 SS2 mul SS2 SS2 mul 1 add div sqrt mul def
+/p2y c2y p2x SS2 div sub def
+r1 r2 lt
+{
+/L1maxX p1x yMax p1y sub SS1 div add def
+/L2maxX p2x yMax p2y sub SS2 div add def
+}
+{
+/L1maxX 0 def
+/L2maxX 0 def
+}ifelse
+p1x p1y moveto p2x p2y lineto L2maxX L2maxX p2x sub SS2 mul p2y add lineto
+L1maxX L1maxX p1x sub SS1 mul p1y add lineto
+fill
+}
+ifelse
+}
+ifelse
+} ifelse
+} if
+grestore
+grestore
+end
+end
+end
+} ifelse
+} bind def
+/GenStrips {
+40 dict begin
+/ColorSpaceFamily exch def
+/background exch def
+/ext1 exch def
+/ext0 exch def
+/BBox exch def
+/y2 exch def
+/x2 exch def
+/y1 exch def
+/x1 exch def
+/rampdict exch def
+/setinkoverprint where {pop /setinkoverprint{pop}def}if
+gsave
+BBox length 0 gt {
+newpath
+BBox 0 get BBox 1 get moveto
+BBox 2 get BBox 0 get sub 0 rlineto
+0 BBox 3 get BBox 1 get sub rlineto
+BBox 2 get BBox 0 get sub neg 0 rlineto
+closepath
+clip
+newpath
+} if
+x1 x2 eq
+{
+y1 y2 lt {/theta 90 def}{/theta 270 def} ifelse
+}
+{
+/slope y2 y1 sub x2 x1 sub div def
+/theta slope 1 atan def
+x2 x1 lt y2 y1 ge and { /theta theta 180 sub def} if
+x2 x1 lt y2 y1 lt and { /theta theta 180 add def} if
+}
+ifelse
+gsave
+clippath
+x1 y1 translate
+theta rotate
+{ pathbbox } stopped
+{ 0 0 0 0 } if
+/yMax exch def
+/xMax exch def
+/yMin exch def
+/xMin exch def
+grestore
+xMax xMin eq yMax yMin eq or
+{
+grestore
+end
+}
+{
+rampdict begin
+20 dict begin
+background length 0 gt { background sssetbackground gsave clippath fill grestore } if
+gsave
+x1 y1 translate
+theta rotate
+/xStart 0 def
+/xEnd x2 x1 sub dup mul y2 y1 sub dup mul add 0.5 exp def
+/ySpan yMax yMin sub def
+/numsteps NumSamples def
+/rampIndxInc 1 def
+/subsampling false def
+xStart 0 transform
+xEnd 0 transform
+3 -1 roll
+sub dup mul
+3 1 roll
+sub dup mul
+add 0.5 exp 72 div
+0 72 matrix defaultmatrix dtransform dup mul exch dup mul add sqrt
+72 0 matrix defaultmatrix dtransform dup mul exch dup mul add sqrt
+1 index 1 index lt { exch } if pop
+mul
+/numpix exch def
+numpix 0 ne
+{
+NumSamples numpix div 0.5 gt
+{
+/numsteps numpix 2 div round cvi dup 1 le { pop 2 } if def
+/rampIndxInc NumSamples 1 sub numsteps div def
+/subsampling true def
+} if
+} if
+ext0 {
+0 getrampcolor
+xMin xStart lt
+{ xMin yMin xMin neg ySpan rectfill } if
+} if
+/xInc xEnd xStart sub numsteps div def
+/x xStart def
+0
+numsteps
+{
+dup
+subsampling { round cvi } if
+getrampcolor
+x yMin xInc ySpan rectfill
+/x x xInc add def
+rampIndxInc add
+}
+repeat
+pop
+ext1 {
+xMax xEnd gt
+{ xEnd yMin xMax xEnd sub ySpan rectfill } if
+} if
+grestore
+grestore
+end
+end
+end
+} ifelse
+} bind def
+}def
+/page_trailer
+{
+ end
+}def
+/doc_trailer{
+}def
+systemdict /findcolorrendering known{
+ /findcolorrendering systemdict /findcolorrendering get def
+}if
+systemdict /setcolorrendering known{
+ /setcolorrendering systemdict /setcolorrendering get def
+}if
+/test_cmyk_color_plate
+{
+ gsave
+ setcmykcolor currentgray 1 ne
+ grestore
+}def
+/inRip_spot_has_ink
+{
+ dup Adobe_AGM_Core/AGMCORE_name xddf
+ convert_spot_to_process not
+}def
+/map255_to_range
+{
+ 1 index sub
+ 3 -1 roll 255 div mul add
+}def
+/set_csa_crd
+{
+ /sep_colorspace_dict null AGMCORE_gput
+ begin
+ CSA map_csa setcolorspace_opt
+ set_crd
+ end
+}
+def
+/setsepcolor
+{
+ /sep_colorspace_dict AGMCORE_gget begin
+ dup /sep_tint exch AGMCORE_gput
+ TintProc
+ end
+} def
+/setdevicencolor
+{
+ /devicen_colorspace_dict AGMCORE_gget begin
+ Names length copy
+ Names length 1 sub -1 0
+ {
+ /devicen_tints AGMCORE_gget 3 1 roll xpt
+ } for
+ TintProc
+ end
+} def
+/sep_colorspace_proc
+{
+ Adobe_AGM_Core/AGMCORE_tmp xddf
+ /sep_colorspace_dict AGMCORE_gget begin
+ currentdict/Components known{
+ Components aload pop
+ TintMethod/Lab eq{
+ 2 {AGMCORE_tmp mul NComponents 1 roll} repeat
+ LMax sub AGMCORE_tmp mul LMax add NComponents 1 roll
+ }{
+ TintMethod/Subtractive eq{
+ NComponents{
+ AGMCORE_tmp mul NComponents 1 roll
+ }repeat
+ }{
+ NComponents{
+ 1 sub AGMCORE_tmp mul 1 add NComponents 1 roll
+ } repeat
+ }ifelse
+ }ifelse
+ }{
+ ColorLookup AGMCORE_tmp ColorLookup length 1 sub mul round cvi get
+ aload pop
+ }ifelse
+ end
+} def
+/sep_colorspace_gray_proc
+{
+ Adobe_AGM_Core/AGMCORE_tmp xddf
+ /sep_colorspace_dict AGMCORE_gget begin
+ GrayLookup AGMCORE_tmp GrayLookup length 1 sub mul round cvi get
+ end
+} def
+/sep_proc_name
+{
+ dup 0 get
+ dup /DeviceRGB eq exch /DeviceCMYK eq or level2 not and has_color not and{
+ pop [/DeviceGray]
+ /sep_colorspace_gray_proc
+ }{
+ /sep_colorspace_proc
+ }ifelse
+} def
+/setsepcolorspace
+{
+ current_spot_alias{
+ dup begin
+ Name map_alias{
+ exch pop
+ }if
+ end
+ }if
+ dup /sep_colorspace_dict exch AGMCORE_gput
+ begin
+ /MappedCSA CSA map_csa def
+ Adobe_AGM_Core/AGMCORE_sep_special Name dup () eq exch (All) eq or ddf
+ AGMCORE_avoid_L2_sep_space{
+ [/Indexed MappedCSA sep_proc_name 255 exch
+ { 255 div } /exec cvx 3 -1 roll [ 4 1 roll load /exec cvx ] cvx
+ ] setcolorspace_opt
+ /TintProc {
+ 255 mul round cvi setcolor
+ }bdf
+ }{
+ MappedCSA 0 get /DeviceCMYK eq
+ currentdict/Components known and
+ AGMCORE_sep_special not and{
+ /TintProc [
+ Components aload pop Name findcmykcustomcolor
+ /exch cvx /setcustomcolor cvx
+ ] cvx bdf
+ }{
+ AGMCORE_host_sep Name (All) eq and{
+ /TintProc {
+ 1 exch sub setseparationgray
+ }bdf
+ }{
+ AGMCORE_in_rip_sep MappedCSA 0 get /DeviceCMYK eq and
+ AGMCORE_host_sep or
+ Name () eq and{
+ /TintProc [
+ MappedCSA sep_proc_name exch 0 get /DeviceCMYK eq{
+ cvx /setcmykcolor cvx
+ }{
+ cvx /setgray cvx
+ }ifelse
+ ] cvx bdf
+ }{
+ AGMCORE_producing_seps MappedCSA 0 get dup /DeviceCMYK eq exch /DeviceGray eq or and AGMCORE_sep_special not and{
+ /TintProc [
+ /dup cvx
+ MappedCSA sep_proc_name cvx exch
+ 0 get /DeviceGray eq{
+ 1 /exch cvx /sub cvx 0 0 0 4 -1 /roll cvx
+ }if
+ /Name cvx /findcmykcustomcolor cvx /exch cvx
+ AGMCORE_host_sep{
+ AGMCORE_is_cmyk_sep
+ /Name cvx
+ /AGMCORE_IsSeparationAProcessColor load /exec cvx
+ /not cvx /and cvx
+ }{
+ Name inRip_spot_has_ink not
+ }ifelse
+ [
+ /pop cvx 1
+ ] cvx /if cvx
+ /setcustomcolor cvx
+ ] cvx bdf
+ }{
+ /TintProc /setcolor ldf
+ [/Separation Name MappedCSA sep_proc_name load ] setcolorspace_opt
+ }ifelse
+ }ifelse
+ }ifelse
+ }ifelse
+ }ifelse
+ set_crd
+ setsepcolor
+ end
+} def
+/additive_blend
+{
+ 3 dict begin
+ /numarrays xdf
+ /numcolors xdf
+ 0 1 numcolors 1 sub
+ {
+ /c1 xdf
+ 1
+ 0 1 numarrays 1 sub
+ {
+ 1 exch add /index cvx
+ c1 /get cvx /mul cvx
+ }for
+ numarrays 1 add 1 /roll cvx
+ }for
+ numarrays [/pop cvx] cvx /repeat cvx
+ end
+}def
+/subtractive_blend
+{
+ 3 dict begin
+ /numarrays xdf
+ /numcolors xdf
+ 0 1 numcolors 1 sub
+ {
+ /c1 xdf
+ 1 1
+ 0 1 numarrays 1 sub
+ {
+ 1 3 3 -1 roll add /index cvx
+ c1 /get cvx /sub cvx /mul cvx
+ }for
+ /sub cvx
+ numarrays 1 add 1 /roll cvx
+ }for
+ numarrays [/pop cvx] cvx /repeat cvx
+ end
+}def
+/exec_tint_transform
+{
+ /TintProc [
+ /TintTransform cvx /setcolor cvx
+ ] cvx bdf
+ MappedCSA setcolorspace_opt
+} bdf
+/devn_makecustomcolor
+{
+ 2 dict begin
+ /names_index xdf
+ /Names xdf
+ 1 1 1 1 Names names_index get findcmykcustomcolor
+ /devicen_tints AGMCORE_gget names_index get setcustomcolor
+ Names length {pop} repeat
+ end
+} bdf
+/setdevicencolorspace
+{
+ dup /AliasedColorants known {false}{true}ifelse
+ current_spot_alias and {
+ 6 dict begin
+ /names_index 0 def
+ dup /names_len exch /Names get length def
+ /new_names names_len array def
+ /new_LookupTables names_len array def
+ /alias_cnt 0 def
+ dup /Names get
+ {
+ dup map_alias {
+ exch pop
+ dup /ColorLookup known {
+ dup begin
+ new_LookupTables names_index ColorLookup put
+ end
+ }{
+ dup /Components known {
+ dup begin
+ new_LookupTables names_index Components put
+ end
+ }{
+ dup begin
+ new_LookupTables names_index [null null null null] put
+ end
+ } ifelse
+ } ifelse
+ new_names names_index 3 -1 roll /Name get put
+ /alias_cnt alias_cnt 1 add def
+ }{
+ /name xdf
+ new_names names_index name put
+ dup /LookupTables known {
+ dup begin
+ new_LookupTables names_index LookupTables names_index get put
+ end
+ }{
+ dup begin
+ new_LookupTables names_index [null null null null] put
+ end
+ } ifelse
+ } ifelse
+ /names_index names_index 1 add def
+ } forall
+ alias_cnt 0 gt {
+ /AliasedColorants true def
+ 0 1 names_len 1 sub {
+ /names_index xdf
+ new_LookupTables names_index get 0 get null eq {
+ dup /Names get names_index get /name xdf
+ name (Cyan) eq name (Magenta) eq name (Yellow) eq name (Black) eq
+ or or or not {
+ /AliasedColorants false def
+ exit
+ } if
+ } if
+ } for
+ AliasedColorants {
+ dup begin
+ /Names new_names def
+ /AliasedColorants true def
+ /LookupTables new_LookupTables def
+ currentdict /TTTablesIdx known not {
+ /TTTablesIdx -1 def
+ } if
+ currentdict /NComponents known not {
+ /NComponents TintMethod /Subtractive eq {4}{3}ifelse def
+ } if
+ end
+ } if
+ }if
+ end
+ } if
+ dup /devicen_colorspace_dict exch AGMCORE_gput
+ begin
+ /MappedCSA CSA map_csa def
+ currentdict /AliasedColorants known {
+ AliasedColorants
+ }{
+ false
+ } ifelse
+ /TintTransform load type /nulltype eq or {
+ /TintTransform [
+ 0 1 Names length 1 sub
+ {
+ /TTTablesIdx TTTablesIdx 1 add def
+ dup LookupTables exch get dup 0 get null eq
+ {
+ 1 index
+ Names exch get
+ dup (Cyan) eq
+ {
+ pop exch
+ LookupTables length exch sub
+ /index cvx
+ 0 0 0
+ }
+ {
+ dup (Magenta) eq
+ {
+ pop exch
+ LookupTables length exch sub
+ /index cvx
+ 0 /exch cvx 0 0
+ }
+ {
+ (Yellow) eq
+ {
+ exch
+ LookupTables length exch sub
+ /index cvx
+ 0 0 3 -1 /roll cvx 0
+ }
+ {
+ exch
+ LookupTables length exch sub
+ /index cvx
+ 0 0 0 4 -1 /roll cvx
+ } ifelse
+ } ifelse
+ } ifelse
+ 5 -1 /roll cvx /astore cvx
+ }
+ {
+ dup length 1 sub
+ LookupTables length 4 -1 roll sub 1 add
+ /index cvx /mul cvx /round cvx /cvi cvx /get cvx
+ } ifelse
+ Names length TTTablesIdx add 1 add 1 /roll cvx
+ } for
+ Names length [/pop cvx] cvx /repeat cvx
+ NComponents Names length
+ TintMethod /Subtractive eq
+ {
+ subtractive_blend
+ }
+ {
+ additive_blend
+ } ifelse
+ ] cvx bdf
+ } if
+ AGMCORE_host_sep {
+ Names convert_to_process {
+ exec_tint_transform
+ }
+ {
+ currentdict /AliasedColorants known {
+ AliasedColorants not
+ }{
+ false
+ } ifelse
+ 5 dict begin
+ /AvoidAliasedColorants xdf
+ /painted? false def
+ /names_index 0 def
+ /names_len Names length def
+ Names {
+ AvoidAliasedColorants {
+ /currentspotalias current_spot_alias def
+ false set_spot_alias
+ } if
+ AGMCORE_is_cmyk_sep {
+ dup (Cyan) eq AGMCORE_cyan_plate and exch
+ dup (Magenta) eq AGMCORE_magenta_plate and exch
+ dup (Yellow) eq AGMCORE_yellow_plate and exch
+ (Black) eq AGMCORE_black_plate and or or or {
+ /devicen_colorspace_dict AGMCORE_gget /TintProc [
+ Names names_index /devn_makecustomcolor cvx
+ ] cvx ddf
+ /painted? true def
+ } if
+ painted? {exit} if
+ }{
+ 0 0 0 0 5 -1 roll findcmykcustomcolor 1 setcustomcolor currentgray 0 eq {
+ /devicen_colorspace_dict AGMCORE_gget /TintProc [
+ Names names_index /devn_makecustomcolor cvx
+ ] cvx ddf
+ /painted? true def
+ exit
+ } if
+ } ifelse
+ AvoidAliasedColorants {
+ currentspotalias set_spot_alias
+ } if
+ /names_index names_index 1 add def
+ } forall
+ painted? {
+ /devicen_colorspace_dict AGMCORE_gget /names_index names_index put
+ }{
+ /devicen_colorspace_dict AGMCORE_gget /TintProc [
+ names_len [/pop cvx] cvx /repeat cvx 1 /setseparationgray cvx
+ 0 0 0 0 () /findcmykcustomcolor cvx 0 /setcustomcolor cvx
+ ] cvx ddf
+ } ifelse
+ end
+ } ifelse
+ }
+ {
+ AGMCORE_in_rip_sep {
+ Names convert_to_process not
+ }{
+ level3
+ } ifelse
+ {
+ [/DeviceN Names MappedCSA /TintTransform load] setcolorspace_opt
+ /TintProc level3 not AGMCORE_in_rip_sep and {
+ [
+ Names /length cvx [/pop cvx] cvx /repeat cvx
+ ] cvx bdf
+ }{
+ /setcolor ldf
+ } ifelse
+ }{
+ exec_tint_transform
+ } ifelse
+ } ifelse
+ set_crd
+ /AliasedColorants false def
+ end
+} def
+/setindexedcolorspace
+{
+ dup /indexed_colorspace_dict exch AGMCORE_gput
+ begin
+ currentdict /CSD known {
+ CSD get_csd /Names known {
+ CSD get_csd begin
+ currentdict devncs
+ AGMCORE_host_sep{
+ 4 dict begin
+ /devnCompCnt Names length def
+ /NewLookup HiVal 1 add string def
+ 0 1 HiVal {
+ /tableIndex xdf
+ Lookup dup type /stringtype eq {
+ devnCompCnt tableIndex map_index
+ }{
+ exec
+ } ifelse
+ setdevicencolor
+ currentgray
+ tableIndex exch
+ HiVal mul cvi
+ NewLookup 3 1 roll put
+ } for
+ [/Indexed currentcolorspace HiVal NewLookup] setcolorspace_opt
+ end
+ }{
+ level3
+ {
+ [/Indexed [/DeviceN Names MappedCSA /TintTransform load] HiVal Lookup] setcolorspace_opt
+ }{
+ [/Indexed MappedCSA HiVal
+ [
+ Lookup dup type /stringtype eq
+ {/exch cvx CSD get_csd /Names get length dup /mul cvx exch /getinterval cvx {255 div} /forall cvx}
+ {/exec cvx}ifelse
+ /TintTransform load /exec cvx
+ ]cvx
+ ]setcolorspace_opt
+ }ifelse
+ } ifelse
+ end
+ }{
+ } ifelse
+ set_crd
+ }
+ {
+ /MappedCSA CSA map_csa def
+ AGMCORE_host_sep level2 not and{
+ 0 0 0 0 setcmykcolor
+ }{
+ [/Indexed MappedCSA
+ level2 not has_color not and{
+ dup 0 get dup /DeviceRGB eq exch /DeviceCMYK eq or{
+ pop [/DeviceGray]
+ }if
+ HiVal GrayLookup
+ }{
+ HiVal
+ currentdict/RangeArray known{
+ {
+ /indexed_colorspace_dict AGMCORE_gget begin
+ Lookup exch
+ dup HiVal gt{
+ pop HiVal
+ }if
+ NComponents mul NComponents getinterval {} forall
+ NComponents 1 sub -1 0{
+ RangeArray exch 2 mul 2 getinterval aload pop map255_to_range
+ NComponents 1 roll
+ }for
+ end
+ } bind
+ }{
+ Lookup
+ }ifelse
+ }ifelse
+ ] setcolorspace_opt
+ set_crd
+ }ifelse
+ }ifelse
+ end
+}def
+/setindexedcolor
+{
+ AGMCORE_host_sep {
+ /indexed_colorspace_dict AGMCORE_gget dup /CSD known {
+ begin
+ CSD get_csd begin
+ map_indexed_devn
+ devn
+ end
+ end
+ }{
+ AGMCORE_gget/Lookup get 4 3 -1 roll map_index
+ pop setcmykcolor
+ } ifelse
+ }{
+ level3 not AGMCORE_in_rip_sep and /indexed_colorspace_dict AGMCORE_gget /CSD known and {
+ /indexed_colorspace_dict AGMCORE_gget /CSD get get_csd begin
+ map_indexed_devn
+ devn
+ end
+ }
+ {
+ setcolor
+ } ifelse
+ }ifelse
+} def
+/ignoreimagedata
+{
+ currentoverprint not{
+ gsave
+ dup clonedict begin
+ 1 setgray
+ /Decode [0 1] def
+ /DataSource <FF> def
+ /MultipleDataSources false def
+ /BitsPerComponent 8 def
+ currentdict end
+ systemdict /image get exec
+ grestore
+ }if
+ consumeimagedata
+}def
+/add_csa
+{
+ Adobe_AGM_Core begin
+ /AGMCORE_CSA_cache xput
+ end
+}def
+/get_csa_by_name
+{
+ dup type dup /nametype eq exch /stringtype eq or{
+ Adobe_AGM_Core begin
+ 1 dict begin
+ /name xdf
+ AGMCORE_CSA_cache
+ {
+ 0 get name eq {
+ exit
+ }{
+ pop
+ } ifelse
+ }forall
+ end
+ end
+ }{
+ pop
+ } ifelse
+}def
+/map_csa
+{
+ dup type /nametype eq{
+ Adobe_AGM_Core/AGMCORE_CSA_cache get exch get
+ }if
+}def
+/add_csd
+{
+ Adobe_AGM_Core begin
+ /AGMCORE_CSD_cache xput
+ end
+}def
+/get_csd
+{
+ dup type /nametype eq{
+ Adobe_AGM_Core/AGMCORE_CSD_cache get exch get
+ }if
+}def
+/pattern_buf_init
+{
+ /count get 0 0 put
+} def
+/pattern_buf_next
+{
+ dup /count get dup 0 get
+ dup 3 1 roll
+ 1 add 0 xpt
+ get
+} def
+/cachepattern_compress
+{
+ 5 dict begin
+ currentfile exch 0 exch /SubFileDecode filter /ReadFilter exch def
+ /patarray 20 dict def
+ /string_size 16000 def
+ /readbuffer string_size string def
+ currentglobal true setglobal
+ patarray 1 array dup 0 1 put /count xpt
+ setglobal
+ /LZWFilter
+ {
+ exch
+ dup length 0 eq {
+ pop
+ }{
+ patarray dup length 1 sub 3 -1 roll put
+ } ifelse
+ {string_size}{0}ifelse string
+ } /LZWEncode filter def
+ {
+ ReadFilter readbuffer readstring
+ exch LZWFilter exch writestring
+ not {exit} if
+ } loop
+ LZWFilter closefile
+ patarray
+ end
+}def
+/cachepattern
+{
+ 2 dict begin
+ currentfile exch 0 exch /SubFileDecode filter /ReadFilter exch def
+ /patarray 20 dict def
+ currentglobal true setglobal
+ patarray 1 array dup 0 1 put /count xpt
+ setglobal
+ {
+ ReadFilter 16000 string readstring exch
+ patarray dup length 1 sub 3 -1 roll put
+ not {exit} if
+ } loop
+ patarray dup dup length 1 sub () put
+ end
+}def
+/add_pattern
+{
+ Adobe_AGM_Core begin
+ /AGMCORE_pattern_cache xput
+ end
+}def
+/get_pattern
+{
+ dup type /nametype eq{
+ Adobe_AGM_Core/AGMCORE_pattern_cache get exch get
+ dup wrap_paintproc
+ }if
+}def
+/wrap_paintproc
+{
+ statusdict /currentfilenameextend known{
+ begin
+ /OldPaintProc /PaintProc load def
+ /PaintProc
+ {
+ mark exch
+ dup /OldPaintProc get stopped
+ {closefile restore end} if
+ cleartomark
+ } def
+ end
+ } {pop} ifelse
+} def
+/make_pattern
+{
+ dup matrix currentmatrix matrix concatmatrix 0 0 3 2 roll itransform
+ exch 3 index /XStep get 1 index exch 2 copy div cvi mul sub sub
+ exch 3 index /YStep get 1 index exch 2 copy div cvi mul sub sub
+ matrix translate exch matrix concatmatrix
+ 1 index begin
+ BBox 0 get XStep div cvi XStep mul /xshift exch neg def
+ BBox 1 get YStep div cvi YStep mul /yshift exch neg def
+ BBox 0 get xshift add
+ BBox 1 get yshift add
+ BBox 2 get xshift add
+ BBox 3 get yshift add
+ 4 array astore
+ /BBox exch def
+ [ xshift yshift /translate load null /exec load ] dup
+ 3 /PaintProc load put cvx /PaintProc exch def
+ end
+ gsave 0 setgray
+ makepattern
+ grestore
+}def
+/set_pattern
+{
+ dup /PatternType get 1 eq{
+ dup /PaintType get 1 eq{
+ currentoverprint sop [/DeviceGray] setcolorspace 0 setgray
+ }if
+ }if
+ setpattern
+}def
+/setcolorspace_opt
+{
+ dup currentcolorspace eq{
+ pop
+ }{
+ setcolorspace
+ }ifelse
+}def
+/updatecolorrendering
+{
+ currentcolorrendering/Intent known{
+ currentcolorrendering/Intent get
+ }{
+ null
+ }ifelse
+ Intent ne{
+ false
+ Intent
+ AGMCORE_CRD_cache {
+ exch pop
+ begin
+ dup Intent eq{
+ currentdict setcolorrendering_opt
+ end
+ exch pop true exch
+ exit
+ }if
+ end
+ } forall
+ pop
+ not{
+ systemdict /findcolorrendering known{
+ Intent findcolorrendering pop
+ /ColorRendering findresource
+ dup length dict copy
+ setcolorrendering_opt
+ }if
+ }if
+ }if
+} def
+/add_crd
+{
+ AGMCORE_CRD_cache 3 1 roll put
+}def
+/set_crd
+{
+ AGMCORE_host_sep not level2 and{
+ currentdict/CRD known{
+ AGMCORE_CRD_cache CRD get dup null ne{
+ setcolorrendering_opt
+ }{
+ pop
+ }ifelse
+ }{
+ currentdict/Intent known{
+ updatecolorrendering
+ }if
+ }ifelse
+ currentcolorspace dup type /arraytype eq
+ {0 get}if
+ /DeviceRGB eq
+ {
+ currentdict/UCR known
+ {/UCR}{/AGMCORE_currentucr}ifelse
+ load setundercolorremoval
+ currentdict/BG known
+ {/BG}{/AGMCORE_currentbg}ifelse
+ load setblackgeneration
+ }if
+ }if
+}def
+/setcolorrendering_opt
+{
+ dup currentcolorrendering eq{
+ pop
+ }{
+ begin
+ /Intent Intent def
+ currentdict
+ end
+ setcolorrendering
+ }ifelse
+}def
+/cpaint_gcomp
+{
+ convert_to_process Adobe_AGM_Core/AGMCORE_ConvertToProcess xddf
+ Adobe_AGM_Core/AGMCORE_ConvertToProcess get not
+ {
+ (%end_cpaint_gcomp) flushinput
+ }if
+}def
+/cpaint_gsep
+{
+ Adobe_AGM_Core/AGMCORE_ConvertToProcess get
+ {
+ (%end_cpaint_gsep) flushinput
+ }if
+}def
+/cpaint_gend
+{
+ newpath
+}def
+/path_rez
+{
+ dup 0 ne{
+ AGMCORE_deviceDPI exch div
+ dup 1 lt{
+ pop 1
+ }if
+ setflat
+ }{
+ pop
+ }ifelse
+}def
+/set_spot_alias_ary
+{
+ /AGMCORE_SpotAliasAry where{
+ pop pop
+ }{
+ Adobe_AGM_Core/AGMCORE_SpotAliasAry xddf
+ true set_spot_alias
+ }ifelse
+}def
+/set_spot_alias
+{
+ /AGMCORE_SpotAliasAry where{
+ /AGMCORE_current_spot_alias 3 -1 roll put
+ }{
+ pop
+ }ifelse
+}def
+/current_spot_alias
+{
+ /AGMCORE_SpotAliasAry where{
+ /AGMCORE_current_spot_alias get
+ }{
+ false
+ }ifelse
+}def
+/map_alias
+{
+ /AGMCORE_SpotAliasAry where{
+ begin
+ /AGMCORE_name xdf
+ false
+ AGMCORE_SpotAliasAry{
+ dup/Name get AGMCORE_name eq{
+ save exch
+ /Adobe_AGM_Core currentdict def
+ /CSD get get_csd
+ exch restore
+ exch pop true
+ exit
+ }{
+ pop
+ }ifelse
+ }forall
+ end
+ }{
+ pop false
+ }ifelse
+}bdf
+/spot_alias
+{
+ true set_spot_alias
+ /AGMCORE_&setcustomcolor AGMCORE_key_known not {
+ Adobe_AGM_Core/AGMCORE_&setcustomcolor /setcustomcolor load put
+ } if
+ /customcolor_tint 1 AGMCORE_gput
+ Adobe_AGM_Core begin
+ /setcustomcolor
+ {
+ dup /customcolor_tint exch AGMCORE_gput
+ current_spot_alias{
+ 1 index 4 get map_alias{
+ mark 3 1 roll
+ setsepcolorspace
+ counttomark 0 ne{
+ setsepcolor
+ }if
+ pop
+ pop
+ }{
+ AGMCORE_&setcustomcolor
+ }ifelse
+ }{
+ AGMCORE_&setcustomcolor
+ }ifelse
+ }bdf
+ end
+}def
+/begin_feature
+{
+ Adobe_AGM_Core/AGMCORE_feature_dictCount countdictstack put
+ count Adobe_AGM_Core/AGMCORE_feature_opCount 3 -1 roll put
+ {Adobe_AGM_Core/AGMCORE_feature_ctm matrix currentmatrix put}if
+}def
+/end_feature
+{
+ 2 dict begin
+ /spd /setpagedevice load def
+ /setpagedevice { get_gstate spd set_gstate } def
+ stopped{$error/newerror false put}if
+ end
+ count Adobe_AGM_Core/AGMCORE_feature_opCount get sub dup 0 gt{{pop}repeat}{pop}ifelse
+ countdictstack Adobe_AGM_Core/AGMCORE_feature_dictCount get sub dup 0 gt{{end}repeat}{pop}ifelse
+ {Adobe_AGM_Core/AGMCORE_feature_ctm get setmatrix}if
+}def
+/set_negative
+{
+ Adobe_AGM_Core begin
+ /AGMCORE_inverting exch def
+ level2{
+ currentpagedevice/NegativePrint known{
+ currentpagedevice/NegativePrint get Adobe_AGM_Core/AGMCORE_inverting get ne{
+ true begin_feature true{
+ bdict /NegativePrint Adobe_AGM_Core/AGMCORE_inverting get edict setpagedevice
+ }end_feature
+ }if
+ /AGMCORE_inverting false def
+ }if
+ }if
+ AGMCORE_inverting{
+ [{1 exch sub}/exec load dup currenttransfer exch]cvx bind settransfer
+ gsave newpath clippath 1 /setseparationgray where{pop setseparationgray}{setgray}ifelse
+ /AGMIRS_&fill where {pop AGMIRS_&fill}{fill} ifelse grestore
+ }if
+ end
+}def
+/lw_save_restore_override {
+ /md where {
+ pop
+ md begin
+ initializepage
+ /initializepage{}def
+ /pmSVsetup{} def
+ /endp{}def
+ /pse{}def
+ /psb{}def
+ /orig_showpage where
+ {pop}
+ {/orig_showpage /showpage load def}
+ ifelse
+ /showpage {orig_showpage gR} def
+ end
+ }if
+}def
+/pscript_showpage_override {
+ /NTPSOct95 where
+ {
+ begin
+ showpage
+ save
+ /showpage /restore load def
+ /restore {exch pop}def
+ end
+ }if
+}def
+/driver_media_override
+{
+ /md where {
+ pop
+ md /initializepage known {
+ md /initializepage {} put
+ } if
+ md /rC known {
+ md /rC {4{pop}repeat} put
+ } if
+ }if
+ /mysetup where {
+ /mysetup [1 0 0 1 0 0] put
+ }if
+ Adobe_AGM_Core /AGMCORE_Default_CTM matrix currentmatrix put
+ level2
+ {Adobe_AGM_Core /AGMCORE_Default_PageSize currentpagedevice/PageSize get put}if
+}def
+/driver_check_media_override
+{
+ /PrepsDict where
+ {pop}
+ {
+ Adobe_AGM_Core /AGMCORE_Default_CTM get matrix currentmatrix ne
+ Adobe_AGM_Core /AGMCORE_Default_PageSize get type /arraytype eq
+ {
+ Adobe_AGM_Core /AGMCORE_Default_PageSize get 0 get currentpagedevice/PageSize get 0 get eq and
+ Adobe_AGM_Core /AGMCORE_Default_PageSize get 1 get currentpagedevice/PageSize get 1 get eq and
+ }if
+ {
+ Adobe_AGM_Core /AGMCORE_Default_CTM get setmatrix
+ }if
+ }ifelse
+}def
+AGMCORE_err_strings begin
+ /AGMCORE_bad_environ (Environment not satisfactory for this job. Ensure that the PPD is correct or that the PostScript level requested is supported by this printer. ) def
+ /AGMCORE_color_space_onhost_seps (This job contains colors that will not separate with on-host methods. ) def
+ /AGMCORE_invalid_color_space (This job contains an invalid color space. ) def
+end
+end
+systemdict /setpacking known
+{
+ setpacking
+} if
+%%EndResource
+%%BeginResource: procset Adobe_CoolType_Core 2.23 0
+%%Copyright: Copyright 1997-2003 Adobe Systems Incorporated. All Rights Reserved.
+%%Version: 2.23 0
+10 dict begin
+/Adobe_CoolType_Passthru currentdict def
+/Adobe_CoolType_Core_Defined userdict /Adobe_CoolType_Core known def
+Adobe_CoolType_Core_Defined
+ { /Adobe_CoolType_Core userdict /Adobe_CoolType_Core get def }
+if
+userdict /Adobe_CoolType_Core 60 dict dup begin put
+/Adobe_CoolType_Version 2.23 def
+/Level2?
+ systemdict /languagelevel known dup
+ { pop systemdict /languagelevel get 2 ge }
+ if def
+Level2? not
+ {
+ /currentglobal false def
+ /setglobal /pop load def
+ /gcheck { pop false } bind def
+ /currentpacking false def
+ /setpacking /pop load def
+ /SharedFontDirectory 0 dict def
+ }
+if
+currentpacking
+true setpacking
+/@_SaveStackLevels
+ {
+ Adobe_CoolType_Data
+ begin
+ @opStackCountByLevel @opStackLevel
+ 2 copy known not
+ { 2 copy 3 dict dup /args 7 index 5 add array put put get }
+ {
+ get dup /args get dup length 3 index lt
+ {
+ dup length 5 add array exch
+ 1 index exch 0 exch putinterval
+ 1 index exch /args exch put
+ }
+ { pop }
+ ifelse
+ }
+ ifelse
+ begin
+ count 2 sub 1 index lt
+ { pop count 1 sub }
+ if
+ dup /argCount exch def
+ dup 0 gt
+ {
+ exch 1 index 2 add 1 roll
+ args exch 0 exch getinterval
+ astore pop
+ }
+ { pop }
+ ifelse
+ count 1 sub /restCount exch def
+ end
+ /@opStackLevel @opStackLevel 1 add def
+ countdictstack 1 sub
+ @dictStackCountByLevel exch @dictStackLevel exch put
+ /@dictStackLevel @dictStackLevel 1 add def
+ end
+ } bind def
+/@_RestoreStackLevels
+ {
+ Adobe_CoolType_Data
+ begin
+ /@opStackLevel @opStackLevel 1 sub def
+ @opStackCountByLevel @opStackLevel get
+ begin
+ count restCount sub dup 0 gt
+ { { pop } repeat }
+ { pop }
+ ifelse
+ args 0 argCount getinterval {} forall
+ end
+ /@dictStackLevel @dictStackLevel 1 sub def
+ @dictStackCountByLevel @dictStackLevel get
+ end
+ countdictstack exch sub dup 0 gt
+ { { end } repeat }
+ { pop }
+ ifelse
+ } bind def
+/@_PopStackLevels
+ {
+ Adobe_CoolType_Data
+ begin
+ /@opStackLevel @opStackLevel 1 sub def
+ /@dictStackLevel @dictStackLevel 1 sub def
+ end
+ } bind def
+/@Raise
+ {
+ exch cvx exch errordict exch get exec
+ stop
+ } bind def
+/@ReRaise
+ {
+ cvx $error /errorname get errordict exch get exec
+ stop
+ } bind def
+/@Stopped
+ {
+ 0 @#Stopped
+ } bind def
+/@#Stopped
+ {
+ @_SaveStackLevels
+ stopped
+ { @_RestoreStackLevels true }
+ { @_PopStackLevels false }
+ ifelse
+ } bind def
+/@Arg
+ {
+ Adobe_CoolType_Data
+ begin
+ @opStackCountByLevel @opStackLevel 1 sub get /args get exch get
+ end
+ } bind def
+currentglobal true setglobal
+/CTHasResourceForAllBug
+ Level2?
+ {
+ 1 dict dup begin
+ mark
+ {
+ (*) { pop stop } 128 string /Category
+ resourceforall
+ }
+ stopped
+ cleartomark
+ currentdict eq dup
+ { end }
+ if
+ not
+ }
+ { false }
+ ifelse
+ def
+/CTHasResourceStatusBug
+ Level2?
+ {
+ mark
+ { /steveamerige /Category resourcestatus }
+ stopped
+ { cleartomark true }
+ { cleartomark currentglobal not }
+ ifelse
+ }
+ { false }
+ ifelse
+ def
+setglobal
+/CTResourceStatus
+ {
+ mark 3 1 roll
+ /Category findresource
+ begin
+ ({ResourceStatus} stopped) 0 () /SubFileDecode filter cvx exec
+ { cleartomark false }
+ { { 3 2 roll pop true } { cleartomark false } ifelse }
+ ifelse
+ end
+ } bind def
+/CTWorkAroundBugs
+ {
+ Level2?
+ {
+ /cid_PreLoad /ProcSet resourcestatus
+ {
+ pop pop
+ currentglobal
+ mark
+ {
+ (*)
+ {
+ dup /CMap CTHasResourceStatusBug
+ { CTResourceStatus }
+ { resourcestatus }
+ ifelse
+ {
+ pop dup 0 eq exch 1 eq or
+ {
+ dup /CMap findresource gcheck setglobal
+ /CMap undefineresource
+ }
+ {
+ pop CTHasResourceForAllBug
+ { exit }
+ { stop }
+ ifelse
+ }
+ ifelse
+ }
+ { pop }
+ ifelse
+ }
+ 128 string /CMap resourceforall
+ }
+ stopped
+ { cleartomark }
+ stopped pop
+ setglobal
+ }
+ if
+ }
+ if
+ } bind def
+/doc_setup
+ {
+ Adobe_CoolType_Core
+ begin
+ CTWorkAroundBugs
+ /mov /moveto load def
+ /nfnt /newencodedfont load def
+ /mfnt /makefont load def
+ /sfnt /setfont load def
+ /ufnt /undefinefont load def
+ /chp /charpath load def
+ /awsh /awidthshow load def
+ /wsh /widthshow load def
+ /ash /ashow load def
+ /sh /show load def
+ end
+ userdict /Adobe_CoolType_Data 10 dict dup
+ begin
+ /AddWidths? false def
+ /CC 0 def
+ /charcode 2 string def
+ /@opStackCountByLevel 32 dict def
+ /@opStackLevel 0 def
+ /@dictStackCountByLevel 32 dict def
+ /@dictStackLevel 0 def
+ /InVMFontsByCMap 10 dict def
+ /InVMDeepCopiedFonts 10 dict def
+ end put
+ } bind def
+/doc_trailer
+ {
+ currentdict Adobe_CoolType_Core eq
+ { end }
+ if
+ } bind def
+/page_setup
+ {
+ Adobe_CoolType_Core begin
+ } bind def
+/page_trailer
+ {
+ end
+ } bind def
+/unload
+ {
+ systemdict /languagelevel known
+ {
+ systemdict/languagelevel get 2 ge
+ {
+ userdict/Adobe_CoolType_Core 2 copy known
+ { undef }
+ { pop pop }
+ ifelse
+ }
+ if
+ }
+ if
+ } bind def
+/ndf
+ {
+ 1 index where
+ { pop pop pop }
+ { dup xcheck { bind } if def }
+ ifelse
+ } def
+/findfont systemdict
+ begin
+ userdict
+ begin
+ /globaldict where { /globaldict get begin } if
+ dup where pop exch get
+ /globaldict where { pop end } if
+ end
+ end
+Adobe_CoolType_Core_Defined
+ { /systemfindfont exch def }
+ {
+ /findfont 1 index def
+ /systemfindfont exch def
+ }
+ifelse
+/undefinefont
+ { pop } ndf
+/copyfont
+ {
+ currentglobal 3 1 roll
+ 1 index gcheck setglobal
+ dup null eq { 0 } { dup length } ifelse
+ 2 index length add 1 add dict
+ begin
+ exch
+ {
+ 1 index /FID eq
+ { pop pop }
+ { def }
+ ifelse
+ }
+ forall
+ dup null eq
+ { pop }
+ { { def } forall }
+ ifelse
+ currentdict
+ end
+ exch setglobal
+ } bind def
+/copyarray
+ {
+ currentglobal exch
+ dup gcheck setglobal
+ dup length array copy
+ exch setglobal
+ } bind def
+/newencodedfont
+ {
+ currentglobal
+ {
+ SharedFontDirectory 3 index known
+ { SharedFontDirectory 3 index get /FontReferenced known }
+ { false }
+ ifelse
+ }
+ {
+ FontDirectory 3 index known
+ { FontDirectory 3 index get /FontReferenced known }
+ {
+ SharedFontDirectory 3 index known
+ { SharedFontDirectory 3 index get /FontReferenced known }
+ { false }
+ ifelse
+ }
+ ifelse
+ }
+ ifelse
+ dup
+ {
+ 3 index findfont /FontReferenced get
+ 2 index dup type /nametype eq
+ {findfont}
+ if ne
+ { pop false }
+ if
+ }
+ if
+ {
+ pop
+ 1 index findfont
+ /Encoding get exch
+ 0 1 255
+ { 2 copy get 3 index 3 1 roll put }
+ for
+ pop pop pop
+ }
+ {
+ dup type /nametype eq
+ { findfont }
+ if
+ dup dup maxlength 2 add dict
+ begin
+ exch
+ {
+ 1 index /FID ne
+ {def}
+ {pop pop}
+ ifelse
+ }
+ forall
+ /FontReferenced exch def
+ /Encoding exch dup length array copy def
+ /FontName 1 index dup type /stringtype eq { cvn } if def dup
+ currentdict
+ end
+ definefont def
+ }
+ ifelse
+ } bind def
+/SetSubstituteStrategy
+ {
+ $SubstituteFont
+ begin
+ dup type /dicttype ne
+ { 0 dict }
+ if
+ currentdict /$Strategies known
+ {
+ exch $Strategies exch
+ 2 copy known
+ {
+ get
+ 2 copy maxlength exch maxlength add dict
+ begin
+ { def } forall
+ { def } forall
+ currentdict
+ dup /$Init known
+ { dup /$Init get exec }
+ if
+ end
+ /$Strategy exch def
+ }
+ { pop pop pop }
+ ifelse
+ }
+ { pop pop }
+ ifelse
+ end
+ } bind def
+/scff
+ {
+ $SubstituteFont
+ begin
+ dup type /stringtype eq
+ { dup length exch }
+ { null }
+ ifelse
+ /$sname exch def
+ /$slen exch def
+ /$inVMIndex
+ $sname null eq
+ {
+ 1 index $str cvs
+ dup length $slen sub $slen getinterval cvn
+ }
+ { $sname }
+ ifelse def
+ end
+ { findfont }
+ @Stopped
+ {
+ dup length 8 add string exch
+ 1 index 0 (BadFont:) putinterval
+ 1 index exch 8 exch dup length string cvs putinterval cvn
+ { findfont }
+ @Stopped
+ { pop /Courier findfont }
+ if
+ }
+ if
+ $SubstituteFont
+ begin
+ /$sname null def
+ /$slen 0 def
+ /$inVMIndex null def
+ end
+ } bind def
+/isWidthsOnlyFont
+ {
+ dup /WidthsOnly known
+ { pop pop true }
+ {
+ dup /FDepVector known
+ { /FDepVector get { isWidthsOnlyFont dup { exit } if } forall }
+ {
+ dup /FDArray known
+ { /FDArray get { isWidthsOnlyFont dup { exit } if } forall }
+ { pop }
+ ifelse
+ }
+ ifelse
+ }
+ ifelse
+ } bind def
+/?str1 256 string def
+/?set
+ {
+ $SubstituteFont
+ begin
+ /$substituteFound false def
+ /$fontname 4 index def
+ /$doSmartSub false def
+ end
+ 3 index
+ currentglobal false setglobal exch
+ /CompatibleFonts /ProcSet resourcestatus
+ {
+ pop pop
+ /CompatibleFonts /ProcSet findresource
+ begin
+ dup /CompatibleFont currentexception
+ 1 index /CompatibleFont true setexception
+ 1 index /Font resourcestatus
+ {
+ pop pop
+ 3 2 roll setglobal
+ end
+ exch
+ dup findfont
+ /CompatibleFonts /ProcSet findresource
+ begin
+ 3 1 roll exch /CompatibleFont exch setexception
+ end
+ }
+ {
+ 3 2 roll setglobal
+ 1 index exch /CompatibleFont exch setexception
+ end
+ findfont
+ $SubstituteFont /$substituteFound true put
+ }
+ ifelse
+ }
+ { exch setglobal findfont }
+ ifelse
+ $SubstituteFont
+ begin
+ $substituteFound
+ {
+ false
+ (%%[Using embedded font ) print
+ 5 index ?str1 cvs print
+ ( to avoid the font substitution problem noted earlier.]%%\n) print
+ }
+ {
+ dup /FontName known
+ {
+ dup /FontName get $fontname eq
+ 1 index /DistillerFauxFont known not and
+ /currentdistillerparams where
+ { pop false 2 index isWidthsOnlyFont not and }
+ if
+ }
+ { false }
+ ifelse
+ }
+ ifelse
+ exch pop
+ /$doSmartSub true def
+ end
+ {
+ exch pop exch pop exch
+ 2 dict dup /Found 3 index put
+ exch findfont exch
+ }
+ {
+ exch exec
+ exch dup findfont
+ dup /FontType get 3 eq
+ {
+ exch ?str1 cvs
+ dup length 1 sub
+ -1 0
+ {
+ exch dup 2 index get 42 eq
+ {
+ exch 0 exch getinterval cvn 4 1 roll 3 2 roll pop
+ exit
+ }
+ {exch pop} ifelse
+ }for
+ }
+ {
+ exch pop
+ } ifelse
+ 2 dict dup /Downloaded 6 5 roll put
+ }
+ ifelse
+ dup /FontName 4 index put copyfont definefont pop
+ } bind def
+/?str2 256 string def
+/?add
+ {
+ 1 index type /integertype eq
+ { exch true 4 2 }
+ { false 3 1 }
+ ifelse
+ roll
+ 1 index findfont
+ dup /Widths known
+ {
+ Adobe_CoolType_Data /AddWidths? true put
+ gsave dup 1000 scalefont setfont
+ }
+ if
+ /Downloaded known
+ {
+ exec
+ exch
+ {
+ exch ?str2 cvs exch
+ findfont /Downloaded get 1 dict begin /Downloaded 1 index def ?str1 cvs length
+ ?str1 1 index 1 add 3 index putinterval
+ exch length 1 add 1 index add
+ ?str1 2 index (*) putinterval
+ ?str1 0 2 index getinterval cvn findfont
+ ?str1 3 index (+) putinterval
+ 2 dict dup /FontName ?str1 0 6 index getinterval cvn put
+ dup /Downloaded Downloaded put end copyfont
+ dup /FontName get exch definefont pop pop pop
+ }
+ {
+ pop
+ }
+ ifelse
+ }
+ {
+ pop
+ exch
+ {
+ findfont
+ dup /Found get
+ dup length exch ?str1 cvs pop
+ ?str1 1 index (+) putinterval
+ ?str1 1 index 1 add 4 index ?str2 cvs putinterval
+ ?str1 exch 0 exch 5 4 roll ?str2 cvs length 1 add add getinterval cvn
+ 1 dict exch 1 index exch /FontName exch put copyfont
+ dup /FontName get exch definefont pop
+ }
+ {
+ pop
+ }
+ ifelse
+ }
+ ifelse
+ Adobe_CoolType_Data /AddWidths? get
+ { grestore Adobe_CoolType_Data /AddWidths? false put }
+ if
+ } bind def
+/?sh
+ {
+ currentfont /Downloaded known { exch } if pop
+ } bind def
+/?chp
+ {
+ currentfont /Downloaded known { pop } { false chp } ifelse
+ } bind def
+/?mv
+ {
+ currentfont /Downloaded known { moveto pop pop } { pop pop moveto } ifelse
+ } bind def
+setpacking
+userdict /$SubstituteFont 25 dict put
+1 dict
+ begin
+ /SubstituteFont
+ dup $error exch 2 copy known
+ { get }
+ { pop pop { pop /Courier } bind }
+ ifelse def
+ /currentdistillerparams where dup
+ {
+ pop pop
+ currentdistillerparams /CannotEmbedFontPolicy 2 copy known
+ { get /Error eq }
+ { pop pop false }
+ ifelse
+ }
+ if not
+ {
+ countdictstack array dictstack 0 get
+ begin
+ userdict
+ begin
+ $SubstituteFont
+ begin
+ /$str 128 string def
+ /$fontpat 128 string def
+ /$slen 0 def
+ /$sname null def
+ /$match false def
+ /$fontname null def
+ /$substituteFound false def
+ /$inVMIndex null def
+ /$doSmartSub true def
+ /$depth 0 def
+ /$fontname null def
+ /$italicangle 26.5 def
+ /$dstack null def
+ /$Strategies 10 dict dup
+ begin
+ /$Type3Underprint
+ {
+ currentglobal exch false setglobal
+ 11 dict
+ begin
+ /UseFont exch
+ $WMode 0 ne
+ {
+ dup length dict copy
+ dup /WMode $WMode put
+ /UseFont exch definefont
+ }
+ if def
+ /FontName $fontname dup type /stringtype eq { cvn } if def
+ /FontType 3 def
+ /FontMatrix [ .001 0 0 .001 0 0 ] def
+ /Encoding 256 array dup 0 1 255 { /.notdef put dup } for pop def
+ /FontBBox [ 0 0 0 0 ] def
+ /CCInfo 7 dict dup
+ begin
+ /cc null def
+ /x 0 def
+ /y 0 def
+ end def
+ /BuildChar
+ {
+ exch
+ begin
+ CCInfo
+ begin
+ 1 string dup 0 3 index put exch pop
+ /cc exch def
+ UseFont 1000 scalefont setfont
+ cc stringwidth /y exch def /x exch def
+ x y setcharwidth
+ $SubstituteFont /$Strategy get /$Underprint get exec
+ 0 0 moveto cc show
+ x y moveto
+ end
+ end
+ } bind def
+ currentdict
+ end
+ exch setglobal
+ } bind def
+ /$GetaTint
+ 2 dict dup
+ begin
+ /$BuildFont
+ {
+ dup /WMode known
+ { dup /WMode get }
+ { 0 }
+ ifelse
+ /$WMode exch def
+ $fontname exch
+ dup /FontName known
+ {
+ dup /FontName get
+ dup type /stringtype eq { cvn } if
+ }
+ { /unnamedfont }
+ ifelse
+ exch
+ Adobe_CoolType_Data /InVMDeepCopiedFonts get
+ 1 index /FontName get known
+ {
+ pop
+ Adobe_CoolType_Data /InVMDeepCopiedFonts get
+ 1 index get
+ null copyfont
+ }
+ { $deepcopyfont }
+ ifelse
+ exch 1 index exch /FontBasedOn exch put
+ dup /FontName $fontname dup type /stringtype eq { cvn } if put
+ definefont
+ Adobe_CoolType_Data /InVMDeepCopiedFonts get
+ begin
+ dup /FontBasedOn get 1 index def
+ end
+ } bind def
+ /$Underprint
+ {
+ gsave
+ x abs y abs gt
+ { /y 1000 def }
+ { /x -1000 def 500 120 translate }
+ ifelse
+ Level2?
+ {
+ [ /Separation (All) /DeviceCMYK { 0 0 0 1 pop } ]
+ setcolorspace
+ }
+ { 0 setgray }
+ ifelse
+ 10 setlinewidth
+ x .8 mul
+ [ 7 3 ]
+ {
+ y mul 8 div 120 sub x 10 div exch moveto
+ 0 y 4 div neg rlineto
+ dup 0 rlineto
+ 0 y 4 div rlineto
+ closepath
+ gsave
+ Level2?
+ { .2 setcolor }
+ { .8 setgray }
+ ifelse
+ fill grestore
+ stroke
+ }
+ forall
+ pop
+ grestore
+ } bind def
+ end def
+ /$Oblique
+ 1 dict dup
+ begin
+ /$BuildFont
+ {
+ currentglobal exch dup gcheck setglobal
+ null copyfont
+ begin
+ /FontBasedOn
+ currentdict /FontName known
+ {
+ FontName
+ dup type /stringtype eq { cvn } if
+ }
+ { /unnamedfont }
+ ifelse
+ def
+ /FontName $fontname dup type /stringtype eq { cvn } if def
+ /currentdistillerparams where
+ { pop }
+ {
+ /FontInfo currentdict /FontInfo known
+ { FontInfo null copyfont }
+ { 2 dict }
+ ifelse
+ dup
+ begin
+ /ItalicAngle $italicangle def
+ /FontMatrix FontMatrix
+ [ 1 0 ItalicAngle dup sin exch cos div 1 0 0 ]
+ matrix concatmatrix readonly
+ end
+ 4 2 roll def
+ def
+ }
+ ifelse
+ FontName currentdict
+ end
+ definefont
+ exch setglobal
+ } bind def
+ end def
+ /$None
+ 1 dict dup
+ begin
+ /$BuildFont {} bind def
+ end def
+ end def
+ /$Oblique SetSubstituteStrategy
+ /$findfontByEnum
+ {
+ dup type /stringtype eq { cvn } if
+ dup /$fontname exch def
+ $sname null eq
+ { $str cvs dup length $slen sub $slen getinterval }
+ { pop $sname }
+ ifelse
+ $fontpat dup 0 (fonts/*) putinterval exch 7 exch putinterval
+ /$match false def
+ $SubstituteFont /$dstack countdictstack array dictstack put
+ mark
+ {
+ $fontpat 0 $slen 7 add getinterval
+ { /$match exch def exit }
+ $str filenameforall
+ }
+ stopped
+ {
+ cleardictstack
+ currentdict
+ true
+ $SubstituteFont /$dstack get
+ {
+ exch
+ {
+ 1 index eq
+ { pop false }
+ { true }
+ ifelse
+ }
+ { begin false }
+ ifelse
+ }
+ forall
+ pop
+ }
+ if
+ cleartomark
+ /$slen 0 def
+ $match false ne
+ { $match (fonts/) anchorsearch pop pop cvn }
+ { /Courier }
+ ifelse
+ } bind def
+ /$ROS 1 dict dup
+ begin
+ /Adobe 4 dict dup
+ begin
+ /Japan1 [ /Ryumin-Light /HeiseiMin-W3
+ /GothicBBB-Medium /HeiseiKakuGo-W5
+ /HeiseiMaruGo-W4 /Jun101-Light ] def
+ /Korea1 [ /HYSMyeongJo-Medium /HYGoThic-Medium ] def
+ /GB1 [ /STSong-Light /STHeiti-Regular ] def
+ /CNS1 [ /MKai-Medium /MHei-Medium ] def
+ end def
+ end def
+ /$cmapname null def
+ /$deepcopyfont
+ {
+ dup /FontType get 0 eq
+ {
+ 1 dict dup /FontName /copied put copyfont
+ begin
+ /FDepVector FDepVector copyarray
+ 0 1 2 index length 1 sub
+ {
+ 2 copy get $deepcopyfont
+ dup /FontName /copied put
+ /copied exch definefont
+ 3 copy put pop pop
+ }
+ for
+ def
+ currentdict
+ end
+ }
+ { $Strategies /$Type3Underprint get exec }
+ ifelse
+ } bind def
+ /$buildfontname
+ {
+ dup /CIDFont findresource /CIDSystemInfo get
+ begin
+ Registry length Ordering length Supplement 8 string cvs
+ 3 copy length 2 add add add string
+ dup 5 1 roll dup 0 Registry putinterval
+ dup 4 index (-) putinterval
+ dup 4 index 1 add Ordering putinterval
+ 4 2 roll add 1 add 2 copy (-) putinterval
+ end
+ 1 add 2 copy 0 exch getinterval $cmapname $fontpat cvs exch
+ anchorsearch
+ { pop pop 3 2 roll putinterval cvn /$cmapname exch def }
+ { pop pop pop pop pop }
+ ifelse
+ length
+ $str 1 index (-) putinterval 1 add
+ $str 1 index $cmapname $fontpat cvs putinterval
+ $cmapname length add
+ $str exch 0 exch getinterval cvn
+ } bind def
+ /$findfontByROS
+ {
+ /$fontname exch def
+ $ROS Registry 2 copy known
+ {
+ get Ordering 2 copy known
+ { get }
+ { pop pop [] }
+ ifelse
+ }
+ { pop pop [] }
+ ifelse
+ false exch
+ {
+ dup /CIDFont resourcestatus
+ {
+ pop pop
+ save
+ 1 index /CIDFont findresource
+ dup /WidthsOnly known
+ { dup /WidthsOnly get }
+ { false }
+ ifelse
+ exch pop
+ exch restore
+ { pop }
+ { exch pop true exit }
+ ifelse
+ }
+ { pop }
+ ifelse
+ }
+ forall
+ { $str cvs $buildfontname }
+ {
+ false (*)
+ {
+ save exch
+ dup /CIDFont findresource
+ dup /WidthsOnly known
+ { dup /WidthsOnly get not }
+ { true }
+ ifelse
+ exch /CIDSystemInfo get
+ dup /Registry get Registry eq
+ exch /Ordering get Ordering eq and and
+ { exch restore exch pop true exit }
+ { pop restore }
+ ifelse
+ }
+ $str /CIDFont resourceforall
+ { $buildfontname }
+ { $fontname $findfontByEnum }
+ ifelse
+ }
+ ifelse
+ } bind def
+ end
+ end
+ currentdict /$error known currentdict /languagelevel known and dup
+ { pop $error /SubstituteFont known }
+ if
+ dup
+ { $error }
+ { Adobe_CoolType_Core }
+ ifelse
+ begin
+ {
+ /SubstituteFont
+ /CMap /Category resourcestatus
+ {
+ pop pop
+ {
+ $SubstituteFont
+ begin
+ /$substituteFound true def
+ dup length $slen gt
+ $sname null ne or
+ $slen 0 gt and
+ {
+ $sname null eq
+ { dup $str cvs dup length $slen sub $slen getinterval cvn }
+ { $sname }
+ ifelse
+ Adobe_CoolType_Data /InVMFontsByCMap get
+ 1 index 2 copy known
+ {
+ get
+ false exch
+ {
+ pop
+ currentglobal
+ {
+ GlobalFontDirectory 1 index known
+ { exch pop true exit }
+ { pop }
+ ifelse
+ }
+ {
+ FontDirectory 1 index known
+ { exch pop true exit }
+ {
+ GlobalFontDirectory 1 index known
+ { exch pop true exit }
+ { pop }
+ ifelse
+ }
+ ifelse
+ }
+ ifelse
+ }
+ forall
+ }
+ { pop pop false }
+ ifelse
+ {
+ exch pop exch pop
+ }
+ {
+ dup /CMap resourcestatus
+ {
+ pop pop
+ dup /$cmapname exch def
+ /CMap findresource /CIDSystemInfo get { def } forall
+ $findfontByROS
+ }
+ {
+ 128 string cvs
+ dup (-) search
+ {
+ 3 1 roll search
+ {
+ 3 1 roll pop
+ { dup cvi }
+ stopped
+ { pop pop pop pop pop $findfontByEnum }
+ {
+ 4 2 roll pop pop
+ exch length
+ exch
+ 2 index length
+ 2 index
+ sub
+ exch 1 sub -1 0
+ {
+ $str cvs dup length
+ 4 index
+ 0
+ 4 index
+ 4 3 roll add
+ getinterval
+ exch 1 index exch 3 index exch
+ putinterval
+ dup /CMap resourcestatus
+ {
+ pop pop
+ 4 1 roll pop pop pop
+ dup /$cmapname exch def
+ /CMap findresource /CIDSystemInfo get { def } forall
+ $findfontByROS
+ true exit
+ }
+ { pop }
+ ifelse
+ }
+ for
+ dup type /booleantype eq
+ { pop }
+ { pop pop pop $findfontByEnum }
+ ifelse
+ }
+ ifelse
+ }
+ { pop pop pop $findfontByEnum }
+ ifelse
+ }
+ { pop pop $findfontByEnum }
+ ifelse
+ }
+ ifelse
+ }
+ ifelse
+ }
+ { //SubstituteFont exec }
+ ifelse
+ /$slen 0 def
+ end
+ }
+ }
+ {
+ {
+ $SubstituteFont
+ begin
+ /$substituteFound true def
+ dup length $slen gt
+ $sname null ne or
+ $slen 0 gt and
+ { $findfontByEnum }
+ { //SubstituteFont exec }
+ ifelse
+ end
+ }
+ }
+ ifelse
+ bind readonly def
+ Adobe_CoolType_Core /scfindfont /systemfindfont load put
+ }
+ {
+ /scfindfont
+ {
+ $SubstituteFont
+ begin
+ dup systemfindfont
+ dup /FontName known
+ { dup /FontName get dup 3 index ne }
+ { /noname true }
+ ifelse
+ dup
+ {
+ /$origfontnamefound 2 index def
+ /$origfontname 4 index def /$substituteFound true def
+ }
+ if
+ exch pop
+ {
+ $slen 0 gt
+ $sname null ne
+ 3 index length $slen gt or and
+ {
+ pop dup $findfontByEnum findfont
+ dup maxlength 1 add dict
+ begin
+ { 1 index /FID eq { pop pop } { def } ifelse }
+ forall
+ currentdict
+ end
+ definefont
+ dup /FontName known { dup /FontName get } { null } ifelse
+ $origfontnamefound ne
+ {
+ $origfontname $str cvs print
+ ( substitution revised, using ) print
+ dup /FontName known
+ { dup /FontName get } { (unspecified font) }
+ ifelse
+ $str cvs print (.\n) print
+ }
+ if
+ }
+ { exch pop }
+ ifelse
+ }
+ { exch pop }
+ ifelse
+ end
+ } bind def
+ }
+ ifelse
+ end
+ end
+ Adobe_CoolType_Core_Defined not
+ {
+ Adobe_CoolType_Core /findfont
+ {
+ $SubstituteFont
+ begin
+ $depth 0 eq
+ {
+ /$fontname 1 index dup type /stringtype ne { $str cvs } if def
+ /$substituteFound false def
+ }
+ if
+ /$depth $depth 1 add def
+ end
+ scfindfont
+ $SubstituteFont
+ begin
+ /$depth $depth 1 sub def
+ $substituteFound $depth 0 eq and
+ {
+ $inVMIndex null ne
+ { dup $inVMIndex $AddInVMFont }
+ if
+ $doSmartSub
+ {
+ currentdict /$Strategy known
+ { $Strategy /$BuildFont get exec }
+ if
+ }
+ if
+ }
+ if
+ end
+ } bind put
+ }
+ if
+ }
+ if
+ end
+/$AddInVMFont
+ {
+ exch /FontName 2 copy known
+ {
+ get
+ 1 dict dup begin exch 1 index gcheck def end exch
+ Adobe_CoolType_Data /InVMFontsByCMap get exch
+ $DictAdd
+ }
+ { pop pop pop }
+ ifelse
+ } bind def
+/$DictAdd
+ {
+ 2 copy known not
+ { 2 copy 4 index length dict put }
+ if
+ Level2? not
+ {
+ 2 copy get dup maxlength exch length 4 index length add lt
+ 2 copy get dup length 4 index length add exch maxlength 1 index lt
+ {
+ 2 mul dict
+ begin
+ 2 copy get { forall } def
+ 2 copy currentdict put
+ end
+ }
+ { pop }
+ ifelse
+ }
+ if
+ get
+ begin
+ { def }
+ forall
+ end
+ } bind def
+end
+end
+%%EndResource
+%%BeginResource: procset Adobe_CoolType_Utility_MAKEOCF 1.19 0
+%%Copyright: Copyright 1987-2003 Adobe Systems Incorporated.
+%%Version: 1.19 0
+systemdict /languagelevel known dup
+ { currentglobal false setglobal }
+ { false }
+ifelse
+exch
+userdict /Adobe_CoolType_Utility 2 copy known
+ { 2 copy get dup maxlength 25 add dict copy }
+ { 25 dict }
+ifelse put
+Adobe_CoolType_Utility
+ begin
+ /ct_Level2? exch def
+ /ct_Clone? 1183615869 internaldict dup
+ /CCRun known not
+ exch /eCCRun known not
+ ct_Level2? and or def
+ct_Level2?
+ { globaldict begin currentglobal true setglobal }
+if
+ /ct_AddStdCIDMap
+ ct_Level2?
+ { {
+ ((Hex) 57 StartData
+ 0615 1e27 2c39 1c60 d8a8 cc31 fe2b f6e0
+ 7aa3 e541 e21c 60d8 a8c9 c3d0 6d9e 1c60
+ d8a8 c9c2 02d7 9a1c 60d8 a849 1c60 d8a8
+ cc36 74f4 1144 b13b 77) 0 () /SubFileDecode filter cvx exec
+ } }
+ { {
+ <BAB431EA07F209EB8C4348311481D9D3F76E3D15246555577D87BC510ED54E
+ 118C39697FA9F6DB58128E60EB8A12FA24D7CDD2FA94D221FA9EC8DA3E5E6A1C
+ 4ACECC8C2D39C54E7C946031DD156C3A6B4A09AD29E1867A> eexec
+ } }
+ ifelse bind def
+userdict /cid_extensions known
+dup { cid_extensions /cid_UpdateDB known and } if
+ {
+ cid_extensions
+ begin
+ /cid_GetCIDSystemInfo
+ {
+ 1 index type /stringtype eq
+ { exch cvn exch }
+ if
+ cid_extensions
+ begin
+ dup load 2 index known
+ {
+ 2 copy
+ cid_GetStatusInfo
+ dup null ne
+ {
+ 1 index load
+ 3 index get
+ dup null eq
+ { pop pop cid_UpdateDB }
+ {
+ exch
+ 1 index /Created get eq
+ { exch pop exch pop }
+ { pop cid_UpdateDB }
+ ifelse
+ }
+ ifelse
+ }
+ { pop cid_UpdateDB }
+ ifelse
+ }
+ { cid_UpdateDB }
+ ifelse
+ end
+ } bind def
+ end
+ }
+if
+ct_Level2?
+ { end setglobal }
+if
+ /ct_UseNativeCapability? systemdict /composefont known def
+ /ct_MakeOCF 35 dict def
+ /ct_Vars 25 dict def
+ /ct_GlyphDirProcs 6 dict def
+ /ct_BuildCharDict 15 dict dup
+ begin
+ /charcode 2 string def
+ /dst_string 1500 string def
+ /nullstring () def
+ /usewidths? true def
+ end def
+ ct_Level2? { setglobal } { pop } ifelse
+ ct_GlyphDirProcs
+ begin
+ /GetGlyphDirectory
+ {
+ systemdict /languagelevel known
+ { pop /CIDFont findresource /GlyphDirectory get }
+ {
+ 1 index /CIDFont findresource /GlyphDirectory
+ get dup type /dicttype eq
+ {
+ dup dup maxlength exch length sub 2 index lt
+ {
+ dup length 2 index add dict copy 2 index
+ /CIDFont findresource/GlyphDirectory 2 index put
+ }
+ if
+ }
+ if
+ exch pop exch pop
+ }
+ ifelse
+ +
+ } def
+ /+
+ {
+ systemdict /languagelevel known
+ {
+ currentglobal false setglobal
+ 3 dict begin
+ /vm exch def
+ }
+ { 1 dict begin }
+ ifelse
+ /$ exch def
+ systemdict /languagelevel known
+ {
+ vm setglobal
+ /gvm currentglobal def
+ $ gcheck setglobal
+ }
+ if
+ ? { $ begin } if
+ } def
+ /? { $ type /dicttype eq } def
+ /| {
+ userdict /Adobe_CoolType_Data known
+ {
+ Adobe_CoolType_Data /AddWidths? known
+ {
+ currentdict Adobe_CoolType_Data
+ begin
+ begin
+ AddWidths?
+ {
+ Adobe_CoolType_Data /CC 3 index put
+ ? { def } { $ 3 1 roll put } ifelse
+ CC charcode exch 1 index 0 2 index 256 idiv put
+ 1 index exch 1 exch 256 mod put
+ stringwidth 2 array astore
+ currentfont /Widths get exch CC exch put
+ }
+ { ? { def } { $ 3 1 roll put } ifelse }
+ ifelse
+ end
+ end
+ }
+ { ? { def } { $ 3 1 roll put } ifelse } ifelse
+ }
+ { ? { def } { $ 3 1 roll put } ifelse }
+ ifelse
+ } def
+ /!
+ {
+ ? { end } if
+ systemdict /languagelevel known
+ { gvm setglobal }
+ if
+ end
+ } def
+ /: { string currentfile exch readstring pop } executeonly def
+ end
+ ct_MakeOCF
+ begin
+ /ct_cHexEncoding
+ [/c00/c01/c02/c03/c04/c05/c06/c07/c08/c09/c0A/c0B/c0C/c0D/c0E/c0F/c10/c11/c12
+ /c13/c14/c15/c16/c17/c18/c19/c1A/c1B/c1C/c1D/c1E/c1F/c20/c21/c22/c23/c24/c25
+ /c26/c27/c28/c29/c2A/c2B/c2C/c2D/c2E/c2F/c30/c31/c32/c33/c34/c35/c36/c37/c38
+ /c39/c3A/c3B/c3C/c3D/c3E/c3F/c40/c41/c42/c43/c44/c45/c46/c47/c48/c49/c4A/c4B
+ /c4C/c4D/c4E/c4F/c50/c51/c52/c53/c54/c55/c56/c57/c58/c59/c5A/c5B/c5C/c5D/c5E
+ /c5F/c60/c61/c62/c63/c64/c65/c66/c67/c68/c69/c6A/c6B/c6C/c6D/c6E/c6F/c70/c71
+ /c72/c73/c74/c75/c76/c77/c78/c79/c7A/c7B/c7C/c7D/c7E/c7F/c80/c81/c82/c83/c84
+ /c85/c86/c87/c88/c89/c8A/c8B/c8C/c8D/c8E/c8F/c90/c91/c92/c93/c94/c95/c96/c97
+ /c98/c99/c9A/c9B/c9C/c9D/c9E/c9F/cA0/cA1/cA2/cA3/cA4/cA5/cA6/cA7/cA8/cA9/cAA
+ /cAB/cAC/cAD/cAE/cAF/cB0/cB1/cB2/cB3/cB4/cB5/cB6/cB7/cB8/cB9/cBA/cBB/cBC/cBD
+ /cBE/cBF/cC0/cC1/cC2/cC3/cC4/cC5/cC6/cC7/cC8/cC9/cCA/cCB/cCC/cCD/cCE/cCF/cD0
+ /cD1/cD2/cD3/cD4/cD5/cD6/cD7/cD8/cD9/cDA/cDB/cDC/cDD/cDE/cDF/cE0/cE1/cE2/cE3
+ /cE4/cE5/cE6/cE7/cE8/cE9/cEA/cEB/cEC/cED/cEE/cEF/cF0/cF1/cF2/cF3/cF4/cF5/cF6
+ /cF7/cF8/cF9/cFA/cFB/cFC/cFD/cFE/cFF] def
+ /ct_CID_STR_SIZE 8000 def
+ /ct_mkocfStr100 100 string def
+ /ct_defaultFontMtx [.001 0 0 .001 0 0] def
+ /ct_1000Mtx [1000 0 0 1000 0 0] def
+ /ct_raise {exch cvx exch errordict exch get exec stop} bind def
+ /ct_reraise
+ { cvx $error /errorname get (Error: ) print dup ( ) cvs print
+ errordict exch get exec stop
+ } bind def
+ /ct_cvnsi
+ {
+ 1 index add 1 sub 1 exch 0 4 1 roll
+ {
+ 2 index exch get
+ exch 8 bitshift
+ add
+ }
+ for
+ exch pop
+ } bind def
+ /ct_GetInterval
+ {
+ Adobe_CoolType_Utility /ct_BuildCharDict get
+ begin
+ /dst_index 0 def
+ dup dst_string length gt
+ { dup string /dst_string exch def }
+ if
+ 1 index ct_CID_STR_SIZE idiv
+ /arrayIndex exch def
+ 2 index arrayIndex get
+ 2 index
+ arrayIndex ct_CID_STR_SIZE mul
+ sub
+ {
+ dup 3 index add 2 index length le
+ {
+ 2 index getinterval
+ dst_string dst_index 2 index putinterval
+ length dst_index add /dst_index exch def
+ exit
+ }
+ {
+ 1 index length 1 index sub
+ dup 4 1 roll
+ getinterval
+ dst_string dst_index 2 index putinterval
+ pop dup dst_index add /dst_index exch def
+ sub
+ /arrayIndex arrayIndex 1 add def
+ 2 index dup length arrayIndex gt
+ { arrayIndex get }
+ {
+ pop
+ exit
+ }
+ ifelse
+ 0
+ }
+ ifelse
+ }
+ loop
+ pop pop pop
+ dst_string 0 dst_index getinterval
+ end
+ } bind def
+ ct_Level2?
+ {
+ /ct_resourcestatus
+ currentglobal mark true setglobal
+ { /unknowninstancename /Category resourcestatus }
+ stopped
+ { cleartomark setglobal true }
+ { cleartomark currentglobal not exch setglobal }
+ ifelse
+ {
+ {
+ mark 3 1 roll /Category findresource
+ begin
+ ct_Vars /vm currentglobal put
+ ({ResourceStatus} stopped) 0 () /SubFileDecode filter cvx exec
+ { cleartomark false }
+ { { 3 2 roll pop true } { cleartomark false } ifelse }
+ ifelse
+ ct_Vars /vm get setglobal
+ end
+ }
+ }
+ { { resourcestatus } }
+ ifelse bind def
+ /CIDFont /Category ct_resourcestatus
+ { pop pop }
+ {
+ currentglobal true setglobal
+ /Generic /Category findresource
+ dup length dict copy
+ dup /InstanceType /dicttype put
+ /CIDFont exch /Category defineresource pop
+ setglobal
+ }
+ ifelse
+ ct_UseNativeCapability?
+ {
+ /CIDInit /ProcSet findresource begin
+ 12 dict begin
+ begincmap
+ /CIDSystemInfo 3 dict dup begin
+ /Registry (Adobe) def
+ /Ordering (Identity) def
+ /Supplement 0 def
+ end def
+ /CMapName /Identity-H def
+ /CMapVersion 1.000 def
+ /CMapType 1 def
+ 1 begincodespacerange
+ <0000> <FFFF>
+ endcodespacerange
+ 1 begincidrange
+ <0000> <FFFF> 0
+ endcidrange
+ endcmap
+ CMapName currentdict /CMap defineresource pop
+ end
+ end
+ }
+ if
+ }
+ {
+ /ct_Category 2 dict begin
+ /CIDFont 10 dict def
+ /ProcSet 2 dict def
+ currentdict
+ end
+ def
+ /defineresource
+ {
+ ct_Category 1 index 2 copy known
+ {
+ get
+ dup dup maxlength exch length eq
+ {
+ dup length 10 add dict copy
+ ct_Category 2 index 2 index put
+ }
+ if
+ 3 index 3 index put
+ pop exch pop
+ }
+ { pop pop /defineresource /undefined ct_raise }
+ ifelse
+ } bind def
+ /findresource
+ {
+ ct_Category 1 index 2 copy known
+ {
+ get
+ 2 index 2 copy known
+ { get 3 1 roll pop pop}
+ { pop pop /findresource /undefinedresource ct_raise }
+ ifelse
+ }
+ { pop pop /findresource /undefined ct_raise }
+ ifelse
+ } bind def
+ /resourcestatus
+ {
+ ct_Category 1 index 2 copy known
+ {
+ get
+ 2 index known
+ exch pop exch pop
+ {
+ 0 -1 true
+ }
+ {
+ false
+ }
+ ifelse
+ }
+ { pop pop /findresource /undefined ct_raise }
+ ifelse
+ } bind def
+ /ct_resourcestatus /resourcestatus load def
+ }
+ ifelse
+ /ct_CIDInit 2 dict
+ begin
+ /ct_cidfont_stream_init
+ {
+ {
+ dup (Binary) eq
+ {
+ pop
+ null
+ currentfile
+ ct_Level2?
+ {
+ { cid_BYTE_COUNT () /SubFileDecode filter }
+ stopped
+ { pop pop pop }
+ if
+ }
+ if
+ /readstring load
+ exit
+ }
+ if
+ dup (Hex) eq
+ {
+ pop
+ currentfile
+ ct_Level2?
+ {
+ { null exch /ASCIIHexDecode filter /readstring }
+ stopped
+ { pop exch pop (>) exch /readhexstring }
+ if
+ }
+ { (>) exch /readhexstring }
+ ifelse
+ load
+ exit
+ }
+ if
+ /StartData /typecheck ct_raise
+ }
+ loop
+ cid_BYTE_COUNT ct_CID_STR_SIZE le
+ {
+ 2 copy cid_BYTE_COUNT string exch exec
+ pop
+ 1 array dup
+ 3 -1 roll
+ 0 exch put
+ }
+ {
+ cid_BYTE_COUNT ct_CID_STR_SIZE div ceiling cvi
+ dup array exch 2 sub 0 exch 1 exch
+ {
+ 2 copy
+ 5 index
+ ct_CID_STR_SIZE
+ string
+ 6 index exec
+ pop
+ put
+ pop
+ }
+ for
+ 2 index
+ cid_BYTE_COUNT ct_CID_STR_SIZE mod string
+ 3 index exec
+ pop
+ 1 index exch
+ 1 index length 1 sub
+ exch put
+ }
+ ifelse
+ cid_CIDFONT exch /GlyphData exch put
+ 2 index null eq
+ {
+ pop pop pop
+ }
+ {
+ pop /readstring load
+ 1 string exch
+ {
+ 3 copy exec
+ pop
+ dup length 0 eq
+ {
+ pop pop pop pop pop
+ true exit
+ }
+ if
+ 4 index
+ eq
+ {
+ pop pop pop pop
+ false exit
+ }
+ if
+ }
+ loop
+ pop
+ }
+ ifelse
+ } bind def
+ /StartData
+ {
+ mark
+ {
+ currentdict
+ dup /FDArray get 0 get /FontMatrix get
+ 0 get 0.001 eq
+ {
+ dup /CDevProc known not
+ {
+ /CDevProc 1183615869 internaldict /stdCDevProc 2 copy known
+ { get }
+ {
+ pop pop
+ { pop pop pop pop pop 0 -1000 7 index 2 div 880 }
+ }
+ ifelse
+ def
+ }
+ if
+ }
+ {
+ /CDevProc
+ {
+ pop pop pop pop pop
+ 0
+ 1 cid_temp /cid_CIDFONT get
+ /FDArray get 0 get
+ /FontMatrix get 0 get div
+ 7 index 2 div
+ 1 index 0.88 mul
+ } def
+ }
+ ifelse
+ /cid_temp 15 dict def
+ cid_temp
+ begin
+ /cid_CIDFONT exch def
+ 3 copy pop
+ dup /cid_BYTE_COUNT exch def 0 gt
+ {
+ ct_cidfont_stream_init
+ FDArray
+ {
+ /Private get
+ dup /SubrMapOffset known
+ {
+ begin
+ /Subrs SubrCount array def
+ Subrs
+ SubrMapOffset
+ SubrCount
+ SDBytes
+ ct_Level2?
+ {
+ currentdict dup /SubrMapOffset undef
+ dup /SubrCount undef
+ /SDBytes undef
+ }
+ if
+ end
+ /cid_SD_BYTES exch def
+ /cid_SUBR_COUNT exch def
+ /cid_SUBR_MAP_OFFSET exch def
+ /cid_SUBRS exch def
+ cid_SUBR_COUNT 0 gt
+ {
+ GlyphData cid_SUBR_MAP_OFFSET cid_SD_BYTES ct_GetInterval
+ 0 cid_SD_BYTES ct_cvnsi
+ 0 1 cid_SUBR_COUNT 1 sub
+ {
+ exch 1 index
+ 1 add
+ cid_SD_BYTES mul cid_SUBR_MAP_OFFSET add
+ GlyphData exch cid_SD_BYTES ct_GetInterval
+ 0 cid_SD_BYTES ct_cvnsi
+ cid_SUBRS 4 2 roll
+ GlyphData exch
+ 4 index
+ 1 index
+ sub
+ ct_GetInterval
+ dup length string copy put
+ }
+ for
+ pop
+ }
+ if
+ }
+ { pop }
+ ifelse
+ }
+ forall
+ }
+ if
+ cleartomark pop pop
+ end
+ CIDFontName currentdict /CIDFont defineresource pop
+ end end
+ }
+ stopped
+ { cleartomark /StartData ct_reraise }
+ if
+ } bind def
+ currentdict
+ end def
+ /ct_saveCIDInit
+ {
+ /CIDInit /ProcSet ct_resourcestatus
+ { true }
+ { /CIDInitC /ProcSet ct_resourcestatus }
+ ifelse
+ {
+ pop pop
+ /CIDInit /ProcSet findresource
+ ct_UseNativeCapability?
+ { pop null }
+ { /CIDInit ct_CIDInit /ProcSet defineresource pop }
+ ifelse
+ }
+ { /CIDInit ct_CIDInit /ProcSet defineresource pop null }
+ ifelse
+ ct_Vars exch /ct_oldCIDInit exch put
+ } bind def
+ /ct_restoreCIDInit
+ {
+ ct_Vars /ct_oldCIDInit get dup null ne
+ { /CIDInit exch /ProcSet defineresource pop }
+ { pop }
+ ifelse
+ } bind def
+ /ct_BuildCharSetUp
+ {
+ 1 index
+ begin
+ CIDFont
+ begin
+ Adobe_CoolType_Utility /ct_BuildCharDict get
+ begin
+ /ct_dfCharCode exch def
+ /ct_dfDict exch def
+ CIDFirstByte ct_dfCharCode add
+ dup CIDCount ge
+ { pop 0 }
+ if
+ /cid exch def
+ {
+ GlyphDirectory cid 2 copy known
+ { get }
+ { pop pop nullstring }
+ ifelse
+ dup length FDBytes sub 0 gt
+ {
+ dup
+ FDBytes 0 ne
+ { 0 FDBytes ct_cvnsi }
+ { pop 0 }
+ ifelse
+ /fdIndex exch def
+ dup length FDBytes sub FDBytes exch getinterval
+ /charstring exch def
+ exit
+ }
+ {
+ pop
+ cid 0 eq
+ { /charstring nullstring def exit }
+ if
+ /cid 0 def
+ }
+ ifelse
+ }
+ loop
+ } def
+ /ct_SetCacheDevice
+ {
+ 0 0 moveto
+ dup stringwidth
+ 3 -1 roll
+ true charpath
+ pathbbox
+ 0 -1000
+ 7 index 2 div 880
+ setcachedevice2
+ 0 0 moveto
+ } def
+ /ct_CloneSetCacheProc
+ {
+ 1 eq
+ {
+ stringwidth
+ pop -2 div -880
+ 0 -1000 setcharwidth
+ moveto
+ }
+ {
+ usewidths?
+ {
+ currentfont /Widths get cid
+ 2 copy known
+ { get exch pop aload pop }
+ { pop pop stringwidth }
+ ifelse
+ }
+ { stringwidth }
+ ifelse
+ setcharwidth
+ 0 0 moveto
+ }
+ ifelse
+ } def
+ /ct_Type3ShowCharString
+ {
+ ct_FDDict fdIndex 2 copy known
+ { get }
+ {
+ currentglobal 3 1 roll
+ 1 index gcheck setglobal
+ ct_Type1FontTemplate dup maxlength dict copy
+ begin
+ FDArray fdIndex get
+ dup /FontMatrix 2 copy known
+ { get }
+ { pop pop ct_defaultFontMtx }
+ ifelse
+ /FontMatrix exch dup length array copy def
+ /Private get
+ /Private exch def
+ /Widths rootfont /Widths get def
+ /CharStrings 1 dict dup /.notdef
+ <d841272cf18f54fc13> dup length string copy put def
+ currentdict
+ end
+ /ct_Type1Font exch definefont
+ dup 5 1 roll put
+ setglobal
+ }
+ ifelse
+ dup /CharStrings get 1 index /Encoding get
+ ct_dfCharCode get charstring put
+ rootfont /WMode 2 copy known
+ { get }
+ { pop pop 0 }
+ ifelse
+ exch
+ 1000 scalefont setfont
+ ct_str1 0 ct_dfCharCode put
+ ct_str1 exch ct_dfSetCacheProc
+ ct_SyntheticBold
+ {
+ currentpoint
+ ct_str1 show
+ newpath
+ moveto
+ ct_str1 true charpath
+ ct_StrokeWidth setlinewidth
+ stroke
+ }
+ { ct_str1 show }
+ ifelse
+ } def
+ /ct_Type4ShowCharString
+ {
+ ct_dfDict ct_dfCharCode charstring
+ FDArray fdIndex get
+ dup /FontMatrix get dup ct_defaultFontMtx ct_matrixeq not
+ { ct_1000Mtx matrix concatmatrix concat }
+ { pop }
+ ifelse
+ /Private get
+ Adobe_CoolType_Utility /ct_Level2? get not
+ {
+ ct_dfDict /Private
+ 3 -1 roll
+ { put }
+ 1183615869 internaldict /superexec get exec
+ }
+ if
+ 1183615869 internaldict
+ Adobe_CoolType_Utility /ct_Level2? get
+ { 1 index }
+ { 3 index /Private get mark 6 1 roll }
+ ifelse
+ dup /RunInt known
+ { /RunInt get }
+ { pop /CCRun }
+ ifelse
+ get exec
+ Adobe_CoolType_Utility /ct_Level2? get not
+ { cleartomark }
+ if
+ } bind def
+ /ct_BuildCharIncremental
+ {
+ {
+ Adobe_CoolType_Utility /ct_MakeOCF get begin
+ ct_BuildCharSetUp
+ ct_ShowCharString
+ }
+ stopped
+ { stop }
+ if
+ end
+ end
+ end
+ end
+ } bind def
+ /BaseFontNameStr (BF00) def
+ /ct_Type1FontTemplate 14 dict
+ begin
+ /FontType 1 def
+ /FontMatrix [0.001 0 0 0.001 0 0] def
+ /FontBBox [-250 -250 1250 1250] def
+ /Encoding ct_cHexEncoding def
+ /PaintType 0 def
+ currentdict
+ end def
+ /BaseFontTemplate 11 dict
+ begin
+ /FontMatrix [0.001 0 0 0.001 0 0] def
+ /FontBBox [-250 -250 1250 1250] def
+ /Encoding ct_cHexEncoding def
+ /BuildChar /ct_BuildCharIncremental load def
+ ct_Clone?
+ {
+ /FontType 3 def
+ /ct_ShowCharString /ct_Type3ShowCharString load def
+ /ct_dfSetCacheProc /ct_CloneSetCacheProc load def
+ /ct_SyntheticBold false def
+ /ct_StrokeWidth 1 def
+ }
+ {
+ /FontType 4 def
+ /Private 1 dict dup /lenIV 4 put def
+ /CharStrings 1 dict dup /.notdef <d841272cf18f54fc13> put def
+ /PaintType 0 def
+ /ct_ShowCharString /ct_Type4ShowCharString load def
+ }
+ ifelse
+ /ct_str1 1 string def
+ currentdict
+ end def
+ /BaseFontDictSize BaseFontTemplate length 5 add def
+ /ct_matrixeq
+ {
+ true 0 1 5
+ {
+ dup 4 index exch get exch 3 index exch get eq and
+ dup not
+ { exit }
+ if
+ }
+ for
+ exch pop exch pop
+ } bind def
+ /ct_makeocf
+ {
+ 15 dict
+ begin
+ exch /WMode exch def
+ exch /FontName exch def
+ /FontType 0 def
+ /FMapType 2 def
+ dup /FontMatrix known
+ { dup /FontMatrix get /FontMatrix exch def }
+ { /FontMatrix matrix def }
+ ifelse
+ /bfCount 1 index /CIDCount get 256 idiv 1 add
+ dup 256 gt { pop 256} if def
+ /Encoding
+ 256 array 0 1 bfCount 1 sub { 2 copy dup put pop } for
+ bfCount 1 255 { 2 copy bfCount put pop } for
+ def
+ /FDepVector bfCount dup 256 lt { 1 add } if array def
+ BaseFontTemplate BaseFontDictSize dict copy
+ begin
+ /CIDFont exch def
+ CIDFont /FontBBox known
+ { CIDFont /FontBBox get /FontBBox exch def }
+ if
+ CIDFont /CDevProc known
+ { CIDFont /CDevProc get /CDevProc exch def }
+ if
+ currentdict
+ end
+ BaseFontNameStr 3 (0) putinterval
+ 0 1 bfCount dup 256 eq { 1 sub } if
+ {
+ FDepVector exch
+ 2 index BaseFontDictSize dict copy
+ begin
+ dup /CIDFirstByte exch 256 mul def
+ FontType 3 eq
+ { /ct_FDDict 2 dict def }
+ if
+ currentdict
+ end
+ 1 index 16
+ BaseFontNameStr 2 2 getinterval cvrs pop
+ BaseFontNameStr exch definefont
+ put
+ }
+ for
+ ct_Clone?
+ { /Widths 1 index /CIDFont get /GlyphDirectory get length dict def }
+ if
+ FontName
+ currentdict
+ end
+ definefont
+ ct_Clone?
+ {
+ gsave
+ dup 1000 scalefont setfont
+ ct_BuildCharDict
+ begin
+ /usewidths? false def
+ currentfont /Widths get
+ begin
+ exch /CIDFont get /GlyphDirectory get
+ {
+ pop
+ dup charcode exch 1 index 0 2 index 256 idiv put
+ 1 index exch 1 exch 256 mod put
+ stringwidth 2 array astore def
+ }
+ forall
+ end
+ /usewidths? true def
+ end
+ grestore
+ }
+ { exch pop }
+ ifelse
+ } bind def
+ /ct_ComposeFont
+ {
+ ct_UseNativeCapability?
+ {
+ 2 index /CMap ct_resourcestatus
+ { pop pop exch pop }
+ {
+ /CIDInit /ProcSet findresource
+ begin
+ 12 dict
+ begin
+ begincmap
+ /CMapName 3 index def
+ /CMapVersion 1.000 def
+ /CMapType 1 def
+ exch /WMode exch def
+ /CIDSystemInfo 3 dict dup
+ begin
+ /Registry (Adobe) def
+ /Ordering
+ CMapName ct_mkocfStr100 cvs
+ (Adobe-) search
+ {
+ pop pop
+ (-) search
+ {
+ dup length string copy
+ exch pop exch pop
+ }
+ { pop (Identity)}
+ ifelse
+ }
+ { pop (Identity) }
+ ifelse
+ def
+ /Supplement 0 def
+ end def
+ 1 begincodespacerange
+ <0000> <FFFF>
+ endcodespacerange
+ 1 begincidrange
+ <0000> <FFFF> 0
+ endcidrange
+ endcmap
+ CMapName currentdict /CMap defineresource pop
+ end
+ end
+ }
+ ifelse
+ composefont
+ }
+ {
+ 3 2 roll pop
+ 0 get /CIDFont findresource
+ ct_makeocf
+ }
+ ifelse
+ } bind def
+ /ct_MakeIdentity
+ {
+ ct_UseNativeCapability?
+ {
+ 1 index /CMap ct_resourcestatus
+ { pop pop }
+ {
+ /CIDInit /ProcSet findresource begin
+ 12 dict begin
+ begincmap
+ /CMapName 2 index def
+ /CMapVersion 1.000 def
+ /CMapType 1 def
+ /CIDSystemInfo 3 dict dup
+ begin
+ /Registry (Adobe) def
+ /Ordering
+ CMapName ct_mkocfStr100 cvs
+ (Adobe-) search
+ {
+ pop pop
+ (-) search
+ { dup length string copy exch pop exch pop }
+ { pop (Identity) }
+ ifelse
+ }
+ { pop (Identity) }
+ ifelse
+ def
+ /Supplement 0 def
+ end def
+ 1 begincodespacerange
+ <0000> <FFFF>
+ endcodespacerange
+ 1 begincidrange
+ <0000> <FFFF> 0
+ endcidrange
+ endcmap
+ CMapName currentdict /CMap defineresource pop
+ end
+ end
+ }
+ ifelse
+ composefont
+ }
+ {
+ exch pop
+ 0 get /CIDFont findresource
+ ct_makeocf
+ }
+ ifelse
+ } bind def
+ currentdict readonly pop
+ end
+ end
+%%EndResource
+%%BeginResource: procset Adobe_CoolType_Utility_T42 1.0 0
+%%Copyright: Copyright 1987-2003 Adobe Systems Incorporated.
+%%Version: 1.0 0
+userdict /ct_T42Dict 15 dict put
+ct_T42Dict begin
+/Is2015?
+{
+ version
+ cvi
+ 2015
+ ge
+} bind def
+/AllocGlyphStorage
+{
+ Is2015?
+ {
+ pop
+ }
+ {
+ {string} forall
+ } ifelse
+} bind def
+/Type42DictBegin
+{
+ 25 dict begin
+ /FontName exch def
+ /CharStrings 256 dict
+ begin
+ /.notdef 0 def
+ currentdict
+ end def
+ /Encoding exch def
+ /PaintType 0 def
+ /FontType 42 def
+ /FontMatrix [1 0 0 1 0 0] def
+ 4 array astore cvx /FontBBox exch def
+ /sfnts
+} bind def
+/Type42DictEnd
+{
+ currentdict dup /FontName get exch definefont end
+ ct_T42Dict exch
+ dup /FontName get exch put
+} bind def
+/RD {string currentfile exch readstring pop} executeonly def
+/PrepFor2015
+{
+ Is2015?
+ {
+ /GlyphDirectory
+ 16
+ dict def
+ sfnts 0 get
+ dup
+ 2 index
+ (glyx)
+ putinterval
+ 2 index
+ (locx)
+ putinterval
+ pop
+ pop
+ }
+ {
+ pop
+ pop
+ } ifelse
+} bind def
+/AddT42Char
+{
+ Is2015?
+ {
+ /GlyphDirectory get
+ begin
+ def
+ end
+ pop
+ pop
+ }
+ {
+ /sfnts get
+ 4 index
+ get
+ 3 index
+ 2 index
+ putinterval
+ pop
+ pop
+ pop
+ pop
+ } ifelse
+} bind def
+end
+%%EndResource
+Adobe_CoolType_Core begin /$Oblique SetSubstituteStrategy end
+%%BeginResource: procset Adobe_AGM_Image 1.0 0
+%%Version: 1.0 0
+%%Copyright: Copyright (C) 2000-2003 Adobe Systems, Inc. All Rights Reserved.
+systemdict /setpacking known
+{
+ currentpacking
+ true setpacking
+} if
+userdict /Adobe_AGM_Image 75 dict dup begin put
+/Adobe_AGM_Image_Id /Adobe_AGM_Image_1.0_0 def
+/nd{
+ null def
+}bind def
+/AGMIMG_&image nd
+/AGMIMG_&colorimage nd
+/AGMIMG_&imagemask nd
+/AGMIMG_mbuf () def
+/AGMIMG_ybuf () def
+/AGMIMG_kbuf () def
+/AGMIMG_c 0 def
+/AGMIMG_m 0 def
+/AGMIMG_y 0 def
+/AGMIMG_k 0 def
+/AGMIMG_tmp nd
+/AGMIMG_imagestring0 nd
+/AGMIMG_imagestring1 nd
+/AGMIMG_imagestring2 nd
+/AGMIMG_imagestring3 nd
+/AGMIMG_imagestring4 nd
+/AGMIMG_imagestring5 nd
+/AGMIMG_cnt nd
+/AGMIMG_fsave nd
+/AGMIMG_colorAry nd
+/AGMIMG_override nd
+/AGMIMG_name nd
+/AGMIMG_maskSource nd
+/invert_image_samples nd
+/knockout_image_samples nd
+/img nd
+/sepimg nd
+/devnimg nd
+/idximg nd
+/doc_setup
+{
+ Adobe_AGM_Core begin
+ Adobe_AGM_Image begin
+ /AGMIMG_&image systemdict/image get def
+ /AGMIMG_&imagemask systemdict/imagemask get def
+ /colorimage where{
+ pop
+ /AGMIMG_&colorimage /colorimage ldf
+ }if
+ end
+ end
+}def
+/page_setup
+{
+ Adobe_AGM_Image begin
+ /AGMIMG_ccimage_exists {/customcolorimage where
+ {
+ pop
+ /Adobe_AGM_OnHost_Seps where
+ {
+ pop false
+ }{
+ /Adobe_AGM_InRip_Seps where
+ {
+ pop false
+ }{
+ true
+ }ifelse
+ }ifelse
+ }{
+ false
+ }ifelse
+ }bdf
+ level2{
+ /invert_image_samples
+ {
+ Adobe_AGM_Image/AGMIMG_tmp Decode length ddf
+ /Decode [ Decode 1 get Decode 0 get] def
+ }def
+ /knockout_image_samples
+ {
+ Operator/imagemask ne{
+ /Decode [1 1] def
+ }if
+ }def
+ }{
+ /invert_image_samples
+ {
+ {1 exch sub} currenttransfer addprocs settransfer
+ }def
+ /knockout_image_samples
+ {
+ { pop 1 } currenttransfer addprocs settransfer
+ }def
+ }ifelse
+ /img /imageormask ldf
+ /sepimg /sep_imageormask ldf
+ /devnimg /devn_imageormask ldf
+ /idximg /indexed_imageormask ldf
+ /_ctype 7 def
+ currentdict{
+ dup xcheck 1 index type dup /arraytype eq exch /packedarraytype eq or and{
+ bind
+ }if
+ def
+ }forall
+}def
+/page_trailer
+{
+ end
+}def
+/doc_trailer
+{
+}def
+/imageormask_sys
+{
+ begin
+ save mark
+ level2{
+ currentdict
+ Operator /imagemask eq{
+ AGMIMG_&imagemask
+ }{
+ use_mask {
+ level3 {process_mask_L3 AGMIMG_&image}{masked_image_simulation}ifelse
+ }{
+ AGMIMG_&image
+ }ifelse
+ }ifelse
+ }{
+ Width Height
+ Operator /imagemask eq{
+ Decode 0 get 1 eq Decode 1 get 0 eq and
+ ImageMatrix /DataSource load
+ AGMIMG_&imagemask
+ }{
+ BitsPerComponent ImageMatrix /DataSource load
+ AGMIMG_&image
+ }ifelse
+ }ifelse
+ cleartomark restore
+ end
+}def
+/overprint_plate
+{
+ currentoverprint {
+ 0 get dup type /nametype eq {
+ dup /DeviceGray eq{
+ pop AGMCORE_black_plate not
+ }{
+ /DeviceCMYK eq{
+ AGMCORE_is_cmyk_sep not
+ }if
+ }ifelse
+ }{
+ false exch
+ {
+ AGMOHS_sepink eq or
+ } forall
+ not
+ } ifelse
+ }{
+ pop false
+ }ifelse
+}def
+/process_mask_L3
+{
+ dup begin
+ /ImageType 1 def
+ end
+ 4 dict begin
+ /DataDict exch def
+ /ImageType 3 def
+ /InterleaveType 3 def
+ /MaskDict 9 dict begin
+ /ImageType 1 def
+ /Width DataDict dup /MaskWidth known {/MaskWidth}{/Width} ifelse get def
+ /Height DataDict dup /MaskHeight known {/MaskHeight}{/Height} ifelse get def
+ /ImageMatrix [Width 0 0 Height neg 0 Height] def
+ /NComponents 1 def
+ /BitsPerComponent 1 def
+ /Decode [0 1] def
+ /DataSource AGMIMG_maskSource def
+ currentdict end def
+ currentdict end
+}def
+/use_mask
+{
+ dup type /dicttype eq
+ {
+ dup /Mask known {
+ dup /Mask get {
+ level3
+ {true}
+ {
+ dup /MaskWidth known {dup /MaskWidth get 1 index /Width get eq}{true}ifelse exch
+ dup /MaskHeight known {dup /MaskHeight get 1 index /Height get eq}{true}ifelse
+ 3 -1 roll and
+ } ifelse
+ }
+ {false} ifelse
+ }
+ {false} ifelse
+ }
+ {false} ifelse
+}def
+/make_line_source
+{
+ begin
+ MultipleDataSources {
+ [
+ Decode length 2 div cvi {Width string} repeat
+ ]
+ }{
+ Width Decode length 2 div mul cvi string
+ }ifelse
+ end
+}def
+/datasource_to_str
+{
+ exch dup type
+ dup /filetype eq {
+ pop exch readstring
+ }{
+ /arraytype eq {
+ exec exch copy
+ }{
+ pop
+ }ifelse
+ }ifelse
+ pop
+}def
+/masked_image_simulation
+{
+ 3 dict begin
+ dup make_line_source /line_source xdf
+ /mask_source AGMIMG_maskSource /LZWDecode filter def
+ dup /Width get 8 div ceiling cvi string /mask_str xdf
+ begin
+ gsave
+ 0 1 translate 1 -1 Height div scale
+ 1 1 Height {
+ pop
+ gsave
+ MultipleDataSources {
+ 0 1 DataSource length 1 sub {
+ dup DataSource exch get
+ exch line_source exch get
+ datasource_to_str
+ } for
+ }{
+ DataSource line_source datasource_to_str
+ } ifelse
+ <<
+ /PatternType 1
+ /PaintProc [
+ /pop cvx
+ <<
+ /ImageType 1
+ /Width Width
+ /Height 1
+ /ImageMatrix Width 1.0 sub 1 matrix scale 0.5 0 matrix translate matrix concatmatrix
+ /MultipleDataSources MultipleDataSources
+ /DataSource line_source
+ /BitsPerComponent BitsPerComponent
+ /Decode Decode
+ >>
+ /image cvx
+ ] cvx
+ /BBox [0 0 Width 1]
+ /XStep Width
+ /YStep 1
+ /PaintType 1
+ /TilingType 2
+ >>
+ matrix makepattern set_pattern
+ <<
+ /ImageType 1
+ /Width Width
+ /Height 1
+ /ImageMatrix Width 1 matrix scale
+ /MultipleDataSources false
+ /DataSource mask_source mask_str readstring pop
+ /BitsPerComponent 1
+ /Decode [0 1]
+ >>
+ imagemask
+ grestore
+ 0 1 translate
+ } for
+ grestore
+ end
+ end
+}def
+/imageormask
+{
+ begin
+ SkipImageProc {
+ currentdict consumeimagedata
+ }
+ {
+ save mark
+ level2 AGMCORE_host_sep not and{
+ currentdict
+ Operator /imagemask eq DeviceN_PS2 not and {
+ imagemask
+ }{
+ AGMCORE_in_rip_sep currentoverprint and currentcolorspace 0 get /DeviceGray eq and{
+ [/Separation /Black /DeviceGray {}] setcolorspace
+ /Decode [ Decode 1 get Decode 0 get ] def
+ }if
+ use_mask {
+ level3 {process_mask_L3 image}{masked_image_simulation}ifelse
+ }{
+ DeviceN_NoneName DeviceN_PS2 Indexed_DeviceN level3 not and or or AGMCORE_in_rip_sep and
+ {
+ Names convert_to_process not {
+ 2 dict begin
+ /imageDict xdf
+ /names_index 0 def
+ gsave
+ imageDict write_image_file {
+ Names {
+ dup (None) ne {
+ [/Separation 3 -1 roll /DeviceGray {1 exch sub}] setcolorspace
+ Operator imageDict read_image_file
+ names_index 0 eq {true setoverprint} if
+ /names_index names_index 1 add def
+ }{
+ pop
+ } ifelse
+ } forall
+ close_image_file
+ } if
+ grestore
+ end
+ }{
+ Operator /imagemask eq {
+ imagemask
+ }{
+ image
+ } ifelse
+ } ifelse
+ }{
+ Operator /imagemask eq {
+ imagemask
+ }{
+ image
+ } ifelse
+ } ifelse
+ }ifelse
+ }ifelse
+ }{
+ Width Height
+ Operator /imagemask eq{
+ Decode 0 get 1 eq Decode 1 get 0 eq and
+ ImageMatrix /DataSource load
+ /Adobe_AGM_OnHost_Seps where {
+ pop imagemask
+ }{
+ currentgray 1 ne{
+ currentdict imageormask_sys
+ }{
+ currentoverprint not{
+ 1 AGMCORE_&setgray
+ currentdict imageormask_sys
+ }{
+ currentdict ignoreimagedata
+ }ifelse
+ }ifelse
+ }ifelse
+ }{
+ BitsPerComponent ImageMatrix
+ MultipleDataSources{
+ 0 1 NComponents 1 sub{
+ DataSource exch get
+ }for
+ }{
+ /DataSource load
+ }ifelse
+ Operator /colorimage eq{
+ AGMCORE_host_sep{
+ MultipleDataSources level2 or NComponents 4 eq and{
+ AGMCORE_is_cmyk_sep{
+ MultipleDataSources{
+ /DataSource [
+ DataSource 0 get /exec cvx
+ DataSource 1 get /exec cvx
+ DataSource 2 get /exec cvx
+ DataSource 3 get /exec cvx
+ /AGMCORE_get_ink_data cvx
+ ] cvx def
+ }{
+ /DataSource
+ Width BitsPerComponent mul 7 add 8 idiv Height mul 4 mul
+ /DataSource load
+ filter_cmyk 0 () /SubFileDecode filter def
+ }ifelse
+ /Decode [ Decode 0 get Decode 1 get ] def
+ /MultipleDataSources false def
+ /NComponents 1 def
+ /Operator /image def
+ invert_image_samples
+ 1 AGMCORE_&setgray
+ currentdict imageormask_sys
+ }{
+ currentoverprint not Operator/imagemask eq and{
+ 1 AGMCORE_&setgray
+ currentdict imageormask_sys
+ }{
+ currentdict ignoreimagedata
+ }ifelse
+ }ifelse
+ }{
+ MultipleDataSources NComponents AGMIMG_&colorimage
+ }ifelse
+ }{
+ true NComponents colorimage
+ }ifelse
+ }{
+ Operator /image eq{
+ AGMCORE_host_sep{
+ /DoImage true def
+ HostSepColorImage{
+ invert_image_samples
+ }{
+ AGMCORE_black_plate not Operator/imagemask ne and{
+ /DoImage false def
+ currentdict ignoreimagedata
+ }if
+ }ifelse
+ 1 AGMCORE_&setgray
+ DoImage
+ {currentdict imageormask_sys} if
+ }{
+ use_mask {
+ level3 {process_mask_L3 image}{masked_image_simulation}ifelse
+ }{
+ image
+ }ifelse
+ }ifelse
+ }{
+ Operator/knockout eq{
+ pop pop pop pop pop
+ currentcolorspace overprint_plate not{
+ knockout_unitsq
+ }if
+ }if
+ }ifelse
+ }ifelse
+ }ifelse
+ }ifelse
+ cleartomark restore
+ }ifelse
+ end
+}def
+/sep_imageormask
+{
+ /sep_colorspace_dict AGMCORE_gget begin
+ /MappedCSA CSA map_csa def
+ begin
+ SkipImageProc {
+ currentdict consumeimagedata
+ }
+ {
+ save mark
+ AGMCORE_avoid_L2_sep_space{
+ /Decode [ Decode 0 get 255 mul Decode 1 get 255 mul ] def
+ }if
+ AGMIMG_ccimage_exists
+ MappedCSA 0 get /DeviceCMYK eq and
+ currentdict/Components known and
+ Name () ne and
+ Name (All) ne and
+ Operator /image eq and
+ AGMCORE_producing_seps not and
+ level2 not and
+ {
+ Width Height BitsPerComponent ImageMatrix
+ [
+ /DataSource load /exec cvx
+ {
+ 0 1 2 index length 1 sub{
+ 1 index exch
+ 2 copy get 255 xor put
+ }for
+ } /exec cvx
+ ] cvx bind
+ MappedCSA 0 get /DeviceCMYK eq{
+ Components aload pop
+ }{
+ 0 0 0 Components aload pop 1 exch sub
+ }ifelse
+ Name findcmykcustomcolor
+ customcolorimage
+ }{
+ AGMCORE_producing_seps not{
+ level2{
+ AGMCORE_avoid_L2_sep_space not currentcolorspace 0 get /Separation ne and{
+ [/Separation Name MappedCSA sep_proc_name exch 0 get exch load ] setcolorspace_opt
+ /sep_tint AGMCORE_gget setcolor
+ }if
+ currentdict imageormask
+ }{
+ currentdict
+ Operator /imagemask eq{
+ imageormask
+ }{
+ sep_imageormask_lev1
+ }ifelse
+ }ifelse
+ }{
+ AGMCORE_host_sep{
+ Operator/knockout eq{
+ currentdict/ImageMatrix get concat
+ knockout_unitsq
+ }{
+ currentgray 1 ne{
+ AGMCORE_is_cmyk_sep Name (All) ne and{
+ level2{
+ [ /Separation Name [/DeviceGray]
+ {
+ sep_colorspace_proc AGMCORE_get_ink_data
+ 1 exch sub
+ } bind
+ ] AGMCORE_&setcolorspace
+ /sep_tint AGMCORE_gget AGMCORE_&setcolor
+ currentdict imageormask_sys
+ }{
+ currentdict
+ Operator /imagemask eq{
+ imageormask_sys
+ }{
+ sep_image_lev1_sep
+ }ifelse
+ }ifelse
+ }{
+ Operator/imagemask ne{
+ invert_image_samples
+ }if
+ currentdict imageormask_sys
+ }ifelse
+ }{
+ currentoverprint not Name (All) eq or Operator/imagemask eq and{
+ currentdict imageormask_sys
+ }{
+ currentoverprint not
+ {
+ gsave
+ knockout_unitsq
+ grestore
+ }if
+ currentdict consumeimagedata
+ }ifelse
+ }ifelse
+ }ifelse
+ }{
+ currentcolorspace 0 get /Separation ne{
+ [/Separation Name MappedCSA sep_proc_name exch 0 get exch load ] setcolorspace_opt
+ /sep_tint AGMCORE_gget setcolor
+ }if
+ currentoverprint
+ MappedCSA 0 get /DeviceCMYK eq and
+ Name inRip_spot_has_ink not and
+ Name (All) ne and {
+ imageormask_l2_overprint
+ }{
+ currentdict imageormask
+ }ifelse
+ }ifelse
+ }ifelse
+ }ifelse
+ cleartomark restore
+ }ifelse
+ end
+ end
+}def
+/decode_image_sample
+{
+ 4 1 roll exch dup 5 1 roll
+ sub 2 4 -1 roll exp 1 sub div mul add
+} bdf
+/colorSpaceElemCnt
+{
+ currentcolorspace 0 get dup /DeviceCMYK eq {
+ pop 4
+ }
+ {
+ /DeviceRGB eq {
+ pop 3
+ }{
+ 1
+ } ifelse
+ } ifelse
+} bdf
+/devn_sep_datasource
+{
+ 1 dict begin
+ /dataSource xdf
+ [
+ 0 1 dataSource length 1 sub {
+ dup currentdict /dataSource get /exch cvx /get cvx /exec cvx
+ /exch cvx names_index /ne cvx [ /pop cvx ] cvx /if cvx
+ } for
+ ] cvx bind
+ end
+} bdf
+/devn_alt_datasource
+{
+ 11 dict begin
+ /srcDataStrs xdf
+ /dstDataStr xdf
+ /convProc xdf
+ /origcolorSpaceElemCnt xdf
+ /origMultipleDataSources xdf
+ /origBitsPerComponent xdf
+ /origDecode xdf
+ /origDataSource xdf
+ /dsCnt origMultipleDataSources {origDataSource length}{1}ifelse def
+ /samplesNeedDecoding
+ 0 0 1 origDecode length 1 sub {
+ origDecode exch get add
+ } for
+ origDecode length 2 div div
+ dup 1 eq {
+ /decodeDivisor 2 origBitsPerComponent exp 1 sub def
+ } if
+ 2 origBitsPerComponent exp 1 sub ne
+ def
+ [
+ 0 1 dsCnt 1 sub [
+ currentdict /origMultipleDataSources get {
+ dup currentdict /origDataSource get exch get dup type
+ }{
+ currentdict /origDataSource get dup type
+ } ifelse
+ dup /filetype eq {
+ pop currentdict /srcDataStrs get 3 -1 /roll cvx /get cvx /readstring cvx /pop cvx
+ }{
+ /stringtype ne {
+ /exec cvx
+ } if
+ currentdict /srcDataStrs get /exch cvx 3 -1 /roll cvx /xpt cvx
+ } ifelse
+ ] cvx /for cvx
+ currentdict /srcDataStrs get 0 /get cvx /length cvx 0 /ne cvx [
+ 0 1 Width 1 sub [
+ Adobe_AGM_Utils /AGMUTIL_ndx /xddf cvx
+ currentdict /origMultipleDataSources get {
+ 0 1 dsCnt 1 sub [
+ Adobe_AGM_Utils /AGMUTIL_ndx1 /xddf cvx
+ currentdict /srcDataStrs get /AGMUTIL_ndx1 /load cvx /get cvx /AGMUTIL_ndx /load cvx /get cvx
+ samplesNeedDecoding {
+ currentdict /decodeDivisor known {
+ currentdict /decodeDivisor get /div cvx
+ }{
+ currentdict /origDecode get /AGMUTIL_ndx1 /load cvx 2 /mul cvx 2 /getinterval cvx /aload cvx /pop cvxs
+ BitsPerComponent /decode_image_sample load /exec cvx
+ } ifelse
+ } if
+ ] cvx /for cvx
+ }{
+ Adobe_AGM_Utils /AGMUTIL_ndx1 0 /ddf cvx
+ currentdict /srcDataStrs get 0 /get cvx /AGMUTIL_ndx /load cvx
+ currentdict /origDecode get length 2 idiv dup 3 1 /roll cvx /mul cvx /exch cvx /getinterval cvx
+ [
+ samplesNeedDecoding {
+ currentdict /decodeDivisor known {
+ currentdict /decodeDivisor get /div cvx
+ }{
+ currentdict /origDecode get /AGMUTIL_ndx1 /load cvx 2 /mul cvx 2 /getinterval cvx /aload cvx /pop cvx
+ BitsPerComponent /decode_image_sample load /exec cvx
+ Adobe_AGM_Utils /AGMUTIL_ndx1 /AGMUTIL_ndx1 /load cvx 1 /add cvx /ddf cvx
+ } ifelse
+ } if
+ ] cvx /forall cvx
+ } ifelse
+ currentdict /convProc get /exec cvx
+ currentdict /origcolorSpaceElemCnt get 1 sub -1 0 [
+ currentdict /dstDataStr get 3 1 /roll cvx /AGMUTIL_ndx /load cvx currentdict /origcolorSpaceElemCnt get /mul cvx /add cvx /exch cvx
+ currentdict /convProc get /filter_indexed_devn load ne {
+ 255 /mul cvx /cvi cvx
+ } if
+ /put cvx
+ ] cvx /for cvx
+ ] cvx /for cvx
+ currentdict /dstDataStr get
+ ] cvx /if cvx
+ ] cvx bind
+ end
+} bdf
+/devn_imageormask
+{
+ /devicen_colorspace_dict AGMCORE_gget begin
+ /MappedCSA CSA map_csa def
+ 2 dict begin
+ dup dup
+ /dstDataStr exch /Width get colorSpaceElemCnt mul string def
+ /srcDataStrs [ 3 -1 roll begin
+ currentdict /MultipleDataSources known {MultipleDataSources {DataSource length}{1}ifelse}{1} ifelse
+ {
+ Width Decode length 2 div mul cvi string
+ } repeat
+ end ] def
+ begin
+ SkipImageProc {
+ currentdict consumeimagedata
+ }
+ {
+ save mark
+ AGMCORE_producing_seps not {
+ level3 not {
+ Operator /imagemask ne {
+ /DataSource [
+ DataSource Decode BitsPerComponent currentdict /MultipleDataSources known {MultipleDataSources}{false} ifelse
+ colorSpaceElemCnt /devicen_colorspace_dict AGMCORE_gget /TintTransform get
+ dstDataStr srcDataStrs devn_alt_datasource /exec cvx
+ ] cvx 0 () /SubFileDecode filter def
+ /MultipleDataSources false def
+ /Decode colorSpaceElemCnt [ exch {0 1} repeat ] def
+ } if
+ }if
+ currentdict imageormask
+ }{
+ AGMCORE_host_sep{
+ Names convert_to_process {
+ CSA map_csa 0 get /DeviceCMYK eq {
+ /DataSource
+ Width BitsPerComponent mul 7 add 8 idiv Height mul 4 mul
+ [
+ DataSource Decode BitsPerComponent currentdict /MultipleDataSources known {MultipleDataSources}{false} ifelse
+ 4 /devicen_colorspace_dict AGMCORE_gget /TintTransform get
+ dstDataStr srcDataStrs devn_alt_datasource /exec cvx
+ ] cvx
+ filter_cmyk 0 () /SubFileDecode filter def
+ /MultipleDataSources false def
+ /Decode [1 0] def
+ /DeviceGray setcolorspace
+ currentdict imageormask_sys
+ }{
+ AGMCORE_report_unsupported_color_space
+ AGMCORE_black_plate {
+ /DataSource [
+ DataSource Decode BitsPerComponent currentdict /MultipleDataSources known {MultipleDataSources}{false} ifelse
+ CSA map_csa 0 get /DeviceRGB eq{3}{1}ifelse /devicen_colorspace_dict AGMCORE_gget /TintTransform get
+ dstDataStr srcDataStrs devn_alt_datasource /exec cvx
+ ] cvx 0 () /SubFileDecode filter def
+ /MultipleDataSources false def
+ /Decode colorSpaceElemCnt [ exch {0 1} repeat ] def
+ currentdict imageormask_sys
+ }
+ {
+ gsave
+ knockout_unitsq
+ grestore
+ currentdict consumeimagedata
+ } ifelse
+ } ifelse
+ }
+ {
+ /devicen_colorspace_dict AGMCORE_gget /names_index known {
+ Operator/imagemask ne{
+ MultipleDataSources {
+ /DataSource [ DataSource devn_sep_datasource /exec cvx ] cvx def
+ /MultipleDataSources false def
+ }{
+ /DataSource /DataSource load dstDataStr srcDataStrs 0 get filter_devn def
+ } ifelse
+ invert_image_samples
+ } if
+ currentdict imageormask_sys
+ }{
+ currentoverprint not Operator/imagemask eq and{
+ currentdict imageormask_sys
+ }{
+ currentoverprint not
+ {
+ gsave
+ knockout_unitsq
+ grestore
+ }if
+ currentdict consumeimagedata
+ }ifelse
+ }ifelse
+ }ifelse
+ }{
+ currentdict imageormask
+ }ifelse
+ }ifelse
+ cleartomark restore
+ }ifelse
+ end
+ end
+ end
+}def
+/imageormask_l2_overprint
+{
+ currentdict
+ currentcmykcolor add add add 0 eq{
+ currentdict consumeimagedata
+ }{
+ level3{
+ currentcmykcolor
+ /AGMIMG_k xdf
+ /AGMIMG_y xdf
+ /AGMIMG_m xdf
+ /AGMIMG_c xdf
+ Operator/imagemask eq{
+ [/DeviceN [
+ AGMIMG_c 0 ne {/Cyan} if
+ AGMIMG_m 0 ne {/Magenta} if
+ AGMIMG_y 0 ne {/Yellow} if
+ AGMIMG_k 0 ne {/Black} if
+ ] /DeviceCMYK {}] setcolorspace
+ AGMIMG_c 0 ne {AGMIMG_c} if
+ AGMIMG_m 0 ne {AGMIMG_m} if
+ AGMIMG_y 0 ne {AGMIMG_y} if
+ AGMIMG_k 0 ne {AGMIMG_k} if
+ setcolor
+ }{
+ /Decode [ Decode 0 get 255 mul Decode 1 get 255 mul ] def
+ [/Indexed
+ [
+ /DeviceN [
+ AGMIMG_c 0 ne {/Cyan} if
+ AGMIMG_m 0 ne {/Magenta} if
+ AGMIMG_y 0 ne {/Yellow} if
+ AGMIMG_k 0 ne {/Black} if
+ ]
+ /DeviceCMYK {
+ AGMIMG_k 0 eq {0} if
+ AGMIMG_y 0 eq {0 exch} if
+ AGMIMG_m 0 eq {0 3 1 roll} if
+ AGMIMG_c 0 eq {0 4 1 roll} if
+ }
+ ]
+ 255
+ {
+ 255 div
+ mark exch
+ dup dup dup
+ AGMIMG_k 0 ne{
+ /sep_tint AGMCORE_gget mul MappedCSA sep_proc_name exch pop load exec 4 1 roll pop pop pop
+ counttomark 1 roll
+ }{
+ pop
+ }ifelse
+ AGMIMG_y 0 ne{
+ /sep_tint AGMCORE_gget mul MappedCSA sep_proc_name exch pop load exec 4 2 roll pop pop pop
+ counttomark 1 roll
+ }{
+ pop
+ }ifelse
+ AGMIMG_m 0 ne{
+ /sep_tint AGMCORE_gget mul MappedCSA sep_proc_name exch pop load exec 4 3 roll pop pop pop
+ counttomark 1 roll
+ }{
+ pop
+ }ifelse
+ AGMIMG_c 0 ne{
+ /sep_tint AGMCORE_gget mul MappedCSA sep_proc_name exch pop load exec pop pop pop
+ counttomark 1 roll
+ }{
+ pop
+ }ifelse
+ counttomark 1 add -1 roll pop
+ }
+ ] setcolorspace
+ }ifelse
+ imageormask_sys
+ }{
+ write_image_file{
+ currentcmykcolor
+ 0 ne{
+ [/Separation /Black /DeviceGray {}] setcolorspace
+ gsave
+ /Black
+ [{1 exch sub /sep_tint AGMCORE_gget mul} /exec cvx MappedCSA sep_proc_name cvx exch pop {4 1 roll pop pop pop 1 exch sub} /exec cvx]
+ cvx modify_halftone_xfer
+ Operator currentdict read_image_file
+ grestore
+ }if
+ 0 ne{
+ [/Separation /Yellow /DeviceGray {}] setcolorspace
+ gsave
+ /Yellow
+ [{1 exch sub /sep_tint AGMCORE_gget mul} /exec cvx MappedCSA sep_proc_name cvx exch pop {4 2 roll pop pop pop 1 exch sub} /exec cvx]
+ cvx modify_halftone_xfer
+ Operator currentdict read_image_file
+ grestore
+ }if
+ 0 ne{
+ [/Separation /Magenta /DeviceGray {}] setcolorspace
+ gsave
+ /Magenta
+ [{1 exch sub /sep_tint AGMCORE_gget mul} /exec cvx MappedCSA sep_proc_name cvx exch pop {4 3 roll pop pop pop 1 exch sub} /exec cvx]
+ cvx modify_halftone_xfer
+ Operator currentdict read_image_file
+ grestore
+ }if
+ 0 ne{
+ [/Separation /Cyan /DeviceGray {}] setcolorspace
+ gsave
+ /Cyan
+ [{1 exch sub /sep_tint AGMCORE_gget mul} /exec cvx MappedCSA sep_proc_name cvx exch pop {pop pop pop 1 exch sub} /exec cvx]
+ cvx modify_halftone_xfer
+ Operator currentdict read_image_file
+ grestore
+ } if
+ close_image_file
+ }{
+ imageormask
+ }ifelse
+ }ifelse
+ }ifelse
+} def
+/indexed_imageormask
+{
+ begin
+ save mark
+ currentdict
+ AGMCORE_host_sep{
+ Operator/knockout eq{
+ /indexed_colorspace_dict AGMCORE_gget dup /CSA known {
+ /CSA get map_csa
+ }{
+ /CSD get get_csd /Names get
+ } ifelse
+ overprint_plate not{
+ knockout_unitsq
+ }if
+ }{
+ Indexed_DeviceN {
+ /devicen_colorspace_dict AGMCORE_gget /names_index known {
+ indexed_image_lev2_sep
+ }{
+ currentoverprint not{
+ knockout_unitsq
+ }if
+ currentdict consumeimagedata
+ } ifelse
+ }{
+ AGMCORE_is_cmyk_sep{
+ Operator /imagemask eq{
+ imageormask_sys
+ }{
+ level2{
+ indexed_image_lev2_sep
+ }{
+ indexed_image_lev1_sep
+ }ifelse
+ }ifelse
+ }{
+ currentoverprint not{
+ knockout_unitsq
+ }if
+ currentdict consumeimagedata
+ }ifelse
+ }ifelse
+ }ifelse
+ }{
+ level2{
+ Indexed_DeviceN {
+ /indexed_colorspace_dict AGMCORE_gget begin
+ CSD get_csd begin
+ }{
+ /indexed_colorspace_dict AGMCORE_gget begin
+ CSA map_csa 0 get /DeviceCMYK eq ps_level 3 ge and ps_version 3015.007 lt and {
+ [/Indexed [/DeviceN [/Cyan /Magenta /Yellow /Black] /DeviceCMYK {}] HiVal Lookup]
+ setcolorspace
+ } if
+ end
+ } ifelse
+ imageormask
+ Indexed_DeviceN {
+ end
+ end
+ } if
+ }{
+ Operator /imagemask eq{
+ imageormask
+ }{
+ indexed_imageormask_lev1
+ }ifelse
+ }ifelse
+ }ifelse
+ cleartomark restore
+ end
+}def
+/indexed_image_lev2_sep
+{
+ /indexed_colorspace_dict AGMCORE_gget begin
+ begin
+ Indexed_DeviceN not {
+ currentcolorspace
+ dup 1 /DeviceGray put
+ dup 3
+ currentcolorspace 2 get 1 add string
+ 0 1 2 3 AGMCORE_get_ink_data 4 currentcolorspace 3 get length 1 sub
+ {
+ dup 4 idiv exch currentcolorspace 3 get exch get 255 exch sub 2 index 3 1 roll put
+ }for
+ put setcolorspace
+ } if
+ currentdict
+ Operator /imagemask eq{
+ AGMIMG_&imagemask
+ }{
+ use_mask {
+ level3 {process_mask_L3 AGMIMG_&image}{masked_image_simulation}ifelse
+ }{
+ AGMIMG_&image
+ }ifelse
+ }ifelse
+ end end
+}def
+ /OPIimage
+ {
+ dup type /dicttype ne{
+ 10 dict begin
+ /DataSource xdf
+ /ImageMatrix xdf
+ /BitsPerComponent xdf
+ /Height xdf
+ /Width xdf
+ /ImageType 1 def
+ /Decode [0 1 def]
+ currentdict
+ end
+ }if
+ dup begin
+ /NComponents 1 cdndf
+ /MultipleDataSources false cdndf
+ /SkipImageProc {false} cdndf
+ /HostSepColorImage false cdndf
+ /Decode [
+ 0
+ currentcolorspace 0 get /Indexed eq{
+ 2 BitsPerComponent exp 1 sub
+ }{
+ 1
+ }ifelse
+ ] cdndf
+ /Operator /image cdndf
+ end
+ /sep_colorspace_dict AGMCORE_gget null eq{
+ imageormask
+ }{
+ gsave
+ dup begin invert_image_samples end
+ sep_imageormask
+ grestore
+ }ifelse
+ }def
+/cachemask_level2
+{
+ 3 dict begin
+ /LZWEncode filter /WriteFilter xdf
+ /readBuffer 256 string def
+ /ReadFilter
+ currentfile
+ 0 (%EndMask) /SubFileDecode filter
+ /ASCII85Decode filter
+ /RunLengthDecode filter
+ def
+ {
+ ReadFilter readBuffer readstring exch
+ WriteFilter exch writestring
+ not {exit} if
+ }loop
+ WriteFilter closefile
+ end
+}def
+/cachemask_level3
+{
+ currentfile
+ <<
+ /Filter [ /SubFileDecode /ASCII85Decode /RunLengthDecode ]
+ /DecodeParms [ << /EODCount 0 /EODString (%EndMask) >> null null ]
+ /Intent 1
+ >>
+ /ReusableStreamDecode filter
+}def
+/spot_alias
+{
+ /mapto_sep_imageormask
+ {
+ dup type /dicttype ne{
+ 12 dict begin
+ /ImageType 1 def
+ /DataSource xdf
+ /ImageMatrix xdf
+ /BitsPerComponent xdf
+ /Height xdf
+ /Width xdf
+ /MultipleDataSources false def
+ }{
+ begin
+ }ifelse
+ /Decode [/customcolor_tint AGMCORE_gget 0] def
+ /Operator /image def
+ /HostSepColorImage false def
+ /SkipImageProc {false} def
+ currentdict
+ end
+ sep_imageormask
+ }bdf
+ /customcolorimage
+ {
+ Adobe_AGM_Image/AGMIMG_colorAry xddf
+ /customcolor_tint AGMCORE_gget
+ bdict
+ /Name AGMIMG_colorAry 4 get
+ /CSA [ /DeviceCMYK ]
+ /TintMethod /Subtractive
+ /TintProc null
+ /MappedCSA null
+ /NComponents 4
+ /Components [ AGMIMG_colorAry aload pop pop ]
+ edict
+ setsepcolorspace
+ mapto_sep_imageormask
+ }ndf
+ Adobe_AGM_Image/AGMIMG_&customcolorimage /customcolorimage load put
+ /customcolorimage
+ {
+ Adobe_AGM_Image/AGMIMG_override false put
+ dup 4 get map_alias{
+ /customcolor_tint AGMCORE_gget exch setsepcolorspace
+ pop
+ mapto_sep_imageormask
+ }{
+ AGMIMG_&customcolorimage
+ }ifelse
+ }bdf
+}def
+/snap_to_device
+{
+ 6 dict begin
+ matrix currentmatrix
+ dup 0 get 0 eq 1 index 3 get 0 eq and
+ 1 index 1 get 0 eq 2 index 2 get 0 eq and or exch pop
+ {
+ 1 1 dtransform 0 gt exch 0 gt /AGMIMG_xSign? exch def /AGMIMG_ySign? exch def
+ 0 0 transform
+ AGMIMG_ySign? {floor 0.1 sub}{ceiling 0.1 add} ifelse exch
+ AGMIMG_xSign? {floor 0.1 sub}{ceiling 0.1 add} ifelse exch
+ itransform /AGMIMG_llY exch def /AGMIMG_llX exch def
+ 1 1 transform
+ AGMIMG_ySign? {ceiling 0.1 add}{floor 0.1 sub} ifelse exch
+ AGMIMG_xSign? {ceiling 0.1 add}{floor 0.1 sub} ifelse exch
+ itransform /AGMIMG_urY exch def /AGMIMG_urX exch def
+ [AGMIMG_urX AGMIMG_llX sub 0 0 AGMIMG_urY AGMIMG_llY sub AGMIMG_llX AGMIMG_llY] concat
+ }{
+ }ifelse
+ end
+} def
+level2 not{
+ /colorbuf
+ {
+ 0 1 2 index length 1 sub{
+ dup 2 index exch get
+ 255 exch sub
+ 2 index
+ 3 1 roll
+ put
+ }for
+ }def
+ /tint_image_to_color
+ {
+ begin
+ Width Height BitsPerComponent ImageMatrix
+ /DataSource load
+ end
+ Adobe_AGM_Image begin
+ /AGMIMG_mbuf 0 string def
+ /AGMIMG_ybuf 0 string def
+ /AGMIMG_kbuf 0 string def
+ {
+ colorbuf dup length AGMIMG_mbuf length ne
+ {
+ dup length dup dup
+ /AGMIMG_mbuf exch string def
+ /AGMIMG_ybuf exch string def
+ /AGMIMG_kbuf exch string def
+ } if
+ dup AGMIMG_mbuf copy AGMIMG_ybuf copy AGMIMG_kbuf copy pop
+ }
+ addprocs
+ {AGMIMG_mbuf}{AGMIMG_ybuf}{AGMIMG_kbuf} true 4 colorimage
+ end
+ } def
+ /sep_imageormask_lev1
+ {
+ begin
+ MappedCSA 0 get dup /DeviceRGB eq exch /DeviceCMYK eq or has_color not and{
+ {
+ 255 mul round cvi GrayLookup exch get
+ } currenttransfer addprocs settransfer
+ currentdict imageormask
+ }{
+ /sep_colorspace_dict AGMCORE_gget/Components known{
+ MappedCSA 0 get /DeviceCMYK eq{
+ Components aload pop
+ }{
+ 0 0 0 Components aload pop 1 exch sub
+ }ifelse
+ Adobe_AGM_Image/AGMIMG_k xddf
+ Adobe_AGM_Image/AGMIMG_y xddf
+ Adobe_AGM_Image/AGMIMG_m xddf
+ Adobe_AGM_Image/AGMIMG_c xddf
+ AGMIMG_y 0.0 eq AGMIMG_m 0.0 eq and AGMIMG_c 0.0 eq and{
+ {AGMIMG_k mul 1 exch sub} currenttransfer addprocs settransfer
+ currentdict imageormask
+ }{
+ currentcolortransfer
+ {AGMIMG_k mul 1 exch sub} exch addprocs 4 1 roll
+ {AGMIMG_y mul 1 exch sub} exch addprocs 4 1 roll
+ {AGMIMG_m mul 1 exch sub} exch addprocs 4 1 roll
+ {AGMIMG_c mul 1 exch sub} exch addprocs 4 1 roll
+ setcolortransfer
+ currentdict tint_image_to_color
+ }ifelse
+ }{
+ MappedCSA 0 get /DeviceGray eq {
+ {255 mul round cvi ColorLookup exch get 0 get} currenttransfer addprocs settransfer
+ currentdict imageormask
+ }{
+ MappedCSA 0 get /DeviceCMYK eq {
+ currentcolortransfer
+ {255 mul round cvi ColorLookup exch get 3 get 1 exch sub} exch addprocs 4 1 roll
+ {255 mul round cvi ColorLookup exch get 2 get 1 exch sub} exch addprocs 4 1 roll
+ {255 mul round cvi ColorLookup exch get 1 get 1 exch sub} exch addprocs 4 1 roll
+ {255 mul round cvi ColorLookup exch get 0 get 1 exch sub} exch addprocs 4 1 roll
+ setcolortransfer
+ currentdict tint_image_to_color
+ }{
+ currentcolortransfer
+ {pop 1} exch addprocs 4 1 roll
+ {255 mul round cvi ColorLookup exch get 2 get} exch addprocs 4 1 roll
+ {255 mul round cvi ColorLookup exch get 1 get} exch addprocs 4 1 roll
+ {255 mul round cvi ColorLookup exch get 0 get} exch addprocs 4 1 roll
+ setcolortransfer
+ currentdict tint_image_to_color
+ }ifelse
+ }ifelse
+ }ifelse
+ }ifelse
+ end
+ }def
+ /sep_image_lev1_sep
+ {
+ begin
+ /sep_colorspace_dict AGMCORE_gget/Components known{
+ Components aload pop
+ Adobe_AGM_Image/AGMIMG_k xddf
+ Adobe_AGM_Image/AGMIMG_y xddf
+ Adobe_AGM_Image/AGMIMG_m xddf
+ Adobe_AGM_Image/AGMIMG_c xddf
+ {AGMIMG_c mul 1 exch sub}
+ {AGMIMG_m mul 1 exch sub}
+ {AGMIMG_y mul 1 exch sub}
+ {AGMIMG_k mul 1 exch sub}
+ }{
+ {255 mul round cvi ColorLookup exch get 0 get 1 exch sub}
+ {255 mul round cvi ColorLookup exch get 1 get 1 exch sub}
+ {255 mul round cvi ColorLookup exch get 2 get 1 exch sub}
+ {255 mul round cvi ColorLookup exch get 3 get 1 exch sub}
+ }ifelse
+ AGMCORE_get_ink_data currenttransfer addprocs settransfer
+ currentdict imageormask_sys
+ end
+ }def
+ /indexed_imageormask_lev1
+ {
+ /indexed_colorspace_dict AGMCORE_gget begin
+ begin
+ currentdict
+ MappedCSA 0 get dup /DeviceRGB eq exch /DeviceCMYK eq or has_color not and{
+ {HiVal mul round cvi GrayLookup exch get HiVal div} currenttransfer addprocs settransfer
+ imageormask
+ }{
+ MappedCSA 0 get /DeviceGray eq {
+ {HiVal mul round cvi Lookup exch get HiVal div} currenttransfer addprocs settransfer
+ imageormask
+ }{
+ MappedCSA 0 get /DeviceCMYK eq {
+ currentcolortransfer
+ {4 mul HiVal mul round cvi 3 add Lookup exch get HiVal div 1 exch sub} exch addprocs 4 1 roll
+ {4 mul HiVal mul round cvi 2 add Lookup exch get HiVal div 1 exch sub} exch addprocs 4 1 roll
+ {4 mul HiVal mul round cvi 1 add Lookup exch get HiVal div 1 exch sub} exch addprocs 4 1 roll
+ {4 mul HiVal mul round cvi Lookup exch get HiVal div 1 exch sub} exch addprocs 4 1 roll
+ setcolortransfer
+ tint_image_to_color
+ }{
+ currentcolortransfer
+ {pop 1} exch addprocs 4 1 roll
+ {3 mul HiVal mul round cvi 2 add Lookup exch get HiVal div} exch addprocs 4 1 roll
+ {3 mul HiVal mul round cvi 1 add Lookup exch get HiVal div} exch addprocs 4 1 roll
+ {3 mul HiVal mul round cvi Lookup exch get HiVal div} exch addprocs 4 1 roll
+ setcolortransfer
+ tint_image_to_color
+ }ifelse
+ }ifelse
+ }ifelse
+ end end
+ }def
+ /indexed_image_lev1_sep
+ {
+ /indexed_colorspace_dict AGMCORE_gget begin
+ begin
+ {4 mul HiVal mul round cvi Lookup exch get HiVal div 1 exch sub}
+ {4 mul HiVal mul round cvi 1 add Lookup exch get HiVal div 1 exch sub}
+ {4 mul HiVal mul round cvi 2 add Lookup exch get HiVal div 1 exch sub}
+ {4 mul HiVal mul round cvi 3 add Lookup exch get HiVal div 1 exch sub}
+ AGMCORE_get_ink_data currenttransfer addprocs settransfer
+ currentdict imageormask_sys
+ end end
+ }def
+}if
+end
+systemdict /setpacking known
+{
+ setpacking
+} if
+%%EndResource
+currentdict Adobe_AGM_Utils eq {end} if
+%%EndProlog
+%%BeginSetup
+Adobe_AGM_Utils begin
+2 2010 Adobe_AGM_Core/doc_setup get exec
+Adobe_CoolType_Core/doc_setup get exec
+Adobe_AGM_Image/doc_setup get exec
+currentdict Adobe_AGM_Utils eq {end} if
+%%EndSetup
+%%Page: Alternate-ISC-logo-v2.ai 1
+%%EndPageComments
+%%BeginPageSetup
+/currentdistillerparams where
+{pop currentdistillerparams /CoreDistVersion get 5000 lt} {true} ifelse
+{ userdict /AI11_PDFMark5 /cleartomark load put
+userdict /AI11_ReadMetadata_PDFMark5 {flushfile cleartomark } bind put}
+{ userdict /AI11_PDFMark5 /pdfmark load put
+userdict /AI11_ReadMetadata_PDFMark5 {/PUT pdfmark} bind put } ifelse
+[/NamespacePush AI11_PDFMark5
+[/_objdef {ai_metadata_stream_123} /type /stream /OBJ AI11_PDFMark5
+[{ai_metadata_stream_123}
+currentfile 0 (% &&end XMP packet marker&&)
+/SubFileDecode filter AI11_ReadMetadata_PDFMark5
+<?xpacket begin='' id='W5M0MpCehiHzreSzNTczkc9d'?><x:xmpmeta xmlns:x='adobe:ns:meta/' x:xmptk='XMP toolkit 3.0-29, framework 1.6'>
+<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#' xmlns:iX='http://ns.adobe.com/iX/1.0/'>
+
+ <rdf:Description rdf:about='uuid:8aa76b3d-2474-11d9-a8a3-000393cd9a96'
+ xmlns:pdf='http://ns.adobe.com/pdf/1.3/'>
+ <pdf:Producer>Adobe PDF library 6.66</pdf:Producer>
+ </rdf:Description>
+
+ <rdf:Description rdf:about='uuid:8aa76b3d-2474-11d9-a8a3-000393cd9a96'
+ xmlns:tiff='http://ns.adobe.com/tiff/1.0/'>
+ </rdf:Description>
+
+ <rdf:Description rdf:about='uuid:8aa76b3d-2474-11d9-a8a3-000393cd9a96'
+ xmlns:xap='http://ns.adobe.com/xap/1.0/'
+ xmlns:xapGImg='http://ns.adobe.com/xap/1.0/g/img/'>
+ <xap:CreateDate>2004-10-06T16:15:40-07:00</xap:CreateDate>
+ <xap:ModifyDate>2004-10-22T21:51:43Z</xap:ModifyDate>
+ <xap:CreatorTool>Illustrator</xap:CreatorTool>
+ <xap:MetadataDate>2004-10-06T16:15:40-07:00</xap:MetadataDate>
+ <xap:Thumbnails>
+ <rdf:Alt>
+ <rdf:li rdf:parseType='Resource'>
+ <xapGImg:format>JPEG</xapGImg:format>
+ <xapGImg:width>256</xapGImg:width>
+ <xapGImg:height>152</xapGImg:height>
+ <xapGImg:image>/9j/4AAQSkZJRgABAgEASABIAAD/7QAsUGhvdG9zaG9wIDMuMAA4QklNA+0AAAAAABAASAAAAAEA&#xA;AQBIAAAAAQAB/+4ADkFkb2JlAGTAAAAAAf/bAIQABgQEBAUEBgUFBgkGBQYJCwgGBggLDAoKCwoK&#xA;DBAMDAwMDAwQDA4PEA8ODBMTFBQTExwbGxscHx8fHx8fHx8fHwEHBwcNDA0YEBAYGhURFRofHx8f&#xA;Hx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8f/8AAEQgAmAEAAwER&#xA;AAIRAQMRAf/EAaIAAAAHAQEBAQEAAAAAAAAAAAQFAwIGAQAHCAkKCwEAAgIDAQEBAQEAAAAAAAAA&#xA;AQACAwQFBgcICQoLEAACAQMDAgQCBgcDBAIGAnMBAgMRBAAFIRIxQVEGE2EicYEUMpGhBxWxQiPB&#xA;UtHhMxZi8CRygvElQzRTkqKyY3PCNUQnk6OzNhdUZHTD0uIIJoMJChgZhJRFRqS0VtNVKBry4/PE&#xA;1OT0ZXWFlaW1xdXl9WZ2hpamtsbW5vY3R1dnd4eXp7fH1+f3OEhYaHiImKi4yNjo+Ck5SVlpeYmZ&#xA;qbnJ2en5KjpKWmp6ipqqusra6voRAAICAQIDBQUEBQYECAMDbQEAAhEDBCESMUEFURNhIgZxgZEy&#xA;obHwFMHR4SNCFVJicvEzJDRDghaSUyWiY7LCB3PSNeJEgxdUkwgJChgZJjZFGidkdFU38qOzwygp&#xA;0+PzhJSktMTU5PRldYWVpbXF1eX1RlZmdoaWprbG1ub2R1dnd4eXp7fH1+f3OEhYaHiImKi4yNjo&#xA;+DlJWWl5iZmpucnZ6fkqOkpaanqKmqq6ytrq+v/aAAwDAQACEQMRAD8AiX5AfkB5O/MTydea1rV5&#xA;qNvdW+oyWSJZSQJGY0ghlBIlhmblymPfMfLlMTQbIQBDOPM//OKX5U6B5e1DWZ9R1uSOxhaX0hcW&#xA;il2H2U5G0NOTUFcOCcskxAVuWOaoQMj0Y1+Wf5EflJ56N+kUuvWEtgImZHu7OTmJS4+Glmv2eG+3&#xA;fMvXYJ6etwb8v2uPpNRHNdCqZz/0Jp+WH/V01v8A5H2n/ZLmv/MSczww7/oTT8sP+rprf/I+0/7J&#xA;cfzEl8MO/wChNPyw/wCrprf/ACPtP+yXH8xJfDDAfzv/AOcc/JHkPyHN5g0i+1Oe9juIYVju5bd4&#xA;uMrUYkRwRNXw+LJ48xkaRKAAfT/5V/8AksPKH/bE07/qEjzJaiynFXYq7FXYq7FXYq7FXYq7FXYq&#xA;7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq+BfyU/MTzH5Nhnn0yUPbSzt9ZsZqtBJ8CAMVBFGHZ&#xA;hv8ARtmz0uihnwkS58XPryDrdVqp4sorlXL5st1/z/8AmP5whlgu7p20+b7VnCqwW9AwYL250YD7&#xA;TE5eI6TSncgS+Zccy1OoGwPD8ggfLXmTzl5HvJLzTD9X9YKtwroksUiqSVVjvTc9iDlkp6bVjhsS&#xA;+wsIxz6Y3Vfc9B1b/nJjWZ9Hhh03TYrPVmH+lXTt6sQp/vqM/wA3+UTT365iY+w4CVyNx7v1uTPt&#xA;eRjsKk9s8j+YrjzH5W0/Wbm0aymu4wzwtsCRsXTcng1KrXemaHV4RiyGAN07jT5TkgJEVae5jNzx&#xA;v/nLL/yT91/zG2v/ABM5dg+pjPk9M/Kv/wAlh5Q/7Ymnf9QkeZzjllOKuxV2KuxV2KuxV2KuxV2K&#xA;uxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV+eX5W6Yl7aztLvBDMSy/zEqtB8tsyJ644NP6fr&#xA;lI18hZcX8oMuf1fTGP6S9h0Ly3rGtzm20q1M7RgF6UVEXtyZiFHTbOa3ke8u52Adr3lvWNEnFtqt&#xA;qYWkUlCSGRx3oykqeu+DeJ7iuxDANasU07UIriJFaF29RYmAK8kILKVPVc7bsjWnUYiJfVHY/oLy&#xA;/aOlGHIDH6S+zNB1K31TRNP1K2UJb3lvFPEg6KsiBgu38taZzGaBhMxPMF6DHMSiCOoR2VM3jf8A&#xA;zll/5J+6/wCY21/4mcuwfUxnyemflX/5LDyh/wBsTTv+oSPM5xyynFXYq7FXYq7FXYq7FXYq7FXY&#xA;q7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq+A/yedP0NepT4xccie5BRR+FMxNfE8ET0uX+9bNP&#xA;IcZHWh+l9K/kxr2kW1neaZcSxwXskwmjaQhfUUqF4qT1Kla098wMUg5Mgq/nNrujzada6XDKk9+s&#xA;4mbgQ3pIEZaMR0Lcht9PhjlIWIeCebnQQ26U+MszA+AAAP31zoPZyJ4pnps6ftqQqI67s3/KGD81&#xA;YPMejRFNVh8ts6tKJ0mFp6HAsOPqDgFYUoVzYdonTGEvp4/hduJoRnE4/VwfY+lCyggEgE9B45yr&#xA;0Lxb/nLe8tYvyoe2kkCz3N7bmCM9W9NqtT5A5bhI4wFlAmBI5B6l+Vf/AJLDyh/2xNO/6hI8z3EL&#xA;y3/nLq+1nQPJem69oWsalpWoyapHZytZX11BG8UltM5BijkVK8oFoaePjir0v8ooJB+W/lq8nu7u&#xA;9vNR0uyvLy5vbme6keaeBZXPKZ34jk52XbFWYYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7F&#xA;XYq7FXYq7FXYq7FX5z/l3fy2Nq88Y5D1mDodgylE2zaafSR1GnMJfztvI0HWanUSw5xIfzf0l6Zb&#xA;a3plwnITrGe6SkIR9+x+jOdz9k6jGa4TId43dti7QwzF8Ve/Zq61zTLdORmWU9kiIcn7th9Jw6fs&#xA;nUZD9PCO+W37Vzdo4YDnfu3S3y5bW3mjzpptlqVwtnZ3U6xO5JoEFTwBAPxP9kH+Y+GdXDCNJpyI&#xA;CyBfvPf+Ojz5ynU5xxbAvozTPzt/L2W4vbT60bO109R6E8qFY5kX4SIVUF9uylakduucN+aiSbfQ&#xA;Z9gamMYkC+LoOnveJeYvzDnP5kTeatBmlMUUoayS7qRxMYSRCgbZHPLYHp4HMKWT18Qet03Zo/Kj&#xA;DkA5b179vixD84/zA8y+btFi/TEsbJaSVt44o1jVTIRy6bn7I6nMzRZJSyi+4un7Y7OxabSS8Mcz&#xA;G32N+Vf/AJLDyh/2xNO/6hI83jwxeUf85q/+Ss0r/tuW/wD1CXeKvVfyn/8AJWeTf+2Hpv8A1CR4&#xA;q8j8x/nX5n8ifnH5nGr28+o/l4tzp9rNKnxtp082nwSckAqQklWYp0Y1K/FUFV7F5gutN1/yJe6h&#xA;pmoSNaT2M1xY6jp1zJC1fRfi6SwMh2PY9+o2xVjP5faLe+ZPyb8tx3WtanDPqNraXmo6jHeXBvpD&#xA;QSMqXLSGSIOwAbifs1HeuKvOfzm0m/8ALHnz8tdI0fzJ5hhsfMmqG01aNta1GQyRC4tI6KzTEp8M&#xA;77rir2bQfIEWia5+kbXWtYurZ7SW2msNQ1G7voS7yROkyC4kk4OgjZajs2KvH9Is9R1n/nJrzd5Q&#xA;utf12Py9p+mRXtnZQavqEQjmaOxJIZZg1K3D7Vpvir2Xy/5JTSdO1PTZdW1PUbS9ujcW8l3fXUlz&#xA;bxmGKMwpcmT1uIkjZx8X7WKvB/8AnH/RPMX5gflhrGqaj5x8wQa/BqE9rYagNWvfTjEdtBLH6kLS&#xA;NG685TyqtaYq9K/5xr86+aPOH5Yw6n5kJlvYbqa1hvWADXMMQUrK3EAVDM0ZPfjirHPzm/M7zt5G&#xA;/M6wvNIt5NV8u22jC78waSrbCD620RuUG5R0LKC4FKfa23Cr1fyr5t8s+ePLcWraHeG5066HFzG7&#xA;RTROAC0UnAq8ci13FfwOKsS/JBbuS183fXNQv9Qaz8y6rp1s97eXFyUtbaVUijX1XYLxA6jfFWA6&#xA;RZ6jrP8Azk15u8oXWv67H5e0/TIr2zsoNX1CIRzNHYkkMswalbh9q03xV6vB+XE8Oi3+ijzJrJs7&#xA;2/S8W5e+uJL6GBI4gbWK8eQzIjSxFiQfssy964q8i/ObSb/yx58/LXSNH8yeYYbHzJqhtNWjbWtR&#xA;kMkQuLSOis0xKfDO+64q9n0DyDFoWvDU7XWtXurdrWW2m0/UdRur+Eu8kTpMq3MknF0EbLUdmxVl&#xA;WKuxV2KuxV2KuxV8tf8AOKPkvyrr35Z6zJq+mQ3k02qy2zTSL+8WJLa3dVRxRk+JyaqQcqnqsmMj&#xA;hkR1T4EJg8QtKPzn/LXS/JV9pzaXNNJaakJisc5VijQlKqGULUfvO4zoezNdLODxAXGnR6/SRwkc&#xA;PIsk/Ln8gtN17QNP17V9RnSO9VpPqMCKhCh2VaysXryVQ32B1+nMXW9ryxzMIgbdf2ORpezIziJS&#xA;PPownzdp3kO384XUWjyXMOkWbMrRg82kkiFCsEjVKhn25PWg+LfZc1uP2mIgRKPFLoeh9/7Ofk9P&#xA;H2GyT4JxkIxl9Q6x93f+hj2oXjXt9cXjIsbXEjStGleILmpArU985ORs2+nYcfhwEbJ4RW/PZG2X&#xA;l+4mAec+ih6LSrn6O2TjiJdNre38WI8MPXL7Pn+Pek/5j6Pa2nliWWMuW9WMfEQep9gM2GhxgZHm&#xA;O0u2cuoxGEhER8v7X2j+Vf8A5LDyh/2xNO/6hI83LzpeUf8AOapH/KrdKWu51yAgd6C0uv64q9V/&#xA;KYg/lZ5Np/1Y9N/6hI8VYb5Q0/SvMf5j/nBpWq2yXNhdzaVbXVq+4ZBp/p12oQTwqCNwehqMVea6&#xA;5Yeb/wAgZ9Tgtlm1r8qtdWWJVrym0+edCq1rQA1NK/ZkHg2Kvevyiiji/KrycqDip0TT2I93tY2Y&#xA;/STiryz/AJyO/wDJp/kv/wBtw/8AUXp+KvoDFXzXp/lvSfMH/OXnney1P6x6CaPbzJ9VurmyfmsG&#xA;nKKyWskLkUY/CWp3psMVe6+U/LmkeW0vdK064llV5hfGK5nluZo1nURqGlneSRlLQNxLH27Yq+XP&#xA;yK8n+e9f/IrzOPKfmS5025fULiJdIRLcQ3LLa2zOPXaP6xE8qNwqkqjYV74q93/Ij8xPLvmnyhBp&#xA;tjaR6Pq2hItnqnl9FMZtnj+CqI3xemxB3O4NQ2+KqFxLDN/zkwllKitGfJMpYPQhxLqiqUKkb7R4&#xA;q8984/l15r/JzzNP+YP5axNd+WZjy8w+WBXikIqzMgFf3a7lSByj90qMVehf8476tZ635O1fXrON&#xA;ooNZ8watqCJJTmFuLkugehI5BKA0xV57p/lvSfMH/OXnney1P6x6CaPbzJ9VurmyfmsGnKKyWskL&#xA;kUY/CWp3psMVe6+U/LmkeW0vdK064llV5hfGK5nluZo1nURqGlneSRlLQNxLH27Yq8e/5yO/8mn+&#xA;S/8A23D/ANRen4q+gMVdirsVdirsVdirsVfOv/OGn/ksNU/7bc//AFCWuYeo+pux8ntWreX9C1hE&#xA;TVtOttQWLl6X1mFJeHOnLhzB41oOmQx5pw+kke5M8UZ/UAUFq3mDyp5P0+zhv7iLTLI0t7KMIxUB&#xA;F+yqxq1AB36ZTlzC7kdy5ek0OTN6cUb4Q+XvzM13S9c866lqGmRJHZO4SOSMcfWKDi0xG28h36dO&#xA;u+arLIGRIfRey9PPDp4xmfV93l8EHoGmqVF5KtTX9yD2p+1/TJ4odXS9vdpkHwYH+t+r9f8AanuZ&#xA;DyTEPzS/5RKX/jNF/wASzJ0f1teb6X2H+Vf/AJLDyh/2xNO/6hI82zhlb51/K3yR52EK+aLGXUYr&#xA;ducMBvLyGJXpx5CKGaNOVO9MVTHy15Q0Ly1p0em6MlxBYQp6UFvJd3VwkaDosYnll4AduOKoTRfy&#xA;68p6Lr1/r2m29xDq2qFG1G4a9vZfXMYIT1ElmeNuAYhart2xVPNS03T9TsJ9P1G3ju7G6QxXFtMo&#xA;eN0bYqynYjFWtK0yx0rTLPS9Pi9CwsII7W0hBZgkMKBI1qxZjxVQNzXFWO+avys8j+a9VstV16xm&#xA;u7/TW9TT5heXkIgcFTyiSGaNENY1NQOoxVlFvAkEKQoXKIKAyO8jfS7lmP0nFWDXn5Gflnd69P5g&#xA;n066Ot3NPW1FNT1KOZqKEHxpcqacVAxVO9F8g+WdFsr6z02K5ij1Fle8le+vZZ3ZAFWlxLM8y0Ap&#xA;RXGKqPkr8s/JfkmGWDyxZSafbzuZZbf63dzRNIVCl/TmlkTlxUCtMVWXX5XeRbjzT/ir9Gm28wkF&#xA;ZNRs7i5s5JAQAfVFtJEslaCvMHFVWb8ufKU3mtfNklvcnzAkRt0vhfXqlYCxcxCMTCMR8mJ4caYq&#xA;yUgEUO4PUYql2g+W9D8v2cllotlHYWck0lw1vCCsYklNXKrWignstBirFLz8jPyzu9en8wT6ddHW&#xA;7mnraimp6lHM1FCD40uVNOKgYqyLyx5N8v8AllLpNHhmjN66y3Ulxc3N5I7KvFayXUkz0A7A0xVL&#xA;vNX5WeR/Neq2Wq69YzXd/prepp8wvLyEQOCp5RJDNGiGsamoHUYqyi3gSCFIULlEFAZHeRvpdyzH&#xA;6TiqpirsVdirsVdirsVfOv8Azhp/5LDVP+23P/1CWuYeo+pux8nvOY7Y8/8Azo8q6Nq/lK61O/eW&#xA;O40aCaayeJqLzYCiupqCGZVB75j6mAMbPR3XYeryYs4hGqmQC+XIYmlmjiX7UjBR82NM1z3+XIIR&#xA;MjyAtmqIqIqIKKoCqPADYZmgU+X5MhnIyPMm12Fghvzc8i6jZ/lNJ5hvHEKS3FsLe1pV2SRtnY1+&#xA;HboMy9JH1W1ZTs+nfyr/APJYeUP+2Jp3/UJHm0cQph5t84eXfKWjSaxr94tnZIwRWILvJI32Y441&#xA;DO7t2Cj8MVYZqX57aRpCQXOs+V/Mel6ZcOkUep3ViiwBpCAgfjM0sfIttzQYq9MxV2KuxV2KuxV2&#xA;KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KvnX/nDT/wAlhqn/AG25/wDqEtcw9R9Tdj5P&#xA;ecx2x4p+e3lfzteTXGr2dy7eXLa1Q3NoJ2ChkY839H7J6jf2zC1MJXfR6z2f1eniBCQ/emWxr9Lw&#xA;yw/3utv+Mqf8SGYkeYen1wvBP+pL7mZZmvmTsVZ7/wA5N6hZ6h+Rn12zINtNc2bRhabDkfh27r0O&#xA;bDTm5Boyci9X/Kv/AMlh5Q/7Ymnf9QkeZ7jF43/zl1Lrmk3vkTzVBAbvSNC1Fp7m3IPpfWFeGWES&#xA;0rtIsLqK9PpxV6v5X84+R/zX8mXB06cXFleRGDULJqLc27Ov2ZENeLKd0bcGlQTiqF1P85dE0r8w&#xA;NN8j6ppGp2OpauwXTr6ZLX6lKDWhWVbhm+0OPHhyrTbcYqnfn7z3pvkrRYtWv7S7vo5rmGyhtbBY&#xA;pLiSa4PGNUjlkh5knspJ9sVa1vz9pOg6TZX2t29zY3WozJbWGjlY576a4k+zFHHbPOrN40eg7nFV&#xA;C2/MOI6rHp2p6DqujGaGa5hur2O2Nu0cCeo/7y3nuOLcd+D0b2xVj+t/njDofl6TzFq/kvzJZaPC&#xA;sby3M0OnrxEzrGnKP676gq7qKccVRNp+cf1rSrPWU8meYho97HDPFf8Ao2DRiC4CskzLHePIE4sG&#xA;Y8dh1xVW8+/nFpHknXNH0bUtG1S7u9flNvpDWS2jpPMGjTgPUuYmU8p0HxAdcVR+kfmFNfa7a6Pe&#xA;eV9a0aW9SV7e6v47P6uTCvJkL29zcEMR0FMVTTW/OGiaLrWiaPqEpiu/MEssGnGg4GSGP1CrGu3I&#xA;bLtudsVTvFUj8u+cdD8w3utWelymWTQb06ffNQcfXWNXbgQTUKX4GtPiU/MqobzF5/0XRdZtNBEV&#xA;zqfmC+jae30iwjEs/oKeLTSF2jiij5bcpHUE9MVVPLXnBNb1HUdNl0nUNH1DTEgkuLfUY4V5JcmV&#xA;Y3ikt5biKRawOCVfFWQ4q7FXYq7FXYq7FXYq7FXYq+df+cNP/JYap/225/8AqEtcw9R9Tdj5Pecx&#xA;2x51+eHmy/0HysLa2sUuYdZE1jPPIW4xCSOlAi05MyluPxbU6HMfUzMRXe7zsHRxzZrMqMKlXfu+&#xA;YCHR6EFXU7g7EEZrn0AgEeTMrO5W5to5l/bHxAdj3H35mRlYfNNbpjgyygenL3dFbJOIxj80NQvk&#xA;8i3Fis7izluIXe35HgWVtm49K++ZWj+trzfS+u/yr/8AJYeUP+2Jp3/UJHm1cMpxrekaHr2nXeh6&#xA;vbxX1lcxgXdlLQ1jcnixA+JfiQ8WHcbbjFXx/wCefJXmT/nHvz/p3mzy1cyXHli9mMSo7fEU+1JZ&#xA;XIFA1UFUf2rsVxV9Efnb+XUf5geRuWnEx6/ptNR8vXa1WRZlAb0ww+IeqAB7NxPbFWLfk35j1D83&#xA;LrTPOOsxenY+VIhaW9r+xNrTxA3N5xB+ykLqIlP2S7HFU7/Pv8vvN/mO20LzF5MuBH5o8p3El3YW&#xA;zlQswlCc1Bf4OX7paB/hIqD1xVA/lD+ek/mzXn8necdGOh+drBWlELIyxSlFIdo1kq8T8GJpUgrU&#xA;hqbYqmH/ADlH/wCSJ8zf9GP/AHULfFWVflQA35VeTlYVB0LTQQehH1OPFXkn/OTk89v+Y35Pz29u&#xA;95PFrEjw2kbIjyut1YFY1aRkQFzsCzAeJxV61onm/wAwahr0Ol6n5SvdFR4JrlLy6uLKaP8AcsiF&#xA;V+qzXB5H1h1ptirxr/nJzRvMHmLzXZRaFM8eoeTNDm8ywrGKuXN7DH8BrXmEt3kX4TulO+Ks6i/O&#xA;car+TVj5q0dFk8x6z6el6fp43/3MzH0fTof2Uesu/wDusVxVhn/OMdldeWPP/wCYvkq8uWu5rOe3&#xA;uVuXJ5SGsgkkIPd/UQ4qmv5xeUPzP0Pz/b/mj+XcS6ldrZDT9X0dl9RpIUfn8EYKtIrUWqoeYK1F&#xA;a7Ksv/Jv839H/MewvZVsW0rzDphSDWNOloXQ1fgVchWZOQfZgCpqCO5VejYq7FXYq7FXYq7FXYq7&#xA;FXYq+df+cNP/ACWGqf8Abbn/AOoS1zD1H1N2Pk95zHbGiqkgkAlTUHwNKfxxS+UPzkutEufzA1KT&#xA;SkdOLCO+5rwU3UfwylFNDTYVr1apzV5iOI0+jdiQyR00RP4f1ejGNK1RrOQq9Wgf7Sjsf5hkYTpe&#xA;1ezBqY2Nsg5H9BZRDNFNGJImDoejDMoEF4TNgnilwzFFif5pf8olL/xmi/4lmVo/rcXN9L7D/Kv/&#xA;AMlh5Q/7Ymnf9QkebZwykHm1PzQ0f8w18xeWdIh8w6BeaZBYajpf1uO0uVnt7i4lSaJp6RfZuaHf&#xA;f2oDirH/ADj5I89/mxe6Rp3mfSI/K/k3TLpb+8tXuoru/u5kVkRF+r8ook4uwJ5k71xV7DdzSW1o&#xA;8kFs908Y/d2sJjV27UUytGg+lhirx7/nGDyX5z8keT7/AEHzPo0thcz6lLexTie0miMb28MYH7ma&#xA;R+XKE/s4qzXzNqX5haV5piutG0L/ABB5euLRIrq2huoLa5guY5Xb1Y1uWjidWRwGHMHb23VY/pvk&#xA;zzH5j/NnTvzB1/SU0CDQbGSz0ywaaK4vJpZxIjyTvbs8KIkcrBUDtua1xVGf85AeXvMnmb8r9V8u&#xA;eXtNk1HUtSNuIwstvCiCC6hnYu08kXVYzTjXFU9/LC11iw8haBpGr6bLpt/pWnWllcRyyW8oaS3h&#xA;WJijQSSgiqV3p1xV5z+fXlHz/r/nbyHq/lny9JqsHlO+a/umN1Z26y1mtZljT1plf/j3YElcVZ/p&#xA;3mfz3qGr6fay+TrrRtPeR21HULy70+ZUjWJyqpHbXE0jM8vBelAN8VSnyzpHmVvzd8z+YNU0S4tN&#xA;Jv7KxsNKuZJbSRSluJHnMkcVxI68pHAX4DXvTFWOflr+Q0vlP8ytZ1R5eflS3ma78q6dyDJFc3iB&#xA;LiUx/stCiekh7qcVdZ+TPO2hf85H635ztNElvfK+uWEdrNPBPaKVlWKD4/Rlmhf7dvStD9onFWXX&#xA;ut/mbpHmnWI4/K7+YfLtzJFNpNzZ3tpDNCBbRRywyxXckAoZkd1Kt3xVB/lr5C1ew84eavPWu28O&#xA;nap5nkhWLSbdxKttb26BAZJFCq8spHJ+OwPc1xV6RirsVdirsVdirsVdirsVdir51/5w0/8AJYap&#xA;/wBtuf8A6hLXMPUfU3Y+T3nMdsQGoa9omnT29vf30FrcXTrHbQyyKryO7cVCKTU1O2WwwzkCYgkB&#xA;hLJGJomrQd15K8p3eoXWo3WlW897ex+jczyIGZkC8e+wPHao3zGOKJNkOdDXZoxEYzIjE2Hyf5k0&#xA;uzj81alp2hRTzWkFxLHbRspaXhETy2ArQUPUVp1zWGO5p9G0+c+DGWUgSIHuspTBc3Fu/OFzG3en&#xA;eniO+AGm7Pp8eWNTAkEr896vd3Plp4JuLD1IzzpRtj7Gn4ZsNBMnJReT7d7Jw4cByQsGx12/Hxfb&#xA;v5V/+Sw8of8AbE07/qEjzePFFlOKuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV&#xA;2KuxV2KuxV86/wDOGn/ksNU/7bc//UJa5h6j6m7Hye85jtj5B/OE2S/mVrEun3KTwvKkglicOFkM&#xA;amReQJ3WSvyztuzb8CIkKeW19eMSCzGx/wCcmfMNvaWsM+k29zJDGqTztI6tKyinPYUUnqeuYM+w&#xA;4EkiRDlR7XkALDBvzG8+t5y1tNSXT49NVIkQxxkO7utfjkkCoXO9FqNhmZoezoaeyN5Hr+hp1naW&#xA;TOBAkiEeUb2vvZjpf5M+bNeg8vanNJHLYX8UL3tz6oNwkUjGQu4YDkwjYKtGY9K0zi+1cHFqZcIA&#xA;jfT7ftfRewO2oYNCIzMjkAJF7+4Wln/ORn5QaL5T8irq+k3F1KGvIYJobgo6qrh25hkRKfEoXfxy&#xA;OlwCGQENGt7ZyanBKExEcjt7w+kPyr/8lh5Q/wC2Jp3/AFCR5tnnCxj88Pzoi/LzTrSz061Gpeat&#xA;YPDSrA1KD4gvqyhSGK8moqjdjtUbnFXaF+WHnPUrGO988+dNYfV5xzmsNGuf0bZ25bf0k+rKkknD&#xA;pyL7+GKpJ5+/Lfz15b0afzB5N89a4X04fWbvTNUufr8UluhDS+m8ysyssYLDlyrSm2Kva8VdirsV&#xA;dirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVfHH5K/mFceTPyPvZrD021W98wzR2qyg&#xA;soSO0tGlYgUqKUXr+1lul0Yz5al9IH9jRqtUcWOx9RKa+aP+cgPNGu+XW0lLaLTZ5zS7vLV3BeKm&#xA;8aK1SnLueZ22za4Ox8eOfFfF3AutzdpznDhqnmkUApyfv0X+uYHavb/gyOPFRkOZ6D9r1Hs97HnU&#xA;wGbOTHGeURzkO/yH2nyVQqAEBVofYE/ed85qXbOqJvjP2Pcx9l+z4x4fCj9pPzu1jwIw+H4W/A5t&#xA;tB7RzEhHNvH+d1H4/FvOdsew+MxM9L6ZD+AmwfcTuD7yR7no/wCT/wCbcnlK4k0vWZJJNAkDsigF&#xA;3gmAJ+AdeLnYr47+Ob3tHs8ZwJwri+8PBaLWHCTCd19xX/n5+cXlzzh+Xt/pGm29zC8c1vOs1yEQ&#xA;OElClVVWc/t1zUz7MyYQJSI+Ds8WvhlJiL5Poj8q/wDyWHlD/tiad/1CR5BtL5u8+3Bv/wDnMzSL&#xA;bURW1srrTYrMP9mgt0uEpX/l4kP04q+usVaIBFDuD1GKvMPzU/MTW7LzT5d/L3yq6QeZvMzGR9Rk&#xA;QSrZWUfIyTLEdncrE/Hl8PwmuKprc/lSs9sKebPMkeohaDUE1OZfiofiNsKWp3PT0sVYX+Vv5k+d&#xA;NP8AzL1L8qfPk6alqVtGZ9F1xEETXMKp6gEqr8JJiPIECoKsGJ64qk/mP86/M/kT84/M41e3n1H8&#xA;vFudPtZpU+NtOnm0+CTkgFSEkqzFOjGpX4qgqvYvMF1puv8AkS91DTNQka0nsZrix1HTrmSFq+i/&#xA;F0lgZDsex79Rtirz6383eYPLf/OMsHm2ykn1PXhpNvdtPezS3bmacokkzGZnNIw5k49NsVVfI9jo&#xA;/nfybZavoHnbVbvzAkcMt7cDUp1CXNFd4LmwRhBGjMrLQRV4/ZJGKorzz588wal+Zenflf5Uuf0b&#xA;dzW5v9f1wIkstraAEiO3SQMnqybfEynjyFB4Kpxqn5TyT2kh07zd5isNVKn0b46lPOgfqC9rITbs&#xA;teoVF9qYqxj8kvzR806t5j1/8u/PHpyeafLvJhfwKI1urdHWMyFV4gNWRGBUCqsNgQaqsa0qz1HW&#xA;v+cmfN/k+58wa7F5fsNLjvLOzt9Xv4hHM8diSVZZq0rcOaHbfFU5/KrV/PVl+avnj8ur3WLjWtI0&#xA;i2juNN1i9P1ie3kuFjeGKSQ8WkJSY1qesZpSuKqX52eTpvJv5R6vrmkeZ/Mn6Y09bQRXk2tag9TL&#xA;dwwuzR+sI/iSRv2cVT3yT+Xh1n8v/LesnzL5ii1m+0ywv5Lg6zfyRtcSQRzNzheVozGzn4lp02FM&#xA;VY//AM5AX+sad+Zf5X22m6tqVha6/qv1XVra0vrqCKaFbmzjCmOORUX4ZnBKgVrirJv+cj5b3Sfy&#xA;d1fVdK1C+0/UdNFoLS6tby5hkAkvIYW5tHIvqVRyKvXFWUflR6z/AJa+WLu4uLi7u77S7K7urm6n&#xA;luJXmnto3kYvMztuxrQGmKsJsDej/nJi80U6lqLaPF5bXU49Oe/vGtxdC8ii9T0mlKH4CRxI4+2K&#xA;oX8/fzcvPIHm/wAivDK/6PknuZddtkJo9n+6hqyjqV9RnT/KXFXsFzrGmW2kSaxNcoumQ25u3u61&#xA;jECp6hkqP2eG+KvJf+cd/wAz9U8+XnnafUGkQQanHNY2cvW2tJ4jHDEFJ+Ha3JbsWJPc4qwz/nFD&#xA;QdH138oNY0/VrWO7tJNbn5RyDofqlrRlI3Vh2INcx55pY5iUTRZ+HGcakLDyTU7a1j1y9t7RWW0i&#xA;uJlgSQ1YRI7cQxHU8RnU6zUyxaaWT+IR+0/tdN2Xo46jWwxfwyn/ALEbn7GWflb5Oh82+bodPuiR&#xA;Ywo11ehTRmijKjgDsRyZ1Wo7Z5tihxy3fae1dZ+VwcUef0x/Hk+p7Py/oVlYiwtdPt4bMLxMCxIE&#xA;I/yhT4vpzZDHECqfPZ6nJKXFKRMu+3g357/l3pegyWuu6PCLazvZDBdWqCkaTcS6NGP2Q6q1V6Cm&#xA;2YOoxCO45PY+z/aU8wOOZuURYPk8buFHIMB1G/zGdr7O6g5NPwn+A18HgfbbRRw63ijyyR4vjyP3&#xA;X8WX/mR+VFlon5Kx+a57trnUL9rKW3iQcIoormj0Nfid+JG+w9u+U63tE5JnEBUQfudfo9EIR8Qm&#xA;yR976m/Kv/yWHlD/ALYmnf8AUJHmI5heIf8AOUv5ZeY013TfzQ8qxPNeaV6LalHEC0kbWr+pBdKg&#xA;3YL0enQAHpUhV6z+U/5y+VPzE0aGayuY7fW1QfX9HdwJo5AKsUU0Mkfg4+mhxVkHnfzlpXlPQZtT&#xA;vpYxMR6en2jtxe5uX+GKGMAMxLuQDQGg3O2KvEvzwFx5K/PPyX+Z1xE7+XkjGm6jOoLiAsJomYge&#xA;MNyWXxKnFX0LZXtnfWkV5ZTx3NpOokguIWDxujbhlZSQQfbFXhOlab/i7/nKm58z6YPV0XyhYfUr&#xA;m/XeKS9khkiMKMNmZBcNy8OPyqqyDyhp+leY/wAx/wA4NK1W2S5sLubSra6tX3DINP8ATrtQgnhU&#xA;Ebg9DUYq811yw83/AJAz6nBbLNrX5Va6ssSrXlNp886FVrWgBqaV+zIPBsVe0/l3e6Lp/wCVHkSz&#xA;1Dgtvq+l6dZRxygGOSW4sRIY2DbH1OLCncmmKvHPze/Ke0/K7U9L8/8A5cXMumajLqMFmdAVyYrl&#xA;rhifSiqeXF+NGiNVp0pTFUx84T/8q9/5yis/OOsAxeWvNdqti+pN/dQyiFIOLtSi0aCNmr+yxPY4&#xA;q+jY54ZIVnjkV4HUOkqkFSpFQwYbUp3xV4P+VWlN5k/5yB88fmNZrXy6iLpOn3Y/u7meKOCGV4mG&#xA;zov1U7jb4hiqS2Wk6vqn/OXXniDStauNBuk0eCT65bRW87Mog05fTZLqOZOJLBthXbriqffkj5qf&#xA;yz5r1v8ALfzoEg85zXcl7DrT1H6YSUkpJzcmrhBRFFBxHEAFWxVkX/OUf/kifM3/AEY/91C3xVlX&#xA;5T/+Ss8m/wDbD03/AKhI8VeVf85Hf+TT/Jf/ALbh/wCovT8VZv8A85HaVeap+Snmi1s4zLOsENxw&#xA;UEnha3MVxIaDwSJjiqY/kjrFhqv5S+U57KVZUt9LtbObiQSs1rCsEqNToQ6HFWN+Xok1T/nJTzLr&#xA;Fk/rWej6Bb6PeSrui3c1wtx6XIbFkSP4h2OxxVCeavK+n+f/AM1vNXl6+/3ktPKtvp4f7XpXF7dt&#xA;dJMFr9pTbxMNv2cVYD+WeqeavNGi235IazBLDcaBfNH5mujXidFs3V47cPt8U0pWJaf7qFcVZL+W&#xA;PDRP+coPzD0FVEUOo2kOoQqo4oSBDJRen/LU3TwOKsC/5x7/ADR0byR+VF8LqGW71C61m5a0tYxx&#xA;Vgtpagl5SOKip7VPtksWglnnsaiObVm1kcMd9yWBTXZn1Ca6ICGeR3I6hfUJr91c6DXabxNPLGOf&#xA;Dt7xydZ2TrRg1mPMeQnv7jz+xmf5V+cYPKfm+HULsH6jPG1relRVljkKtyA/yXRSfbPNcU+CVvtf&#xA;a2jOpwGMfq5j8e59U2etaPe2Iv7S9gmsqBvrKSKYwD4tWg+nNkJgi7fO54JxlwyiRLup4D+fP5ga&#xA;ZrtxaaJpE4ubSwdpbq4jNYnmI4qEYbMEUt8Q23zB1GUSNDkHs/Z/s6eEHJMVKXIda/a8duGqwUGo&#xA;A3HgTna+zmnMNPxH+M38HgvbbWxzazgibGOPCf63M/oHves/m/5m0DV/+cb7S10y8WebTjpltdQH&#xA;4ZY3iURnkh3oSux6HNbqcE4ZyZD6iSGjTZYSxARPIB75+Vf/AJLDyh/2xNO/6hI8LIspxVg+v/kl&#xA;+VOvXbXupeWrRrx25vc2/O0lZ615F7ZomLe9a4qoaR+Q35S6TqUGp2nl6Nr+2dZbe4uZ7m7ZHQhk&#xA;ZfrMsoBUio8MVZvf6fYajZzWOoW0V3ZXC8J7adFkjdT2ZGBUj54qwy1/JD8s7MsLPS5bWByS9pBf&#xA;X8Vq1a15WyTrCRv0KYqy7StG0nSNOi03SrSKwsIV4xW1sgiRR7BKUPviqT6L+XXlPRdev9e023uI&#xA;dW1Qo2o3DXt7L65jBCeokszxtwDELVdu2Kp5qWm6fqdhPp+o28d3Y3SGK4tplDxujbFWU7EYqk+p&#xA;+QPJ+qeV7XytqGmR3Og2McMVnZOzkRLbJ6cPF+XqAouwblX3xVB6P+VPkTSdSt9TttPkmv7Ov1O4&#xA;vru7v2gqKfufrcs/pmn8tMVT/WtD0bXNOl03WLKHULCYUltrhFkQ+BowO47HqMVYnbfkj+WltEbe&#xA;HS5VsmrXTzfX7WdD1H1VpzBT24YqzOysrKxtYrOyt47W0gUJDbwoscaKOiqigKo+WKsXsvyo8jWX&#xA;mqfzZbWdxH5iul4XOo/X79pJEAUcHDTlWWka7EU2GKovzf8Alz5L84NaP5h0xLyexYPZ3SvLBcRM&#xA;CG/dzwPFKvxAGgbrirfmL8v/ACt5k0BdA1yC4vtJWnK3kvbwF+Lh19WRZhJLxZQRzY0xVHeXPLOj&#xA;+XNMh0vSI5YbC3RYreCW4uLgRxpsqoZ5JSoAPQYqlPmn8rfJHmnVrHV9dsprvUNMcSafMLy8hEDg&#xA;q3KJIZo0U1jU1A6jFWTRW0UVuLccniA40lZpWIP8zSFmb6TirCh+SP5ZJczXNrpD6e9weU8en3l7&#xA;YxOf8qG1mhiP/A4qyjy/5c0Ly7pqaZodjDp9ihLCCBQoLN9p2PVmPdjviqA0nyH5Z0nX77X7GG4T&#xA;VtT9P9IXEl7eTCb0UKRc45ZnjPpqxC/Dt2xVMLPy/otlq+oaxa2ccOp6qIRqN2oo8wt1KRcz/kKa&#xA;DFUmvPyw8k3fm7/GEljKnmQoIjqMF3d27lAnphSsMsaEcRTdcVfOX/OO/wCXGled/wApJ7e+mktm&#xA;svMFzJHPCFL8XsrUOnxVA5UU/Rjj1stPMkC7DDLpY5ogHoU9/M/8hodE0RNU8r/WLtLQMdRgmZZJ&#xA;TH19VOCp9n9oAdN+xzZ6Dtc5J8OShfL9TrtZ2aIR4oWa5vHIphTi/wBDf1zF7V7A8WRyYtpHmO/3&#xA;eb0vs97Yfl4DDqAZYx9MhzA7j3j7R5qoZCvLktPmK/d1znD2Nqga4D9n38nuI+1HZ5jxeLH7b+VW&#xA;sedR9j4j49vxzcdn+zkuISz7D+b+s/qeX7Z9uIcJhpbMj/Gdq9w5376rzZn+Xv5ReYPOkFzeRyCw&#xA;sYgRDdzozLNNX7C0INB+029OmdDq+0MenqNWe4dA8Dp9HPPcifiepQv5oflBrHlD8vdZ1PWJYZJP&#xA;XtLayNuxdGV5eUjnkEYEcFA27nNZrO0o5hGML7zbsdJoZYiZS+D6p/Kv/wAlh5Q/7Ymnf9QkeYbm&#xA;FlOKuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV86/wDOGn/ksNU/&#xA;7bc//UJa5h6j6m7Hye63Mxht5ZgjSmNGcRoKs3EV4qO5PbKYizTMmg+NNH8sa75q85nSVga31C7u&#xA;He8EiFfQBYtK7qeJASvT6O+dzlzww4uK7iBt5vJwwyy5OHkSfk9Lk/5xf1YT0j16BoN/jaB1f2+A&#xA;Mw/4bNUO3o19Jv3uw/kc/wA77Hk+q6PdeW/M8um6nCJJdOuAs0RFVkRWDAivVZEoR7HNxjyDLj4o&#xA;/wAQdZPGcc6l0L7Wso7SO0hSzRI7RUUW8cahECU+EKoAAFM4ORNm+b18QK25PIf+csv/ACT91/zG&#xA;2v8AxM5Zg+pE+T0z8q//ACWHlD/tiad/1CR5nOOWU4q7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FX&#xA;Yq7FXYq7FXYq7FXYq7FXYq7FXyD5H/Lj/nLDyRpMuk+XLW1tbGedrqSN5dPlJldEjLcpGY/ZiXbK&#xA;5YxI7s4ypkX1b/nNfws/v0vI+BHuZcZUv0Z/zmb9Z+tehYfWuHp+vx0r1OFa8OXXjXemHwhVb0ji&#xA;3vZV+rf85r+Fn9+l4PAj3J4yl0nlT/nLmXVv0vLp2lyaoEWMXjx6S0oVCStGIqKV6jLBYjw2eHut&#xA;rIjxcVC0x+rf85r+Fn9+l5X4Ee5s4ykfnHyH/wA5becdEfRdftrW5055ElaJZNOiPOM1U8oyrYY4&#xA;gDYQZW+m/IelXuj+R/Luk3yhL3TtMs7S6RSGCywW6RuAw2NGU7jLWsp7irsVdirsVdirsVdirsVd&#xA;irsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVf/9k=</xapGImg:image>
+ </rdf:li>
+ </rdf:Alt>
+ </xap:Thumbnails>
+ </rdf:Description>
+
+ <rdf:Description rdf:about='uuid:8aa76b3d-2474-11d9-a8a3-000393cd9a96'
+ xmlns:xapMM='http://ns.adobe.com/xap/1.0/mm/'>
+ <xapMM:DocumentID>uuid:c63b31d6-45fe-11d8-8e7c-000393cd9a96</xapMM:DocumentID>
+ </rdf:Description>
+
+ <rdf:Description rdf:about='uuid:8aa76b3d-2474-11d9-a8a3-000393cd9a96'
+ xmlns:dc='http://purl.org/dc/elements/1.1/'>
+ <dc:format>application/postscript</dc:format>
+ </rdf:Description>
+
+</rdf:RDF>
+</x:xmpmeta>
+ <?xpacket end='w'?>
+% &&end XMP packet marker&&
+[{ai_metadata_stream_123}
+<</Type /Metadata /Subtype /XML>>
+/PUT AI11_PDFMark5
+[/Document
+1 dict begin /Metadata {ai_metadata_stream_123} def
+currentdict end /BDC AI11_PDFMark5
+Adobe_AGM_Utils begin
+Adobe_AGM_Core/page_setup get exec
+Adobe_CoolType_Core/page_setup get exec
+Adobe_AGM_Image/page_setup get exec
+%%EndPageSetup
+Adobe_AGM_Core/AGMCORE_save save ddf
+1 -1 scale 0 -148.752 translate
+[1 0 0 1 0 0 ] concat
+% page clip
+gsave
+newpath
+gsave % PSGState
+0 0 mo
+0 148.752 li
+254.868 148.752 li
+254.868 0 li
+clp
+[1 0 0 1 0 0 ] concat
+54.9161 147.252 mo
+1.5 147.252 li
+1.5 1.5 li
+54.9161 1.5 li
+54.9161 147.252 li
+false sop
+/0
+<<
+/Name (PANTONE 7506 C)
+/0
+[/DeviceCMYK] add_csa
+/CSA /0
+/TintMethod /Subtractive
+/TintProc null
+/MappedCSA null
+/NComponents 4
+/Components [ 0 0.05 0.15 0 ]
+>>
+add_csd
+1 /0 get_csd
+sepcs
+1 sep
+f
+7.82032 17.3956 mo
+12.9034 12.8946 20.6797 13.3624 25.1856 18.4405 cv
+29.4395 23.2481 29.1768 31.1573 24.5225 35.4014 cv
+19.4395 39.9131 11.2784 39.8477 6.76954 34.7637 cv
+2.26661 29.6758 2.73926 21.9004 7.82032 17.3956 cv
+cp
+11.7549 43.3096 mo
+12.2579 48.5938 li
+16.7979 48.8663 li
+17.9268 43.7178 li
+20.3682 43.4747 22.7608 42.7344 24.8936 41.4756 cv
+28.8946 44.7803 li
+32.2999 41.7657 li
+29.4512 37.3243 li
+30.8975 35.3721 31.9356 33.1631 32.5196 30.8428 cv
+37.9678 30.3233 li
+38.2413 25.7842 li
+33.0137 24.6417 li
+32.794 22.21 32.0909 19.837 30.8458 17.6924 cv
+34.1573 13.6866 li
+31.1416 10.2813 li
+26.8135 13.0518 li
+24.8252 11.46 22.5674 10.3506 20.1846 9.75684 cv
+19.6973 4.61329 li
+15.1592 4.34083 li
+14.0616 9.35645 li
+11.6202 9.62598 9.22754 10.4092 7.04786 11.7168 cv
+3.06153 8.42383 li
+2 9.36426 li
+2 15.0967 li
+2.42969 15.7667 li
+2.27442 15.96 2.14551 16.167 2 16.3663 cv
+2 42.168 li
+5.16114 40.1416 li
+7.12208 41.6631 9.37012 42.7315 11.7549 43.3096 cv
+/1
+<<
+/Name (PANTONE 301 C)
+/CSA /0
+/TintMethod /Subtractive
+/TintProc null
+/MappedCSA null
+/NComponents 4
+/Components [ 1 0.45 0 0.18 ]
+>>
+add_csd
+1 /1 get_csd
+sepcs
+1 sep
+f
+19.8682 23.167 mo
+21.6221 25.1495 21.9336 28.1055 19.6426 30.2452 cv
+17.7315 32.5264 13.9385 32.1124 12.1084 30.046 cv
+10.2051 27.9034 10.4053 24.626 12.5489 22.7256 cv
+14.6924 20.8213 17.9698 21.0293 19.8682 23.167 cv
+cp
+24.5225 35.4014 mo
+29.1768 31.1573 29.4395 23.2481 25.1856 18.4405 cv
+20.6797 13.3624 12.9034 12.8946 7.82032 17.3956 cv
+2.73926 21.9004 2.26661 29.6758 6.76954 34.7637 cv
+11.2784 39.8477 19.4395 39.9131 24.5225 35.4014 cv
+/2
+<<
+/Name (PANTONE 871 C)
+/CSA /0
+/TintMethod /Subtractive
+/TintProc null
+/MappedCSA null
+/NComponents 4
+/Components [ 0.3569 0.3608 0.6353 0.1882 ]
+>>
+add_csd
+1 /2 get_csd
+sepcs
+1 sep
+f
+42.0054 124.904 mo
+38.6949 132.106 29.9537 135.87 22.7505 132.561 cv
+15.5523 129.245 12.4058 120.72 15.7144 113.527 cv
+19.0259 106.334 27.5503 103.179 34.7427 106.488 cv
+41.5435 109.62 44.98 118.187 42.0054 124.904 cv
+cp
+52.1324 108.189 mo
+46.0132 109.425 li
+44.6382 106.935 42.775 104.731 40.4371 103.029 cv
+42.0914 97.1954 li
+37.271 94.9756 li
+33.9527 99.9629 li
+31.0816 99.1973 28.1519 99.0762 25.3277 99.5635 cv
+22.3921 94.2989 li
+17.4175 96.1416 li
+18.6011 102.011 li
+16.1207 103.443 13.9351 105.404 12.2232 107.825 cv
+6.41944 106.179 li
+4.2046 111.001 li
+9.19288 114.318 li
+8.42237 117.192 8.30616 120.126 8.78467 122.94 cv
+3.52295 125.882 li
+5.36475 130.86 li
+11.2349 129.672 li
+12.6656 132.151 14.6226 134.34 17.0562 136.049 cv
+15.4068 141.854 li
+20.23 144.069 li
+23.5582 139.057 li
+26.3648 139.764 29.271 139.844 32.0865 139.344 cv
+35.1089 144.747 li
+40.0816 142.907 li
+38.8687 136.883 li
+41.3609 135.473 43.5679 133.563 45.2554 131.213 cv
+51.0806 132.864 li
+53.2984 128.045 li
+48.1685 124.64 li
+48.7964 121.878 48.8687 119.031 48.4048 116.281 cv
+53.9722 113.169 li
+52.1324 108.189 li
+1 /1 get_csd
+sepcs
+1 sep
+f
+25.3804 126.851 mo
+21.3306 124.99 19.5601 120.199 21.4234 116.152 cv
+23.2847 112.103 28.0757 110.342 32.1226 112.198 cv
+35.8609 113.921 38.1509 117.934 36.23 122.414 cv
+34.9371 126.865 29.2769 128.645 25.3804 126.851 cv
+cp
+34.7427 106.488 mo
+27.5503 103.179 19.0259 106.334 15.7144 113.527 cv
+12.4058 120.72 15.5523 129.245 22.7505 132.561 cv
+29.9537 135.87 38.6949 132.106 42.0054 124.904 cv
+44.98 118.187 41.5435 109.62 34.7427 106.488 cv
+/3
+<<
+/Name (PANTONE 1805 C)
+/CSA /0
+/TintMethod /Subtractive
+/TintProc null
+/MappedCSA null
+/NComponents 4
+/Components [ 0 0.91 1 0.23 ]
+>>
+add_csd
+1 /3 get_csd
+sepcs
+1 sep
+f
+51.919 34.2159 mo
+50.1553 34.3702 48.4336 34.6612 46.7647 35.085 cv
+45.0293 31.7598 li
+41.462 32.9639 li
+42.0958 36.6563 li
+40.4815 37.3428 38.9317 38.1573 37.4639 39.085 cv
+34.7881 36.46 li
+31.7666 38.7081 li
+33.5157 42.0323 li
+32.1993 43.1778 30.9776 44.4268 29.8624 45.7686 cv
+26.5 44.0938 li
+24.3194 47.1651 li
+27.0049 49.7813 li
+26.1094 51.2696 25.3331 52.837 24.6817 54.4659 cv
+20.9756 53.917 li
+19.8526 57.5108 li
+23.2159 59.169 li
+22.8292 60.8477 22.5831 62.5772 22.4659 64.3418 cv
+18.7579 64.9659 li
+18.7999 68.7315 li
+22.5225 69.2696 li
+22.6778 71.0323 22.9639 72.7549 23.3868 74.4249 cv
+20.0635 76.1573 li
+21.2667 79.7266 li
+24.959 79.0928 li
+25.6456 80.709 26.46 82.2569 27.3887 83.7256 cv
+24.7627 86.4004 li
+27.0127 89.4219 li
+30.336 87.6729 li
+31.4795 88.9883 32.7305 90.21 34.0713 91.3243 cv
+32.3975 94.6895 li
+35.4698 96.8663 li
+38.085 94.1827 li
+39.5743 95.0782 41.1387 95.8555 42.7725 96.5069 cv
+42.2208 100.211 li
+45.8155 101.335 li
+47.4737 97.9708 li
+49.1524 98.3584 50.8799 98.6104 52.6456 98.7227 cv
+53.2696 102.43 li
+54.8282 102.401 li
+54.8282 90.2071 li
+50.5508 90.4063 47.168 89.4581 43.1543 87.2188 cv
+31.6788 80.8194 27.5655 66.3292 33.9717 54.8516 cv
+38.3282 47.044 45.9112 42.2872 54.8282 42.667 cv
+54.8282 30.4581 li
+52.4581 30.4971 li
+51.919 34.2159 li
+1 /3 get_csd
+sepcs
+1 sep
+f
+33.9717 54.8516 mo
+27.5655 66.3292 31.6788 80.8194 43.1543 87.2188 cv
+47.168 89.4581 50.5508 90.4063 54.8282 90.2071 cv
+54.8282 73.5127 li
+54.4903 73.5616 55.1485 73.5948 54.7969 73.5948 cv
+50.8213 73.5948 47.5987 70.3731 47.5987 66.3975 cv
+47.5987 62.419 50.8213 59.1944 54.7969 59.1944 cv
+55.1485 59.1944 54.4903 59.2286 54.8282 59.2764 cv
+54.8282 42.667 li
+45.9112 42.2872 38.3282 47.044 33.9717 54.8516 cv
+1 /2 get_csd
+sepcs
+1 sep
+f
+3 lw
+0 lc
+0 lj
+4 ml
+[] 0 dsh
+true sadj
+54.9161 147.252 mo
+1.5 147.252 li
+1.5 1.5 li
+54.9161 1.5 li
+54.9161 147.252 li
+cp
+0.99 0.99 0.99 1 cmyk
+@
+0 0 0 1 cmyk
+%ADOBeginSubsetFont: TrajanPro-Bold Initial
+%ADOt1write: (1.0.21)
+13 dict dup begin
+/FontType 1 def
+/FontName /TrajanPro-Bold def
+/FontInfo 7 dict dup begin
+/Notice (Copyright 2000 Adobe Systems Incorporated. All Rights Reserved.Trajan is either a registered trademark or a trademark of Adobe Systems Incorporated in the United States and/or other countries.) def
+/Weight (Bold) def
+/ItalicAngle 0 def
+/FSType 8 def
+end def
+/PaintType 0 def
+/FontMatrix [0.001 0 0 0.001 0 0] def
+/Encoding 256 array
+0 1 255 {1 index exch /.notdef put} for
+dup 67 /C put
+dup 73 /I put
+dup 83 /S put
+dup 127 /Nsmall put
+dup 128 /Tsmall put
+dup 129 /Esmall put
+dup 130 /Rsmall put
+dup 131 /Ysmall put
+dup 132 /Ssmall put
+dup 133 /Msmall put
+dup 134 /Osmall put
+dup 135 /Ismall put
+dup 136 /Usmall put
+def
+/UniqueID 45714 def
+/FontBBox {-248 -284 1528 985} def
+end
+systemdict begin
+dup /Private
+15 dict dup begin
+/|- {def} def
+/| {put} def
+/BlueValues [-17 0 750 775 638 660] def
+/OtherBlues [301 305 405 408 -261 -256 -222 -209] def
+/FamilyBlues [-17 0 750 767 638 656] def
+/FamilyOtherBlues [301 305 405 408 -273 -255 -214 -209 -252 -239] def
+/StdHW [47] def
+/StdVW [118] def
+/StemSnapH [47 55] def
+/StemSnapV [118 126] def
+/ForceBold true def
+/password 5839 def
+/MinFeature {16 16} def
+/OtherSubrs[{}{}{}{systemdict/internaldict known not{pop 3}{1183615869
+systemdict/internaldict get exec dup/startlock known{/startlock get exec}{dup
+/strtlck known{/strtlck get exec}{pop 3}ifelse}ifelse}ifelse}executeonly]def
+/Subrs 5 array
+dup 0 <1C60D8A8CC31FE2BF6E07AA3E541E2> |
+dup 1 <1C60D8A8C9C3D06D9E> |
+dup 2 <1C60D8A8C9C202D79A> |
+dup 3 <1C60D8A849> |
+dup 4 <1C60D8A8CC3674F41144B13B77> |
+def
+put
+dup /CharStrings
+14 dict dup begin
+/C <1C60D8A8C9B6D5A0DEDEC57B918D61DDFA401F5A49FEA3B89C6864173301
+6BDC674395116B42D2387AF24DF2F1DC60C61A5B6585CC0DA86F050A110B506B
+B65171C092F0636620BAA275DBDEA04B3E655EC58BDFB8B9B535650BF4DE0E82
+1C2ADFD8C9F649E0C395722C228833505318AA21D61F3D55D035246FCF9BC983
+692D83F8C9AF492468B91F4CB872C7D1953185BF38A8E7A5B72C7F51E36572D3
+718D9C26EEF5DDFAB02F3E79248875F4CA6CC06F7C289C017B388B2CFE4B85A5
+1B0090> |-
+/I <1C60D8A8C9B77771C05B04C6A1CDBDED73825D1016AD1A9F739BE3AE28A3
+2F89A16FA0ADB365C478020BF11BB9ADC332932373DC2832A2FD54E961E2B084
+4B0EB81447C317CA2A36F9297140F653C6CF38B651D9BF313FA9254650245A3A
+6E604D8E9EFFEAAF12423E3B4CFD19A9AFAFF5FC58BD3FF4189B6F8AF938C510
+BD91FB49103F7E5C2AE8440096A8B2CFB59E1B448BD934D6C96663C7ECAD3789
+1B4FEEBF9172B6A7CCC0965D9AA12297E39BBF30EB7B8F6243DD70D9185FBD81
+8CFC74B60F41E69C4533165A53D5C2FC5A9B44BA5F12F31CB79A71FA4F70F551
+E84E63E5837361F7B7736F91> |-
+/S <1C60D8A8C9B7F51B95A0DFD92CF0B9552EA2D8DB80CD668D35E3A70F4576
+D4238E8EEA2F046EF8BC16C7785D1607E04A62100A5AFF084F37B544AFC2004C
+0BC4AE1356D2B0EC8700AB99117F620401AEDDDFA69D53F0F4E5314303A9C779
+D85053ADE7DEA169C445735EBAC333F65F31A077498B479248885315A58C9DAE
+7AD6ABA3F9562E1A36EA3EA3274E191D557F04A6CB9FA3B240660C95B31FD1EC
+ACE3874E2F240022DE09CA2256274ED580EE94FBAA5793BD5F9D37682BE7C541
+ACC5EE4D95FB35149493D2CCA9BEA729ABD0DCEC9C95E902EA9DD124CA919CBA
+F3364C7699DDBE268B46D54393CC359D98EA67700B83CEF348489F1F90A16D> |-
+/Nsmall <1C60D8A8C9B6BC88BD85FE8659C453EEEB8E1BD03325A00213B3F3D
+4D450DC128DD37CC24C857B6D60D557A08CD43D812DF35B5BD6760576A63576C
+506A238602F1E6EA5D2CF18DAD28B193AFC0FA899C7F243B47EAB7B8460C0CB0
+4242476B1602C4D8E3342E27EB421C00D297126C6E43889F0137C7A1C441FC72
+2BE08EFEBABED7A59A7395971A284A820995BDAAE7D9478AB8745D9C9402C363
+B7514AFE9E3D0AF6A39663E1D555B5F7BDA2CE94F32DDC1E19216692DC849907
+7A3E6206E838004DD8DB4A986C8F31EDCAB6E6B82F722A0EF26221ADD2189144
+83D5E5F90B6CEB939F64EF523B4531C4C0B4ED4F521923EBA94C1FE7AE3B2648
+AB7B1D48BCD570F1DED35E03DBB412CF55B5989A09E378971DDF42BBC4FD1669
+7B92AE130992922E13408AB712F27D256F7305A6C6B07A0AD7C13FE23EFB63CE
+65111A1A787D3875B8B8D9507C694904CE3BA8114CCE10FF99A55> |-
+/Tsmall <1C60D8A8C9B66C0E1D18F4614EAB544F0CEC538C8C01A016933AA12
+429EBE5390D596C5F67CFF90C2108DEC0E3557EFE47A84AD0A504C83D7E8F287
+5DCBB9233950E37680119C5422B9BA74EB5E3A2AE4E2F090670CEE3CC015972E
+6CE8DF50DCD73A5ECEE824E6627364F3B83B1B73833AA7E396445D318F119C4C
+5EA2429D5B49B0EDBDDF4808A5790BF8CDC63B184CD3A9CE7C22C4D23ACC081C
+FF7BCA42342880880724EDF5A0F6F9059ADD736C441B65FC95D81D78B14BCAE7
+32E0959A4FEDBBA605D7DB559BC1CFFED39160EF11111F189C967E86115A679A
+21BB269B7452490D7C600719A2B02BE0A92DC8D7E101DFFE6011D579AD666FD2
+6352E7C3F88546D427880A3ED55A53668B9B911F227F478005846196CB2A821D
+9436A361DD997E24624546B193AD16A013BF60C83D456FEFAB524A4C3C4DAF51
+640204EE51B9A6B98D186E77DE45F4BD3696405A93E6DE14A3A251AC1EF6440B
+3F074B20C4913F3447DE56969C6BBDB2354148031166D8E9781263F94442062C
+991765ADD918972AAE466DE6B9C6E0991428CD75BCCEE> |-
+/Esmall <1C60D8A8C9B7FBE1B006E95A68A3EFE857D335EDE0BE9AEA4BE7F95
+2FA0109C6CB803A7F2B985E7BDE818880C9FD186C7136A63CCA57CEDB6AF2828
+DE38E8685BB8771E2988A810F73E0345E8908310C31FD0F7C222F54500389519
+240356E338A96366351A20F484B5651422D1A0FDAE927D548045766A19F6150D
+CC390EA0D98D6C0EC5E1C97E0B4512533CA015299550D65A6EA9A741DBD81A7F
+575EC26534A2210CD8BC3335B163A776277B6F29843653C092C384FA226EA0E5
+F40EBE1799B10828B444468B3DA053A6ABB46879088C5CDBC46D899C794B325A
+A3C97D044BB760BC39839995FB64819C682832A40321F78B99C09513B805CEC3
+996F9F6C14C0DA278CFDCC8EE83409A0C9BCAE8289E42BA209582E05976E48A0
+66222F364CA72855AA1A8DD971B9E012D88EC883F11B6B8DD1F7A3A1A193533F
+B42207516FD3B0F5443A7865F511A1795EBD587D37DBDF03F04386AD8496835A
+76A8A2EA2B1821C0A26A3284A32DDD223178AF712B0015CA9C866D881702FB56
+88AFCD83EBB5B8B70C983ADB28C933F563180B2F5D693852DE904FE07D55275B
+BF14C6F4184BD1B4A9AECA29C644CB5A0BE9622ABA21F24CFE079641418F3570
+3415A4A73F296C050FA68AD25A13C7E948BFB4A1F5816B4ED0207AE7F70F6A21
+CEF402873ACC39E699949E03BE7A042549D2AB51127EAC04572696553A61D3AD
+7A50684611A83B8CC45B07DFB59CE66FF4633DDD79F> |-
+/Rsmall <1C60D8A8C9B6232B67C2503515E3E19A361BD6B49811E165A598B41
+3BB79166E3FDF489EB666983D5C7D39CD639562A5B5DFFD54539B03730F39196
+01122BFF4EFD30EC733326ACD5E99E075E6AD0B22300446FDA3039558CE7D82F
+A6C33C70F1D07536B16D4B1DC2398D650AD9DE1FE1EEF9FC8801CF7C62691F3D
+44ABC62967E1B752BCC2F000EEC07286667F57839EF2E6B9C04C2DA9F22FCE01
+4B7A5598EA7A603107AC2DBC5AB39CAF9666BA8BD1E17DD88F1B0183C4C1C3F1
+1214AD45BA4F39EED6AE5D1943AADDA9D1EC079FB2B1E8FDACACF0141DE87287
+5FA936F561AD9761380B6FCDEE2C83C4F292D6BC0EFBBEBA1571BC78DB7E53A3
+C2355971E9941081B36BC438EEEB16D9D4B14BD1644AC5E58981D2AC452FD6A5
+580957C704505040E5A864423A1DEC798AD589C92753FF4E99FE4D12AC55E99D
+5F0AB1E5E4B10AE2F480F509E7AF89EE8CEFA0BA716FB8CEAE96307008D32070
+D365B7F6583B829884DD2FE6EB7D95965527303A93BC3BED5A9AD904DA3DA> |-
+/Ysmall <1C60D8A8C9B7CDD8BD7DBD65E184B9680768C945EF501FFBAF34DB2
+EB89B7C35DCB2E8CDE46F9D37FB471E35DF335DEED86CBC9BD25ACBBBE505717
+85D55C56B45ACC3A263ED736CAA051A570F787892A1CB6821A2FFAD018F8067C
+A681AE9EC8078E3C7AFE94C42C7FD5A558E11749ACDE333C8BDC9884D4FA3DAC
+AE8A34DD32D0843E9B8D09766739B4ABA55282A00532DD1F8B6DE1183006D340
+67C1700BABA7CDD73E0CDB5BE2DDAE32FBEED1C6D7EEEA3B5CEB4C4205571F0D
+CF1A506D8FC5DC8499A45715F34A9B98FE00C59CEE5F28BBF36D76480FA97A6C
+7DA2BD1F5844A8385287554D6A25D036C1B44B3D155C43934FF8AA5F5EFA8691
+C8A756E6E6312D494BA1468BA6D0686CD0C8B3FDB8C0351FA65E6040F976F25D
+799285A835570C29A2FB34B27E1A794353E610FC2C4A30406992C247A28AA7F6
+E944BDFAB0BBA11598F8F567A868E003F8F3944F74A873C0B590A5CBD543024C
+D6E3B83887E8B4201> |-
+/Ssmall <1C60D8A8C9B79FB048C852057885B7FB39D71FC3016435158EC7538
+3A43C835122312509B1BFED76A61F209ED65A42B34BB62984E18488BC60B5218
+01752FF5C2563FA0352A4574582BF27E08DA350B6E25230194888F1FA389A5D9
+3FBF39576DDF170A31E4F9A79349B244BDF70FC82577F5D740926CBB4F2ACA8D
+2425F341518CF5F38A11D5613BD07DDED6A6C9CC2A89D2BA18004761AD9B9FC3
+4EDA3D0BA2574B07F9B17535C3DFBDB872ECFEEFC15F4D3F7BCA04E0B730A15B
+DD0D5BCB061E10476825BE14CC3CD57D1B8CD428D2118BB782F85F1A67B39448
+980A962927A8E8DBBBF65E6278D0AFECB529564B170722C87DEFBDB> |-
+/Msmall <1C60D8A8C9B5BDB4869BB7396C2BCC7E2D035A8DDF69463A769AD1A
+A49DB431BF0660A482C35C477875AA9502C9E16D281765C1FE89158C85EF4F3E
+57125A0E615EF95AE1B7077390D7D5D6DDBA63FCBAB687625D16C58A812887A3
+BF8B333347AF25B78756DD80DFD049480BBC5CC2E60C8AAAAAEC52485278ACB4
+CB64431DB98372ED33A1281E6970D65A9DEE7B405CB6932D27F2DFA40B98C2E6
+9A163099093F74C6495CCB4C78B91CF36A00F110217924E037A2F56731347A29
+95E8AFF22D6698D628918F5A55716FEBDE556231C95D2821D1B0DE3CCFA65E60
+C9DDB56BAFC7C7328AEA86A4824D8004029A0A0834D297E9E2EE5DAE0DFFB8A2
+CC6F17A3EDC65> |-
+/Osmall <1C60D8A8C9B6AE36D8AFC06EF7691CEA7388408CB5711A90AA9C8BB
+7DF107C83E9F4C9D93C2707EED4FFD917928C910BF7966EA41381731C2EDBAD2
+707004603AE29A600E85B2D80CC1F8253013508BECCA2FDAB8779E3B7D43916A
+0E2CE1B80BB3DF3> |-
+/Ismall <1C60D8A8C9B704CCC403F91AADD9CB2F76DB90BC6EC90EF3D45C6A9
+10C33779B027A5893F399469312EDD288FF0EA2B3848F5A530D7C0162C275993
+6728784ECB91933A5B31FC0120544923268E389858466EE39EB2181D57CD3BF7
+07FB3669BB94B89A418CD729CFF5FBF8DC7045D58C25F7CB07F19116123D927E
+59434BBF93B4FE5DBF40C126B117E6B60590BBF45DA98B6DE8B19144213326F9
+87495E510476E3585AE1A21D73828E47A902A177877DAAAB4C0EE1255BEF7F14
+75F7B919B37EA781F4D15EE851B6A63CFE7192BA2E00BB3BF61621837B8C6E3E
+7AB8CE9EC58E9FFE71C29175C76E5> |-
+/Usmall <1C60D8A8C9B6ED055F5BB1EE84E1A93ADDC8E7C125E88D8FF53587C
+17D959293900B8FD46371B21619962E4E05301A5E3EA5963AEEE83B21393A2AB
+3695359695D60CA9917C3B4C055638C566E55787F9201E25FB6F1ED940BE5C4D
+321EC5E70BC368233DBA0CBD12DA827A229D0CC8A349901F7F6297A8D2B5EE1C
+32919F009B7DEC73D0710E8891AA9A0D36238E9E944FAFD91D10D63C6B88D5BD
+C3A7985808BE85B22B832353DB0C8315F69AE576B8073207A5E9FE25F5A1E4F5
+9C748E9F7D4D5B9763098CB580B40B6CD00897D0384713B624EAD8EE1E24E326
+A2BE8083CCA899DE1FAB4FB90AF9AEB63CFCC24D405FB6596CE1D598C7EFABAD
+D016781F1785ACBA6641462356572572D87FF66C89B7A4AFB38B24B24E1E7B07
+44FD561E659DB89FDAA3D90E0980DCB66> |-
+/.notdef <1C60D8A8C9B7A73DC56ED86593A26411A239A9F576A4BB06AD4079
+CBD73625AFEDCD129CE8B573E3C4C05A38ADB9D43C2E751D7FE69FF5F6F4BCAD
+D50244964753D5C819FE275F32A27920BE3EA3D1AFD957ADA922B28CD2CD8E15
+58DDDC89C143A1> |-
+end put
+end
+dup /FontName get exch definefont pop
+end
+%ADOEndSubsetFont
+/FDJFDP+TrajanPro-Bold /TrajanPro-Bold findfont def
+/FDJFDP+TrajanPro-Bold*1
+[
+67{/.notdef}repeat /C 5{/.notdef}repeat /I 9{/.notdef}repeat /S 43{/.notdef}repeat /Nsmall
+/Tsmall /Esmall /Rsmall /Ysmall /Ssmall /Msmall /Osmall /Ismall
+/Usmall 119{/.notdef}repeat
+] FDJFDP+TrajanPro-Bold nfnt
+FDJFDP+TrajanPro-Bold*1 [32 0 -0 -32 0 0 ]mfnt sfnt
+63.709 49.9312 mov
+(I) sh
+FDJFDP+TrajanPro-Bold*1 [26 0 -0 -26 0 0 ]mfnt sfnt
+78.333 49.9312 mov
+0.080658 0 128 0.288605 0 (\177\200\201) awsh
+131.874 49.9312 mov
+-1.83563 0 127 1.73947 0 (\202\177\201) awsh
+188.218 49.9312 mov
+(\200) sh
+FDJFDP+TrajanPro-Bold*1 [32 0 -0 -32 0 0 ]mfnt sfnt
+63.709 85.9316 mov
+(S) sh
+FDJFDP+TrajanPro-Bold*1 [26 0 -0 -26 0 0 ]mfnt sfnt
+81.7983 85.9316 mov
+0.213654 0 132 -0.177307 0 (\203\204\200) awsh
+127.864 85.9316 mov
+-0.0141907 0 133 0.276245 0 (\201\205\204) awsh
+FDJFDP+TrajanPro-Bold*1 [32 0 -0 -32 0 0 ]mfnt sfnt
+63.709 121.932 mov
+(C) sh
+FDJFDP+TrajanPro-Bold*1 [26 0 -0 -26 0 0 ]mfnt sfnt
+88.9883 121.932 mov
+(\206) sh
+109.841 121.932 mov
+(\177) sh
+130.882 121.932 mov
+(\204) sh
+144.271 121.932 mov
+(\206) sh
+165.124 121.932 mov
+(\202) sh
+182.77 121.932 mov
+(\200) sh
+199.487 121.932 mov
+(\207) sh
+210.59 121.932 mov
+(\210) sh
+230.869 121.932 mov
+(\205) sh
+%ADOBeginClientInjection: EndPageContent "AI11EPS"
+userdict /annotatepage 2 copy known {get exec}{pop pop} ifelse
+
+%ADOEndClientInjection: EndPageContent "AI11EPS"
+% page clip
+grestore
+grestore % PSGState
+/FDJFDP+TrajanPro-Bold*1 ufnt
+Adobe_AGM_Core/AGMCORE_save get restore
+%%PageTrailer
+[/EMC AI11_PDFMark5
+[/NamespacePop AI11_PDFMark5
+Adobe_AGM_Image/page_trailer get exec
+Adobe_CoolType_Core/page_trailer get exec
+Adobe_AGM_Core/page_trailer get exec
+currentdict Adobe_AGM_Utils eq {end} if
+%%Trailer
+Adobe_AGM_Image/doc_trailer get exec
+Adobe_CoolType_Core/doc_trailer get exec
+Adobe_AGM_Core/doc_trailer get exec
+%%EOF
+%AI9_PrintingDataEnd
+
+userdict /AI9_read_buffer 256 string put
+userdict begin
+/ai9_skip_data
+{
+ mark
+ {
+ currentfile AI9_read_buffer { readline } stopped
+ {
+ }
+ {
+ not
+ {
+ exit
+ } if
+ (%AI9_PrivateDataEnd) eq
+ {
+ exit
+ } if
+ } ifelse
+ } loop
+ cleartomark
+} def
+end
+userdict /ai9_skip_data get exec
+%AI9_PrivateDataBegin
+%!PS-Adobe-3.0 EPSF-3.0
+%%Creator: Adobe Illustrator(R) 11.0
+%%AI8_CreatorVersion: 11.0.0
+%%For: (Douglas E. Appelt) (Mad Doug Software)
+%%Title: (Alternate-ISC-logo-v2.eps)
+%%CreationDate: 10/22/04 2:51 PM
+%AI9_DataStream
+%Gb"-6CMtIYE[^blnitWj!HrIdV0lorEFGN3p=d2AK:U\*q_!hY[_$iT*gP5UX1]SSqSRQ?_'$)V>TY%qP`SMZ@PZ&5]GQS5IeD7R
+%m`Y!Qle<L>GQ7K.<ATW8Y&.3ff<4tLWP85on#ub1r+t\(\B,1VnRC\d?aFN#k'iiu,P=Jej)_iEpKp\9gP9_8n(o-NJ)9&<gtdJZ
+%c"d.Iea;XG=$QIuY#bRC]XbTMbA)*>p&6?3aPlR\_,pU'rp&CDDZ00VZam^DTYCI"bGS,pf>eC0p"$ku^->l[*"R8fVlPU'FAYD.
+%pH<]YO.ZB_I5g)6.fSi&qjT5\No0V,*'aApjM1[&?VKA;s5+k>*rNhPC\4:.?Tp^0SRbF/qI]^'n%Sf"Iau[8YhK*1=8[PW@95Bj
+%feh2g<p8L3A_Z,@b<N!cr+8s4l3l4F)ZS3.jk%=mrI?bp\bL4Cb1F/eHN2#M)10h-\l(\1c#S;^"2j?\A#s>C0m5p>Dk5X:Z"Oie
+%_>('6rT`ihmf%TV6aJF?pEP/0^\r2;05#YbIeS'\a5_%#</7$:3`Y.podN#Y[0)AgpUKKQL2Ok'].nKiG?6^6&XYr6NSe+CnDck=
+%d?+"\lhda;+2Wq^BXjUsa1jXk?iT6ap8=BiCnj_^n;[HORXgF0o\5ig-[E'j?N,`?LX9Z("VI(0Lot+`kmtfVY!5/+?ThZOh>Z`D
+%M#tCQSj(t84WKTq]6a,<n([nmj8WB5P83V<H.@$R:$^2BE;aO?4\HWk:*fbtIp=)qnf&+kpXckbGFs@1$N0&_4jiKiro)Vts74)f
+%2XP7"/X?=obK]SVO13_+fi[>!Z/=Ac38STd5'sfM!j\oF_"j]3hd,(<E.%/VlgEmCN:f-1\`U)Es5in@lK@1jd58MolVGRUn*^/k
+%p9n\jC8eaE[rSTh\+/\1&lSEE_>Bg28!D:rMsrhk/^7$3khgXInb)kR&(e;*iD*,)s5!YHLWE;hFu@_jloh"cpiZ.#*V<iiGW=Q#
+%LSsUUqshkocaR!-*[$G42:&XBs2p=ngY:Q7_j)mW8(XpCrqN+dc-Hp9ct`U0FmsSpiNI=lGIs-gY(P''K5\@3^?muXp2GP[l)AZU
+%>2om4is<'4&Sd<ci?2tu#BcPh3mRc@e':62kF`Ug#CiGuFpk^d>Bk2#Kl=D(W,jr6[thj\_UF8BI"+-&1Xoq"0D1+W8Dh:JnpT+i
+%?bp*J"_3/!:^b8g,Gjj:7.;#X^kgo%N*@Djcbc(-0AOC"i%MH*E2&Y,7.;#4%A-H(@tJn;2!Os8$cW@"U!DTsAMQKsF+Q,4Oe;i,
+%kt)dRoq)"TIA=8=cXi-4#5pe=(a&[0Q=pJ:eFXd+(jnY%(n]#+6%tnan\JSBK@/*E_dD[hPe^Y)"lk6M1lI#5"BTn6]MWVJH7nt;
+%F%6*QW'`.gS%s_I:;)FS;nqP0e?[:7eW:lO"/?ORK[IWb1huk&`Wq!e(?%32O'k<#_I'5DUT;*AbSJnUaO(q4]*3rn<s79NkCb:;
+%$UPXbVZ_5/*C67Q95oNTbDaNpW:*PUhG13%oCP3E:sXtR$(GYS#r^;M!IkB),IPuVeQ5)>Og5*b&bcUD"n*]8_:'!OK[Sm3$^B[6
+%5`Z&2n8s><oMt`<n"k3lael'-#<mtp2Z2%4oM,7ZT>%6#pdm^#=2R9LnWSF!M=0COrQI(Rca192k+D=8^58KSZe<]Rr1otMX5/e.
+%i[=]kpN.KAl),"U`6Vl[i%N>*h9-geqXLul[N?!kAp]o#p95J:So\,F?=@Y?r9HTE9mTU-eQ5>%g-7NM(++>09[hd@j04R<oEk-3
+%-+gb_TBi9Xe(0#T?,LT-W5j3fcZ0Q2*hUt'rVB#`%hO6g5O3SXf2KA`7qdIri+`$@rEW41%lg\<s*"Dnr_E.MQ-(+04mgrjg*?AU
+%A:9!kHj`mNoJ>P-UK1TF%c8k1lR(l6i1KQ.D>/ZiP77uF=:=.,l*oJ5h?SSg[%2rnj-9S%rs]G0#5Y%NI9>jRd)*Dm_=p:p6Ha4(
+%%s]7ECC]5b_C2&frY,1V!dlA`)%DM2%tN!shJ!Ad=ANrJE#?0-pjfm:H\(YXcc>jYILn%7LGPCXK7=doF?NF3Tq-Amq6356p8p]/
+%6aLY9>CE'2qW-gq0ue!MF2[/GR<gh4r$VJ.CnuOdT@cBS6UD;RUk@LYQY$S.Rs)N"S[@N^<@]lf+m.A)=s,dKjrC8s[,ZTqlJ$Q>
+%ID^&7gH`q9k)StGE/[64elI6>-HA)u?IH9bK3#J6Y3dN$<6>cP#CnF3fQ7'/b18A51>EE4/c=%\dK7XPDtQBgl"Sm!\%$3Y`+g>^
+%phb4CTn#q_5Gi]fcCeRTY4"5qE(gL_B,hStRio_GnkVgFj:;#QGL.SM!pD(QA:T_K#IUb-.^[@YnKl!DO]%%E@$]M0nJRC?TJaO/
+%[/OG4$eMo?o)eM8UH$VVn0^Oaf&iE!L-:Ue^bO'_&jB#SoZSTJ1gB+)*ZLLtcG87`T*)j!Fq4E8\oG`8B]7Fc")p\s#s\DC1H6&Z
+%^V)m<pRSgHbQ.8oc3V[ZH>8VOV"`D@n-.9Ri:D?2".%s#oN+DNk$.ZdGU'mT6QL,4qBY+@H[MF!OkpI7,gZ#I6AsAq1^9,N+OLJ_
+%0Uc_EnIin#3eBHQ$c%8\>ec#;QRRJ25F&?&^'+35b_\N[GM$P^0gZ\=Xp$HD=ZE^Y$$\,Fqge4XF^7(gSot56ST)P"8AU6<-)7,Q
+%UpuHR/l2P/J=dI!&;Q><JFf>Z5h'uT%#cI\]flh6U9K+%qklsH<82S$i^Hu'LXNQmOTH#g)t?H/7.Z$'dRL#8OCRF`K,oY:V.i/9
+%6)H_q\\OhK#AX<J#(!"L_A\h\_$Iht_&o$lkoK:[J2Uh*e2orH-12:iWjJPUNmA$PJl_8dC_*=U_XlN7E$>7.#W%%<d;S#\OOU"J
+%n_GIe2X*0mItVA3*C%6<>uFnAA(PN@jK0cnHeo(4+86'6O_)EI+eS)ToS`:0W?-MjmcVDF>)bc3-+I\o]2!?0a6sf"DnFd0hfJ5)
+%\rN<<b%g\d\Ec?:]9OH#*/jqY<sf')oNIAbi(,VmE"-s&\HEd`e#ur;-HCc+O/L?AWoJX=+t8Qi\JqCc>5l"eD!!=b>g:hX64>lD
+%i`;cm+I."DJKlOj`I80gcMO&DUHLk:Uti3!YmPSWJ0`AeoMEF;oMh?aKV!aA7%S/TP\ARfcOZbDd4]kh[C4_BbZ!$4@E+trFtD[Y
+%JjO)n0TcLpVOTL6d`BmG(5\YKJ(H7+f#5moL'QgDl\XCe\.c9Y7emMN[R1WS&E\YX*rEF$ILt,.D8b;<mf7\QK1OZDH/LojECJ]8
+%@4+0%E`(?d>n1#3d.J)-X@/Vp+ZtJ<>D"11Z@q@ATG6L%WhJZTRLR+L/Zi,iT\cg0.(BXI7/.<q!,4$e\Nu<EF3n4q#"0J0CHYl#
+%K7k$l`A-m6T]B0X!U.Vs>T$`VXDO5J0!,;0gilp_l^?ft$cOeN8]rFHV4KH5c.$C>L'c39Qq9D?s5N.7<b:f"96Sm4Uh-BT!bQ*_
+%)6Jd=AAVcj9?(SD2%"It0+Ba8Au!%A+M(pAg57on`;5,MCJ;&i^[d%`7u7'i:'%*sl]RYmg:/W;<,Z?Wa4ZcS6-aCIfKs?R(W82-
+%+c1W,jA4:hKL<^sUF*@>UUD!7#`V>hS`R7pP.&nB&VgH0O'61pfquQW9(N(dBXOB*5Nth7HqL%'4duc(9>$L^\o$7a=ck_HMh$i#
+%U_*o&d28')d7gtLiXT!2b3)f(:Ab9oS^Y\CrcHUQjV/<9iG$odb.+72JK5HUV@"4Oeu45M\0cX&'5ItAGNeXIXkBQX2E9VG?LM53
+%CKeCbhf\7%kSMSsi+KF>#h5[;'N2HH[]=0C-EtO,g$UPR"maTmgp,MlBbrA4f^kY9;[:sA&NeecGlt/b"Q*&E7Z7Idl#mijK9L`g
+%M[&hpCi6ju>86t'XOXQ4>L@2Mge2HoM:Qa0HfjEu*>RsKA^(RRNqTd2E`(FL#Rgqs3'Y"qfU3"_iutR%qi/B(m>?\$dOp0Rg=9ue
+%1l7Q7BphR9il8ne78KT,**L+Plk=.OQ)n-gb-a"AQ8"Y^VGkjii-D6&3l"rNc+5U@F732Dc=;s!*\q3aT!J>rQ3O1h"^NO:8gGY)
+%:snJ:C;h5G3n>@M^BLRTdVSQ[2EAj;efM-EmQ_a%<prkZBE`?BBc4#:UK55eIM<e:@%LN_%eQl2)tkRSYfJ#ocE1`mMC;)&77XWL
+%0[n02,iX+c8r[(E<iDK>g;"`1_J$=kpM+*KnI7)=&]%"8ViA:^+gp6j'fs3%H4VrOXW9fech-gF2?f+09bSrjX;81`e2)5b>9sNr
+%Sj\lFfNjA\DD.;``k4=5K&ZX*Cun;HO#WaeO(*0e(gW`VPUjmI$^thg\cYj0T;!oOpSlAl)4nO=LN:;O4['aCP"O-AV>@Q0$`*dc
+%n^,a"[3bTF[$M"kk\9_r;ao:Flh`A6P(k/\BA*_pqk9aLN4<(!,Lu*`ZE6PV&hZ[p7s%0J?-E.\)e)pS-epH/\=ti)io;3GAS*e9
+%?n%PAXKAnm/>LfI\tR#eh?/1hlk`mP+ma!'#U?N!`H`4nF,Y9EdX&m`,@t$_OOOi42m2)37!>F5C/LT52P*U_:0/>&4@k+Cc:K]M
+%&/;@6ABkLn]ja:]&ab)FMtV-]ng8FliDD\;5slM]i2Apple@,k#IY>CV4reK?3L8]Db,J]lU[.'TemP=,K72KG!OdQ-<VSiXf#ri
+%j*#F%*-UGqPHdQ.#0K%L2Iflj7k6Fp-G&;FpS$Kg4mWGMbTV>o/QsJFs.$Jb'Q0XfDq'AX5Ds'oGR3d,LaU%1F78@74ZEh)W3pqF
+%F]%_<J8+<)]IGmC*sg7d`SY*[qTPc-RR?_+YW`UB98(bB4[FMUmealX5O'gdT>t66M/\_\F#Yef+'r0JfDs>b>N>8L>oW4@]\cZV
+%U,PR.JR9'*ej4tgqL7/9ITO0H+;@XbU/:n2c#&GbY!;)/;VoThfae;,?)JuAT>%eH4_ps&m;G4>HRJd$]fUe7m:UG:r9""Hk3`KN
+%0)UdfI!^89nu;Iae[`kQs)RjQr-Wqi_p*2_`lfIlYQ!Pf/u4j"&(ejKs39`MotCD%Er5k2iVM^!l>hCIrl`4Lo(N[H2]n'H?V@fl
+%nrMad/#mWDX^,8H^V53tjn/**pn*mSYmrpHKoNj6`fKn*Fa9cQO6Y,&Gk@Gn^SX'DWm5acF,S:EQZlF'Np>K#\p'k9*HgHO<W,6a
+%^Vm/&jd/g<_po8^*:GOFp^S@+Qg[)M00_Z@mr)SJT9&HWZhX+;?Z'bA&!rokmK!B]I_>;KS??`or;"?"koTf*I;9oWhqrkYq&]IT
+%0-BVc4rd@"pHMq]+2[=rDXSW1*'[c4pQo6:^:F+<@hjkbh0f$G]"\+U/'6u#a4ned(L(-Up#P`4rkldODsI2m#lgO"5/7,<"#j-:
+%b*V_Ss8C.21CWilh-Y%QO8o%Tk3@X"HL/4lIs'cn#Z#l]\au#SGN4H3I]AI,]8)m9a+nn0O>u+P>^q?fJ,XQ_rckuNa]L@)n]1Y"
+%%WLM&KC@7MnUr!?a<&:PW8(4=GSeQ&nAFpK>Q]Q\TEU__9DIu9r>!T@rlb6\p(Sr%oGd8'\a&bG[3%)tLO\pW-i]dM%tGc^f9+AX
+%I.d:P3f#`/lGJ[,?TrfNW@ld07JH*I2.=KgFDamIq(7m3<hnu!6`&[<V6?lHf;^tOpX`C)O&Y/#\sYe2=!(hI5(C;\<):t2S?C`+
+%"2<Y7WS5mL,R>T.U?Ln5a"Ond>hslih->ARn8ro!Hi3.!rKVl8qJMANo#!\>s4uikVrM\r^\;)5bQ+rJrU'JD#Vu8$lMEE6a%#k%
+%l-`P@2"esZs1A<')Ya/+RU3*\h#7'Dh9V^ReXr;8@Cfc&;g7KbF8Ybc=#U]IFEr<3dF6.Rc\guf-<S)?c/TP_1>GjRg]6kiid\JP
+%](p=Dn`-Gfg^3!k/jJ1LIJEBiZ\E8QiWCkphu)gn^HNZf\6;ml)_O9$!('jHDS!LWj<+.mmY.,`GK62.X&[pHN4khJrp+h+_f=6#
+%2,q<[q#(*"5G.q&GOtbZI<#l%%=KA/Idc7nNLqI%4/dW.$,2hBs5rI%s6B(@n%O2GmHqs+l;n7ZeMe%PE.@cXXoIS)e`QkSk9!d_
+%h;-obHBhOhYG`32o):r,55PgsGId\)d#6W7??q9W>kn/DWVOF*iB9i[SpfSVk3Dp_gVDS5H1o?uh]jOB]hH0JN>J0GrrtlJld)K]
+%YUYM05DBc!U2E*fr>_9"gXrcTfDd"Jk8W.r5Mk4geC7slrq8R:2g:l.(dj/COfNuC])T.e/G.5Ol3@ibDnfOA*90HESN]?dip,8?
+%Y<G6l<g+rM1C$VrJ+GU3#cF(kRp5RahZ<7n%euODYBIt4Su]'ohM]2L]"@o`AICUpqM.6"WrBc5?h^%=g[FueIi.IEnI*'Kk_ER`
+%LM?6-Y?1EV_fjZAqr'6[@l(Q'2tl8cNh]tNN,Dm]RrLOX`r1/OCS@Wr9>YT3EVF+7k/g?`BesV(S_%*WF$2I2.FQK>4NuhJc1C;7
+%@_M<tPhj!E&$C'bGgO"XNG`dpbIF_1`bhckoj(jIl[D!ua#33S4)d_tDqDVoIXTkuRqC,e\kTpW2WJE'bT"#oD`4*PB"-H3%bl<a
+%Ctig9mC0uVgeP)Po.(Q[V/:E\^T?2?]4T[_\m<&iG2mJobr`C=ml%d0Gd6]Iqg./dgO6R"pVVIP3r$@3qt5EEhsP^crVgc7&'^fM
+%%c*iQ?#=t%_3a%dD;G#gY<?Q=!A`2Hm71<_rO&VQ^\j812sqcCl:ob(X)!$2%:1<=c/`%(gpgs%2=&6mZIq.MVp2r,pXN*PD;3?C
+%4YHcVbC+8:RrdD3OL0JhmB58tcR\X`CS5_"Fa_g5h#O!OIJ*R$hY.jn#QD/N%0sW@I-p^_ijI`\c'RI+jpQU(/,s8C97D3"3kee3
+%)STstq?()O^34Tu*`(bKn?muY0a"[L?ZU7a5O7Ca,hJ?bMZ;?Uf06_TqHDLmeKgKRM$j7Oe]EMNBB0d!,Qnhrogn@f<3VVV<%sSV
+%<NqbXeRNEL.#UV8d$>5E:fiaFd$G?3;:m*.i39sY[JL>4LGZfa`a;q`'C'&YEPa)nh&^48_7>3og>_b7IdX+_oMaW@?/Kt0Y.I'1
+%pO1qB)\2r#c/$l8aDUH$ZE660ep`arpB\D(W4N8;/e$_V4F22md36I"i/rNP!OhNkFe1K<O1'\=Qd4%]`6fQ>E$X:dl<78\cmSt3
+%GK_;HJ%Dd?aqonV6mA2J&8?bbg*)Rg8>Hn3WN1!TJOm7@UjFB8)Mtgi,$cPE*KoY1,uYpa:So1&UPG(HS/jS5Y<DM9*eo1Kq[OsS
+%#*.YHL[+@bGc6ZEp7B\.=]dJDhZ=5f-6/E)'=T?<:E6!O^-epW+Kb*orX['d)Ou#)>0@HrRACLkFpt4%g"=(kbV<4C%$H@]JY8qQ
+%&o34'0rftq'FoQ.@BXstHQI'_6QLE=:<Tp-/HhK-A(<(4g#,>Qg5JQ+gtY-Hikt81cTH9eAgS#(EnD?g\A:Y.=_JYT"#aLfY/.0X
+%pN625*ng%=Qa"<IoHJo$DAIMaT:\aG-fV618m@Cd'?])J=XFB+U%ANa]0dJ&V(g'N)J(Woj0mYaSg(KfJMEm<SnM*EERuV92^k[l
+%=G+,<b;5WDCOg8TDlFk=1n%5i@pgc[R8,8pVad1G8rWm0V,bC[PZg5Q<_TZLY['T!;kR2Y?D1Ifi<>[P(nVJI-+l^I-.E^A,m7;6
+%)qeF)g>,ndS+,/[ESKau]3X@'ou5kdU,nR`WLd*QYBFONh!3Sco36nT(06C<=O"+>j^atM9_2LjJMh3`MC1M?B[NVdcLn:)H1s+%
+%l)BH[s+QL8+.X!,U,_jmcGoGikP<rpFeHRGIck.sGjIJ9T!7f+@cR9<o=ST(S7M,:V=X<-GhbB*#.4!gB]E6Zo8IGTChot3"a,8,
+%)ipEmcgGtJokcf!F.OsYSja-\auVc7NCVcVkH$bkB/cF,3R<7(c]8=WSNBXCNCRcC6)u+B_tW'aED.2jf_`LmIZUthQM,dS><hnj
+%#K#hY0m]Mb*]Pb8eYl.0:j659`Mn/&bpa9Goer7;,ipMPA\<9)ro?XtK^9ro;QsOmR!OA^&OX8&eY1F#eQ:Y#YI+,l>A57m`7S!(
+%$i"<R/fG9#fYh5.I(k4a'a%F'0W3,[FU$BOjXSUYk>C3Hqt@m&i><UgInS*rk*5Wej<<d.7Qn=Z6/F*Qc#hpdHqN70^Vd>%aZ"3i
+%VVKeZm"/5'N!!X<_=+NkI(9#up$GO>s16W;^9p`&"L8U298N5/bVbm5/=UV;iNGlQfl*$hCTa5=m*@u#MEVMmE])uoc./5_O&s<d
+%+FT73R`mXY.p40!\;nE6q>\VUF."[_05&L?rO.$PJh+8J<%pVG4J5=">)Q,J>*FrRfMp7/_qZ[HPG^sqk6T;sjV(RaQg3ZG;kB?@
+%jV(RaQg3ZG;`:IPes8dOckpjhdJr@%"hL?7ME\NV>+oVa]:^8*<<_Bc_\M`WKW>J^cW@><TdD5B,VC!+WLSTU.I-"U.%-fCDM,O2
+%$VDcsT$2bu0Wfp:g&t-W%Jm$eUj^T`76;NBN]Mko$*HrOe5o(O'tn`'[+B0A@7?75M`)M2g,eH*ri0)6'c!'o<V>kBX+/8l4fqnt
+%]#Uu=nLE[9cX544'ae#`m]+Q^]m)..<*@&pVCJ%(CWNb>A$3A8+DC^iYm)Ws%TK>aI\YGnd[0`.4cb\NY&6<tJ*P%5;F<TqY0qA*
+%R,9"cZ?g`-qWQIrn?6aX-nh1$mSI+J0SaM,IQHVt^hJYWc=fCJ1WS=G2s6e.DRA5A<A<3eb_3CG7[n2?<!1nWkpPt\P^fK6`:=Pa
+%;&!B:EqU-69QC;CUQ*PPjPoui8@>fLJf<0)L1I_:P7@>\Z.,hpPQ0*RETcDbQGpA&J(mE^heM0Amsm8am3Yrh^iD-UcUH<+E=MG_
+%9dC[]jT?Xb3_'ifktCp'7Fr5%I&Xu(M!UW.j+j[j]DL.XkG'E3jOUfm$aBk)PVTHW+]B_hH$h)2]OE#[J^tF7VN>O#>%=d_K1D[d
+%-kE9YOXLfNDGj,aF?o,h8e_Z8>%mTG.N)F;8CS)H34-i%eW-/BS7<P_/h3WU'UV@X>o<5[W$mq]<5bM2S*AK;X<ogKANG$][^Iqi
+%H=kU9coPG>mZJVMKDfgK+OiYLFg_u6)A6fC<RB)jh2M"^V37\?=K70+-*.H0UQdF=0_VehMKVIp1m4t<m#@#a(,rljKNEkn8$Y;G
+%__S\2#3[D4RU%U9pU!_S#&2d^RWpX11W'QZdq#$S^:61Ab^9oX<h-dJ_YWUZgj;s_CQ8%@eT2I+C!Tq[SQS6[KpCAUf4qt-Ot>20
+%bPC<lHC"5homX]U59.=$hg*&PnH.Qm5sKXG5Bt$%H)tlnp&<kaJt5sO2Z=l_+.dj)K@_)(heKL$G6e/>SU]P:^Xql8b'.=eS`tR#
+%>2Ql:Hgi'3^"bYRQ-I3"[glJNoC0r*_c>APr,V+B[CFQS6L/T%c,4iL4kW)gPMMF>@;Gbf]s:7IDl9(9D:gBYQnQ]m[ql_$bNp9o
+%>:&%Z7.g:E2j1plFYaEhO9:Z>ib^iT1^@1G+4%7,<A1WJBYK&8b\XLZ]r\?%YA3<[QX6r5(]KN7dd)dRKIY'AU'Zs9<0^"RdMel+
+%Vb696iq?R_cUsS%E%UVJ)N`kKLsi*#YeQOqoSPh=dCW'L\o=2[S@SJGG]H4`Y3<JD?<bfcCQ3_b+n(k^E(RGSOGeBJ<Zs/#A7ol3
+%aOC^$\*T3eD-=8L,Em2MqFnur7TPOqjEY.<6N%4&JdadIA:]).]sbuh2lrNX!\%Z;PVmVPIR\W\LFgmR<2]lLa=@eB0DDCtP4H+K
+%cFIQ[E^gO"Z2Qa+-gd%cG,S"'\tR,\[f\.i463SLepl;mB,td/'PE0l`R_G1^LI'O/aZ+67O]a+0^b,o;(0:8MSghR=X7$?.Rprs
+%Otk,!-llmn1^_;P,/YI:P`nsBZE.$R1<N7PQr.IM4k2%'bpYTIlkJ\%j_'gN,"$ts,ro-4>SAZX(qW2)MEHk229Jm\W_oo?WZYJ6
+%\46!,"Dl_@NA<Eg;i!qtm)+,rr@F6!EK-uEM[am4;,qP>iN>&<l7FpL[7400`J2"UW2d>ZE)62^4l7S9J3g?cZ&<:(_VpN9E:j9.
+%Y7sX%;jJIeF+pC@JT<S3&$EC[bq$cYLWIaU0<Z$q^<F]eO&pnbLli&]D_`rZ9t9sB&$I/b:H5lRn(f5d46,04Ec9pmLQ$G\'Ab=2
+%HUp,?b."-7EJ7H,G0l6L<.L8uhh`*Wm]K'P$9CYrlPi"?o\)=Zr#W%6^(V"41StZ-XLW<BdC8*X0t#/ZimFd?`J-E9Kb;7Tk?&]'
+%E-6U+B/hUmr9'Oe`Q%Zgb=p.oX1)2CC7\P@`A1B``9Jq?R@5N&?g,4`c@d5kmIRb1T6+)U1AN7up%g#$)P#[HWnsbLEeEuLY:;%n
+%qun241b*_j'sHPC<#K&=g`,JaX'NCkXU8ji_t%AdQO818<T_Y-Eb[Yui+-)`.dcc%Y2RT9SY-U>W%.Cq>4RYVp63@qdO.)h51P@b
+%HC\tSDVD'rk?F4@L9&r%<oq>ll?0g@\Oj;W?8u2(o9V!]mM4>PfYj9NSc9A)pA^(nH&W)(RIa(RLtdjr0/2Qj?FI[k,2u0qp$>2o
+%8M#?kO&^Gm71EE2h'ZRJR(Ki@r^So'bJ),8iP56cT@P,&P[:VB.]o;B[u'("X/G6"@Q<B4WHt$NNjsD8hBmt%Y+DZF`GhU]q6f0M
+%<n"'TlUbYFXm3=Q797m;Sen:"\>E9>:#^`&BiQf^4L!n.qj=1/<)7dE5C-!l;k@'UEQ$#UYtEVkq5T<i>PY[Vj9dE<C2qAgQr!.e
+%:K;?l0429R6:UlPEW2hMaX\('k:E'[f/[.,PoI[)K86&4@Jmcl]Y4dfI]e1s)gfrp=4%NOVM;LnRN:aSlsYr.cCVdu,fciBZ;-=(
+%<P=Z?>1BV<XfU!G?<(oTSJLmuH7S<gW)qMR=f94u?.$O`_DU/6#%#djkXl%pfm,#8?_"<SHSfUY#?=438^'5Sj'40NVoEZbs2#ga
+%2$>#n;7CVL(:D&L8Q1['m%Q.[YM2'=Mh4?9YhW63T[[X4JBl]>G+&V$37bF8Tpn&@krCh(h]?]#6W1Q]*'aA49($)^.tjGV?.^0m
+%F`^NKPE"2(kuom/bB@Z?SZ17[-Mkr.N:t)++`+<!Pj?2fS7?(o'i^1(8phId)`;N-MC1d`AWWJ34VLD/BL#Ip_KKYK.W(PfA</S8
+%OG\77m#C_]_a4"1cURIX)nqqQm!bs[HblF^4_Dis$).dY-GM#=ONF\3nLErM`#mDSbI]"Bb255Pb@j6*2D:Aoa\5BNAjVf]i,"eR
+%3A<*R[0T:n_0C)JFh.^X?6;b0/jZPi7oH6Xd-CGKn'6Z6"oVM87BoE]fNt4,iX@".5\IB#8TCadH#[q<S2n+UC1go8mRmsYE5n&Z
+%MJe^jUqB#;E.oA_bH[Qd,nA,WR%/tsQ^:t'[oU8Z]_mRkpatOnGMn2L7U(",_De#lkS\*0QEit[-G`oqi!F<W0e+:(2T[$t<K]P%
+%11%[tY"Ku5$L.Ku10k6l=$l<#ZWoW?G4F>sQ)@h=Cp]Xj="?eBjZ*Y\HWRV:SA:M^(31$5>7Q=5Pm"?<./]OYe&(e8Y^-)VlYZT"
+%A-;Z;%H/#.pP+Fl@BSJ<&3e^r>8k@-qe,7shD<oq]Q]d,PkQm#A)>DAT:r.tlUr*#/auT[7<:XRJr=`N3T[i9jek+/%6W0OBim6?
+%)=)f)kB'dmYJH?R-SO(7j?!"P<-bekY=],2-j'Q!JoGQ/.rEMUO9M=B?Bpi;/`t_)LW6LM<U\45@KXHn"WPBKkHV(pYWl(N=UY+^
+%j7-`hrV6X2F2Q]q/V$l;=l6u2VBnh`nV3Htesi\,dDoaf#SLM8,Y.j3=p:t)3q>Mc.TiNZ6/?b4Mp:NgIUp-lh+=?]"_k(P>$sjr
+%ahC)/CkpEj%@^i<fER^RaXBeo=Ye3aBi^2!EVDQIB.IJdIEY7:D`U%q[mc#D[X-,m>JT[,QYMS-P])nQK-Y,QFt)n^,-=J<GWgWp
+%>GTMe^MX_6cq%EkJ>)]X`\\73jKVQ\_3"Z+UUP^6gZ>(QLfZ7iN!X]S)J<759pRkX/%'4K/]FSAQa3<!_Q/>oi<3+B"6gdr1_)t6
+%eBGUl/AR)O\6=^$=bs]KYa\PK%>We>@N=Oo)i:EHF%-F1&AaJgRuiunKkj`@7#P!S`cG4O8D"083!(AYp!ADge;RAb)R.`WW"\b+
+%et+k"`*H'#(]1Jj[%):i?peKF0)u;[UUpMS?gUaU^87nl/N#GF(K94i<'L!`MTk$\pVV]W5#p?d6)3Q#GJf+R[(_ilA)/1FQnCK]
+%\lEN9>l9nP3c;"c]Pc4n8qf'.@-u?-]$FD-<jCjKC=F>DDm)pV&$$e^a=C.k;;<V"0cef4Xinb4_[:]^Fd='7$aH^adTE6h')4bX
+%0SD`5jIj<T6CaWG*+:ZDJ[oj@9O[f(;s5%XnTG4GfMmP)CE6kIo^^H[((m=DS&d,DWpgNF$OaE7F,i8&AU2JiX,72i+1\t\>ns!%
+%nXOASG?&:i*+*_d`T$.D=+u.*Hf'GRjI+UU4j9N9@J,?]+*2(`=(Z2p/2uTe#"J=)H\3%#dBlldV.'j:>4jd&guJ7=HHB#$k8#Z"
+%o5^,;U.(QCB=57=_@fY1H$%056D=q.FJt?>c-KY6)&Zt/0Q)KbcSf#I^=M8+,D0UB4J\tt*=Y4''i%`^amhi+\0Ope9_ZVoA@6]n
+%YBYt+\e0EMI'(:4k8MV(&l'(M;;cb_8IC4fIN4b8Z[4m56ZJeb=f))nIGqJW/U+2$W)RpLHeAOj0m[&2BbnCm$DH;L)@P.n\-ftE
+%V9jdV_e83]j"b2$e<1>XamV*Rad]<g@9`<F4WA6,)rWOM^mLr?k]HZPjTG]IWD$m0b+)$QP:%M%,aG?F<gcGj&]@WOlRWbO-R4^P
+%"Qtp[m$!YhBf^i+8OkI6Bhk'DV3G+1.1&[GJgt/4^o(hBPbHI+?d9mA"(>6D2"B.["jZNr]]c0.?VXc"mlP+BnPcK!a&nsMF>*qb
+%`j=cgcDkNJ=nMp\K<"9dY]sVWaZh.E_,hr.3BP@!a*p%nOIoSh'C\G_SEQ*a<,-'.W&Z+^92Bm/;`oa;r+HIBBZ4ocoG653RcnjZ
+%DRf2OlbJnI3E<7%3*5JZ:Y&sa(n4[s<]s?EX@_(+?KG\cq[;#"3krjIQ,5O9f'695p,,kl&(H3)#>4qV>*U''\K^1;OK$)_MRf+"
+%9)cM'fO/aS[DLk3I#9+<$_8\hU>RbOpaS*-D'f40Z5YDh.To`-+@8p>KM`]6$,dJYX,q+'P0*./Tn%/%?p"a7@N":Eq1%Ai5M7Qj
+%_O5n+g+f5qUq_0"hgQTlpqu_%eDYlQ?p@_lF8b*dIUYO9ZVJWP,F01OL<SW+dl"=;[cFm8g[0@gC5iUT2B7A'LSI[[$XO<2F`Jl[
+%?F3JE:&,,tEX+cP[H=kfb=ACPHsCEYS9Ui*2psl`_6GD2Qq]\R1U#Hd(Y1R]<f-Qdg$a(*^UWLs>!:k>Hp3@cn5C'Z?Dp<l6K5bA
+%pb*ol$]4mMikLTM0-pN)M>op%^QA4D,lZCAnKd-G=TZ22U?g/Z-Tcu>IYAYGbKe75q<RARY%UUMl<lP+VGL<I2mQR"Mu%Ac9ROY\
+%D"Vs0CLJjhXOb.O;ZfL#I%.BfNh-+"bVQ`\=`qe,G.V?-)@tTg.e66+>ou6jBB#-L-n7L7l\83n,<!`Cn1h8OkF-Vdg'U@,1$=O/
+%nr;/Y4==e5&M)`--E*H^[q@0ZbA;mEL+W#[Nd8!Nl&e!6KH:]>?8Kpai%F=JE:,k#HkdJXS`\D@fV:D'q("AuZL]QPl_Ohn5/"cX
+%8kRjk[A@0`g@J-**UK[5mb<V9mYAaCY-%,$GE4,'BZn!tr56mr.\,oql.9lE7J9\Yh_sfd8t.?:]oot:"Xgd:gg5nO10@=2npH]s
+%(YNsd^9:OYI\dOhi@Yp[',BtV]l9#_O&;uf6o'm0P6C`YB+UC"iKP#"W&V7a`iF+uX&<9(/Cd]7d'?4GFPJXe";[5USHE+LL@XKD
+%;GFi-JKD#oK>V?ecLF(dGN$,VbZ]Fr4uo0#0k?!Y/JEoU3#=G7R:e^/6JY_B&8cD[U,?-fY>7a^f1r"2P\SP6WdB0>W.bGJS(fFe
+%kQ<kogITK'<GrgJ$'C*`Qr4JtBD%Q>"bCr"D\_5j'-\n=#@KGU2\Nf;#^Xl<f!+J5&#kgFWBuk`66'skLD?pte'b6sYA<OJ[ZT*W
+%'pc>n!d@,1/?WrU2=A"TDRI"$V.10_At?QHb2kKu<ES6YGj%=ogW#Lq+2UIeYb#u?fVfd\h9a7`*p6fX5k7UF8+J%(RB"P5HQB0T
+%MQFB^Nq%R)f_AYrITuH)ISspl^T(f5RmiiKl)I_<C!U@hHh+.6ia5Xg#G[V4!B*,2<U+,e='ei(F]L'8HKFg'8-'C]12hb9Thrt-
+%,KFE)ljucYf''b&"oEl'%Q7cXW/Tt+bQ_T;&=^KQC^+t%+s?R\@k4M1<8]2548bP2'M>[@@U]1dEtlc[\;I!t'+0>C?!IPDN^HUb
+%Po&HN;&48l_["I%(j5ZJU@%WA:J\'qA,\W4E@Nh2W11qma6UH7TF=8?1-k&+&1G]ahYQ*$]*_=!FB,lprpj(3o4BXqniq?cSoBCU
+%C:j,EH,?u7YK@Qh-X?8RX%M@bc<Y^_'f%+U-mtAPe?,5\bEZjgE%ffQk5*l]9pLCf3^*^Qa4I."G,=E6,R1_UhWGN)].lM5:5@Y[
+%B\U?_UU*=6V1$eF.m<Q!f14rEOf)tYSNcnK:OIoq;"9\Anbc>QXkoE^%ir]q9u8c>ms5`.0[a>:*Dhkf9a"gHP3d+KUIQh.e_>hj
+%&,YYZ&qSEHZ?j^\%j9)r\'4gOiiIJ%b#4_hrd*_bs#CND_,Sa@:OM7"T@@8CbWb8Bm=]#r&oA@YMI.^b`sDFeoNI:hmht\Ub2sSj
+%d%_kfLq"p4nRG2U'?ocsQ:WrWI(]'pRp3PEa2X[A%t(6;L6hQOE3B:pM.i6&c_:%2W`YLl&VddO*:H8=S:b>2NB2s2+*[mK`*UWT
+%3H1#\ZBs+O<H6saMENKd>Mcg@n;5S/hS=*CTf@&9rlB*VP#%pX3/pAM@JgRgo&BfO^e%T#*7hl7m:$`hiK^0_*=orp?6pb7&f.AI
+%j'%HlN59KH+K%Tf-qKBEl'4e"F]pH#c<k\1o5^p.os,7&QXbHDQ_!WY*:$P:m"FQ`=J+k)a75Zm(LNI!`KR7tT>RP`Wkn^^L%4sC
+%duChn1@!It2SgS[B\eR;p#@7H\Vo;hZcYK'[/(K/6OVh41@s%FASjBV\uA_7HV^_=$h9pG2oCg40A-/t'7(+:[b@dJhc"7^4lsC>
+%A5n<U_/GMs32d#2Ji`qA6D*]]TiuCngVsn&6`S8/-4($DYeVVG/;QsEo'55iY*Ig'8@FC10r1G4I_P;r2A]([$Ph.c[qt*X=.H1n
+%J'&h?<94m$/).mL-S!f3c;o9%%f``m%p,gVc'P1qh=s4A(!K,+1oT7#F@<jgCs]2_9.ie$JQW3_FcG[Te5\Khq!A-k'oc3H&(aQd
+%16Y\a:Wq8caN76.iqZ<Z$fp=3ani$/FE#1IN^cKlZ$PKHLpP,Cj)i$'4Q:bQ;SDK\inWru^$\#BI)/^ojud+2E[jr$:<Pl#*;hkX
+%I`S[aj:5186R>l[ba/j(`*9an#&^_pgSml]ajr&=]qG(jo3jD#$NB]OU[1LHB1CQ4!I@t.5EtknML.ltbcMO-V6ZUm8m'WC)j<i'
+%s.'#S$`Ck,c?Ll>PT?SV/lB<u0f'-VW6R/Xjce11%o:N4RsFj=1Ol7]B(?%:?>uS8=g1j5:c`eSce/Ea98E4'oba;F[-`E#kH;ZI
+%Pc)Kl<HJ-h:KY-,B1*:n)Ge0?Cc34B9&GJ0AMKV1-<t>m!Pt6:<O*8MG9]H:S?O.K2^RJ'7,4:<)\eZtWgJ47P\[:`<lu\MZDjTk
+%Bqf'GW)=rjPP#5&5)VFmnpF3/e4j)7VCM+_.6/fB;X9TKp#H+(kIS=b^'j.deQ_IRJGN3Xjh;,$5Lj!+]7B`V^#cs9W'AgJc>5Lb
+%5SG[WB9,&64,@'Vj^1l:?$%mllTtM.bO`JJ5p'u(UG3tR6HRP2bUVh#4*55LB\5Nmp^g5H0@!PYi21fD\1&kVcI29UI_:+hrkEnJ
+%H1h.a^Ud*VIB11#g%3e.T9?=KRPcS$'.U4>5")c(NE*K!'X$<\\,\8k=)W:f!#^Kkf3!`"7cEVi<oK3=\14$nMQF?U(9CEp96=M)
+%@$!E:a1=sP)8X#mD-)5V`E+u&H_j\'eGk-=^E@M&M'#73k90XG')R:LIt)\>c2I>&_tEC-J+GT+\+LQfmm"WI*I[P(e\f;prmi=m
+%qYk`IqSSXA4Jmm`=&!a5:L1"bPCJ><p[S]af0d7MkF_;<+8inRjpV3pl;t`)rTR\TeH[Z*k<FJj0s.%ObS7ca$gDe=HF>LkIZ*c4
+%r<_BZ2'ib8JVqkerU/Ci:SINboKMY70E"PenrE@]53JcIn7-tip$i+X+rp:gCrFSSh.n#o3k>\p%Pr:+SM+0M4,1%a]'u0P%/6@Y
+%go;AJ`hDd#':_oV\CD@dJ[2kbZ50Kch%4M&\Y8nOmsP`:Om/TWC'W#7DOTK@j4o]rEV9`-^M;`&*oIk9#9,*rl<3;_^,&M#FZ5@X
+%B7_]T\;+\6B__S?J#7!7I+9[1FT^7[ICXiE\8TkQ>W,7ldocK.gr;%DmudMAe2Q_eW5F&VpR\hRGi4#j"Tg[CTa*ic"<^'UiMh89
+%5T<l11^5Lse_NjU%eh25NTUN7]f*s8_>+2Jd`M5Kk1AL7cJq2-%GrB53]cCqauV`pc?H[?(Of(4Y<!Lp1Va#"?A3=e4ahP%_gr-m
+%HniJHp(Opi?h>C0_nCeH..`OT_lT\oWOj#FngM.`JoPoR^.8#T[2s^$Z]`$,Ho3n^T#m\?^o]V=N^^)#__7^75*BGXqu283Y2pS(
+%05]]cPFrd&ecVk=<qQ;D)gn%eHpPCTFlnV8H)2MK^$ri7H5bc!Zfb3TItYKQO-^t2&BF]9E+jt2E*'u_*">h'/YKC<pP^*;OA$cI
+%6Zsd(bfD^jmii-i+oAP`Z6ooK7fWI=mLa7hF^B[C1C./4)[:[#[O9O>&Ki8+#PY=p^P7!ESc=m+@h_N(Vt>SB'6tru"7_h>kJSCI
+%<>StFc`W?'C19LIlqKPE.^h&kjre4tZacC^C&sr*N47kETGWD;$;=PZp*_d'KQ%$+Y07mp'^S[B-(XKaLa>jjd-j"P3=fu%n)N'd
+%0_X'^]94LgYIr`T<q70dle-&g1j7ch="+1'>OW#64^uqAYMR18ojt:B3O`G`"gT+1&#Q)KX."9L$q%Bfl.6Y>dmYhQZ")F>VhCa;
+%.Rp(7H!?HR4P15MmsMGM%0&pqR+'4'b;RWj4$BsW@]Wj1-eUa:+Nc7ZE&l)FEt%aEQj=d<O=PdaJr^!B;!o"lNe*XHqr:<&n:Pkt
+%Y=fRDfoK]?q7IsdB-t#?mg?k:LouatOmURg%6\gf%dV?c"*cBlb"O!j,aQiJ@n+>>/41q<pu<7b[:/`:E_;ge16=,[qV]*ZD,)md
+%1(?oGe&+>K(@[=grq@<_:lHcY#"Z\-qZJ1n\A2<6$h<Km%3Naj$tC.t/nhs.h>9V]h5?-'K*jHBg:)M\JX?YfKdHfjd)UJL!@DA6
+%kW"+iT_!DG2hMSsN'Z?jB;P'Jmc<o]JM,Kt!!$-#XrN@&=Y@eo<\68m6*2Y`'&c_8J=TmWnJ:n\kug_fR&iJFQCBrH"-@sphTsKJ
+%#&s$tiHS_UKQmsQg5'mk^2@=Fld!]:M:IC@"C!-"+Gh+32I6b%"1&,jXb%dr"JJ4Q4P-M[=J.'oD`PYB`tlJcSq(K\T\#7Q#/AY$
+%EZ`GmNmSRic:qlc(4^<N-NfML:-)G)fg*iqTT9KAYe2o*F-7_7=dJW9eEMaBAK>Ii!0*+d+Pb8&merBm,P+<GH<)HVOmaZ!,3Y)n
+%,#_tCUfM2Uq.j$OV$1s*;:3<c#)p*iBnZA$i:#JA*q>'.c-R[e4YdVAcfFs`S]b+b/6#aU9DG5mRjGoj4ZDk\#+='S$M=iZmh,bc
+%HVHiTDmkDE"+p]J"!,aLFTdD9kQ&6,ejC.;I$<k!RpGEJWj#/"&((T')ONe:EBFM"BX=e`fWh!G/7gr00pQFRK+k!dKV1mo/PkA>
+%+>O]TdO!*t!Mfa;@4'9u&b`%K@N]C*Cra_O9::`M6AA?S$h&N\\dCqo?=5[\Bo3*P44QG*4g(X>^&8@akrbMhL=IO/.]BIM[EV\.
+%P'U@U0ggL0Oa805cm+R;.;ig<0)IpO;i)0abf]K3MmsP51ZU2#a>q43=B*lcM`NT25kjb@r<>6SkU)jeTqg5ijhC2(rM9a1']]@q
+%5^i+?Y$Vu#:XrJkiV$A321aN";4h:\Gj]2p8epnB32iPBcsWI+Du6e^JJ*8GaQO7J^ip+p6mCj2psaO<;YQS7coJC_Lbd<pV5c$o
+%<NT<%=;d;X;:`Mu!X*?@+"-?d;C-bA8lad,igXJ!?`+q3lb'"@H*.%!!EoJn!KmXt!pJ'C0GDDdi$luGeDK:a7/2_UmlDdF;,hpG
+%4%(+3h_sN!Z64Fm9%>EuDI@&V>'N?,&#P-8+IH<K'@RqhAT)*h?]^8\P)W76W"d@06C!XsV7.(/6LUTSXtfJ63!U3'pJ$jU0W[%U
+%JVE'2mn.[Q\s0X0M_8QmgsuO5[$#c2L!R7]n7fQ(,,9niJRt0]>Z`?<'0jnR7DnsXZmjtK?r%k-[hT3R;_OWN*ESur$q>Tp,7=e8
+%0!$NF7B?jgT%3mC9-e.PUu@sm-HkDFT.V#^UkfiecCk8N@#"E3/nG6\f.am9"%3=WN=+Z,3`#DM<E]$(fh7_:Bo!XGRa+*o8sql6
+%Pg1*AD9$5-SkO6m^a%qPQ@fn0EDDe)A0BrF8]?ij7W-dFC.tQP1TRHf@.tU[l$s]-i.j(3@hGCiUbbPE^tTLZ0l3i)\PPSE>qG0*
+%(8ASR%4(i9MS+Rl>Z30k881c[fHe(%ZU`*@=jUC^n>qjsn-O61h")Stf*gtB2PUH[\#=\8ZWC2dXr1(+##*$B19[O^Ng9Z!`XWj<
+%J;^ga*9Zn<g3h<E5mIct`sWik:ka8P0.rakMmi:dpPMVuG]l'ml0b;$oA0`?5__>46TNK*6Wp^09sjLO_fm?mFj5A<55T>C['A/.
+%S-P-6@hXg-ZU^)p2\XTK3(9LpM2>sK*<Og8CbeMIqGSI`P+.[[H(i"I.T5IDh"l/KoEi,=$b$=6"$E[,WtqjDYRT4oGe67Kf^Q8;
+%U=lDXH"/^#&W8sZ/G&^4#E?*s+,n6UcYL,u%g+QfZ*e\FFBPu*C1CtoqU,Gd?n'(N"l";iX&&)"$XebH`9orh4\!"sqh1obXho!*
+%Rpg+bdXO@U\'-PsAc_9sbd<aA_JWl8[<CGjD4$EMS5#+21op`3F_EI#)2"*W2jM`B5u!9K"mkr!I%$,sAd?\6cPB5trA5&(.C$3k
+%B=0G`--Mgdgt=Q-HSPD(irU+k\UcYN-7Ef1inBq'4H6WOgo3GEqi6jQ*FWf'fD[)nJF/-ZB43@8V'pWAML3FUQ(cS=(T!kCaH7cG
+%'?$"F=!c.+R;9fg$WJmB*cJkQN-ids.."@nEA(PNME:cCm@l`M[Zqj5$ek/b<FAY)rr@_L.%1Co4js[a;BeJJn:\Uo(n,#^L*[U[
+%VX:c/<GCNfD"8h/NA?#*=Nq&2;?^8%(e5unB1A!P0?`4tYe\=+/JHBb)S-+=Knn;I[t2Vm0Z8JA(-us\ilMWf&X:tnRCQ%#Amnm.
+%PjPt$=Ad)64O<T:nl.4*O$\fZ^_=jEH_:`Ll@jP9VK/jG1fRmOn)d#<J_R>q'0-74TOo6t*:&>Y<RIZn;,quS'31mp;H60ROapPD
+%PVUW7rHnLU:Z5WL>>uKo'h*0Y_d^_P:"1+hB:Qf9NR\tM$B!CDV!?\SHe41)1Z3ilgdT^lZr8c^m*n-tK+t4Em;*Z1nZ9(RJjUVR
+%`)*A3Y[87C!BHQ@^FgFh%g>]ePXSRhmPMZ!]k2%X7Vp>e'5=BN.go,\n+*!EIYGf1YiM;K;6_B@'rh\?8,*eESrfu?Z7$gCAPkXe
+%b6;CCZ!\@Vgl"X@0pGm0q@Xqt`+Fk25d/DbI2UZl!]\!V3CZc9@r"Yi9Mt#LfKm;.MhNHNc&HDf`g5<:=<[7=l1uPQ7,TL$#+J%s
+%UU<W2K;C;:g537o:dPq0log^eS-t;3pT0'.WWLj:7>$hUS<T<X#&Ace!gkiA=9D"n@-9@;K3;A.;SjW?,mA9u78bJ<$G<^`?PDRk
+%E?*Q*huUcDetf+h^t6/&c01WrP6-rZd\J^.S^Sa![n^@/**B%GUa9Vgq/OEV$iHN@4f6phi3V"+ouJ_,1?]Gqbe,j-Kp,\28)@u`
+%D`53F5;MT*W.:[BA#HId]r\FA'OZVh#$E/:F)#6"m']L_b&^\:VoikD^VU[hp0u_$i^bc8[-La,P/;NUdA;$W/7Y-rLXq%,eSAV7
+%m%ZM=@9U;4ATaf.R^uWYp):\Ml^)tLGF/8TNVi1--Yh$l^j:o@D\D)MU@%Et,or1*!XQTD!5R0[^O"r&l-(LO"Ls/RbIUPF8ZAo%
+%c2=,(^UE=&7&I?lX3=#L\kjr<V2S]W>C&q4[L0Ad:Y=^5HXJ/35D*M1]jRnk^6i7LG[==#aA\b'CrP)p#I?Kh_J+r&O3inVWn?ob
+%@#MX1AL@r=?"E7-#C7d!'[%K[WV$tV'+U8"^.G[g//t(_`JXCBm'&P!U@aJ,K<7Jm"_*72#@!%E'8LePMQCjXFrfh_&r-P6WQjcr
+%N(FkEMF3dtDt[F5b2t.'%p]b-?F,Vf`c3ETL;]J#HZU6boL7<H^.KB&$qEC!bD=i^?2u1poaEY$;&H=m'.?+YT0Se\D1In^'>)$'
+%Xk<9`=HqWkju%mXJIrfj-H5C;pR+$a@b29M\XJ6Q,)jX4$K40H-F$k)L;\Q2CUD594cuS4oJBsU_</6k.=8d^qK$1-NZ9mOaKZ04
+%-ko_o1SKceG.7PZapAXI'5VC\.Rr$(A(Zfo]iVuqjh^@G>*_^@J7Cs%":5e4bMloiUDY+W>gI*B%(ue41,N(,b6%(.[(Sa(I`N/>
+%+Wuma%KW%/0He/'%$H-(bcR<4Lb@e^/N`bU<@7KLYc$uF68-bNQ:B7q*r$?p&LNOU,f4tn]L@np_^)#e$'SIVZ4ma"P3.R:E8=>W
+%JQU3PCt0Z94=ASbVW2n6EO'\j<Bj3oag/i3/LSd[D,)V>\1plDNDlNo0W7;LMNg[<&jIu\81!WI`*4_i$3H@q.P;;7Lu8mhcq78p
+%R^Je"T2rE%=X\eP'PNJ2'p>RJm>.o]V^<l/-2/AeZ]d"OY\JtIEA,SqEXnH]YQknV4VG6b9\bd]`%<t_[j5f]gsQ6i>1SnCVS`6M
+%%'^(;5dE0u6FKf?2>GO<40UMn%fim8/9;-@8M$cBk!kJC=cSdKq5i;mWfHFq1Of"iE/4C15Zr1ZOUZ7Y8:jW(Tf<MVK#E9FBuBd-
+%:uTcVL_;1V>mMkc,aJ.,f,bL5FX,iU25#haJ#ETor_2;nTFANE-1\!HeL?.mKn<iG>Sr'RlA5XbN'8_G+.:b6>]\GgUt)`sZ'$F7
+%@Wk)t">9Hhf5o[+P:i(jTULOKN!1[6"(d+Xrn=(.^c2QS%G2*]q>?2I["KQ^Re]:+ii!`uP=UIt7=L&X$8@TM.17E?'c,Sd9;,W,
+%MA_WdD^kG"p9lY%a&F2?)\#XA1og>1@K8nAk3WbYA@pPUWE#m'&1,Mr_L`,cqBQs]mlac5)?Xln9i-1@kXWDr7_Jru%n_baO'9CI
+%_,*RtOgC;co)Ua!hCE:@Mf/[/o(ereg*&k<:k<l)FA8094i^"%#$%I;;fbnIW^u<;m0lsV_("DId<\h#=[Jp:OI@fM29![/fM[hs
+%/X+GhE045rK]sX&VIn('7)[a:Sl^fT&LE9fFRTop%.S:q1lF[`KMIf30B5,3B.AfU"%!CV;N0El#A2^N@I@_5G*(h$[8LOM``4e.
+%;hE=U7qPEZ-R&/I)e@10n.WDn0oMBm)@bn$]!`GR@7G5#-'m$nU(u$06eESdQ\[h8$T[g/]g;/SAC!*Z!*nCbca4=g4<&JtZ8N"N
+%;M>ha,6BjCs"FX)cM(#i+W<Z13s9X3+ET_tn6QN3$&hqp=9@MW2XX!m$sWJ#4bgXs<KQO6Z?n7)WpJT#d*TE!U1$Vm=&?_:X1bne
+%m4F14&oB$"@L8Dh,aP![a"1jh5=fE?(1IE1kR8*@,Xe%g>6r[bi>0;;6G,a,apWHV@88_V_S@a:b#*D;TIJ9h6A/DW4bn8b&3X0C
+%9;9Lb;&mIQ65YLI^C\F_#'E*OfmMm(ZbnQ9/k#k+U:Y!T'pYJO";;+od]dt5oIf\i$-rmi9Y2n[F\/)ddXhY^s/;`H%X/L6+lP$t
+%-7%BCAD5.K8+OogdKYU;DD:o5"3VnEZ"GS).<&(/XW"aKA[>sZ6tJ\/TgY72Xo@4Eo`'$*O4D1Qd3jf^f]a'SQu)GP=:?oJ+r3Q,
+%=TO`3BPh@G-b\Mt/1P.=$hT3(:l+*D'r\Sk:g[+OP)-d[YSlNnff:"dDr)I5pS<<7#`@ZLgaM2ajiGq<!8lHhIQRS(6D3l`2I]+g
+%P+C6gh:*?E1ZN85LiYU9I)(o@-r&]7'soI\Zs)Tn)->#V?H*s@][&"$5X4EOM<?nlloqC(naq%`SMdt9`\42RmHG-#%Bu%tlL_tF
+%T)Pmf`NXO7#)atN%radm"/e65CZ9l3P5RuG4s_IJp-'d5/G)ViQ-J5@4O0X:k'\Zb9p9p@.g]d'6(GP4m&7-o3Y,qT$LFF:Ti_@u
+%B(fV10&cDlHH_/D+GY8)1JuaPq[qS2?bPnMp4htkEI!$Ok<T/sA=b'^8*3^]Wq1%"I"WVp"@#H/FF]#HF_QYC1HBhSKL?,Q(8M`,
+%`E>e,\]m<_Bs7FZ/c%6&#\>hUE#[sMm[AUSh0&&r/)Bk\2%??c1^%BulHG^1D"AFc\2Bg1:fBu+Q6Jt$4'["ukp9.oJ0KOg(2sk"
+%$gtqKP>6uc"DkEs=Mi_7?>%N.\]Jcaa!JODJL`<?E,^?XZF)9na]YZM5,DlN/S:6/LY_hQ>f;2dK7GTb(F]sT3Oe!a4M8@j$p"J_
+%$#mmRO;SXfO?;W.CpE=@q+6el<jq)[a2fYZ_b/]@B=O6L>8@@rh`B-)2/+10@!#!S%_^s0-5[2:\k3*(M9=->(7T3H^t-0IZIU5s
+%buqF4i$B_2*LB<rcn%[Z'aJXXA,o_^Z1)*h&]/uqIVY=US_]5^)9u5kDY_f7WQRfaVf@$es/P,S$H.A4Za_i2gRruR)4XW(A#CrO
+%?HZe/$X+H>=g=2DLo^PI&ZM!$!K-c(\F4G^'dn$q;YDg]"Od:pU*rRbL+!BAekpHTl]V#`dJq,hW9uG^;$,06c]isf!!!b`-MgiC
+%_to`'`YGV1/-.'Z7jOnKr5`,X+*j_qM9HN?(V&51H)bU.OU*>R5bs?Gah\;3.IF]!*LBSG)46'a'l>5I;:R_5(>K"o$Xr1,=S+pR
+%0uRNt$-S.h8jJ.c>m68lAlc=h<n:*e5nLo53!c6<_\NV2QBX)FfVgSNp3BTG2Mbumo7CDa:':G_lOfKk5LD/2-I8Ki+GH%u+a78%
+%>VbWA(,fZQ/)aimUDAVXGg;7I68X@X8r,rVi!).YoG0A=1*^FL"Z<^n;>VW/9[l64-X/Jk5,)9HR'k-H@dPF0>Dhg)l"P,skB'?i
+%[jSTMNWR/AQXq&QEluP0&jIu;>f2^t>T9NH6oG2ad\I59[]kU?-"WfY8Jk?^F$2t(e.As'B(%;D9?R*1l]oho,2lW9@KfHF:bC-R
+%4F(Z1(AK8bYSEaF=`T)hPSdB:]eV&Ze(?]YjdlUr-<9.AP%9C@"9gTL?d#)n""V]_SPM?)q,$Es/N=([3u;15h-NlKTlQ1<gh.!i
+%[f(pGk;EP4e.@TA)tkFqV\JijeI(\7PZ?C"+EtfLI!(@mUKK6JLD.@fRCVBh:-1l\"F+bHS-h-s@a1J`>#k+o0*(8lJ0u9CYrB,+
+%A]K\Pr??=0=S.>S5ec5IL#(%s2S@2s)iJ-Y2Csdl)WJW":&R`V;!N)PD"c`61b@[8TV!EnfmT?+@qTdTAXAU3FjjA/C-rjX9F"U"
+%>ILIWaZJ0F2t0:Zb>*@T@`+W%d4n#!h$grag9SoT5^TI^];,nC=k>.<XFWMS>2G,RfQEm!hpcVKbSX7/Z'Xc!h@8fq15^.*$H3l/
+%9<Zj5dPg/m^F,7c?RWjk$%3gS7A_+:7UL7))"Pa.6NnZ4SO3k0VC"PDNJgLE+Kr(_bN.#f7@:iP'5,DaL3l'%8ZmX,E6<D7LkhBe
+%#!OmEP%uIep_4>KoNk<63@/`2V/V`IS/_1ZOg8;mQI&)SM_Ogi?5?u)'>[`6WQ")2asjsi%!+Ir-WPo!0/\/uhNC?r<WT;pdgh5M
+%Ue[O?+nl;)qg^Hc:lJgPh*d$!9b_d#dmO@p4cK',KF6q22KC.qE6;5gbq(=[:j!)8"3Oi2.$0E7Xc2ntOJa:29B$g*(rN%_F9l)5
+%Ym<W>&JH(!qYW8PD4#GM]u>SZ2<D>,MZS\l.@+L8<-Uj2)lB,#:tUu)A\ZNQ*=8NIkuoj3/Z/W63h54gZr+]I!]F4u?,GfUop.'7
+%P]P+tB4,`1.-KiGFTbBD0Mn^XPOo*+r3bf+k_8[HlX58@&DQ+[nODb*kb'tYS9J$S=Qr3U2]$bGjkgr*0+fS.8T*51GbdIDD.a(%
+%,tNZ+/lFU3Q]![t+rMV/XlM'*B6KQ%nV37^(`[^6U8Ce.)7&9^0s^#:)F0NqPqkGE$qk8mBqefmHje@[E16!61_:]CK\=C9b//^8
+%gd[DW/Jk]tWi44='5&Z#2#1e^Q#*X+P,1<#,:ea;K91dp)9OBqYmdPKPRQTXN3*6EF1Q269BKiD37`.I[?U?sl-QY*m+K&+W%cDd
+%j&-hnhOXgJ)igIhq6*2Yn&Z3rE`c&^hMWrhh1uuuW]g*J%J($UP4WRXDqL6t$q=kO7Pf+eK6Cof855>T5#_F,<Os.65Rd@E-4jSu
+%JoIpE-JaoP^!gP5%OoH)/$L@nIn])6p%r:"0Xt</cm+m;Hl+2NVOJT;A"OTmi*#86J_B;:"#2Jn[Q(f5!HJ=b7UelW6"A'2f[i+t
+%6Wm(1&`&6(BFXq.hEnL6*Gs\RdZE#JmD=3!B,QJn2B8m2!8A4aG&FUWAtuW+X`GmRiY659k9OVn[M$_5ct5B\_f:rU<r)(.Nnu65
+%N?kbl-$b]@J/Q$gcQ@EEXMsBp(<0r0S1Ts5Ms5Ig`fM75d>W03EM>\k&<T\RQ6TE7G)+"K]!3[CTA^5ri-HRWQEnK"D<B><+l<_s
+%\G%W8:uB8sKc\ZVNQeD=*nhd+MHH\ofP]+c4&k[cWAguO>&sY5poFR!6CMI[`X_;[9LUb/S2'+.`c:*ZN!5g54U,rC#n6QsWON"L
+%)_c"4(M;Tara=W.dUgiWgZpW\YjB?7T6t0Z5-f6Yc?>LLA5=CC@$BZe`j(88Q6hMJdqZ#9>LJH<Uh*+N,>[1@CY?n3kM<e:h7sf:
+%:s,^l5%[of_/"\s-.4cN:sF((RrJ+_bq>`3JA:1+>gQ%h5t@c\9Uq)$eDY5VUAKa$8b:Df%k(mF5;=Z&5!SRg.=1V"+2oc>C#Y>F
+%Kcs0<C9T%?&-^5A^r2#+Ml70(d0YC!&9]LlLPnP@QjZNO.k"DkN0Q+k*74DRX'+Z,fdc;eP@=Y]^(AU#lYe5AgP\HHcY_N=g\l?-
+%9SR4G:]aQ"arJpMl%"DXKoo-CQkDkLnO^`hh+W3t]'(UW+0.#([W$LcX0OE>kq[gZJSXKj=[2J+QH"M(2[ep[m5"!t$:<27pBcZX
+%/G5O/bYXZM^_2XL,G5iIXIgc9.h!k*S+n6SFT@+X!_f^af.\%OeNQQe0mm3CGgUd(R_ZM>NBV=LM*%k#pV_[tjX[n)dqInWPs.dC
+%)EA%sQ=IG>#R2p4BOi6[nYl?+q[.*<Um,u:5<^21<J)Lc=ak)\Bo2$D+]U(5-5N@#EU<2?X&aBTN0a:TN)DG$\a#oR/5VYo,aQp?
+%!(e;FTNP*#cKJ<;9.-$,8[n)k$6#RK!:P#t0F>oj$K*nA>?NE]`0M$nV5)6ORbCCjF)&hXapCF(@iIF:W+^9!FL!<-0sZJ>"f>dS
+%;T?.)*Ot<K';kpKIBLLKcCR8:*`7788]j);\aRL1MI#dADsikEIP5#*Yte($s1nl;(Z1N23hH!'pc&D;3HBN.+I;#YS%.-lfU*MV
+%3o6Y=4]>d!kghi7Z;02'nQ^r#ghVgU.$KkB\n'j,@,L8%n[+S![3j$Uhoan]1So/1eNkoEMZ=dR,?)EKpR%A*l9a15\"E5Z$t[p6
+%3b3s=p$ANM\tk@R^g7Q<]I9OY0G<#DH+Rjam=X-+;S/:,0_[#F=SsW,R.u8UACqZBF<!n\@4!\:7Sd>pVhS&a3%Z(NZ-P!,4\;:9
+%4G%heIAUQ4Z`I>]E`rt2&Ai2ZPk\Ds"4FOMS<T`5gGi">p:2UrT>aTa^I8i4Xh;X\>d>%s](OdbWL0V>o9(gmA_:WLe7*A'aX,t.
+%a$]Lc-&3Aj]7ih]'5&]$2#3QEcJ%j[PrANa[N)g-ZeoTBJR,)erAfpFq[UPSZf8G0J^QVr5I,_R`cB@qf@&q5idI%.<hAA-a2fPW
+%[n7VsB<mg.>>"/5Bt!--SXuBaV:@hm.VpL)QK*sNG-^JgOQ7YH<Tflt%2K=e:O0KZoQK:5n$B[3`'<jBgMu=bBBRVA+*J,'nB39O
+%,>1B-H.G=q2J1WIOVR$FdW!YJ_eo4f$JAp^Ai]"R3(Sr1#"]/HFN0ZV1qaZ>(92#O:3G>%/0DN9I[3![B5:)0PU1jA,hag1X;HfX
+%lr#U(H]>,#N$CAFNU.MHQhG,7;RSfNWE:S%Yi[rG>in%H>f(n-BhF6j/!%"bOfVfBnLFcBXH'!7*2:GFCsdr2cA,k?B9Mk[L(J?`
+%a/LIjS`CJ,@\=AVikn$j'D%SLBmoMH\h*^DBs"mQJ=)d)X2&-4E=C;Q0d`ogSGJHp:ORg$iDr[1PR1uljQIKDCh7"Nn?h[;c&$F'
+%['#63pVi2N-A3\9GSr])Th+<@fG+'^'<:\,1_AoVBHTaUR'gj:qffkGDXHYUS\7E_QJ*lI('rL;%2^^O\'KG\;LjSHH2F<kC!c(^
+%-Cb4f/1)-o[:E+?"ug=^itK*o0q.l*02[[o/<A@CBs!_uR7q5I@RC0)pjaOHlkg5fN.J;OB^_H@Bh*1f]2Ugp$]VG01Gr9:K15lN
+%B-Y=*9QoRH_MF@$BbMbTO]WplC&)PaI1%T]%LciQ.Q#;Z<5<`)dH<QUqA@P]["8?fSPpb-YLoqEnk.(ucg]]1OtF`"R/32M8(3^&
+%:Sk=/n?MK+62WHt;(1D!,bsA%$1faQ)U"-rG#dI6G&GOZSK">;CbeK-fEu/;7ZAr04`/Q[Ygb*`3HjtN69F9\QM2qiUDT.mEjcuK
+%\cpDkR\Ls3_r3uA?H$%^lJR4eToG5sf/htrLY\+lYAsKJNkn@0W^Yfrgl'*sR:NaN4*L6kiOBpX)`Xpsi@(hi/bjA1;6d=5:%M-7
+%YAIuKbe+^>,HUouorhI;9+ejR[q&\dgWhM-?$8<2ZjAGW0E`XG*ufA5,j2sLgm5:9&U(LTK[pq3+!D_R`qJ5KD/i@Rm):.EZ.#l-
+%YmaPDn<1Y.6@tT\3J>PuDQDekUpA_^@H_.sa2M#)iX5-6;l7(A43j'>mbLY"@[&j;E6\bO83"n%X6q2Gi3JcWf1MRUCr23Ejd@62
+%.T.TJ.+3k*lh@>5m#/f]KQBo0]iu#&SaL(-icHgb&XK/AVXl,=:I0PVP%K8X75b0Wil&Vco;_5b9`RlY!R>GCkmZq&?u2!"B.EM,
+%"D6&4AE-8`[jDat1_%RN?iZRY;0\J8+PO8QMlcQH-\A2C;iAb;EDlLdO_Bs^o;)jopC8?5`>Lu%Pb?D/Sb4_A8"'_XBoIe2!EuFs
+%X<>]jGd]]!+]KJP1B?-"r.*gTW[.ekER<_/+s$to2mcDUQ].dmc(1P$9tL^KQft'Z4(QDFhB=#(^]P$(M,Ig(W[S0d=U^*'F$?Zu
+%VYX92aM*0J(4ut_.!3@K1)gH':cQ`2.fg@4C?V(7$O9L!R06>W)auU,0[\nE+t<u3VpnNeQu``k5toiZME7\c(td_'63!]FIP&C4
+%5\knD0W9NM:=*ck'bDB@g1&L^/i\8?c3de8ba*MnhHhI&1bUi24Y3j$c32'FQXUCLmZ8n4&B,(m$-!<P,BQS!RG8usW8a'cTZC^m
+%C)?'M\stNWg6#Q('L654SRmLd4Jj@:3:!jQ2E;H'j9gH4c3-$s)b%?F4NR)l1*=sYB4eP*nRihsCnFI&$u$+J[c8irh81Ol?O=`,
+%T3-P@j@PYU=h[penN$!%2oJ/L_>Ph>&BAlt6Ph]"lS`lU#mIt/7=GB5Q8fN,S/Y0:T9*8<lm@ck3;*sm67f&&P13?D09/@D+C@7$
+%AJel$0OK42>k@9+*aT+H_LiiL[=VkOC0%%f^m(E*U6DB,KHo#pqIkg`;Tk"9qPDbLTs3YmBI/+dNo"_*1ECK/*f9KgeT%l<:e1p\
+%A.Y<,0W7gA@U*(c0J/766DFgm&nDI<QR6C1j#H7aG`)+.>k_2_i=M@Y^1kGRVk!\4FYT13%,V+XZ%PX,^3$/?#/gqoV>$4#@sV?!
+%&Ogq0<dQ*Di!fuD_Pro`E_P9;?'XfW-cB!;Q'#B2Q'PF5fQcUI^kUn)n`"lR<)ti(MM.>$af,nq4VUt-+0,r$("beX=\DmeJYs2B
+%:Ip=YcL[uEa9X)7RtKl=Z?`J#%Hap@0(Q&U3%P<0:X+0!''gFtmhpF_0&nK\Z(MrZ</P=gq&E4fBWClucm!$:poEAh,rR@613b@c
+%X9*"t=Fb+NNV:"GPRT#ITh7d77V]nDL;59":1@NT]StedQ;iHrKjY*ogM\ml/5j^cNT1&a#dQ0g88P\i-q:9fIZe]@*'B9MN$Uk5
+%(l;Z(Q;Laj@b1s1/Q#blLaBIk4AEYV>#QWC,+`AuR,_rgWJ^mt=[LCnfKG5b:6&WL:NN%UZG\$7.;iRX>=:%2Mbm*/'IKaIeXY)/
+%rU:R$L;3qcmLYd/e1G"`#pa&62t1)ZBaK/gN)0i<%D2A/(P_=(d2_2nFOj^M^m@C@_&"t/G4;oXOH;+mY<kdIk[1Kg]$2PO/JO'h
+%'OnENXR1s/Aj;b!T?pM-@80W:igN8H#k8+f1dh1pE39b&+e5Smo*+b?#ZM^A2Y7tK(5/uYR);o27B[''?NC-B9TSFVfm?I4fYu2I
+%iI`;^6hoRPYd5c5P?-si2R7_s,r,C$YZY^o#hqOho>'cFPVsUQ(R2,aIdD[(KB>lJYp-8T,$'B)(JH%qR:dcb5sjTe^6*E$1B.Z[
+%LZ^\9R0689:)=3a:*6O+oPJ):k$$)-iNga$0N-%k1T"BN:Pk/GeRDEl$regUdR%=k/HfN+l\o94:UJ9Ko;/9oM#S&9)$5=V8erf;
+%9GEp5-SrGp=_6s$5_g!2,q@;Q<MHIg&nNaiUA4k$1Y<KjkZgZII<?0?(HRom@=dAS[ZiMLP)>ZMiN]We$j2ZP=]VE:`iNiX7AFI,
+%q+M6m"o_>-+bmlKQk4RLM%V+@=$b#5j8^'ia>cc:D_f8?UerD1F+2*&LX55s$??*413)]*SD63]/$#<m_bAD9s6hAfZaaj6Q+0p?
+%AK5?)QUi"7$/GuT-k7&Wbts6DPKcpH+$1g)RGf;'m7O,(jt7+GRFNGp@S$uNjA<6:NCZZ";!"XS+cT%0K+d;`WJ;A#q*5PcTqCL)
+%,"^^1k9apaA_1D'(OSiuAA?db-g,j%*;UlnToPn@h"g<JXs]F--?usF,!qAWh++g$'T`[NLJ-,",q'kXn?OaU0JC\/g&/:Jj/!3,
+%*NA2NM&nE<;TA=kVBcojPB?DA3RVCs]`8NNP9/3;"Y(?F2%4&Nlcc_A14X"Lo$!,#TI<HTQ7,CZbMa\+PK6DlL]U3N\qmg!(Lr@s
+%V^b//8gc/V/iZI6k.AjMB3)JSIHC7r"Gsj5I(I2#!R@(sN#AfYULr@7@[)t06V&p.r6WK#o:1NK7#+PE=pr7,E2Rg%"sudfWNdFR
+%VM-5Pc8chJ1ufu1,=8Jb=dDB*WN7?qERY'A2,(R![k[jeO*siU9s.%iS"sip$jS[^R05E.:@2C4['Pm1VI+.o:3if"Z01ndime>[
+%cT"&m:eA\RJ1:u/2#&%U(4[9a5H7!V<N'lVaE0",c?PE3:R6Kq5]<PJS%`s=m*jl\2l=EJR`<YWYE]?2S$]BC]4EA2:1.4pVl[nD
+%U;`fW*2;2aR!6tiEjchj#7)KqJjL,$H^KR<m!p_,b3mUpN?k/aF9W'H&=oNYVT&g,dJ(RC./I?8RF2s!?qnchTM>&R\_"3db30DE
+%3E=?s#"8h)&m6V+5p@huJR6YL`GI;'X/VcPI(GgsSC95>83p%J.`4.jEe.RHNpXDR&k=5GQ8g'+=2@F<Hrpb/Y*o!%*=T%PimR0@
+%(h,4uJ7N.L9*cDRJ-Rl:$T!?RAnP^SKX"!Zp?Es)p5$-A1pg+Z%.:SO=eQpLVG(:4-`)$UQV.11PY(e-nBrNW=VS7l>Xn>7[Vh)n
+%72,W?+IcNFLQ"1C`b94N`_:*/e08l=d5ckI=K-sm#V.K&90..Ie.rXh?q&;`N4CBh6d8%!P>F'_s%5bAVhDB&8nMrUZ"B2_BuTea
+%p9ZZHF%W;Q>TLYV"@s_D$6mQKWD&6cph>TJ-4DmZR5U>X'([B.#1?Ik5*Rp=b`aGX"ho+;VTn$So6J7*/_eU+T!:W*.Z5K4mC40=
+%C%,'$T1Nja!3ekZ+0-7?W(39G1rJoWI*o7FN3O.3S-D!N;2_0jPm1s-+N'?D-CkN[/'Y;PRt^/g`9Ym&_D&@6kUdIT9QFRQQ6MBI
+%0#nTnK-r<<b51%)9F!MqfUPiURoGP1.VY`ls)6_V1WSU_HZS<PS[h<F\a*ju(O(YYgg5$OaddWskCa\*`WoP`.'tPflA7f.A_/-l
+%.?V/=PQ7:LbG18ZA$SJC#J'13<5uT1IYHV0b'(M)rNU3R8n%F&YZMYm`a(c<o7&%Z/a7?-D"cj$6jmB]6s&04aYn,)%aWRjroejf
+%l;t`,rUW8Ls1\9cB!qVkK*B7Qj+,[sdqi#OHfS00rT9f#\PfmND;X9Gek_q$6(QV-n:Wh?U0eA\Nms!iX``Tf/T/RO@;FYB,(4$I
+%?4gp3^/4[r/h-FOPIS^?4)coF2RK<E*G-s\HYh=n7+ll=n(fYhY)jed(.,7P5atNt0ZR**@U%<FH<2=CFkjq95#BoRm9iF%Q0$25
+%Tl@q:2brEWltWatH;,#]mLcoi7lA)s*]rSB'Q#<@lCQ63"Z2E5h8[ViW"louPL%P-E@l:b0jU1BmZAN@h/;Lt^0A_kP+3c]qqhmr
+%3aI,O:)QhQM2o&l'h'hA$UN^KQe$^3?:b\gHs.O;bhre=64NG;4%0Q(>'LK*']uNZeN9!%*H90f8-U@iGU3q9\e_MKOhaXfRt1VD
+%V#p`p$Io:Z>LM(HqYOpAiRG6,,6&;D(])gjUt1nD(_6IN&0F*V?=A9hn_Y2PUF>&d[4Lf?D34p&e>dRR_ila?"D(Gl0XK]*"Yu_m
+%U+ckqU?YR%;.@&=P6YZM:m;7LFOt8i+F\U9O2KHCpfsdp((1G<%<B9D9Y56f(]s/eP(EX)70>^r9qZ=<7U;nsa=fbB^nmV-q-];7
+%"9]'d-3sl.:G@qR5QC0'M[2a#+q-T-LjY#Cnle@/J>c1Ak0D&(5U@s,'Tj)DjAdI'R_Vhf;No$O[7XCdngIDVCPeh9_*j\/XLo+e
+%&0VSk6R7D`$P=8=/6HLPW[JM!,#+:_*9;jO#SA%C&0a(872-'fNTgI+b9f.n7uTg6Hpc3S\9s`79'4OsNjWVMlBe0g(fEcuV2Yj_
+%n<8m)P6H.d:<Bch;FOcU-LgEf/^VDG%X)9^.s7Yc;Jo""p@=eAXCC*,Q2W1CIVh<X2'+78Hc]uq_btL^pL"A[]$1r4A7JfsOF)86
+%hRo`Z0nBeB1%jdX-C'-SqBBLEs4i>LO4k+kPVpOf5(Nm(5n%kkU%9IKW$*l(:#R.%_0)SJ9K5VSl!l-*p:7>rDBE8['.e-/.1?++
+%j[E96M%Pa*Cc7:b\ioqUJu%RK1SFl)a8qG7UUl4T5"KP,cgYg/]$t-D\R!<?[,pR24G3*l64*^/(G(EI<?gl@pY7_+%":]:ZspXf
+%0CQ=/Z*lW!N_p+Q_[458H;'+BcmLg2ou(:8Y(.;.a`YU[fW);5abeb=h5po=muh'aG!(I>Te<eTFWk!j^IRQ[?_e.qWuY!hq!uI?
+%?[]?]D>4#.p;8gj%hH_X>Ir]3J%35SP2E?i[CuEYJ%b^PiVr]&naiq7F-"rTHu]o:bk@RVV7g46KE(]'I,SF5rT\U-5Q,B2qLI]-
+%r!1)%KK;#F@Del:YJu',rk-5Mi@2t^JfXX,Js`03J"]btam\0CPgtcnmopD=K'NAl:uSuqW&oaF:Bo=0f=/fHa45Cc2[$)?*n*Dt
+%SU>\-?T[gUK22^.Q[Bd65V?pH'MIKjmmp@@QR-3JrE[uTK_<q"0OU?RJ[rXRZCg\G:(+6ToI,2hTg'X:9Hu[tpU%U;1Y-l6_!JtO
+%oajjIiHZp/^`al'=+G$J+r@'Z^(W7h1gR'R/lmU)JX>Zj$B7@)BC6iQTR>'H1`]%UXh7T_n7=Jj(fE@&9rXF8-8-NHa\':5JRBg9
+%I[B]S%7@)g:=\Bk]usUf0B&%M@0YW+E.V,dP>Y35L."R_.TM\pj>@umTj\MQ,Jq@mNc;q'[18,W(/DR3BiE]cgI"&2DFnr6nCfJ.
+%A4qtCaGL=9NXi0/q\kM^C4YJ5r^gLs^(&[OUc3`q$<P\MBZtIX:Z+WP;a3.ufac[!geul?VGLs%mC&du0X!@1iu<=:`,43DD3"57
+%@s6>3Vo+D=kUs(5TE>p*JAB8A.#T>NT`[Nr\JnfS64Z@qh+0fhA#R53%?Dn@+S;&i]bqtN/-DRN"g9!S#ji>`%bl]q2p=PFhuJ.*
+%J:MLc8M18OHp8qJ`_V'`%#O<^#bDL@&AUG.TE(a?h*-BV!.IGmA,^f`KK0VeRuZ6BNY7)aGQ&Vc#%tZAoniN3jrV)lof,Wk:!;sd
+%T[NM3U4YNMN7P6\n1C>Uf20X-?Ak36+U6,>H*h/=)4GFlgUh"G8(:qrCRZ*1;.m*LqYRG`-QE0@04AlKJc^2Eb522U#"lfp%kLf_
+%?Y136635F>P5,G!!9IgEF9=-R\GYlTE%nR((nf/F_k(7o(Jl'sKHW%&f2&c,&2<St&g%92i,[4(NEK'q%/B\($"2C`4!UiN"Ukhd
+%bs<`d[,OK*A1.TEqb__*"ub0rRJDEeDbF?pgW4pDRn&P6RWVDj,ZH8i)&Y0aW.d>80\>M2idlpF@(PQ0T?/`74f1="cKLMPQ]4.u
+%O=)W6E`G%\DsHJ:8%>N,n>+3GLs5M]:#N`$(dG$c&2Q3<=r'4a3/F\\E:+uqP*6Z3[$7gd6W-q,<E4<jH"bQQi8B&D(rh$aH"9d)
+%AU<30/9tO4l%VT*%A7"WmYR\@6W?c7&\)YCl0'Jbk\o5fh^[`fDKt$fc,V2p$HL7a9::`;Sd'ktOq)=3(U^0d7//o/]Op)sZCm\g
+%S,ejL2,+Ac-bP]09"D)TcRUPi@!-/'GW&%WH+63c5]R@ZHHGM$%jgl'M7i<QklCitDbR5,3DW5Qpo.poRK`Wi*4g7(TWJ3,\QPF2
+%GQWI*Sf#'nPuoB*n$p?51AQ<!BMY[.IaGZi;D`Z=-2K$7J!Gre_0:0/jqS69r%+25f(_Ti<[`f#I4"IDgJmd<-pB.E0,;J"9O%3*
+%)G'G+*c*6'?jb5Gapark"m@1)D^(/OjB'MW6%4C>K+Ym4l\'7XSkeP\:Rc*r@1J_YR$BZYe9>?@':P^hj&[q;ND6d-aqMO%95GQr
+%np<(tH%I3:WlLkJ*V_a>"!qJf(6/o%%?H*(AG)/L]gTjBL%lCETKRt9EAp!1)Z(SfJ_frM@Fhn1;8C''2I].ld=s[jNR.ks9YX(3
+%+jdPYC>]REZZR8%UQ"XM*&+VV\HN+#P16E48VP!]kk,L[kOHWCn0H8W%lY_O(bkS#:'cF/)t@4t:a-:S<X#far1j\;:Kij"l'L>\
+%EOegb&_KWE"b(G>Ta$QX=s-@hGLUWAPh-MTKCd?"nebtmAjg^kHndlO5.!GFU!le$9jQN"6#t,k#?2Gc.N_i-3$;8Y!k.]7(6e7o
+%WZpX>0IZuI#^H&;@2?m+Lcs5UfO>>p#!_9Ia.k2aXO7;H<tE=ZWqX;nK'Fe5JLLg?8EhY_"?7doiIj6SjNn)u,eSo+(3EIch2.*V
+%3*tCNp"c6p!0RPpV`KED)]%H8dk(mLJHCF->&R3s1re]Kd\u7BX@Z3$Y"+!DQH]D3#,oS\!RGt2C>$^O"JF7rJ5b;J_qYk8a*n:B
+%\<d8rTPa`dLTnMo6^9,0LsQ.>9#'FI<iLSYqVfWJrN@aIBB>I3/Sqt*1k"E)iYN+gr\KR%ocb>SBE['X!N9Ar:)2,kW5uX+'S],c
+%&ZT`rNNWAh.Zc's$D8j5YM=no!Z59"U"p<@bk3L'St+t0&,M,?'?E?*Gn0BtjL$dj7C4r2F@Wn'rL3Wc30D6hHA:nGPC/a>*Jg05
+%FWc)Nh9Yj;HtFWRCbW[g3JmmX1r*UPCA^4ufKd+a<:\qW(7')@pl9S"](\.f0Pk^ALu-)";GBcL*i@Y%l-KaM#Q$TM2DE`S_q?2`
+%N6ncI[tCP;?8Z,";ZI=hn\_n7,OFjYaqje&7Yo,K_h[eME`p^k9Z)9S6+n<R%4"N]B0[S*k/k'/33AktqZq9KenM>le%r1t!hbRL
+%CC22'Q%l[tk2VuZ'Jg9U5YV:GZ_?Z4.)b(n`+1PX!N^GGUPWJ4!7m\K/$#7FCWIkBMub%ZAc;^"&8[Ke6c499>in'B#j^;ch\/LM
+%I-H&h$m]j4D/7ks*glsa/V=n7LE#0U$']b-ZNNl&_&8o!S'QUC3,?71V?8rdK2k`_#4ct.EYBksIL;<E2\Wje?Il+dl6289(=BtL
+%j$ZuLp^a*n$$S@4n?Hgt;9p1LiP))[492,Y%gm]]B*W)LRWb@!<@ND:*8OT3IT+M*\-[fm9L`IlKW?[):g^[;+>9fWC20W2?oh$d
+%+FjrqdL>CQ)"L/Y66IUZJhoGqTt1:`/^Wcd%Q`l#2'F#nL,_R7bP)DfFS(p*T%A,D^8#M\!218MY8KZ;b4cI949Gb0!1c/9VKn7(
+%`*1Y"%=mRZJ=f)?Uo58`ciBL6i..C">VTX&%f(sfYso"EEJd#]EKr6l6Ik#O`'>Nu#bZ.(:^.QH#(SQ&,9C<L(-<@@:X#aa+[Yo3
+%Uh0bi1m\5a)L?PpgO]DcJ-W6;nY(uEh=)cH`IlES6kDo)4JU?S%DuS(1^Z]e+AIZo!$`0rIUl-G4ddS%TdgmR(aeOU*2"t/Z31m9
+%'9Nsuh6pC&6a1(U1HPTN#"^8jj/usQD3PBLs.1!*?Aj\P*^FtsICO3`Hi&0>Zej0R%3mQWUI%)>(N3fCnF4)&6@06Bp'H*np,Xqt
+%iSfF(9>`,toe`rT%q)\1<<*q,Ekq,EHR=MS"?"7XL(PsUi44:P'6h@,\E+sFd$i_]9FlB8inV"a\7Z?^*I&9<RE$b6rf_]5Qa\59
+%L7t"=7$N*1E8P^hN:TNN1'f;k0Nc!.]MA`&\.hSejG@tHmKknGC0I8B[*dLNN`8<#Pd(]d#XjNCgI^4@0"nD7)`'U4Pf+[G?A7>2
+%95-)0cRlE!%Q&\Jjg!SrHuPJuAUR:MZ>e^J;&^oeRP%.H)1r`Un\EVh]5\i!gph2LeRgo8#!Ogp-<'\!g'n,Y[!e#$s1)Q\Z3@+g
+%NDtJ-V*N54_,rjp3RhUX7(E$4QJ<0tWG4a*!;MA'ei+U8"lgOk1*O_%6>7cBJ5?Ir@M>@7XMTB9?j)(-I7#M5[.)[\>X^RUkRO##
+%HJr3L87!V,)N.#M=j`n<LCO<"BaN]B9M79E"f-I;GS^_bXH=BOLAqo#'mbf>PH-^7!k;1Z%7/cDZm/"Z>VNl-&W,1$h(suo34pB`
+%EMOVu4`3&MKUaXhSMH,DLg_^%C>/9JqRYd2"/`lL<$_j0\f_h(N'P=CQ9"LO=:Lr^bb"<_Gro'g[mPIa$[PWD=rXUi-NOhuj.Y^,
+%[SpS+#aH<)155h/%Hec;fHVU5?4dJ;%&A%bqcLndH(+">cNcm`a><tZ6n?8_#[#&>/Lc3f-Hdk+G?H?=cDj?AmWL!"4YN0gcG6=;
+%5kNYc%L^_$.O]S@XZ-fj-3m#EBMBcI4[9SMDus3$a`jD?G(cfsViAb82n4C,M'nEm!8f#c@#kZ#>"]mg`G3#0n&SC\PQ[C[K[]ZP
+%\WiZn<0Ncjd=D?%XF?ZK:BHQ5L+WQR4F+0Ie]'^Ao+dcH$A"St=;?o%bQcjcmPkeoMEi(oO1lXoZ/ZK&W,ij7#[jRAB;t/^fI2b:
+%,-m2qo+4oQL@0$n;H&m9FKi&ieRNG6C_O5*MAAD'/d-'I@RHf=e<=F(_u.]f/^`TB/"X?c\t"dY.G&36q.%[MD[:8kVZmEJX?!A>
+%%MPT@HsL6I@A"@AMed^]9FY!,LGclr$Z>,KFWrr=bL7#ub2il*QA]J\h9:`g3.anm0;>'^bDD,f8.8n^cmpAZ%m5C$hMgKObBWY4
+%CFHb)?ch=u#<d%n7A:WF8VR[HJR9XK&Bt0DZS+h3jB.^1_7p()0Md('BX"."">jer3<,d,jq/I_Y7Q13+KI;u_Tb#De5UL$dkHsk
+%[K5D.1,'EB.e->>3286/WH^XW`l\D%AuKE@NL#:nV87]nQ.uL@E<L6d\?PeMB/YF$rgZNtE7TnhnZ`237_]AqD6X"b0_5c$O)I8g
+%5J)@k[Jp]+.35lqOWe[f!87b&^^u=eD2;>+#Yl7WJ!,b&2Y(@6RMQ8k#%4,E<E9G&@fSuXTDp5hfX[7ESl8M[?2828?1nS])i>Df
+%[QS86lh>>4N9G+H5*.=Jdfcnf_4goP&fR!hciWRcA`Eu*]d=>rUrHe`GopIP]qg$C#ClLMqj;t(#IM)%RNZ7g>%%b_.LW/k_?OH/
+%gB?%p,ug<lhe'g>c=W4Lalg0&KF#pU?,<$G6Tdm2.eN^&6ss4c[G;]QFI1Tm6U<QbiE.Zi?[VjLcj[9FbV4E:hZSJnq83X)WEm7<
+%+D_2$r*ort@9\:;);%si`0pML:B7ac@6j`[\=d0idtEl<6\Xha:u9?0WL6$K4@f$%^)gG3S-K*F'/mhRmd28U^rI.qZR5r-$_Z2!
+%liJiSVoTKe$<F`'*<^inVP)Z4:t"<4M?.>jPX"Z533]2t&_''G4PZJ(O"D2Xc7[bb7L4=a7q#6HU0-<5:j]SZaVNcDH5/s]X>"ET
+%oK_14KY4d_0PX2-'*RG&Q69N<c:6=<@>R1/ef,Pb+<]7K2n%3:Rl&32A:G#O7dFIg[QJsH0`g4#?=PrQF!KuUl%pN)2k;Gs=@*=$
+%&AB9[**kN)1hMiWjd.^8NL97o7K@t)+!A8reqL,-30;krb#<7![\+_"it4q-:I1Lf$dRi$_M*uDIb&)kci@';k(Y&5$-sSXWK5FU
+%^l5j5-5?b'I<e]:(2R3arT5/j[R_OMq:NPi?!DTW?\\222Z>fuJidBN(W&Fs0[/iW6A6#boggSW]sr^uJM!UA?sD^O1Fue90Eq/"
+%88`CJ%Z?4H.9[+KJsRV2$@^<66SP5-3BS_?69a^rS$@n&^26.PQ!On\Tgh!/183b64T9CmDhHuoKD[q-_mITIHmlcGp#A>J*Rlfc
+%Q]bku7g"8k0ZNft!!,KhU2:)g=Q=ISXfY<K'+T-tX:s*.BoM/kFI48T.7JhM#2Fk#3C)6s0a@Rg)iu"ppGuo&:]nNZr`R89*n/;?
+%Qb4NtD:fAqKIo[HQI&3$iDU=P-)KO=38imWTGYDSESrb.64R!mmce3i`o@0[CD'&KnsVH@e]Mm1+Skpi`b/.GUk.RD3=2<g(T)jp
+%0bsRFbZgbGU\jUm#5OT?]a\^@&)(Z066b,#oHhnX7RSU^"aBC#Xq7E!7,Ys0.@WYoA6j^ZQic4%D+H5O2=M8$e)Y+11'fkV0E%8n
+%[h@LEd1Q!Ja,ShE4]tBAO"<Bl*?k#>+BbT1$sDS:5]6a+8G=k7S)F,7'pdd?#tn5+X"RI;5*d>fQ?&Wr.Uc3G0:ssQo/7j8VEjq]
+%SjAYU:d0X7IHY'0r4$$"Q6<:GG=3>#N_-676AH.TB:FMC)m;)klUD8UL*7Pt011%)T8qnNpLi,HOde+^n8rCjPfhH@if=YfmBhSM
+%cZt3X,H6q$Ysldk+d7@@Tlt<T;/h/<WT5`:iP?W-0W:IDkkToHINk'9^e"uM_fD0+X%l`"Te2^Un5bl)^.39$Km`837r'S&:&&6t
+%-k?8>GUeI;g/q*@`UZ8uF9`mdE5N(d^\<mtVG0?Qp`<%__\@JFlXn+6`g*fm4ENbCN`2@BBKAPRfs!1RG`&F;@EjbkA]hdH)%I`"
+%o#8JKFh>*.&`$.NYn9<"\QNE4-QaD_11'6`q8'a\*_*5)9Kp*Y#R]M$*_ANq/9%_F]k)^X]e:c\<Feh*?X/Fj1f#/W\(se?FE&fj
+%r8c;F*WVK>lrmu?,8T92.OL.PRiT+k*p@Z%D\Ecmj$Z'[XF\0C=jtAUL>.0s[l2:uci9(e5sNOb3.Shbq(o>drH]gU3ia]7VDhk,
+%_ijj/*a,32+l:atC=7&dp`h(F+O\Dnb"'Bs3Pk6P?X?lq`ReRFjn9_M[<tb_!Vd'i(DFM<*VUEQhfC:a""Wo0?#Iu!J#Ak+Hs-$d
+%GI\;JB-FX(V$&c8a]lSY'J:^TMeGl(+e/WgHYj>sbXAX@=m,-%@uVTY?Y;74Q'G."s4LY&/53hslsaP'^OmQ\I,30D=dTE%b>91&
+%P06Z,JD]d)e.JZ[V@5``1i_el*TD+.r%0s\L_>f;$>5<gkGV+'I^^+-dM@b=MR,!>%e]c9`FHN;`@mRZDg`Su2BtF5C%//e%^#IE
+%8m>q#(u1tH9obEVb.&HQ,+asYCM0f)`\h%m0-O;&7DTRN/(IjH%4,?AlV(S*gJT;$hA?,#r!#=br^sErZ`8Q*7oM$Z@.<]$#ZD;a
+%T)#==&Zq5]#fUcU`jb_<9hD+*%%F]U0UaLH(s;!72M4Y4+`"raI-*4*FZ3&#Bu#0Tl>8S29GC?DAq]&fE;19p0NSGZ-_E,/1VfIa
+%0TX[[9qm76!Oq[S_8L;4`=)&3fkHCE4X"P^K?Js+bSr*i,I2!7)!>dhnG(@rn%TFm/kV$X&6rh3N>D_7@q<`L9`eUB<rJ:O#P=hi
+%-(_pQ%5'Rea.0BE#4p0`,HQf^`\&(,<LMAi`Lc6I2I+)/cXqIt2XP?Zrd2p_>!`]R=lq_#P"]X;D=ur79dR//,7OL[Y2DO\B2h@b
+%j)8Ra(?b$o:RM`d.G5nEo<H52ok7;JQfMWhO:o_la*b,4nTg?.;4AiX8r+Vu'X.89/28A^5*us5To.>+Bo=Y75XtS2A,9uK-WGUD
+%B:`6:jF<OJ.P\&02:Cm7F\E#RdNfkk4jCHAYNbgBGK*jhbpj3u;U0q,<ibPP42eVE'U"CGd:3'(Fp8L/Rg5^+RY&`c%\ILaQ#SDZ
+%T0S>f.2W(`R)/SH=S52qTg92>Z?k?d"REY_8Y\u8,r0=YdDl(2Zoald+asFCJMg7#;FZCJdW)A(K#W]T.Ep77&ST7mPD>C/Aft;1
+%gnd]UT6WhfGG@PChSS*O[gDm!q)e0*nAa2)/B)F-,kr$(+fu81jCY8:jrHQ)!atMAA=YEJkPTVqM>8U'S'W,J;J3:ur$qadm%RD\
+%N[_@G&2ulg!Ej4XM>+!jdPpI%>_YiPj\LDRhJ_)X4k"uR"F?!MIUb4UIE&a<*k*<AT9BN!Q:g%dSUr[LP4`41%81J$2\d^c1a8iV
+%!(./O&'Nhlj2W\p?3'2&4GR\=R?>XUa):NUOh0kq#C&_HD#65EO;:?.e$mW#AJug\bco@'Td6#%[N(E?EqJqTfL*W7Xi^aFParo5
+%*!'Q$"-N%51jI4TI$8feF\DQe%6m-G4^=&&$\9$7hr8@/!uIP"+779B?G.k5i=o7f'A+EuVSTN3'Gl"bqjL!=M)VY=rmoo,\*<ZB
+%O\)aHf@(L&CWo;6O8CrtR;#en3[?*<3?MO\#G,B1G*$4_NA?1g^]`b.h7RWe+_GFDF&3T1UPqeUAJ.pp#tg%167[CPGeJ^p)f?M1
+%]Yq<KkmtPdo%#oZJoEhI22nF$3R>1E:67T8_f.5\Tf="1\$Wj(Qo/Z6*$I+mKo"L\j%!Gi=h(OK_1,7uhIbihF=R:(<qfXlp<8=:
+%_.q#?#:Z41R:g'\Xt#3I"uVq+TpumqBGRMML9i(kVVOXhbl.m<I7U)a,oT#epb&s0g0cN(0=_VD_#U/kT7M'-iqfjZSeo>Ae_5/F
+%;tH)T+R/8r`JSU('Vhpq2-FQ]1/ad(!jf&S>c(7Ea"mj<_Zac+1btm0fg4+nJ$J<V6@MPknuj:cMW_u21,![-WiraWnKKn7\Mt\K
+%2amBI$@"a47nmc((O@=^5V2Rj,W`cbBF"M8<'Mgt+V"^p]?M\>@H!H#iK/oE7CIib]&*t/-Se.25uG4G22gau/Ode1fhYk"f<sBO
+%q(Uo<_s:@h8iY:8p6!Iq,GmeOhGhMV(R&0(nT.0fIm7Z?F.o5::cqi+)u1?`ajH32"7jK260K$XhS<t=DhI!l,s@0>f=#Vc&QN?9
+%aFnql(47`\Lng6/EgBVOFDi"%3V.f@,P4gBkGGJS]*Joamg$nDbj.<&UE8d*A&"IRhV[<q]_$!L*b%HHa^UJ`/ki(gE>3(^G?#/f
+%JE%u#AO0/$hV0%.GJi9LjN#J&m>6g\#LgBg&DE@/9M`$6L+59)8s##!>&'5\l)OT$%n0)\$`;'-2Xfg&;R(G>UkE"X:'g"('>k1Z
+%G.M;c0--!n0Q>PVV+I%D`r:Sq&aor\k'c(L4OLJRb4-)q9?*=.BBVFA];K22.nVZuH'u(_Q1aGBbaI&o45AgMq6s;i!l#TG2BtHK
+%f4@&r1O:]e7MHIN+6iYeK";Ye,+]@k(7eN1FL\LY3sdSP`iE7<ik-ORgq9MG#_`!5%RacA7qlTaOMQF1m0(JD8;[VV5"!,sKVHkr
+%M:]ZEbNZUaR5*?k&]%+2bbU!Y?$3r$fuC7tiZVQ5bt]Tko+@*re"qj6[c_ZP@qQ$%33!QTm!>._+1(lM-Lee?@%UL3Oq\P_8)dZb
+%e+/[`N%>_5PY^/+&Q,Q;8"`9TX(pq!dk?Dh91I!eVJWKJg9d'V'D'SAmG8O\@rW0FUPoO7P=I]9::q[OT2_s2.0dYC"#7so%UYAY
+%-BoTI?si#;i>59ORG"$@Vgb60QFqe..5DZ[TbQn60<<s,j1eP3Gk`\?jR&dh5iH)V0L6X,jJR3hja_Y$lo,ZWdnjMU+pFi69R5YB
+%UQ<Ja_5Jt8ZCZ_jB9mfe]#^B$[fua7s3H%ALgorH\r:BI%r]KAa=;IpWC[$5O=E.g/X(hd&jGV&kc/o`<>BikeWRFp\l:)[KN^6.
+%X@.a-nQ=nA%7Kp-ZFAoF^Jm@$'>XVfh[0L^qI/"0c;Du."Tpn]rkX;nAFnI#9=]8>.IW3e+I%8pH,3TUE,b,UCh&sfA.`V]liNfG
+%UiqgJTP5D.j2GqZStCoL;j)t7"YJ`9N2e8Y>L@5@SP-Po+XINh!hpti-.`;F)2C-qOq95eRuYm+;arcLc.f07qg=IYFQ=?_]EC<p
+%.fXW61rZDMTDA0IDo;R@9`@qI"*;#-WGjQZKpU&p\V2Rf,LOsM5]h%U##>'V(m;R69]Ku\j_VAEa<F+/)#%"\juMjf)?c8J6,Ajc
+%N@I''nM4C@]&2t*)tgrkbWe`44H=Zl"l:)K'dl-'a_1jLeJdoAHH:[;]fA9HR,[/E!,h]am6_ptf:\ORqB!$8Z8$$:p15EHfoC]#
+%#B,fj4+4jAD;7A:Up3FWbQ6N%r,E1W$Q5P*XsA1*f&`<;9=rCb"&PF(g8FqlC(7Tp(dE3lc:,H[%!mbAj#LeMqI@kRFHg;E>Uc\k
+%E50eMroNNcaIf(\^GqH97tt\q#@W^87p,)h%s>.[PW[]8#qR,(r%<=Jk_<!D0rmFU<Z/dQ2WsurCq@/a_p2J8RYG\$A,^%KIF(sC
+%VAciuCI,_Jr,((NjB#b\b5-5!o7-XrPP^KCqj,W`41_`d3_=;IL(FfV[4u?]V6c(4dAG/tmW'*[LQ/OGrAna9m4iE(qUeEsg^#LU
+%>9;1UnTb)gW.3*%ZCTb9RJ1TXgrC7p,Ao^$8p`4dIB]<r1kX:J1iI/D2J_TWS$/;a%NmVLE?6E!6utSI^4_`2Tm'P$nC->+B<aH$
+%#Ks:q\;gIMPTfa7,@s(0BkGlU+iZW;XoeC'BpKb`)#JF@l#FOd%bD3b[&(6fWFjW(Z7EmGI31NElhAc(4OY.YRW>]bV_ftG]A*SX
+%q/l\HU&UXP.qSqD0nsQD[s(#o`9bbtSn+k3ETl3NBOoVLhI+`WL+XYPq"MFBcn;G^/%]XSL7VDZGn-B*ruf'aIQ8K9'XeTLq%\QR
+%rAoJ`d!s8k_'`t[^8cE2s7ZHdY:KWm:T*KG(jDP96D\b,GW+"%35Yd_i__q,Q93JhoVZ9*CZ+N?[%)[XAb]cnXE<F!DH^lEm/IJm
+%B)gukDoe`HF&"\Po\1[B*<Z%]=i;W%".PA_(0$TGb?.:I3i^5Keq9n,(P;M7:6It>p_e?cDo?_T7&\,@<=mBJh8\PP-&D8ek`,Ld
+%qqJ?):@)BC0G+?KFIL7.:!LVC"5#BbcEH77j%f$:AVj_._K(CeP-L400A3MP])Vk?lhra0WfZh!i*C&h(q=lWZI:/e>\'Y#X-HM1
+%)8L+Q5A*f3F2WMSmF'nNI4_.##2p#%dTi72[BcZm?t8;BpGbO4V'pu3";P/+VA!6h39/c?kA$(9":jJ%2S&1GK@gs*ANN&RZA+k/
+%^Yf&Lnt/hq,c]*men"@JgIm*o/`M2G=_4(5etarGj04D^W9*(XZ]9^OEaWNYZ\V%Sk^\JO2aK157pa^]rJ,lia,ZuYh.>?k%7X[t
+%?f1lAo)G!j^a;[m:p"JVQ*DQjeO4LE.p#)Zg]p"%Jf[P.`e\DS\KN8CF;df&,HeE.OLmJFT0jra,).Z,#-`L0Ce(Q2o&)6H`7O=i
+%7iW$!oD02J#:=Af%@6_.B4+R3\`oN2[F3L0LFWUa<6B7?;Yid\'ST)eI1?1D?m^o+/b<0D@2FMe(3Be$OZZt?23Ml-+["T*I"Zt<
+%9*#DqLjZG-W9LN\-.<S/omTQWP78L[/M:9_hT(o8iEb<G$9`02^'7Z'M29!q#m+"<\,G&7DttFhkOSAc-(;^D9WIERQ%;=9\FT1U
+%JJa`/9?83DQ(k/\UVd*A>uLNPLq\uOmQFGK*aH8NU!MZf`DoM@BG)4@SK@QP_tOEmTLGeGbA*qEQB_eca%FrX5f-.e<HspN-1o#s
+%OhY]XVB1(AYUU$*M70hSDIX1$S-b7M*QhW,E_X")0k('+`HO9nd*F!E9!ELjnm'BmO17&$NhL&BEV"i.a(F(GNJuN<?4Dl]e,qA4
+%]34\5Xf88h27+X[k<Hh1@tU0l&APm>CX<_=/1a!K>E$XBj#V36SdJR:%6Pa)iit-d]AA&RO;bSSm#,?g7h"GW]VYLB!M;0ZY$C[K
+%F9&hF\Lp>fJ3MhVO*>sV+@72Fk\Luo1D2Z@;P=8l:TsN2Fu&jo(^$:&o_%Qs`^OPK(*GF.?kNU4T[/OBK**((`kM_d<"+_:mA4]@
+%0ipJEnhh2<$_XgPKI:o$NYs\G:_Fq)r"lY\`3sRnO0E^_W3jVPB6U3F+aY$s"/)]+[k!4!-EHt]h@pag&%e4A:?PY4kEiZ*NGU,e
+%(esb@737>!o'#eqZ[l\$aCKoR1-h8jk#ItqVFTlL0FH)kVc\sa^h[o]cFsKq?pkE`r\HUKPmI27a4D^OjR'1adF-R>b(lp/We$>C
+%:[T6&P6^[V?%3=o+o4WRph37?]H0CN,eHB-9sUd(%.5GKHlH;las-E=/-O69]HiQ)HjdK@9]5(oeeo[B6EC2LhtM51%uhLXE$"Fl
+%+##.p-"[Jr-E##.I-(NcK:Xk]o[c2\jO:cu0g*=\d?NK3O)TTnf.[Eop7VdEl+i)X$J551mlrVc=BkqWZ7K%blrH@uoM4'AGP+3L
+%St*lU#<E?_RDq"Fm.WBO-D@+M+/+t+bC%(;k%ddY0iRE$5r,f:Q@t[`EAO4$g0,cFZ:]DtME+Q<72\?qMT^rL/%b2+iBW>T/,9,_
+%?WE/.Uji\,i1SQum?cFP?"-=*?_m1V,LMF?`Lc)J8g.L\k82kYVeSnIk(dY+@sFejaMKs;)W:lI<?jW;U;H]Wk_ekB0fo/r',1L8
+%^Zk`\YKPIm.YfggY*Y@@5_0PBA')BE"<bQ3.p\o[VK2aW4NC$/Z384.c/"mAptUh')PS:jX)-no)I94!(KimJZI$4NK,3bOOtWiM
+%p`6k35EFkhbK4BNmlKMj.UBoOdLdp<<`[R3(8)eT+mPnpiaTQQFe&?\R!A+M%4\>?q4q_U^-U5^\:,L&ppQ2d9Mn_a,hEL#.#_KW
+%;nH$]h1rZjg;1)ZA5$[#Ma+5Mae5geFa9Pa*nfmtXra4iBtDG=IV+O*%dI9ghK46(].SR"M&<R&?aG(gE6'V+jXF<JWp(YX-#plI
+%0AopU$5bu2>h@$;h_od`Y=2Ku'>I@rX0`P>#KT\qe-R)'!m;Y[mAfN/9e2P#VRq\A;W'I!)91Gq9+]V;Sa56*-=_h#W0*;UEJ6Qf
+%FM]/c`T!hb+Kf2jXlT<A+<Cn@@u/<^6&1bF<g]@uM/L@[M=?\nqjm6q!<o9arJ\oJ7"j)$9>)nc(VuGh>*rseddI88(ELb!n3]N=
+%&RrmU")]NZc32NQ!fJFp@.aqEX88Lu[7@T@#@8@na@X7cbb']\;DkL4_n[A#:)Cl_Ic1=5o64K)_2KstV!dhFPe;7_#Y@H<$Z8M@
+%%qbD+_ub'lZBHFi6PqC#)CI,^g<IN9Dl_5R-Pp_D5uH97GU,uGF(Km"K%l%9AUoCGcKJU(/QO:8-8GZP_;To(BG.'f16R18jutie
+%<qo%DT_#ImijDVNDC@uj3MSjdU`O2WbJliP;VCNWa'i@1B>Ps-:!nq`W*mK9:\*EgY=8UM<GqsmnM_cFIm6;,KFLuodQK/SWn_IZ
+%YC0oVCGm#q,OU%mFEpcX;p7BP2t":0TiGL4$<)K;">S73\\E%Or;f0jTZrL><eCG+,ipqgd]UBN#Z^_nVK8QV70bm_%DM$WfYAd>
+%A0[&AggY`PekSgOTVu6#YB*Pg2Q$V*5]F)$1q)-@*i=6f=@Z#!-c6QM6!9T1&6P)dI!i*JSG8"2q4X*Y^jZb==.>bR/L!-+ndPVc
+%9[!ou3.7O?VE0ZeNO^V-QSM'hk`%M"ghKHs!`hj22aQX]0m("=Gd7Gd$4AY2b:jh^Y]UVF/j%aQ`GXG^U]`S0_.Lm[+CBCmU&)Z+
+%YA3i$,R-Z6jVd2LS-K.Z.RkV)QpuU)OFA,GS$Y6Ua:d)^0k(:-IEp9:UAY_S`U'G"#_A(:DNo4d8TJU6""nY^H0lU&,npL5L!DO-
+%.p]k';nakYVYeU&<.c$)Gp/Z<Q\i>?C#>o4SErnc%tH0Ii$BY<*)/@-/@BphN:dr=:inMtUf')\`YTunL,^[`H,Q;Dk/LP="IG*0
+%YJm>JDk!gGX])4I`8h\Ckp]'a6kNo4gE<uD3JNp_M]*l@[.d(.73!djXk[o\J7*-MRT#%Vl%R=%FPhq"^eXb(Mcp#CQR@6O9d=*-
+%/3L<3*0MH38MVYrO9f)?Yen:_Dh/5V:kgZP+Y+4`$/@%Sndr4Q&r9qQm>m5VDTuK+.H'-_(iF%",a;>3]8$opdS:K@FCih7C+kXl
+%$\H&M_n_d;eg<u-!hbrR&<(J<>QFU87R^9$Y>HUuFCr51R@'=d))R"lmqPprheK/;<U!I#@d>:-!l+-p(Aq"*&h<I5&QbN@Y&.GK
+%nM9&^K?NQOWLD*ZL_&`-'>K9#bYXXJ^d)?e;&;f3,dK6`fcnZk085!EOc&7mE`0t)O#%_jft;C53,;AG/cF$L'PCEBA0Oi<YUW%!
+%J6=1H)>TgWEE*$+-8nXb@+GBJSFlQI`d.rt#j=t+S8:mQE5I'3XtIF[Z&4*"cUT1`1!/cPOCpLT,`>sOPnMO2!&1>o6u?A1hn`D<
+%(n+aH?M0t>LiS#XQ5C\`rlYWkfbIs1\4?5JB,A^p9eKNh,LY5=NsD:%E?FPoP"LTf\+T$l[1?/t!_'Y-o9:_P>3miBUUoMTUff+D
+%M:.X'$X!"LES1rNJ=\+^3Rk"q:U?Go.E+'4&jU1u1F53*m^$faJZZX$p=[>H"2U%t.HkOFW@Kisb7G$NT3ksmH;K(A9_8IO*_T/L
+%(?#UoQ"ojLCuEI%V'Cn_IQQ@Q2RM37X7U4dAlt#r>g_F5HOD*uJh?MC.Od!bQDZZ;5pARJA(ZmbY].T)!Td^0aQ;GC5l]lO":!Ea
+%m_'>e+QIF@mq=*$;M^R,8e;*IA?rLSaKpsd7n_@f/PW$>8ntF]ZHK_-<)(@DKK*KtR+''?.K-L@;!M=EArK=B&$@qAU(ha+4tZFC
+%YC`!=p#^-T/jAlk(6`h=a6ctsrC2)V=hIK6G#)ohfo505(c4#TC`tCYpm?3gF0%'NOegk9lL?/.'>=;kpBPQ]_\sob#[[Z:^7YAh
+%rZ<'GAn!NR@VleN+Q,#K>Bk)>Qj6h4H/=P)>Rl=.R%U1=WP0#oY<L2'(*$9'[7uJ&9QC(]M1DW-\a=jR;6]`'1Ml/]!-GL4/0l8U
+%>*-`>I$]2"dEZPr&H,oHR]-%;j;#2)VH@7tD3J74T@Y6\N2DY\B&,X?C^*u#kUu`L\en'cf3@DZ@n<-$8b:GMY4@b9B1[*;.++]Z
+%(g*^?JJ82YWoa4CODJ_K\pPZa>o\k+#=ZV1LQ2<S^/KHE1cY`2'Nqq;LnRuI#"JiWZlVo*fHg0TOXVeq7216=Q,Srl>=/JKU)l#[
+%o-Bu(oI4p<4%To4"ClrHe5@>@b6B1X**e*Bf9:h=Wig,8EmdN4SfUmYGt*@J..M;/Zt!"B%KfF_3f]P/,#e."3MJpm09>RA'Vc,#
+%A[[I4Xbe/B(4M/pWp\r+hOosY=@">;eYF8D&U,$b<^JJlg#n@U[@;`Ka_"!r/ul$Anktno)JJ4*PL*1soCHEUX%ml.R4KW;5YhjV
+%"/iHV\jY@@kfpJM[>U$0rY72kcb[=h010)Y\F1KJ>M+c"/a5>(`D!oAhPTV\<g#3JgUM5X0&_,b2,/nJ.:W2o#,`WP$ibNU@fSL)
+%-"^`^B9k"+odTQLROZMFS6IT#d.RL!I4T5;aP#MV"f9'mojJe*n[Wb[eK-0VA@]q)\DLnV+^$'CVS][Yp+i8F/,LVBq`I8U<Ac:J
+%^pdea`"H3`f54#\7s2GM4e1X9?>YjKKn'GZQGF17[WWY2:uak<Egb=tp0t5Agr_WE2Zm3tZ,O]1RSl_M<a)@MBI!<Gh.g,?"@bsK
+%h/h@i;nnQA>&'=7=*PQ5S(j7jjPo5&D_XLqCbR@7JDH^JWi^nn4*M+g!a)Zl%hJb:nZ`56NM2W\.h*%0`4*^r:X\(n@kb&m(_LNe
+%MGffIcr#B*"e%>L#,=ck%Ftt2!X2Pg$k_M07(?9]q&]:2<,P,d[hBLC:/)7bdgetePjsp+'hFZb>?R"n[#dfl-,Fo:<>\Tj,;3aj
+%:2IA]ZkPk9lu<`K<tTBWg1Z;UQC6`K.5jQ/H6<ZOg'D.Je4Hp>TcfDj+dcfK1Wum,gP@g"4!30)fEPm7`5;?lo%TB[[+2T6;-D0Q
+%>;`a[+qfNuLY-X*+Ghukd6MMW)DDl7co0QFZ$Q5SOH+1s6Xid[&/Y)W!aUY[@VUK0U+Np7_cAnQZDCa1\`C.C&K?As+utY3=tmHI
+%GugCi]fS&sT*'P->/aFa/gnc_Kp<@t<tUugpe4(LW,W<4ZAVTZgK^PnWmf]//O30pMr"2,j=!c)K/JOuD2>bA[,>=SL6`gn$bHH>
+%@QSQW6)t,r]7tb_dRIHPN/'Q05U/XNb>P\#"ZD!R'5,h)ki\Vrk"$q9fH+"8YZ@QU8GH+qE+pQE(:Iu'5*LD]p_OMjFatjm`&kn9
+%Q^tK8k"5a1D3qE2,T<+r>p4&GZH3&4h#]W,aQ]e+e#OeVP\*uTTXeZ/(/Oh1&=[,1((Mtr#?kM6Pa*dOr\EcJa\GB;1(D"K0,2up
+%Zk%;,MY#>d$aZ^q+b+a+JA%>MQ@rncZ"p(.1$(H3LFuL.jLDRA3_eGnb=,M]MU;`D])6@rG`fpg;nndag`4J36TV3&S!iTt[US4i
+%;!QOWXt_[c<(a';%Jb/+&ruT6C8Bb=_HPLp.#9_&&pT$3>0TeE[Us$WKfPJ4,cde*/l!8"<cR-9V8\8lHHX>$9'6Xu0^-5(gSSdg
+%J5`d.29S/j,eK0."=b$]=L5%;8u1GMN5[,IZQa''4AaJF:Z\:AK79;?XO:*:_.2SB=`'(g0\qX#(H2e\,esuD<`D39hOqi)4s]dA
+%4LO-Q#?Rm!77)%Y*`3Jj$I>rfC'kY-gm3>,'a1t>&(W:rDU.mba8cHfZdC'81G5M+l'*$h%d-dW.m3Bo,CZ1KX<Q+^d0jYi>=t/O
+%eBC.8!(ZJ63Z:^:$&MIKG"bPjG9skE;qh_,>)"$Ejj[A:J/OAUA59C/-YX>Hd^%6"/!ben+TUecM>N\Y[L/nu6!'?9;_51BlL3b>
+%i&I3D4Ci(IS>`g9%7*;@kC?ne!3>/k\MD<1;GfEH3t*!&nmO,$1i4[9bTO5tl%5NaARocF-i'Cq(:BjW70pV)<1Y3;M'=)_Gas65
+%53<b"4^`DLLZ1FgM69boR[&SB_ZCKkq?ldVkRJqPgj+7n4/h:DYf?9_`30i"<SSpOKX>bO.:`c^ZpOa,#KSY$'f`mC.3A*=fATFg
+%Pj@"g^kL2Td9l&^^p-9A'&M`V-ZIu%`[;:GVtqXI4?WH$E]>?0i,?K$E.OZCSAZ:>8#f=NmDQKX7j;'m@ZnNDLC#,tU6a<\J7#56
+%5h=T_HS,?W@\D9"79WF5:6m=2:8eqDhuM\138cM+^`#q(2A<M#fN_8NEl2dWVqErk&=S<BL$q>2&T0"Q\HADmGo%d'_>NuZ`DHI8
+%Olpa$2FP<\W*+&MN?\.KQ^0(-/<?tB<V%4$Mp,;u4[[FY@3cPFE;5!0Qcc4aV1+"-Co#%>Y`"PWa"hCF5gI1ni_;Gf@5t]Xj=_l@
+%Ig(C*Q,c/!-`_EG1dNhB_+=4QSP#i52oJVP8L<%:p=es)_JDkU;2fUAFA"3?lC3h8^Wf_D/e"e&$BRN'PQdJQnl":hX/R(<:]Asl
+%a_bsi5ThjLPu2$3LDo?U;cM,U.[L8aIoQ5FirOAX2(+V2S)ZuMB#l8Ta<o[/oK],'-psm;!f@2QMBt\Pr!:YTAEAC)r]L2toui:/
+%61^XC?%Q0a`sq[>ckBj7d<(.V:Y$PKUa*4J8W/!8:P"n71uVcgUBAnE$:>9m(n@o83-S#:`%ur2_pO$%0Fmc)':NZ'^%Rgg+A+]3
+%5c!M"0PosRJes.@%[6El5)?d?h1/%(Nac21k@oIUWN0I\A&u(^E<'S`%c;*&(3c[oVs(Hp\1-[2;gj6a4gN<,o,s'JN&q(db&r*e
+%#"Sf*`7,GV":4`:15`:Ub*_]m2u@(M&lJ!gll")nEl4Uh#oH9:%Tcl<\hMdUdqET!)f.MM@7F*K(p/VXpRK?b%1a,bc!jQI"lSi#
+%D$-8fDUbbV(75Rc(mkqmNc%P6/=-iA:U1FVD)149REM;l:Z2f%_A^-Wm1aOP1u/u2M52U,;oP5l44rAd*K)g(l6IQ<f%CI)`t^ap
+%aPrlU/L\7r#&@I_9OrmV$KU)JZLlCYpoe^@ckZ.>]t:od%7dLCS5HM?0D$KM$+$#:J?b0M_k(0Xe/;IL7sJMmq\R?goW/IVAB;0'
+%*:u8;1J.M"XXePMQ`>Bj)K@U+j[<7Hm]q=D\Jh#u<0t4rHk&XZUZe-bp>^q/]h]$Kc#$=V:X@Dh[,m[a`d%a^'UFA=O.D-CY?Qa'
+%3dGGg!B`3@:4hL4[iHd+&nRsYbe\>)JY9SJjeAW>i&m3fXns)N/-%pZX#LRDVS$tb%LuVOpEnTAdFlEdhr<cM-_-m=KJ6uID4Zoe
+%NCdm1lI,m>P$M&#7+>sZ\a:_,e"Va>Ft9j3l[[V-<Qf02E*#he3R962YL[P=\-Xi.cU:;,2H)JB&Q6!<q=]UlP,KsP$Qq:oq]biM
+%9Aff??cXsD,ZgnT8q@Q@/dOcV2V]nJ:#Sb`:8":nVfT\:']EbV[tucpgj4u@4WBDFf$*^OHVr0/L+I44LT?%F)TM6].tLVnfu).`
+%fGmJC,pFjq_:)(YNcd65,d!GX50ma`jk<ZPXRD)7ZRnI&0jOLtYT1s&hA'RD6Th'5RdAhh#ii+j7p_7k(\^'(.Sg_j9nGZe)./b&
+%HekRZc,>%6hK@u?H$j'gA3&).VKkkUF;,\15-p6.#+&mpoea)%H5.utlcH67_uRs]jaA1ik.48Q#_uR$D*#6i3;L?4dPIpad**ab
+%U[te-[2bhJMW(9']j>>"C=e(X1VZ)ns#))+eQP*0Ys2_6g8t^ba*h$"2u`4r;H1jrFqa!dKG8^T/ilKb:f-u*G9DHrF.l_r3r2^K
+%,_;a0XuT#]T4bIh.NE-mZYE<k[]T6ACdp0<A0k#k>6#bpc)WVJjnRl9^i2aXdK%H&8N#:.W7=")n1m5ZII<csCg+KSPI1kS%[Sm9
+%7Q:CP)4e\WCo`8L,3aXT!oZ(+9n@,Sc`e^a%9+rbIB$0d>2bMg4)$^BGrX^-C5$Is,-pJ[[`R/.O's7Omb-If'OJ&Rj3Cu;3Ha\`
+%5B1J,&oBCo."73TD5N8V$^K$QM[&i(?O*_W3\M&_/;_`9ZlMU\?l(C+q&#)ghlt$'((0=E_bhQe/"CZ7>Mr]>d('J#p"L][*%O_h
+%I#>rb]?S@0DQ6+ACik;rh;G.<$s-(U6"1SW"g:N0FJgj5mUA%;LAs/KL=;gGf]pLn<9'j:ZP<:ZY:V_th'EDq.%Bt/>OMn2!_hA$
+%i%rTjh57B)CDhlq:J\!i@,`PkeB6J\/M.LEH,Xh1rNL"`,16p=TrtAb&`T#dF!`+>qN,KL:/JuJFB!5Aq?Hp;s4\e;Ho3IjZ.(OB
+%].kB0]9(=8W2U3K/("f7g(l$8?J%7*:t-T\KpkoM!s%\b*LES=8iWL2`k:sumoMX2MI5-/E?V\.>/Tj5OT7aJ#u:tJJpkFHokAR^
+%oM"F@6ilT[#7S1>YrB8%*en*):BS7(WcdnF_U7XW\0?1<E(L+c6d?3X)0ZGE(J-<NW\3=>lQRh\q*a;tg?-L7`9,IUf2`\Tl.r+"
+%O"DT%4lKugX=Z7T^tW%ZfiUZLg!H>P5;8hNl"9c\&ouY!#H&$;/NiI[V=:rhV/W&Zs7c.(VM7l?[:\,tK95Gr1g;WUWADC2%'a8V
+%GV%NS9K5DD(7+41_]r.aE$^eZIqNC?c%d"H_e;Y+Nr[R`:PpC?`B"go0EnYfi[J(BQPR&@2anXJ*oZYLX@&I<KAXMO:X;"oqD?"B
+%F;ktM)Ue]>j@mXcqF<.VEgo*g2,4*E*Eus=)-%CuYn1^rSu>85i>Wp+SlN#*Y4UHDLAo'^6-ucNfc"=ADCSnGWb0d?[M9,6otWHh
+%["!2).VmStA51>":C<0J%',p8h58emrgVf2H'siM]"L?qd7l2\#_7.YPaehe0;\o:;-@^WdghKgo3#O*?tR[k!6gB2aTEZZa1YuH
+%``J[(>=m[+^iIO"E0LDKC5`EG(_uP1.GEs%L=Z,nWt&#$a3T9YN&oc)"\m!!m<4-obI!Q6CmK.:NWkc2ZM/Pf^!59)Q@W$E^B>Ya
+%)]-&XBsFXK=TR;0B[$os(Sm0)])AeNaI_[*k6S_&=ntS]O41\2=f=#lI&!X4A=3Q9M3?tN%g($57$19S%<b%Z$LLhA.0=],T5@n@
+%$Looqhr.031.\D`;[J:=`7?4*=q%*3%I\ZR/>t%hi@d:+:$ld*#f*,?_CsCEP,:u@SPA_"S+q%*bcSYo/di:T^M@PH8SYcMFnYhp
+%S]$7Ng38?X,Rj$X'O@F`$OSpJ0&/>7K%8)`]\T\d[o/mO]^.oRB:G6'1O^Z?mm.5Tl!K4'h/Mlpa#0OSJEb)N6I;G]4Jl$Ndn6f!
+%J9V@p*+%G:?\_Z)-)A#Hr/?*Ch,>TDb97BpiVfp%8O*<./(CdeG%AL5+6qOQD(eL:+5$E^@E6>:j;^M/V;$cV&gX$iWfEDtOtMtj
+%XO0M'V"dX4G4@E.cNlTc0!7Y+,Nj%$1i.^s75%*B/HfFh7P+CfLR$_.$+K"X!XEN,ZI',r)ibbg&Q-5,J3pJI'$+oH;:,:0<=+U6
+%4;[o7/;^092[(D-]*,kUlc*#-n\*.T%Q>lM=4D5@I7!@ElY,2We6ML@fH8E()ZTm25/]kg&Nc:T1o[AtTdd"WV:gp<E"OuT?5SQ0
+%,^=<-^sc,`Ef##HZ[mA2=tBZ()Y+kBF[iL91,N`6/6-?%cH$'UoPRE0!oPM[g(+Su&3P")bKA(;).U\>`f7/9AMt<Mr[MEN'g4PW
+%,,-?@9LdIH5fTEc)+P&6+FruPS$jYDB55shjm&m>3>F:*=8F.KH8fRgn`rM;$L*T0XPD8sD\J/crLjpUG9[J0n.=Lf!V;.".83#]
+%Ba/r-:*.?`\3>AnZD?[lZ8*Q?!9>$YA)62jYV)%!kTL5t``J$G)<dD$`X"T?B(0*AgO^uZ73:.I%X8h6lAcbPBA1sr_soP"F`AM^
+%*6sj1ie`F-D9PX/Ki`H1n[>##Y3rAam;Ai2=\1^\,9cB<SF?NuBe%ku?*^PnKG#/=#>F)W&VJLa^M@DDh[u9'paf(k*JAbV!R7*&
+%ra>?;2l["a/MDZg@6&A4#^3^QKLEt8OChkMS&]0rQ<.l"9G1[A(R#I="KlA(O]$RP!qAQk;84[cgNiL\dGnr9\!]n)c*:/344Vb>
+%)5s\GU.GLA!3Hs+ZOK;BbL/[)Z_<W\].?GV#I"jcY[7.<Dpb,1,nE3gC`?`[_WWXg(aD-^:/<FAqB5)l/=m1;M4#([#9`%$B^9\)
+%`6Y7*Q$<^q<W_=bTFku*dc0'uL=b0H_%[30d11Etb=4-`Rs9mV>"uOdS!H8;0OHmB/VAn-Urepe9FteH1X"a_+%dSp*6ZWA+**]^
+%>5&nfC#^_or>&[&))2k\:BCHeQ'iG,65EQNMi3;+D7ig-ZY`>^ZM9j!FY[s]UmV7F<8#aL,QRHJp3aM*[,-mI_Q<kBe'gj+F.h7s
+%j27rf2D1c1W67O.]t6mgJ/c#=,s#0!Rf"eeTtlI(@hsDHF7j^1C##T?3K+naED,1-@LG[\]XB%g9^;I4Kn\?Kj)(Z$Kb9%h8Gl.K
+%<B3)&4$KbXN0nX:fO1K_A(=>6,Mj2XA6:abMBh>!UUQZ>m>Ak2l2pcc5qtroL+BV2H35LMU^5,9;!Gq.N/0%L5(hgE+[p3Bn5^2a
+%@!=OeNSAU<KlQ-'TXpu>2>dJ#@"JDt3@[FgFnnRYq3fP6<D1_.)kUtNqQ]RU-"cgN`IeOt+XS$R:R`a"TO;uV.s4)bF-"4*]O*"3
+%RnUeB4BdWRbA:@T#]Q4V)Z[(nX->=Ii.9O[L_m(&)h<Aa+0Kr2Q<_]&Y*XVPbVBhLQM!2:%UkkhJ8>cijH`N19lLY_m9&PAgP)Qo
+%OpT_8BZ&77NGhM40"!#-<.Nn/Q?,sRSf>f4i`3IaH<C'HoYJ6MoJYAp0l^34R_clE/SF1#$`/hO+-jdY5SG9L^4g4p>t39`2%6r%
+%cq.;q`.hij'S_UN\CGa?EJouZFELen%6cFtI4%bC0_nP-11bj1SLei2^,+i6_M^c9)KoYs-s[,rG"68o8kqCQW/9P0L:nJght+*t
+%@&ZOd&;*\LhumkPr%"+mO@Uo]iDaIl4:iG1]0fLB6K!!][K=(Y+%8<ol%jg/!?feuS&SO08q"4N&>HHe*dOk5%:49h70c+Y[56P#
+%fJF>8D,]l,o,[FUUL.t:_3U#mXSZAYW*-P'&j!]SINg?F@._o;Dc=*"Lqbhp.YDQ).-k'4A&>DKcZd`c@pUNH6h8'dbOM]u/]e6@
+%$\#NN?e7N'PQ.Gu!tlt^;F[i6p*7kpRoIPW]`.mp(Xj^79X);CV_hG"1IEk<8DkEf<S21]"!6CDe1572fQY\A3=;KiJprXBfZ=]5
+%BpWZ;&ZK%&Wu$Air)BbcmNnZ^<'rV<QB!'LF:NJgn&mUpS`c<(@)OmE`?!)uFj&QWK,b4r=(.TdScC^@>:@*%>4fudhe#[+"pG9:
+%[2/0Ba[.C]F7@ct`SAfC.okEp`@GT1+M:(f46Znm*<G^V*&5u^$1SbSnPkq9=:"/VWE+22Ln`M<G99k5D>AsDGgM5&(qnF1I<AWp
+%l"9#U-'@s>l.Z=heb7YN<92I4'f9E*[-*9MXt')G'9SW3'Wm([VE%c28ErVEW2Y<4"<)Ar5,T`!.(b]Pf>Y-`i>.et=]C`n-;.U@
+%lR"EcJUX##$&]__d<&^*BQB43Ih(s//H#)Zl)QA41`.%$@OFLpLNS7a13Urb;oQ)#.>4T')KBEZc"2g8Y99(pMS4`Z,%-rbeus't
+%5\qq-f!U*P5jBTBZQnP*m.Zidi(K,h3LohcSV$Hpi"',B[@8$%3R"sX8;]Xi*6WBCK5$g[Bh_VEK=iOK?.d2t8^4;kiiY%41E"r1
+%)(6B>[$eJ].,cFt^CpI31_@WN\AWe^;i<$oLmO7TF,u=\*177X[)0GW_\B/0%Nrn,eP,]2EP>$iOpI9d(0NYoYRX+Zb2Khp$j2R%
+%-CB4oGRi179h:l#AZ^ob%DNTo8KWb!]Md6B`fV^pN!&+%))DpUIu4.QK)[TdBdghZ"Js^F4=k+^4]j\+]9NoA7f#"Z8D;Rh:(RJ[
+%%[VH`@qUU+;Wj^;@$U!>r*`So2X6/n+K6J.M7a>/`@P:Z@UF*uNd7rC$!iJGS2QNOlfZ$,3AdZ'^5UQ@`]jO5fZ<9]*D*WY"=g[#
+%`]UqAK706:PCR4VT,Q1q@3t<8d(0<@+5;[1TPX0KA0ps0raij$i<K)HV.TnI;A)4M'V22hFjn)PWs+@30+BWB]2c*V+#DGSAPfF[
+%og=?BhDKE$n1_^qoB7e6,(CKtgZ7/;l:%=F0:/**>7++-;HDe'K&[1om4#k"))>Rs[TGR9Dr)8W_[3m<*D"$/;G+$*Z8uTl9NRMB
+%9*HoI.9);gR&Mg&nms,B]8o30rbf,[2L2Q)-pS$;U_Fo'I@4]B[P)BKka@#i(Hh=PFO=o)buRFaYnSuY3hM/)6[>(M#;m'5+]i[W
+%(28J+2iQfPic&i-^6Wa7Qk#TD.OKH`GIbtq*9<HKnm.B[$@dkT;[R[_Ha1)KbEc\Xf3mLubGYSq,VIg><kbY'b!9qBnCM0_M68^7
+%+V]!#Z4\nFItbB$3DYOK%qL]t>(&8>(:5H7o6$b0NfhDpe@fZI?,t9WVR;Pt)ET!03eU1khZ\-'Ca+uL_*lKUq9)=dVS+D(JSGO\
+%3J521_UuQ.5B_rg.[jd=E+s6ElI8Hk,&Z-<[n/T$.H:mj&eDbC_?3;BA6>i"8#bD)Z]'KYE!M,2qMpi2G5/A+IFk7FMl6erRnM``
+%$rO7@7^ErRIC*ok=AmdR,X^M%L7)/<7N4'l%eA:(T&%VXl#`8[NZ^)Q7N<#idS?*=iRb]1UM2&I4-$qUZ278%!R"@IKMOHY]+'&R
+%$m4nL.U0Hr,8l%_%6mP;;9%FEB'CTlI1>me5)P[SS=lR9\BoX<3Kau^8"-C[E?',DAL-iAr8h3VeZrX8&[s?W3)O<mEgGno9Prs&
+%,H=_h3',t<K"Z>57\bs/P)*I'=p!Y&$"-.]pgLR>$u's`ps#C?rV,([DZ^[hfn@*50b:Z^.)<AEY++Ka'E69GbVb(3W6SlodWE?n
+%'GSMLLgc4RUP(ng]$e2I%eCGdf%j/"%gQFO)[@p,q-ff8EotaThJ2>`<a8W+)@Il&/"YOOqDLhHl>#/Vq\!1&((b_$>a99"6-7!M
+%)3Me=kCu'[\ua+c&VQ0eU=M_W?ogkdMcCW>!-mI1<Ah$*2`KM.>EtZsVSb'%b<$g;l$A=2;5Js@!IFcKmsq,N`R[djLu9*M&O)ON
+%&kX7kXMmqhnS:RESI;u,A;C'pk(2bpL^F3=Y+M)t&oW=R\YhIfn,L$&"&AAc"bXI#JOC*7TE%Dc2*1usXi/pr/BDsK2+Y>oUVdm<
+%I2^s=0uVaD6/a8G*/HM("e1D<M8SLeAB@#75EA\YatVbHB``eMF2"m$n[!&r&XG:oU/mV'd?b@:REMMJ*3d<q/3YU71EG+ign5Si
+%1%kQm8qoLRG'"/,CjVY7T0\-/6;Y<-9X2A"QGWC93O;un_o2[r2ld`^L;D-n'JbB:M`G'/jKpcnPRE=>RCYikKED6cBA?1R3@Ddl
+%'%O/%Y[@ss5]u5QF1tfkj(GmcflbsO+G(,(,g&S\mAmW2!+r6rU#\VGW>P,$UfSWJ\g.4+PL9X+_&qN5+o&A1D,,Na*Y&c(i8.4+
+%1E:!KAZlP,;1Gle(f\Ag&_n+Y]BkhTdCHAOK4ATb]Mg.+;hD=1R,:^F^lBo+Y\10o_R"R-*!WMXC6Jdhb$AI0b!4T)D!siF&5-HA
+%D%W*>Mam6i>]JUG$Kd=CLsAr]('0+2/nsR'k9Eo\OY]8<E$8p*VIOc7'<hGNT#)8j!XM5DHVVOs$@b<"G/5ddV+PkR;^\J@b(k!'
+%G'>k.Y@14SB#;)cH$@VHMVSig]%`Inbc1`PiWLLVccR]&;^\K1Q$=Hloe@\ok\ZJ)bTJ%'a:+_S!H@_VN"at)rm?J;^95S.MIGt^
+%X#oj!:'/+T6V3L<oA;,O2BefqlHR4X-taq'Lg0`'-g2To0EDiP&r[%p+4DU^o$AS+9Z8l=rrSn\>+<`>2eB_.1qH"0+?t%R6^,Z0
+%MUF(r7d"Fij\_RCTu7="a!)cMS3hOVnF+8c!o<s'.LH_>U"ee^G-O2V$<[feDA5PfDA?([>Fkc@Nadt\o86SIF8%U/Q-RFG?9HQ-
+%dPsTGNL2NW,p`@fA#BB[,\DI#,$19@X4[=RaFM\Kd+6-mq-Qp-Q2400^!1%FDR9*?::$oL#=lYZ;Y\Yhmnls<:gW3iZD_qKP/qff
+%?'cqu)`_4]!psOs+<3(pV/QJYM\uX+#bo@9$m]%(Q%/ouil7?Q`kmqhm-I(5P[^WiU\S;nLhVi3KW(E0IeECp;1.#O,(G7pbdto`
+%rN!(QS%o7Q38:AU[Od#65o0ru&dTUK=b`G$FI`=pArqNDk+B.dmZVX[^n9#I71mF8F1^U3fcpT%J6SMe!EauOM"Dp&d9Nb"'F)4]
+%Ui\?l#<]pq9p#s)n7q$$juF]iSOm@TT+Y4U<5:-L,\9^\%V$)pLIcllpeO#-/4#A(Q4lM(:e4"FR.P$+p_phfIQ"!9'_$%2@9JSA
+%%'uq5mQrpe1b&I)7cGl<HIG%]AL=W+p#=VmV@Y.<T;Dc!MSM?tbQiYGF]FI1'mq?23W?5r:;RLb4KJ3e9irSAISAPO>W+R>:e+fH
+%lj.h\-6l3D%"&;2SOFn6U,&n8/qZ2K@)J^mfa)N@FG..O!3?1-"-1dMVk8RIPY@:/ak2@_,5u7L2S\7PF;jEPG0]4pfB4Hs\S\0:
+%dcPfc`Ffs3m%p8F%<XZRBZ.0k,:R8JcSpmaF;UaA4&`8@-PAJG!#KF^^d6>"e8lA+KF\LQN=)L&+O(A&U00sd;FjUlE6]>&&0!")
+%R/YHnfRf$!!VV+J/l)%h?aKGa+hq<IgM0"K>PloRS3$AM$eWFbH+*-;=&W2=*N[U=Fe:=R^m:E@f9EL"I&LHn$Ll;bV"bX+fc`da
+%2D\s7hs&i;eR,R4kWddu`$Z@F/Ib>Z1#K%bk@Ybi\Xg'-5O6J*bUA(Oe"WYc^nSPnAraG^2)*C38D,N`.lTW<'_1\i;lsq;%05;n
+%AG<5:'6Jn91\bI]I<Hk3)]mTFXj(@E?5=0pb"Hqs)IuSG*-J-#,]&A>.$Lp"TPCRVob3<]*1.o:+CX+"gld>%9k==0Y=&:)TJLcR
+%D)%'EnY.M-@ILMbQ=Umea5V$rGiU_sd?K,;;*9"5Z]LJ%q*nFL-pGKsW9NY@rN)LE$)d![J!eIudmFC`\i0VL)`lL0[c+C.3B^&b
+%f#;(LeM$:"AL-#`^;N;H^o]NoWb`pPVc`35Z<cVaAqu\5NUJ<B>PfOW?C#B8i^utK]j"&K#;3h\<@C/+"fJ@6A4$\_(Pc$LNb:ed
+%Go?H;X?eKhHp5tYR_sm6\u+b3[$p/<V3TQ3.P0L3A/_hsc2C-GPu2LR2hmP12HWgKR)a5pc=RcN9urrLq7#FT)@Yfmr>$1PZ`[:l
+%;FD>+ebM$2*&d?^7&:*<_Z'bXn8o/7X73HYg/*MJ3'a<[pZn"jQegTiKdfKoV82=U:N$V"fORusVZEXs9UOp&AM_s?=a<@ldjRi\
+%ZjUAZkD=&;W2;IrPc.?gK]2ugmc<0O6CqG6QE[-7+C2-U?rHJqs-2Om#5]k^Q.Z]@0fShkROFH3S,/5^H8SY)@,=+3j1Z?Wi]'0g
+%U;A4+h.2A)N#)!jKHEFJ</OWk13\(DX^V&sku+o.=(mW>3.c/+HB<4^9Q(Mo[/J)N@2i6p@0ipI'ja,%l#"+J7?&\\$ufi%EAeN[
+%l2:TO&bS"iHeDsq,`6Xr\2&l0RL2YATd\&r@o%r\DHZ'4GCQk>K9K%ukd&KCZ$ohL0Q(DH&Wn'$`afeD$pDF[Xe7Sf&@4pq[C?qt
+%5%C^KPAkt_nn-/g:M0.fR7J?,+nUm[_33eKkFs7W^Hf-S)+F$tRsJg1-U-osUl\hk]2R[??\a"E=FI\7rb%j>B&%[Wdb?fcS-ZW6
+%ST_k<@G(Y#8BuHmT<j:X`-(%]5NPp^<n@H()/:2#Httn'qO!W5"fU\!X/aGt2Dp1MmCAK<m*sNAAd#"j[`gt--VZNei[Rb,r%tq'
+%nJR7$]?#>Jf&b(bg8GuDQ:d#<YW/TFKT@sB_6STHdrJ5gUlt54iDhF[GlQ3g_Y>'u/_mnXRi7HG$leQJY-d"?A3[eJaW$FFpG#>@
+%?Jo$nTeqj&&I%2S(rYJ0qD8lt@=q\(<N!HODW!c'`*eHSF,:JDdgY4rGRm_QhSU-?XpZGAQa!m]iF@=I.uoX8`NR5]9.'q#lH03q
+%DN"<CfZ8fX2fgS0_TlthO&M(0B1Y>R-B@[d:0`Ta>*;'9CFuQQ\.=sXb9h0p_ASpq-*P,6Ypj?WFr4#V:/gh&XlJ^3:pVXA5M@65
+%e\jD8a@$W1,rJ\Pc.&jXq-t!@:!72qfV859:08;IB6HlKSGGdVB+sC#_(f4;nX$8D_rGCF:f/=3MN+-`!JP/P:VfYpQ%K7]O1V`s
+%qeQO."Ao4!=#;RXU.Va@$PEcd$E;&k&/RsKJ86IYZQkq*cM@6*J*9B2M39!,@$s;/R]T5LQ*GH&2Z>*aR`PCMY6tJ'BSeGCiPU%%
+%X8c:6+d(HL9Ms=]<i9T8's4nq.B"`K0L4idYO^j1HM5>tVT-W`K8l;&RO"E$E;EFV#CdP:'(!>oiT]AC-]8YBEkr$I:G`Z#A=^LA
+%<4:'XTgY9H\skf2@rsYT;GGI`4LB[U*O>*Q(R\![*!.^0"^3kYTLB8AKgVbnl#%::mo>K^"h1TB&^;=/]t3X$:q0c6!((S*j7mG3
+%X,I\KWKI?r7X%FQTEs%.K#+mOklDYI!XF/>%oKW1#>1`#+oI@"]1%_&:^Y(=2?4=ci4I[R8PA)UC37jrIl`tuAW,+f.r0p[;8U0Q
+%?2@4KJ]Y[+RWUDIB.<$5YhL`0s071'9L?CF;7=%"XDZLf3K!tf-gDW67jer"T>TMcB84-!6^UuID*e1\Q&11snd.%I'l)f?=.A63
+%KJ*?fkhruG&;`N@e:],9AI:/a81K>;.JDiYk"GAt]?usI%$GB%%69#+h.5jaFOBYtX.]-P2?YJAVXj.g];*lB>%\r.],CR^(ECf%
+%#B''#`&8(m`bB)AS,'>JBdX9o<&VYXZOPb>AK'H?'%"^#_#i\V19J\lpiIXP*Qp3-7$6P(JL$/_=Pob4B$H?MO$ngk@/I1<PL3M[
+%S[dF$0XG^W\&4@SB,k2bP(P#A5NX?"IX\@'m_Xoj"tKf*e-m?lm.t;'S#q1A%7#:M>b+MeJ$aDs!4T%GY_<^!?31;p-,D<c%!-XP
+%0)_&>rK&^tXTlg^o"[4+[#HEdF[D[6B\*@!PaHp30%m4C=1jp=Xm8M$8fg^]]mQ6[Ms0>AD[.7Rr$'C072C1eUkf9j^o_"uiMGPX
+%AE.2V7J%5YkJM=YPOm]N@`:uHQ47/borgPF,^5W0$NcG(ou-bg/<6+UI&C,(<=gHa6R_0fT7H9*67_T/_$j/ILa&cCK>Z]fh-\,Z
+%`s7o1O$="#[0-.l]T`^Rfr3uhmG3G8^Y?A!"Psiuc)@3X>$^b[_G@;.jnh^JTjoUJm82%$>Wu(0^r(221ZYZoL'^DhE)8=97/rur
+%AJDSZ/@L(k!@p@ghGrjGr_AYlfuLl2BdB_mb5>SK]L1;u#pP/q&Bc_%Hn==#99nDl.OJctBnpM/(1rO(%6U\Z:?F',DKMDC&e?.m
+%,Dcj5_HKL=gukRbaaKeRVNQRg.,[X(`tqa#E-`b+XRbQSZEm%Tb*`k(HDd4[*gV8Cj9?q,AC?7J`:K`PdMu-8SV%^h+(Hb=mZ0(c
+%`.@b(TN4F)JT>#?iFT8MghWD7>t`kg@e/J$b1L1M9,6HF^E:3Lk;Xo*pn$afa%T<3>HIUI!-4ZQ-!1PN-t=EtO*ju6Qc+;q>W'1?
+%:-Gr$j/E6M,J0eC1*flD)LlJ5<U!6LI`?K&=u1:d4m`))<=SDfU#O%CeWN>JVE>rj:D?iPpV`:Pl&VF-ZHp9E'u@?L&N(7.Fn^/3
+%Y]@.3TGi/F/IG(+-SQs,/(i<,$%pbXW)ed(OpA"A6"jbRFqb.]@Cqt++mD\%j6Iibh$4,c]DLrZfT?U8^ebQiR)6j[9O6]HNjb'^
+%Fhf/l.SPR2V4"*))#8$;)&!%#IF<D<qN%HbVF<'g)8,#<=)'t=VjNmDcbF\+@+1'7ZgP"Iq+\sW2@RHuYWGEZ5F4[q<0B5]!kA0B
+%gKTRi:'U5(FfN5-"!XTjg!&o/*KsXW`*,K2jo5=M;99U*3AL=Bal?,k$9o*Z;n))>-;qdm?&HDA%WcU],mBeM9O-*+],C6X5*up6
+%n;fUF4V)AV)N+/@%_5QOQD&>Pb`>!.7-*t.>t![FZAk-FY>tbs/8W!HV1Z+KMlr>d:7Y"]ZD173Fa8i=P.)]<+Vt5u$:9MJ=7[]Y
+%9@gdY%>SoVWc!ZL,XLr"niB19#"`K"5I0\#8d<PUeB\V\5!fTB!YZrR)&b&oa-QYJ]/AKCD/8Y)/,\EQ/CQ#:eT#=a:O1\/2bW>/
+%-UH0Br^I^_s0T(LeX\qT9',0Z,R`&Ng+^rmd!7s_:0aTX/b;qTP%8DL9t2[R3ab3IJF.Z8R+1O(>CZqM*4'/'k_,cWhV,5aaU\5a
+%<`+N-iJK..hNFTN[nh;TnOsnoH6FO:_2FL=\D-Z5PH9#$bgPg!D]hfJ_TA&]g!o_b+tij3qu@r;nSELGa#CU#3)f1_[Da)eW90h&
+%&,UC'7iU6r3)mHl/@!jdbd@g5M0VcWS]O#pRhC$I<%&<HAdV-Z'$gSQ>*XD'M`74\9$O(NSk5-hpT'>;MtjqK+*iE;\_s\Hh-7-K
+%Hd\;,kY`;:_?Ku1Yl<FE<GuTG+1jDOdTr^%?l2_H7Tn1p*$Ju1bs@=2<TTS'P7c\#j"N-A3Z?^k->=t*d7>EWe_mY#)F$hXqC<`s
+%!L+Q5(g)f-D:<:N;hjU-*r+j/Mtp)n5DJn/s1E*:kgh.P'KE0XgoZUhgj*_"&?*_MrmHk*9NWGFZ1/!.!-!VF,])0dmNi!Y-[?f)
+%IKOk-`3%$1-*c<*CJm:dA5d.g=U(if4GBdkdT3(=+!^!DM#iO\A-2OAHoJD0QoAZT\<=qr81d0^#e:*YeF8]=(Blnl,)%-u=IYcF
+%r`aaRi?]sVs6/'I<'ZRB60/),;7Zm%<'$-*Qtipt_0Z7WR\WcI%?l>$U>udX"rf)&R(uf@G=o>Z5n!k88Q()s$1o5"bre4+PM&6U
+%L0D?X%I5IfZG;SaK:G2L?H</O0%\E!pas3VQ@()"LX%I/:R&/a_NP.m%4I+\dYUH9RZ;C?*J\,.V`;U#RX??D.l!79MPR%a)em?<
+%%,eieTM:]69\XrSnRe9jSr/8#!9rh(7K([%:Goo%%E!jK[E>Q[Z^lmS0I=Gb#4h-c#h1YLh'.no3\-F,;!HaJ%&6m%PN]eF9TiqK
+%ncu+S.Y\U]@gELa--n'f.=HB_=2lA/oQgtc,L8Y^QMD>V0uP9k^$L[T>6?(M5($,0V`W'RT57&8`*"PnY#;-TYFs>E,pV0!Z!=5q
+%G)JJfmBKUdL42E_(V]qaT%F]eA/Z@[ZJ7HN6#[f`a,@FD[\71KK7IfX;PC+FbPX*7Rq[>u&1\)+)'RNCL10oiINoJs2@L0"&.&M*
+%e-?NeIrnYG;O1Zu.^4pe$mV0LV(Q_[n^su?3QXmO3nf0_!(n5q[9k+@JbU#kR;-cLiOBGj;Q)7$qf8#Z$Lf(Q2*f<;C\9F)Rq[<e
+%$?HG2-l2-VCrRNtlOXJ@lYn1I2]G5I2bOah1S#-tr!K02e1L^jNb(_H+kL*X_p-#E4@omC4#Q?rO.ufT's]I5aZr)-ViSdk#b1"b
+%7:g"6LOi),".Y'IY,r$*nJp]94?naT'iiIL!aO%1iPc0p(Y([8l)<lR/M?<eLe*h(eX,1==5\\+*9O6e,2ONaJ:nN/PS!3Lmc]2Q
+%TD!DV+N@fb.b;C<F9E?DO`%!B0RG#b3?^]q@i-m1;Q]G<OMlSXo4FSd28AER#c0HUhmY&t&U:Cp;T@WaNt[uM=dG.qHm;o*jkYms
+%=AB-!]7I6V$E8Y5*35AuoFdU\PV8ZonHhoL/>XO[F=men?0JXUfShQWXsF.9FboY]CQ(4,r$^i1,s?q@."XCIL;?(0oA$(;:;)VO
+%mX9"3Xn\W*f(i'AXhs4/Hr6Gb#AmjLjdL`AN_Y</p+p3F/;C"GCmnUGT?i2aJ?]Y'?ka;BJ#GH.*5_bh-'+oITCFqcb<#ZthdmWA
+%"7^0gN+m-cG!QUKZD#!1Rtn&PqTM%YES&W'\!:+&AT4\t?P:@\MigMK&Mh:7A`R#h`!2Vmlir.585aSG$K7?n+Wr\>,S]9hI1WEd
+%:b[9Uo4FVeQ+Eu6UFgS"#Ue#L?TJp<*sIco$(Sd>E#6$*oR*S#DQnPfB*muVl2WYH2)pG7]hlf\Z#).,W"_"?=+t0'@KWF:lSK4>
+%P&OO2Zl>VT8jgQO.##2W#`sJmh1p83cd.2J;^iZ=_V5q^GciUd+C3L+1p%/Ae.?R;XBbSYJ+kR,RVrOgp4j/4kSmJC0K/1XfW,Xp
+%k;u,r@%1-=YRh`^c,cmo>)FT[P\mEmaP*HC>4-')_?NC`&Jdi>lT*+sR42rUf(F!h3A&Z(+0pPLJou<eD"10Vr1K\AJ%'R!\q<g"
+%kp]hlBo:UZ<-](uJ%UGuoc5m9ll"C5OW;IVMIY223pMfO(,oGtckNMcs%bI=OsDeAr]!52?fV(YF:jhL[kpH:$b;D0Pj>oA(o?BL
+%csm$61=4)J@>gcH<-<b<PWG85:2oE&+e;krEaGQ<<AcF"rX<d8;RF<Z&S<'B'Wt(Ka2i.?W>@9bj_&fo`&L$-$L\Xn7&kf%`d%rq
+%ISA^"B2VPI0T<Y6-:B;Qg+=L%kRjhF<fB6eoM3\>ltXKFM0]$A&gHra.;Ei\#!5;5?2B<>1dJP69["Z!h>WPh22_EA<ViXnQ_`g;
+%(]6e(dPnsQg&"n6!%HeF*nYHbCC_F'qKT\1PeEF_.).M8.lZAE@E2RVmAG=DSEn%BkjWCrS&oXp[fpi,Sc$,'jj\$"HA`<frnXmF
+%C3-bj+,#i7mP'=uf16UkW^K3n*j[&YPo$<dm+uIpYGQ6`.qX?O"I.Hi5$*GJ_=]qopEusd8h-D<rb\au.S#i)IH7YGO-sAc'C[Z*
+%e>c)VWk6E8]jf(=e>_lXTMNf4Wq&b[icM4Gi*k9mFSqN(Wm5CRjqFF5dc2l='k&#c,_3-FFt\aS&$O`+82ddI[Oe-L.ATb'CWZ/h
+%d885-G_f[a<>si;,f-VI$77>)DNZQqaQ]-M>+$*VDa9Gh%re,jkZD^pM_V@ij)4eVlIJI'"f*d&@E*[kiOoLWJ=.AI[>`@-o"(lp
+%i8T]uXX0F*l?3M>nq]i.B"^pZO*NJJKq+Fn.5RiRi&=>";K7Nu/Fp5_gH[ZG9)LP:K,PMp"_*n6"B]W3EM'&Lh,dKOf"m)MRLCf2
+%>P9XH:L=#U&#0qm^(B9L6P4oJZf/cQ^iIj$<tNT5);u\)J<[?<_2P],=q]X:+j5B31`O=$ZE^oC^B3EseJt`2>g9?*Run?2+=dfR
+%&^_0,*6o.?beplu3Vi.>\8$#JE-=5b9mJWB8pQ?*Tna8aoE`HqE%ah;(/8:k0OR8h,%,GWp55$A7G%`="uWQ'<_oSrL]Qm7\O=fp
+%iD$#h'A+.D01ljC:rS0s7OT?!0Uf<4m&Fs]N5*SWMjPJ"c!-H8pJd5KJ/g"Cfp1uC3>FcT$AOR1='k+7i24;PMgscqgd:WqNHt]7
+%r0[MbL2/P>br[6s@Tf";n`j)3=VB?eW+nj)JNLX\6F:Gc)B\K-Xqp;_0!7abiQMqZ"(e!gDQT_<X9oE@$OL['e(9ANW*Dk@O-r:f
+%R2cSciPI,O33a'!mlJ,`OQSi&OMPH8DrT<o"A/0CCkMTtnHD=4eYn/G'2GiIcaC*MVs]Ge8!oHQDU![boemol4m>LpiP@40>MPE.
+%L"0d<K<!oE:2o!:E1=(i@C'O*LM@/Y9!),(90%h[jUkNQVG=Ve[0"7n#uAu@/gSQ3qZPO]*$(i5!5;h++K`1"JY(p#eB#?G(*UZb
+%loNJ5q(!r>poGW/A#!O,9_=tR%Nu/:aQrJp[I=3<.blS^qm`HdGnO0'"nB@XpnD@Bn7gJ.>l9uN`2t^>T,+L^I#FtF$9@Zlm0[6/
+%#o^AhQLc/qps(S<H5!C"24eDh_B)Cui_#$./Y-5oSrutY`VR'ZH*U/M$K6iQ@]2=%lfOou!m)LNYt2B$lnR>Tr4ZUKoqqnA:u'l'
+%XnLf.?sb$KMH*l5<@U7tJ0cG<HKPH]kdGF<D5B:=dRL4)AQ66KGI-.<j2[rFZ-e8L%=<[h*NUbflDO-5A_EV7Ao8)"XNbm&cNa8"
+%RO&K#J(0`ggtkg@5>uEj%,SbO@9#gXZD(!@#VUnVaWSKo-\ET0.6D^`HT8-k)\#nE0rq]0UC/s#cE-"lCpi]eT<Wh6-OHt'H;I?N
+%nYXiG7RBo<QjRHCE@c7cSmF<J(q]hA2!Sp5ISA]EJcHT!&ZRk3A8'^4nWsH7"GQZaS8ta%N=qei!IAQgQ,l=%=]&$E>uj4W7??7*
+%?M6kGJ/'5PT/c-cCp_0,j9[9O#m2iH$`+m,NQh:($_e^;%o\K`86_\mfP]K4^2].>s&7gS^mlY->68nIqaFI#jA)^I`Un/$ck2rB
+%F;f=FPRAb^ib@-$Pl-b+`a+:X#fL&S5*>nKc$VK1S!rtUjT&oQSYr.JSe!,bQXn?\#W#Z=3o>fP6(/b<A)Ro7#j)A:h[[($+I+$:
+%$h.g']!XLl<AW$T9@UE`I&qM,p.dCUBYnE[V[5F<5p]]oYjlOka:DL&/@d@'Nc%.S'\<=@HV:FPL<M?o">WZ41K@SA6kQ%\]qpU8
+%bZ!![P;`sRmD#4Mi3FmpJ>fYJ(^Q=A%bF,9`j*a/FU0Y1e;7/[C=*I*K+V2h?A`bd*R+6Zj1rqqkBJ`K9,@V5Z6AKja)P:^$:+5r
+%m]sSq=r@aS7n93)TAoZC11=t3U;fjl:K==le9=lV1FkAiR)2da*"`"dl,.MDbHC@o$TKqsRG8nFKmDDG2CC`O`pjPKPu(JA*[r:P
+%1Ui1qaC>#VL<i7=-L(;s*YMOSRMf%#_8Yb"UWKcN^l++$-r/9$"V0l)SE7_CXdJr/B=Zq%L*m_g8]lHT(A&@#9LDD,-Y;\5G&LB;
+%5Afm?(u1NoF:5KhUacC8Q/en1JZ7?K#Vm'SQCRcod=<oI/<dmFVZWN5E^%`oRuX,WW%Q5*[G6!bLgJ,<$lr1"=O"r$*_p"FU-R1,
+%K,!%L.Q(.b.biga@sF\@Fi2j,N(pN$MXaQ6dOo3!EBc!87I&Ei6:f,:5iB%Y]hGq@otF3*`6Fj=HmJ]51+#YjP9iC+:Blj_Ql,d;
+%[>;SZZ"%8$V<_]"`*15,B2(-#.<)9p;-]&b^74e4mN6WR45hFros`c.+mb@GS6>i=M\aHOf:cQ!q>kPRk$F,2*;DukSM*'86`g*T
+%NIATOo)%28X>>leqnS+O]#B:u*d).@<VR"_%C%1JcoJ2$n.a3HPsTs\ah]*O-e%hO-1Rl\$qMFm*,qRNqje;#/5nXjEb+kg/khAA
+%:,NP`D21B$1\:/km(_-jkar?Bgj\+.`)NsL"]LP+_1>o&NF##+-H0^``'"]"M$r0Qe-0RabS!bRUNbk`'1K`(]F&Y,([40RO*26l
+%YZUQg9Al@d#cYd:6,1eodH\Al4(XsQr[[ig8SR#oTW9Y+H6/;;)$Vq\lVrIkbtQo/lED6UruafXMoPn"=0J>jiPV\)7+K&nc$e+_
+%8@BS)#uqaG<#DWGA6/bcPio\_VnYN7ZuK1[L(oUA^_A[>%kM9l<nqnN%P@i@'7"o+_4$`oKMXKt:%"#GdR9$.P#ok>+j7Wb:u:EY
+%3?-YrnNmU?m6Bf!Jq_pAKtnpq>CWYB#a9oA&-<sW:UH$O7kl).IctNJ6YJ0YJG?noe+QE!4>l+$,RnQ\!hg%KC0RA],`i`H:[OHg
+%_nP$P^iD"ia7D3g%qZ[@\%6T/[KDG_JFd?pQ6BH9c!9g;W-U_0ZkJ.L#/$lJ*_Qgm"RqeG=[EfjPKYG\""Bic=&,0,FegR(\'baV
+%%?5O=Ub+Y^C"BELmdrXSG[_Nf)UI/S3nfUNj;VRCV]?0i)()k!MWqog&,EhR9F2+@"AhY^=h9m?EbJW"fU=uq[d"TKSjM'D2)H_r
+%fT/R!!#-aK)\`439V&VE6U9<j$_RgV35q<A?%IB`k>_`@,eL"m,>W"m&Ch.'?_gnl1<!(hc]VmKnpOK63h8JK@C\H#^b1?L(W:9K
+%f/D7,*(8&o"DeJ9MQSueTZrL\,N8\!hT#ao^W?UH-heC)Wg$N!6*PWdI?!B+k'64Y8)5%_Fm2_93WPfs$(dWPWaN!&.KMI0N7.<k
+%,[kdSgfd#cW_-;E@bJ2-)t4*#d*]5>g`n4KL`Bf?WV[snLM6aX!Pr,]2?US2W([ULCiRaBCWS`Zo."1L.t@VP)G2;*%?)i+cZFpF
+%2J0LU5)6\)?1?hNO*\l9`.1fT[H=WNfid[+$(,,rR"/!H':)>pN=u5A.+2T,2!_sZ76FDb%ZjAE.9.S=-PjRI1iK^r"ssQ`9Ytsf
+%3/'1D9KRrtV/j*`<`k%qm:,%q7XgCJfF95mi7Cb3fOf[;0p_nP6_W8AW+-EP#DfpPXeQJqDR'io)p&FS_W:o)=CSX!/+OP&g[$0e
+%En$lXTn<@*<)F/+Y;!c0QK6b`34e=06KB@@(%<:6Do3i`'H..C;&7LLdNO381GJN#5Q^[W-fYBnFh1>>%X"2!YU$=r,7r,OXYT>J
+%$t,&#PJ2hD2CiH$9*"ujp^5ULV>N9!Qg%J0Ak>IMVjJj(7W@c#[.Mj5aDQ1E]"-V91b4VW4OJ:uc7X'EOf068#/6Hq/=5*O&N61Z
+%fcUZq\#<mhZ$I(F4N?qI$THUS1!Euu^.\^/\GZsl%qQ(Q\r40g)L5l%S$nLg<\P.]ADG_fk;1)#i\<L[l2ELW,KS.I^oA7VWrb%&
+%M>sf]lBmB(7,K%sGa&jDkam#%*@3BG_T0]9hPS&bn?NVLDYB@(Jd[,)(E'.'I5JNm(8U\Z.R6r$^gHZ8Uh\?]F5I=5VB)!pa)RDY
+%;sHan_NU]bV`$=j_T6VHJ"VF@/AM;.!Xqs,CSf=gaNLgYJ`2(ej__;;.ZZEDW1!Y93Ou[/R*Kp!gi2SV\P#+.9/??)>?HM@7F9%O
+%UETD+EVL&#7^JP#$](>$i\XfDB@BUjidHDC@M>-&kRV;2G1M_3gqB\JK,\(IP<$GRDQ5&!.Y&6_gr!0D9Do_)gP!pMqAT[YZ9PU9
+%G7W.eFB-g\f."-3L81-W#^*/nQ!(Z#Wi9F:\QnG<66YA7$!l]564mms&P4;U4-C)ZE7lL^m'^&Z/cW&%<&mRfmnSW\?+?\<"!:`@
+%Ve@jt"X4o?I2\J*m4nCFBq(f((X<\e+FcI\5Zb6qFM!o<#*?B3jCY3"+dp(biQ@$GFY@T&a93(@D/s*4[BeHJU**0Fdb><^1[WsF
+%'m@VlUtKe[_t`DJs'o+.s2q;.4crTe<V!5%H:0$Y71Ee\/j`FH7oj3H4@7BV8->-:KMD/OSpsPMAC8?4'+;jp#V5tJ($Pm5P_T"t
+%d=asG0#ZMAo&Djai)?["[KjF5*q$TOrc1!;lbJ>ojOC#c;PM8K)nsO+HP4A272Le/5;9reDHiqYQEhel4aj([eQ\7,InZQgoM$s"
+%cN(P0:#oPkj/.%;V8iuS4pD=RMsG?Ai5[,=>qd9F=M?B_2W)qY<#30_bE?P`b4>PKcpo<;O^8<XVpdG%^sU5L<';r6O8G$jG6rX>
+%;1t1EEg^`%a2+osQLGo`LjnGIOQF&HWOXH2Z,ANu4c5SoQEH=7N9S$&0=0I@E>(?9Md=@HU9SOp!\P#m0Mi%-\'Onu,$>KGVJ7F7
+%WT/ciF@Pj^c\_jT,&%qqLrc]l00SR#o6=&'3SJhSc2jtnT030hqp3uKR)NPdDj)_XJ4Iu2D3K?AKi-NhLVF*C#I8$6d^r,T;D?qG
+%/1_Oe_qdsU1#lLKaCH.#\1VGs\&^_8@ISY`:<ALc\O;UpRa3R).A7I's%]hg]5YBY%.kC\gB<G@le*KCZ2qcCd"Ldh9TnI;7Vs5`
+%\4'qHV-eqo*6=tV'4?a!SV1XOqbZj1$>3i:JTA;Z*;*EJW<oIYOCtSZ%?Lm@9Z_Qh;o`Eh].3)u]fSXj^..ZCZdNr[;C<T$"h<q\
+%3.J8-mFem(`(4$!K1BfA>P/U8Hh>d)SN><3L#J&UE@IoDmhlsDf%Q?Z#EAt-ET1%3\SCb0lo3le;tu$>:c/o8&lA<WR(%p;VZ'Z`
+%mZ8@lMcs-3Pa$bk.ia6.-DG-7&NT9?5cg*e7E)PY1fY9=BQkc?O:dn2m(YCbB0rC,--H+Ihoua/!s,s6j=/HG6H(Dk&/[FT#Q>R`
+%X/&@O%u7L)\Tr4o5R5h?PO+LPJXHO,QsHqd:h7`%/acd0e5C0:pm.FmXo/m@C-Ehr@>&+d$$[s*:El/Cr/T91<jnD/9B9AP5,hPU
+%p`@T4PY)T)%nY/flafOeEC$+\9DMF=E*$W?%"'LtXI\.TPbi194[I.;d$7(]3oMOhU6FGJ%:qS[*90L[/Esclf`J\;ZMP+D-7E"?
+%VGjoC+Gn't[dTp&9rCs%V6c5*=b(<_fpM@WPQA9V!)VGXS<.1::0qM<?pUoVRLJc3@1i&9M]/U%)M?QO2[^R;jUlKE@S%qqG9.E.
+%@=08R*#;7V.V`qW%tOBq6[>.oWTn!<k"kq[LEd;hlkK0C'P+D$V;MP+k6RcjBR\;9430(nPUc##+0_.KXU+kQ$P;2&(^s#e=lS()
+%c,pbL.ZE*^W(,>t"";G,`3DbQF;.7G3I-SFAM0h-Z,gN$P6&V(]7S=hJHPT=&D!8F[RibTV)4m5[PFh\0G!m^U],0s;.fVnit%rS
+%oKHe6nr(U%crWC0Wr#oYQ_$bp6JZI\fj+%("*pA(WCfG7Q>]'&Vq@F823TcTg<u=VeDqkRUp2iE)B-.:Q55@IgP[MqWp5Elj1@4M
+%*&RqWP+n)^eONk*'n6b/l$h7R\YUFR5]=kMUtth9mub9-TbMRBc`<D_h1cX'@6Dk')7oCK*f!"R<4Um`11=Z"5s!)1RXS_F2HUK@
+%`M#a)Y*WX1e<aHh9T]jAYM'+b%H9-oAD9:tJg,gk<26K(.d?E,]Zl9I?Z]PN14XW.\+hPW$\`1OE!d#-@_cmU'NoHRS5&)GRQ50c
+%l(BS,\T&`-jm#.m!\AIpM7o:],jDq;>Sc8^V?g'GNaY'Y!TN]MB_40H\+u$C@c^K\MCcQ/22DkfJ*Mi^H6>c5WN8W>\*15#ls#(Y
+%:l:0]/g-f8$<mgT%Zn7*K7%uW)\pm8)IR9Ug&OK1V$nJLPg:?Z<jHOqcmcuYa&r=()<'^R*,gDM.4.VZ;?D!AA5^OFWG/]K@G,W0
+%I:Eh`2$PH7hMN7_9q,8?DPDLcER-mXZmA1H;7\/)E'PQf4A\iq\t&@@*L(psiC0dA23;V7g@rL9cm29N`3%)pC6s\$hC>3R'$AA[
+%k#?JK+Ya.M-H"q4!X8@]0uPc1i@cj\,5WQAF:nBR).UJ$NVG62Ui'EuJ&qVF,1>J3s.kRJ)krhNV<.fS5JTa8.=k90K1(8mEj)2O
+%]d./[3e..*+\FYkU.nJh80PE<S/6Pd#ZQ#_W7ng]389gh^&lVWA1!UW3\>E0OXL+PcSbTfTC0??p1CVC$^@oQ6Ks/_nY%PFS7L&A
+%jPSp6i,(Zm(]TGoa`aD6Vl\sZG#fB*3iNG1@U(2-o_iPs`T&Vr/nn-);8]^;Q3,PcMA.1DLM[*L\%os^9=J$l!0;YDAp78"SdQmr
+%)/=oA2m7C]Sg2.2L,EXh=IP9Uo4k.3*!04nUG-DL6L)am?krKY92ohZC5s^"!Z>H4,5]gd/[o2A@g,UWKLCE4Ijg'W<C2j?RYMU8
+%+.t0Igd]Hsi'BjfFN]f6AtDD!(monh.`&[VI6m>?2uCbgP,W&g;OK^-V<OQu$Ib9X6;$e_*^NN0pf8u5'Kpk:@]1'Y5t=r)+/hG3
+%6J6YYC,+Pd"kDBH50oO(B2%X]mhR5E5?700#4YBYgs^X/9[hYu_$(QMU&mI/6$Fduk_*@'AM_Vp80'1^TS[@qQ"LnTF(-k2mGla(
+%lG`C<eY$45OVQ!82`3E6!ahsS,WD(Q-5#lZ4gH;:M(:@.cU_DPGsNn7G-h;N'<ls9\g>I'dmc`5OY:t_A9NegmU$[kCm6//VqUZu
+%YTcf0MT7j"oH.!JZ[4G;_bi_EoHC4WZMSM;J5p9IdTM5*fXU%<iij+@pkS!BU#]9U7lQoVOF5.9$;]]k?f'_BbcXE4SFKj'`^qpD
+%4?it7*:"(Xp2/dMli]?[n1+7*bacWp<-Uu7`/fJbMi'C^CUo&&Ep(!#ETm=lGZDP`WO[[7m"84n2cJ#f[*WhrAOrS-nR?2DpW(A=
+%8>-=<7o37h)$&a2#+]'I!P`GG:suhlZUlro0er_m45spa&&H;<"c/'`,EQ"[qP%]=:bs]FQS2)E+-ZUX+(q=&MV$$&*.R9V+W:n>
+%q,5S"!.A((N]^@P6DncOJ*GSS5fC&uFhqO"B!9ZU:#O9&(J?Qm)-'De<KrJEh:<*eImR_k>PeGd^2^;W,uZ37K2ZncL:<PUJ^CdQ
+%V'0PZkNN#07m&QO[96cGTMDh@-R@H/l^1n!jm#_k<%_$R""OWrYs5['eO_2g(dQ%l<V<BJ/K5HQ?,b`mc;AXq^s)ul%>P22a-^bS
+%OBgl!$M]OuD<^g=SQ21]U9O)q;.`<T*_Sr8I@Qe.V7a8lpd53;I#4aP@Kn;Li2Q">J<]1&Q`?3[8?\Zg'&FAPY\<^J`K'i&)=&G"
+%4WGiX?Z+\4]*MXPH;r[,CE<1%alXOrloJU`TJ0_A72)2iBF^]hY5&meP-]F2P@K;PYJ\YC:Q;?Db$*B[0TLD`&#5Vgp(E7Lca\su
+%mT;?Kn9q25N,uJ?^7H$D"=Gf;<B&03O!\50ALD0ui(/Cn+bYKZ:F)I1UjJM_b`GU%[68SW_F$2!([@=KARsST_BGSjn5<(:5a`7i
+%bdbbh_\$?\AZ=TR`!f8R7:hA>?t,P@3MkI#&0c^Mb>O05!&jbgDKJ%WcaX2+-A^Oc'PN_]6bJ1VO%-9>T%_X-pKa:IcqKM%5e@I9
+%Itih>5Wfmo$pPj*9f_W7PRJ?_^mU!dJWR]n91cuqpRA-/BKY<Vg:&;T^mHa32_eP+^Qm(b@[CLDO2#S+$S&e^\3USVFgn9r_O0O"
+%!d>:"p_]h2TEIBL,l)?g*ask6\[0.^1N+%H8aCs:Z"o!7$Mfgh'`M(h*JboP];cDbUF:4N`<7PJ0NMd!,Vlm!o0)MG*+Rf$E&?Ql
+%M3P8c#sJQ<Mr\=d7l)[H&2uD@QC.1sSFS]<0FQpZ/P87aZ@Db,T3.^sEMhp.,]@*.l9gO1(ncB2br7<`oYNE\FJ*!#?j2?BlJ;W5
+%S1#(D>!'=N7[?#*$)\cr1h[,8(5AV8&\q-DJr0!@"CJAh&E8q)UbN,d)Of[B!09UE#@;+Y1Qu!YC+R7+#_Z.'*?rC;^Qb!,dlK&,
+%]Xktep^SL:_+3-^mI;up4%rSqRsGY99tp\+**I"1jn1EE7d12+_Gioq7B$g)MpO1N(8"$rCTn-gqBf7&`E5_;2'pteT!u?k.;Z,%
+%<TURkjsqV6<2G'R_FJi\^FY(@,J-OETm=9d5pd'NCDG\c-!Q95A`Xj:.qVP&LKFg]]6QCJ&jo90+<.1`8$";(.R>5=D2-tdQmQ^<
+%St@BBe\5hiMFhOpc_*&J>jQ%/T#H+.SQ.-S[rcSp96HZ&p72B(Eq_?J0#Gb;;ELSh&ncR4FR"M<]Wm8t*J#s.:sH3b)N;26#6eIt
+%Do*f,Q.W-545]c\92?&js7S,+RRB8u\86(\qa6qli3Ma54*7]:a)0V_SW^$1nLgi`/N7WYW:5&@EVFp:aZ^t/==5a7i7p[9+&X#6
+%7E-n'><\9?f8=pE#pLo:$7'9MEpP-%`13,MMYPg>8IhqR2FaJl'>^@6(-\XSCk7'CpG,Zd'FD`X>m8GLTLdlBa0_'a_4HOI5/3.2
+%H9$8,KMn!9Q3jK\Ejk'"+a*&Y_k)_lZB7`r+%;s(i@S&6mUUS>Vi>:WnM=8B_9cQnA0$/kP"n!,d.Ts;oPlc!G;D@.jJ%qdc?FD:
+%X%=Q?;_agd=N*qQG6\h=;>+3e.\`W99_DjBh/KHhA;sOr"iFa?D-/AiP1%csSMq3+UWGXJjPn)\Z&]TK$.,3_i]W3gV#g@@6OW[-
+%s%pjnWE:2DJ!*BEKJeihAUpD#nF*J5Pm0W@jW:-``,dJ6iaD1<)XnRU3=)Zf]g1-Ki9iHi-aTi1IP%spBS]%6\Rg4mX::nsG*[7!
+%07u9[A>plS=1]C>SB4M],WHsHnU?K+mZ'u'6@OKTNM3A%L7?t0ARKg4eqhdu-mE4BbAM/6s7ti]pG.Zs:g%/Fh^T'O'n$p*9BM5u
+%r:<hA%ej&I=UsR9pCVc2AJQ<k'qm"mlL2K8J"mGhTbYDq@m)(gFXh&b*R1#RqVd!pprD-]:3e]Y,ITQaZ5OlkR^,H:7hH:s'9'gS
+%*8'EWpL^ad@(!(PV<Um,b1WHD/kn(%%3i=+e#*(=n\uKqC%rRDOgl[.:0%3HqoZJXMq/$kcr8VoJe]be<=5\/'\@^KGAeoX29htT
+%j-VZIMeOC*SP9p%5oE*:=&sm1:E_nB,((SM67/Otk\gLKqdjesNt=_co]f@CE(&(\-4qMr'MHRg"%%#"R9udZ>p5]YUK-K_P$A-s
+%1aA6P!in6B$=1"',4fHB9GU806J4sj$G))QT;W/3`)\KY056'H6>/9Ri]mf;s7q",f4j@>f*!+:F/'@/dj`/X-j!L<q>eDYK^4Ku
+%Zbn)tW&'pAg=e6kZ'njRUBm-SLo6"+a)<S2iP\/oXXPSAnFOG&kslM/_\F1&fc?/GWd7O3.YOV./u_$<\f]LkY0u:19"S'!Ed:B4
+%TI19(Gr.pG2LO0AA6`*N"q([a>/k<]H$Ze85I@T)"0/B&b.Zi<.'`h3/Sh8I^VID9J@m#dD\)bCZgaA1]JKN%9U[[8c+pa-HQA/K
+%;;Q,20q?`(lnER#Pf"WjSg\5o.Y5?I#$?i%UFJ^\P+LrfAEDL'`)JtpI`gs2JoAh#<08@r[muS$kp\fE0Yu^/7&O3@Aq.2"([M$Y
+%E=oXjXu;J"B''%ipMRU+,[#<C(Xt\!MguZH.bO]o2_)cOO\&AWCQakm#bb*8$)=(3:rA\Fo_45cg#a>q:1g%<64X./;&OO>4P\2i
+%R;L]*mBr0tR?E-=MLr/O>kQ1Q=L3'?+ioL;m$@ul(f:a',SlT>dQ9::+r&h#M+Jkfq%N^WISb(S]n:gi@"fnc:j7qs'3>)p,1j1A
+%gA1TT'ch@)G+Pt\Hd9]LdeSm?L@nU1>Nmkjo'qNt#9<:aSbaqY#$?.%otU;P@\-[F6p:CKm!T+^(5A6Zg'enP*Ru97fTBE(\0arG
+%M6$ht%]F?9*"ofM&Q-AR9q'^HY't2i<,71F-RKDk'MKP=n%1?tpS)F@'h@U1&M=J&*e8>LjGTV`aI^!6g6fJ^<&)J7=+H'eEuuPp
+%E4CI+RoAuQ3VrqAXf`WAd.T'B`*bQch^8!2F&@P9'.pX?67p1m\fX*`NGBi*6."j]J^1j'/a-3^kKSmHAb*`N`K44^kFQ.>G^4J=
+%QHRW=]8`)[BI&NAgbYT35XSClk,FEEUKdFPTZMssV:X/7L`HRT[=)'ukiU9&gXtLp9J%(:i&>Cc_gK<YH0`1(444;&f6?:2%q6_#
+%XBo+P9'a<662+@sYc:mFIkWGYWL3T7,,_HW5;9MaN4Bm#a(@]=`mi%V.=mK;-D2?73#Le:<mD\7].&`aCe#d#._"2sV76d.`Yde[
+%XGC1K5,TpgI^)5AEI+bD4M&%@NVg`YU$kZjgt-`B/.7M?'=f8O!bMNi2)]3+C3cP]L2Ip#B*/XJaq&K.o2gHU?rU`DDhD4@QG%LI
+%[UAPh1o+oa%>XRolDC$j5PM6+%$9#jOs.X2QFp*gb\qFdo>I5i7Mca:.Q'a\B4QdMBAg=O>XKoY-(?4;,@Z92ri'n<EMkc9GK1NE
+%W(ZS9"@Opqkl6g7m]e\:WJH[KgJhdCp'h665g)sgC"7kNUXq`2/"%i^5KrsKXG<=fAug7L_T-e%qQ\D8Yp_#%IrMT8nS'HslXOHZ
+%J+[pj7KSVSB+J5aj3XHLRsb\B8ftNHBV"$W`!YjP>[jU9Z">1X5fF:=#mM4G#X&`h/2L^QTe[g(`[#F>,gLRX&=frR]j=-!_aJ;W
+%*G]2e8I_/l1k/J"=B.1uQ.81R@Q?kR40FL[J0$lKeX>PY"<ccjYVMEagIfNaNh`=JG7b:*2mqDfVItAm3H9F)X-$C08?!]^7AilF
+%ArHGhcRoQ;k,DQ`hQ$iP=R[$>(r/:maS[k0"jKG.rWMj)T;%^k;T(KDfTKHGi]rBB3=)%1]#?3sHjt/jFVnf>3Xi7W'U+W-_\%#2
+%n;`5R_)4[2+@re:CTI@W:,j[EeT8:O95=(UV)L;adu<8P\o./!qf!AY0S&i?`FR;C&j:@o+T9O8c'UF5aQ@5HWt@&KfG(9M@UjUK
+%P:DGag5$LKQm^.T(L=e3I86F0U2;!HgETC[Q(SYBFXXNF9=qK69t0dO=P^M,,f="`Z"E$Y$JeG4+It)>\piqXHfu]5o9jM61;3UJ
+%G`1^"%/rP1gYWU<r#'Ef$VX;q5">2K*7+E%d]V1=hKj"7h>-n6-jV*#I/e6*j)dHYD*WmOHs%64\)3n9hKn&THA%.YD]d.Rq$hIl
+%m&sqX6KX5576@0I\3ZV`r?khGbr4-XORKa"'4rYeJm[Lm(j@N*/>%\6\U&A+D]T5%Eh9^FoorV/?g9525dO3$5QGF^POg@_e8FU[
+%4Sp`?c0iD-L0;ia=ef_f5>PYUm;ALnLq(<#i^E&*!IF!tHb>?bD8pn1AMLEOZT'/LaUj#&HI:Ls'hR<A#0^Go$,L8"i,J3X<(eTe
+%qaA@K.L-0GB7j%)jWTB_2*h8]0P93c(_E:P!f]HJVjHUWEP=9HO,c"S`EIA>.LLnc7Jul0YOc:)&LcKJ)lWTY$([Kj9A4N'WCm)M
+%`gCaqf(]4Z3`EuIP2cD\ro&*VB>Gh]D4#,OSs=3GTf$4?c_5F&:\+QCZQ>#.F0Eo8NG?uE$`TY,.8P*jO?,I]`0,[]_"G1C`R0t*
+%iUD3gmWFBLZE#.Rn7Z@O$_E=H@K;3\,Q$U(N^G64%irRKrK7P2-F4H?)d'6G82=b[9t8DTkm>*?d3lf.kZk@9'gnD\.3L#sZ0PWC
+%fJ)B.&A-(#Icf[Wqi@GK,OdY17tXZ<dQ]oSV\"i<]N\65;4p8R'^m@eJNbUtJOs5+#9AkHGWA2:U5't>*==$#1VlH+UO)=FX)CT-
+%Z1A,AbG&4neT`C5G9>/FPNsJg8;?J;/VdP#T[5,KO_gIXfU-XWrXo:mr?00dHr"7KRi4NQgR+uP#3)Su<9=%LU7`nA`,<@4=[[tV
+%-n\=,D:TOm.3U_>/<JGI3F!%_]_"O4:=@Mi:IQ%VAP@N:'(RRa@^MZS"UDpnO[tK5SiCj<,rMTQS?W&?T<Fl.,"Wr0#U#W`7!;4T
+%F.P=R<(u.4a-kH:.=6BTs5(g7/C1>8NI4kF$7^ujoc'o;@<T"t`N=k8A=%_Yrm7bTIoM1'<#a,,H\E]WSV,hV8'bh!l*hmQq]%u-
+%Csi^D;8SY.Dne6p=5)bn.P:Sj[;rEj2E1&EFt-nAhZ"'+N9@\GW"lG6+6o$7qPK>`';&PL0;dUn,Q*juT<BZWLSD>kWgDX!(eh<K
+%YL")O;m57pilCpP7#kmT[Wrn>BWfh&8C1@raA>[nY305++@-^SJYgeD`.jS`3OiU[oC7KPVOPNq3F1-uokmX>ONTf^'TiYkVhuS5
+%O*H/2(`"*UW!@LNNu!M.RkRsJ7':)brAfJh9G)Mn.$F0)9S9_.EPpNC32tP\E%k8oM9%Z0W1G*sS/=C<G<S!HC:XnJ,)^0N2^\t,
+%pJ<$hm3L$:L1=lLY4I6hMjpjiG>LhZ*K(G-g/>IKFjZ-]p7Xj_Y%!2`=^.V*NA#+a%pn*:?LG")T0N@p?iKuTs+-gAePH5$^\j_i
+%s8K5$r]g?7J,I?:r0r32H[Yl8s5s@ZgV7sUs7#Ver7aI8h;A4n:\rCIktc\c6/Hs)MiTsuPP.TI1&_%%rsq?nlc26iY=IW&rOMn)
+%Dh%cDraYg#5I(0js#pCGfXE<t_DV,a`qQ@+,aeW/p\ad#EsmHm:]J]6N(Q8Z5_)fXUPgN1dKgas67lTJq'7`Vo`<cAO@,1)!Nqje
+%9XGblJ-2;N8Gs*f2As=ZLc'n\M0a)ZF3h04$5Q,<*5Yu\j%Xfn.>AJnHn\-83pZlF#ng:6Lj+ai"bcVc2(8`$fl(@M*EAD.jFn$?
+%iR'G;i6STVAkZ(d#&4eR5#EQ:3>L*Mq6@,3kR-DP<'H`e3B>8_Ml&CO)@45m`CPfs_)rqrHg9u]d?k3U8Jij=<d5DR`8hr7q_Kl&
+%&gU'%G?sm[2'$6G#m"SQ:Jh'f6GT6r?c*FmWXQJR=ag4r")$^G8kC.E\4m#:J.5m!E82igGloGpFdMSBH*0K@[N)h+PmC/c-mM.$
+%nkoE.S6nUI*qor;6\I3tWFBkACcc,eo4")Lj_[E)(s9mFLe;amAXMsKA8hrCKre0k"JQ"(81?'6>cPRf%KNg*-h@cFe-45W^sp6+
+%jSlRJOT98Q<,='6NlU11IY4i7Z5.Z3/e]Gl5T2N<E?[^F$27i\G8IkO2@/I*qc+Ve^`j/HVJ,f4dmq/Lhub,^Od$hh'r9NL(lJ[(
+%W)>1mVP3#,7:ahun[OuYH`<o6bf#Q1Ktb;"$,X*F@74+RDe]ru_"C6[[d9H[b">X8/6'jG-euZ3g!S$,U`hH$Kri_&K,@Zh[Y#<g
+%g$T)4</c!P?DJ3r:Vhc)1Bh?d<O5&LiMJA5QR3qpQB_k?=oqYgQED7GHJR?U&FTAemEa2%QfCJpksm@kV@#uK!h%:U.[s#/75>E0
+%'Q2VFV%%ZMXG5ST:#BAu/Z&MW^*!GL`^MjO3:p+!D[c1VWpH^Q]s*uqacs$TTFoA%3Ptn"%ftf,p?pmbNX:mFq2T,F#GE5)gCA3T
+%0MM'6rm<AIhSCeJW$@j+YAoYG]=:s_qE,_ulIi#]bIX\B)@7hQ=XO[?nuDmo!2Z5MRuj5B?"L31hGZhBOee5hGpGS9.#+dZ8P%>"
+%5Ybt'@35JDK)'YLkT^Jj5d1g[5M][LjuqoXlj!O-1P$+efCt>Tnb/!b#+Xg7\c)ru/Bn/[.llp^9'q`c-H4<B=H3B5=B^/U&-Qq'
+%>QCi1_V^XL#m/ReWdjTN%JoqBNktut;&mp47E"`\m@t^ejBP*&7P';IRbl`&QYu_o`+NaF!F]Hhik_j7AXC=ee*6j0ZDtq014VBQ
+%R`dledQX27n#,c%T:R+kEgeJND=ElMqSuPPJ't!r<6ZJi%<RddL%H]7a@<FG&km(Q<Bd4:"_h/e4fM<j(ka'\^qDUndeVq,=tHPr
+%ID!PgEg1iS(oA6r>/:MMnTr8.kRRK&EH>NA,2FJnmT2!\S0(<[`^je4UojJB?la@_bk'?*iKk/M*Q!(Yj!ns-6]b4Ieh@EN6Q%q4
+%k[ZXDeJH!F#YNS6UlfCOV;R*h'16.D4XcRSfYfQ[Ea3.JO`+>u/%GD',]>lgX^W!bd+Qame7r7]=U2REpdKq^k]<$<1K\)tCJ"s0
+%cr]EtXZF0o/0pk[4m4H[Ae#h!>OboFd<C"fDE:JDf^hPI6ruIli03ZFKcENi@<RX1RV3mq,3_Bbp4^#ck/m:MU>kRE6,g-W4m\0(
+%+/-_+BTg-ee:[b4CBXT1G)8OR!<Njl_OhHt1jXfue(_3%I*cGs[00>[,8o`#j`^G9?fpA`3-d^]'`NH4C-:g4LD&838@&$Agk7@n
+%+]TWq,@FS`E6h=.4^6@^]uk[XQ[S&oo'*7M5fmC#J=J5=+OTIC0m_Cr@HB0gNV%]lS760"=ssdW'D@<8oc=dR(nbN=9VF.leT2`p
+%,WL[#jK_X?7HH#.B43Vc^P/MJ9lM=R(j*A^`"^f*_+gVII_03\Vs/MMYcK6<I9j6$s0s-Jr>BTnHC7oCjL177\#:43?fHu$pF63H
+%K/?sj2V=LeqpER'-=[d].q6sA(&e(\b7dmH%DK<Ag_QHC[4KScO3aj@,!;9ZE1,&DiqHT22fPKlD0p)ukD.>O&'ore]>UMOV$D@u
+%Fch=F\(AF4c(OEGd?\7`m@ne?r+7duRmOp\rpaP=.4gRa(NhNtm*DjR0oi8I24Jon/D!nk%HkIO6gF0([##0\8I_W%EV0TF05\^8
+%pt99ai3]!OYg5KIOSM1h_In/m'[d]S"C#+cQ\>QTdh6Ps?-<DnbE9pYcSDDE(-qilK)c3dhWLqP;"KIKgW_-LI/(%!cYSur<G/a'
+%RYWo5/L4i,X)>6_7)k4>?UpjqeW:nCZuRRaWkAA4Y<Yj7j4-#*O!f&+(]d`$eEnG._K>e4[DZi\$EX0*Z+p*UA)N+t)uT%3l<HQu
+%*MoOoGIA*kGU<*$3MKe]fTh[-o#KYKm(j9V$]qKds48UfZAfi*]aG5%XRGaT^Vk_BJ62ZiH<ZoOj!BLu)=_op'(41"TG2fG$*tHN
+%p%[!I)O@;%4Ed*"h)66?b_j@:A-f\]Ke_:fnE@!=-aVh"p9XFCU"M.l=_K<%'3U\W65n%u(Y7G*o:@9t;E3Z"GApi'cVk5QnTb#"
+%M9W<?gO-udDD06hX'6<hi+_c>J(@92^$B,N6)5j#I^.`dZi&^I,s\5Eb.XubGeEH.N^YQW,O]F,drehK0k/O/Z*(s*@c<0?2qh_P
+%^43"([6K/PXmq)2H%'uc\3E:G(JgBC>C!g*S'Sd'@ZPiH:-0=M'<A5^p:I6G&gt[VICOFb,*(Ys)cp6[^/(A*e`Wqq.(8[Cqo!B%
+%It2JFmY2[p_p`aO0b>>Jo/ImI19\IOV-pH9RNC?U<R&aHhYj!YHi<m8juM7qH8o%%adet$YhRqADscep*YO`3[+l\:Vp"@fVEQLs
+%\<0S=@8SE30pigFNadmaajElLr=/,HEbVmLg\\ZKR9enN'#\(LR9Gsk6%8P+U$R`qHD7!GkVH]AlL31[4Y<oa?RO<Qhi"B9TG7Kt
+%Lr0?tX"dskUPR5#ol2XA2X`KPZu59t7Ig3*gNI_Bd=rE4o(C_smZ/95,Pl:;`::E-IK&IbJ;a3/MsbVDpp3@@.b:S;D`Yh74ETR0
+%=$;Upn^2!fk[GP]H&.D,n-Lnj>U/LJ#nt5JC"sk,YHca"!B7amX%\jmi:@s2Oi.$CLq\?bNnKq4_Cb?ncHkP<*5%p,fs^&;kHcB8
+%BS1:mhuJfo,V*7"\AYX46d.4cN83>q7OMZkH?VfiYBi+RpJsq]K""dk.<[3G<19Z)?C,(JN<EB:.`.7F%D$diE?,Hm`((O9Br6fF
+%TFfQ]V7sPT3P*^X,ei_bEf*bg]+=t'(fk`Y7(Hd]2?HnJasoQSLm-e?&/C.#)EpZ#-\?4!EhG?8()L!ciOZ6]6VA<DMr0P>?X+6f
+%_77Oho#;M(%!0)Z3p@qrK!$>U5o^+9qi3?:BcZ?^02',514)e95Ne<:#5eiS^@T\Ndn`2eK#ZM#L^X-(CU'\/I9>WY!DDM]f25;+
+%c2!&<q_UST;JH4/a^_,/XgLu[q<"'r@<t?n^/O8lk&?QBX"Nh8,^Ws3O-:@;>,SDWGVRU`a<"@u0n,:`1Q%C@]*XZR#!m7r-\[>,
+%$OtK,A9`ou8+![@UJ[(Hg"aV-IaqKCZ?kRTOsJ"GRm(BU>d9hdnAD-PJR>h0W.R<MZfc>=X-*s[IA6T:q)<RT/>\=a^s@:`$`pmb
+%.mEq^&"5N-BERQ3MS5dZ!TZt7BT5C$O(+TlimF>L+c*E:%4J8h+3P0engq]">S8gLM'QR9EPc,VG(P)LJh#OsR3.Qd7g?gqK42]U
+%R&obU*8kF+-pi(ZQL4W[&q3^h_c;8JA<b[El3FH6Qn+A;h,gW:,"p`_.REq;.>&s0%(o"FR'VC!Uu'"VV!HhIW(t.]C.tCFM]%Ob
+%FnQqZ3HpHt^3"?(fFjYZ.(W@YX!+-9SHm*XFCAmi<(7T)"*P0maX`?a>BE-s8]FdZGYehNXu]!;QQh>3*\:OjIL_2[bFd:GQC&;R
+%W$99-H..:t!V6esGB!gL$<T9!-Nu6pRk@4!LunebJKJIRMXd<(73F`j_I/]%&W7s:n@<=,%j0)TZ-k&s&`uH)kj/H-Lf)KqqEG'4
+%">OWQ8%"LHPI1DUc3jIr\RgDb\3Lcrk,Ph]@7_^lI<kc1GX*bN@dO&jEtq&D(fdXLp_.*@Uml<068^>HC]uFlOdm7=J[g0&Lm^+5
+%;sFA,Fr0g+ef`0dXA+rD:0d&i`<HcKn<h`W=t!dk0Zieo<V8dCC/b9In=@X?U%SW;@)RaF<JH(<P4hk"cFgo1=9l9JG4AC8e@_[N
+%?AdZq-s\7DnIUK&SI?do6pJX$&sER9TX)-<kC0KFi-FWkos@9Xp7MjHB?d@@-T$)LBLSaC3XY(?r#Em]9H_b(o:WD*,Wd)V4W%u`
+%9YA*aao35C9$s!!&CF$PJ?,(K]$ULW\QIq=MCH<$1f+fV;HQJ+Fk+EpVGO)==-WcmANMFE%\PQeo;,Whc!A0&7uSJ*?;2#il;Ck$
+%ne>*,EiX7W&:T[Ia]9r\Tf@aT<;61[`\H<UC#Q]Y:EgNf@D]@ZQijI0^EJ(]/TG.;-!rN,Ke_6CN'cGY8=6ZH;dZ@M/qYn4iArj<
+%'p,PnEKfDiN;\30\s?/JYADM>'8DK)MEroa4B7KKkn63SYYu>XW46`Afe#>.cuJc*q%Gj^e.+biG)EcGC8_AB60a7T6J81Z6ie`5
+%cu$>S/.ira(aSe^$TGkJk]kMdAC_&ZbknD^S4U*G3ksZ&OD<\uLjQp]5_]?AK;EpLl0Z"[Eki3pF[=Fs?^WBfVta@OiQ(9-L/%T(
+%^Nt#iIrm.L\3X&EmEHBj-5?-0="oAF_U(Ou-/il0j,KI"<SX9cJq/'Q9Gr$*ALTL0clT@rL@RH`FhFpk`0s!e]8H`-&.D_(n],RJ
+%F`(@S:-N$FPoB"6/MYIWW5CJs%%2h0[Pb42mJMegCcd,a$JuDBj_5h2d3!kO*)*ge5DT0`XkeMVkg'lObF3()LEbqNe^++:P&GB3
+%[Pfl+a_m@tR[+Q!?buuUep7s!<K^Z/b.F*jTG07ZA5l.C;OMQpW^".I;RG'r,*M4^;2C>g/-RC4S&Q8TksRAK+b\Cg8Icq,"6LB2
+%nkY&Q,jLE:q'.03Jse%VgJiT0eV]!W`=!d5Nu6Y3@aIPrW:!b'`aQ\@EJ6S!FWUcQrNm$:_6/H6('N')n%`+_e-(]SUf.Yj_T%>E
+%U)=n,ODRTX/QIB(3$#cVnq=!5o#bg<d>PK\'$:M*p'bb6U?2a_We`-U%uqhfKbT+1M"s5Hk?[&"&$]KDcI3G%7+e;sfV'f%ZLrZY
+%Q+0JUpiM'/cUMQMlWI]uLfMA@&:$I$AI5UgC0OU.JmLmO.CqD_#qtJNUbR^%cF6l":b^?FaD)@!(*>:.P87\l@iC;jQ"u#[/?1t9
+%jK,CM!;VbJ"hG$JAeE(Vi2TT]KfT:n."VEknl"XaZ'6meFafE@+lH8n1h8s>F?&UN=>HJWJ^@E.23*8Cg&eYkKJRVT,p]^^B\Pt.
+%38o*L/_JVf"lu)pU#W]7V)r5>2,:mbNYFgWp]Nj<<qXa[riP+62`LeVlSO^M@1B3;ATjX>;-nPkHKO;W$.0*WF1Ps,K3k9S1o\Xt
+%2g$/XHj[lg*n#YM^oe3O6q@C`^AX8@[pG@HMe@`W;@d7]5RD7"dFW<$82EXu"G%3:Uci=i":OFRm#0X&CD%hS>Br%><,V+RU-sK[
+%cZA/N,&%8VZFLGdD+1+*iiNe]Se`p9.;kX/ZH5.WeJUgF"h7H)Z$hMDQjjKNr@E'(b"iSP,0nYOf-V*2CtTI5D^3Fs'Y(2%6+>EV
+%r$9<L"D\;!\&C)S(l:6s'@"2@Y`:?49L:a2,0tu<l0ZA:5\E1rEL9T<"+c$KTYe]ZBYiO+%)HPA;7q`WTi%G'kl6=r5c7`A8ZF!G
+%V7s&6oFN'TqqO)8olUr0f\X`*E_r`6L0Qa`.d,7X[-fQ<#I^rc>6u5s0sYQkrf1Cu&::=>5S_81dDoM2;&Vlp`$lP&$`V4$]snCk
+%b-GGWJHaOGZ!.8M1Uj__`l$gKC1I.PY`'8Ao%>'p1PIWQRJ!YQa2A;`g>Q^Z2F@KoXcm6MPFBus0,*@RiG1F1Uf"L:0A(m?cnuB\
+%J^^+b8$83R:#2I:/?(]rK*JE$2Q$V7guRZMb>.'`".$$*JaY-Xpm.,'oJT9N/g[^KaGmMPo`BRd"<=jVj7.pfhJU<=N>F2=SV$a/
+%3&o7[f@PE@U-Dfkp$_nO5Q:&RJ,HpNs6tO<di\VKDuRperq*'V78cK($0F&?l+a>m.Thi"9&/n5eFq]ZWF*$ciadRh]G+'<o5655
+%iSWtR_0_B^0bL:6>*>NX%@5tn4$NA9TDtrs)C`*OiR#?qg*#Dh#rYK,^#!O^Dgm/uDJ8o#HlA4rA)i\6WueD6BqS$C3q!GqU*^q&
+%Hl$`8_MrrH/\_)WmG2Xj0_Ck$#g)'hll-HhVn00l6LW[2M)=Pc^af\)Gd#A!rVZA,f)m;@S]<^oL@*l3U/1POL_H=HZeMA'Q3Mnf
+%[k5>kq47E=*e8Qu8Ni^O8K%XQBD<BL0#G)%gJ$cn8DUT*HVO%TcgTZV4FuZ5IZ]3bM\9dFlqZ<F`fBPWokm^=%,pksnV^p-8MnIb
+%4g`VF=QF9XU_8m[1rVC<^N6lFoPBMWkL-KIh:bo@maG/Uo1i53oCG%fqd&5+rRrTnr2Qkh\=.9-BWHOua2!"\GFIN\TAR367j_<F
+%L,:E?9NW<P&9("+@2[s>Msl+DkC+LU@>`_Q4*dS8XG\tJo#856S;3gDn$L&X5JM9SlPY/Uk.:Hs*^c=SBcB"C9,cf6gWF(JYP3rf
+%-ou_.O8jC2KG[$X1?s#=C\'JL^U_rdHFiD`?+9cU[FB?T"BGs'`-ZA"HD'GJIDj^pK7G@9C&W$P$\B<7YV9O,DnXW^Dgm.VYMYma
+%e>4MDk[R_HLYH[IHT/A7k52j#q!R<hme;jOLAX*o=kYjh:lZJJ!qYNqpmnkgmcSf^pYIsVLf2?mGkKh)X^4@r/<'@A>Ip6XbPf^Y
+%hF+27ZMkV#1h,'cGc[8+5nr7H(4Y`CgH0hZA)V(Y0$(fkVqk24FV?_U$qn@af&M%Ime"+\"n*Z,`1?%VB+Re&^lEP"%cf%qC\(Ul
+%^V/Al-5?@cP.H;-1S&n/gAktn;;P0bh\P,Jr6G7)[%qNO$0bPZ/'r-E?LIs!"0_H*>C?2:488Wni_A:QbZNgY^M'AHj7,H,"obAF
+%^A%GoHc>H'oW[qBs89A+nAi:jS8nH;k!6sbd:Fu.fcAR05klQ'o+!gbGPu]#M]6GsGl>29f(f7-GOB_sLjZT+`MXk2B0ZF^T:"tk
+%m.V,8RDI-*\nIHur"dGQT\#U]_j3XEmSiCeg[Un#r'\3=9L<kd%_IKpnM*L<2&OQ1'&$@pBb$8+D[Fe?l!iOY]"jUH%ffPnlB5f7
+%!;_4;]b%mK\>SX,6!TpOR*m$g?Y4b&+a.FJGlceO8CJ(`eEA;CP]D[/&H3HmfsSK3PFeTr\XiBmK3"D&2JFL>[aY&^KM`3*P2spZ
+%EG`RR/gQ#E<\8/G5+O(q+UC[t_MlUYcK$_oM\Hk3%/$gb9\UZ%SJGehq*"S%KSAo%N"^irYU(JeU^fU_\<ek_:l^&=_R#E4ZgkdU
+%[pbG]!"P>NJeL6q2;AtrJ"mdr)g7\B5Upgt96*0h@17-fJM%!I60eGlC76l#%-U.sB(^tJ5o,qpN/2%/9F8>?KF8W*Jqs\/*_;`h
+%D]Y]7\3&aY9/ibXD^).\J?Q!f]UER"FCPp?*7^d,$,OSdK_n8gPhM,";LlJk0uH#A\If6]9ak1KFfm0\MKC_S'>^?=<ip,AXEG`f
+%*_dnTD`JE$o'f3gVISJ?K2lfD\!;RIf@jKdZH0=H[Q"Pc!n)f[)DdmqoDj^rBt1s?]USs)9CU0"1SbR7K\cJ9SNBE"E+A#s8l<FF
+%YB",W,2(l%0tjirI#.EuGLA8Q,6X+Tg-L4YlI%IDdfA_:YSK7GI#fo4PLRX;9Xp%p&_sR6-@!>E)5_Jnj(-G3/i"]"ZY6)0:dB4D
+%<!=rs/&GJ-X]p6"j[Im"F5%iOdBASV^p[]5iAcA7\sRF:VD"/qHn8r]Ad*%oddicP5Z87AFnURaA*tmF,AmYe41QmUc:j!"P*GI3
+%G-1/?o,u0bmA89%9aN96cQp,@_"oJ@:?Wkr3"[_bmES[!TqnFM/VM/A%[i0XTQq'SB].<4apE*)m&Mo=&)'@YQ/@CmEI]E\4=M'2
+%/PXbMWjK/i#ucudK_2\Z-?1E/a>`,46_JSAWiEQ3)PnB.oB`Gs$>ph[JRIA%"R#$R4#EjmU'lnMXGBngdZu'XJm/:45aL:0Q`\Q=
+%1@_]LH:ch%C>#a9?_3+8,bp*9r"A:<O%jXd*jGp[*Z*=I[U_I@5(mLBK5DPuYt5[^]f.[T,iG&caC-(q&N\;m&2$Y/M`<Y`O@.f-
+%,ul4+g#0[-+Z;^n#eKJT\9V:I)$(sPeru`U%53mlY(Us0q%%MT&5(pM"&WC%?m<$4n-c6/G)GJt*^iY!)sgZ=ORYahR4>#?4<$NI
+%>qGk-RF7\gXSZ*;$>*A@r#(jQ]^JLCgl<\(pN8T^]3=J_7o[=gD6Dr_hjD_?H1q/qV49$[><+mMjdF<L/5N<,+!N#!@@`0gmpR<K
+%Q)mh%eAJ,/(XRDcfJ<uZ?1;hJ?#TTfKCZ+?rS0],]-\TaoFR3*?u1fTU@\TZUt7d&]!rrDk]4EjIS_lmkC""8f)#'VR1r?\)TA,4
+%Z%Adg1e8)8#RHDVJ-JRMTT?meJufG^%\)aLO_6\5Hr]+68\SJAM$gu_&ui-(a"sS>UbbYs2]t;;r=):HoKAIZKq'WViX[9G/0FX<
+%Y!X>g"6-D]7Lq9b=`Q4T<(Y1qcKQjLd)QVTUs3+8RDQA5GHF,<rrWuX*o5]3P\q$6SS7:26V<;*p+a)BE?PSE1bsoM^e.=cirBl_
+%]r`Z]rrPtlFcV<S;<l#&#c+;:``e*sFc\1@ckK$V8f`[NWte.RAYkc^W6_5V8!dMTQu[-1pG%YaKGi)(W2eYr0Z=qbH#J"3^WLEU
+%9I&16MnTEgNRGXggi7H"Lk00h4#mSb.IoG1Dil.p(+fO(_!-H7*'gfkftiF=amS\HN!5;@d-)J]h-6WLc'.H#e"5Wm%(T`W3[Cuc
+%jFO$r+Og`q[+,WWR7f\dHDUtV"c)(l3=k3a:H)8!R=iXEIA^g?mR@XP@U(\AqQC&9eJDV;?KKn^VRJbQRC#Ocg,N?BmK=Xg)@I&F
+%2[9UIY>%]P%q!i-NO1Q=Yb#\mHUSi<E/gZA_Z1[IKs>R-Ld[@aOJHa@\qYPSd>VTf7Z(uBT[Sl%52njEIr0gV^D\e"k7^A'-A[Vr
+%%TURS,gK>N*)B9E!?trJC2t17-G6u[Cclq'kpe"FEAZ[7])7R^au.:s\)q-J/;?Q;!km@(*Y%Q!OdH.rVuTf!F?pHXfpDR;hH'cW
+%/V"M(.g`CEgBYT!/<rd,/UO7R,r8727[:]*UK(PM^nTg'C\MpF&UKqn2U_7-bP$MC[HAtQnU,Yi:_#)Yc.GshV%?fRa7\Sc&6TWU
+%2akKEASrYj"L1h(/-GO49Nmp.g]]#6]!4mr>pYo`%3AJI`ePW*SsnX]3Pu0BlL,G:Ap*.3fME45or02t3PGS@FgDD4!<uEDE<C>q
+%ZiubPCi(I<H8\-SPhRP!'Y5i7ADs$_H84R$^cj1.o$CubmK"E'p]q7jZq6o8aN+E;%:<aoeUS0%_(fn1c7CiW1o-U9eM%2*+d]Ot
+%m/RHG!*,kmb"R)4KPad@\sCKKeDoakU^ER##s:sJg1+o8(Ej^jAP.@p2J2W#CqH_Wq;+6qJb9MN1*3J]R7proG_!p41Vtbc-,hf3
+%b3-PpW*6j%cr.b51BlsQ\?i_E_g6YGRl+!9Pb9&"ese'8!2pX"XA-\:T@pO>R(-PQbK,i7rmeaf4gRfgMFf:9dX-%`.$NCV:K7b!
+%I2_tc'R$e'mS4NJa%@Y_883'bKu2?3eabPT7/r6Q;FPPZbhHX]JO'dMkYON>pO)?cI18pC$NCYQRM^t+npLP?-L_<)a^>3>[_.uL
+%Rr6Z[[IMJ")%W,+/m9r40RNnodj.r/F5lhkK,j4<MHd*i^ors^l3,bVGd;_=Dg0r%ggekgSJ#Dh[N$:ARVVl=E6q09#__"VBg_3m
+%ft_`I#-rp4o[j8_BSm)rO3Q&5hG5J^Nj2D2$p1\1V,gH;hb=8nf_mLrYS<>r'nJGX.$@fIS&o/YnEG]tK)/WO=(*=);L(#/BZ&mp
+%O+#BMhto0i-$IBXlfc3@LN+HSJl?13#-p@ooEi\ha!7BcPbqh_Qj$=*H/'/m=?BB6QpSL4=S'_5YT=>M)kPVq;oV@#1m+*AV!$PE
+%TeLWL?qm?a@Zg#A;FZW]TSeH9P[-<fc"[r@[;K-JRfrl&S"sg!GS.''e5;GTrc#Gn-7=]P.NGajl/@K&XC1Ye?B:YDDA('2IGXFK
+%`@RP<Tdrhp9TaDZg*FUm4'-O>Vm@6l5uoop6:88.-lrF2CTN8L+jlQF#'rp/Q@:3omQEniY6s(k.;Ko.EE2:lSu;A@E+:k\O8Y$%
+%+hu_W@mjdmJ<G,]7De,AYqFo%X[:8q'@ii`2/U:+ZmJ\q3AncB-pU+</qp`d\eqa?K2N#N/a67hQ4/'UQGB4US95-/#5G!O"!qd\
+%@4_OPUNDIu=,<#6TWs>s,O,a"+-'R@rXdc`q7EGSPGT,ujok]:<D"f=Ka3#iU@UXlm2l2J*J>s^#9J0$8P75E%$I:i^P1L@<$8;i
+%Ml[P-iYac\&+9V8!d=9X$O%Yn3NOTG)aIXJ=TrqdZ+fh[]?$-/p>!2QbOauQ+h0j\/N2@Pl;Q"1+H+<9oIR:Y,S!!YCM`-3^S\&%
+%;=Zp6l-QHZot<F+[Aruc9ghb.]dpp;17roVP72%pb[Q`7]Sg/YOsT=,f]omu"[=ZfK_pFi42Q3p0&]W7QK!=k7GB+4^KjP55h(rk
+%^KqZG$e='9*F*]R,F-Es$N9E?kA=^Q8Oc9!qp68gQD%At7:s]P/D*YT?dOQXXr]ijI)r[9]&Fu(J]t3o`ngo)hhq%Sg.nn\Fq6=b
+%J7pirNXKK3XW5M6&`n)VF%2#CHsJ7S+QPiGAh./9_(!r7p)[tA+N.+=/OGYuH#s^A#HLW1<5g96Q4`RA-3]P\R0:fHb>,[^d!LG#
+%c9nmN/;or3)(Qo&j]##S3]g%0nYClHSeG+D0:]T9FhF+V3b.Md00eK=/L!fYE86og+tX9;BcI[q6kjEROX$BpFjX'UjNOcM#1X7B
+%]7<.$dZ&"Gb+&[PnH"#*ZELdLYZ\%3;9[H+or[iU4K*ftf`B`1P2`d@ieUPtpbd%,`*neHgQOkrE,9YZ7Q(]E2qTtojDCoDlU@4(
+%(?@;Do:h8;U2ukqYo7bfKo-QY4KBu0:9=.\:&(l9FQsu_J6\[IP2RBF+snm=HC#oL1E6@Ep619iO(?d472ho[5o%A:GDZ=TU:`NY
+%#_Ien"mFZcOf3eCKu-"(L_e$9S=ea.+:Tcb@AYDKkhQ%rl%qqq^WB4r*DSkoSGFZga?,Ne=k06W3b\-mS)be!H>"'+ZTDrgiBtRm
+%d_t7_oO5VeAc@X:W<_B!KY6i^9JnklRb2#cBSqd7T,T.dm._R`.a;iRjec"98[Qe)5*=E,<b2j[.!'END=R2(7R(kc66IZOXH?o0
+%)?;I8\`Gn4[TN3n4*A-)X>nZ`4K9rNqPb-Y[E;DUIB82SHEA9V`:,$L&F,cBrKtS2=:oY-Qe)sFh+;Pu&t+`K-o;GP=<S$*`)i`R
+%&Ca(m))5F,5b&9g^8W>aQTTJl"Q.fR.QSA<Xc/'h_0oeT'uJY)8U-[E#$&>\IhYh)UoVF5GH::0E.U-ErbO1C$/&'+@ndBEK,d(G
+%rYs18*R&X"LBAiJVTpcIf>"kY'nMa.d[FPi(<[6R?=%j]!\-VuMsGh:I$Mc:N7ef"2!*YXmfWZ\+ikPfB@s?uesrVA^G^bHiF?G5
+%%0\>]`YL'c-&]^KmBWf@e#lZfE?F#&>6/4V^6J#qK4LiN-VG=5_\_NFJL>7^86<f07Wsfkird2"?FW"X\W'>FqTI%P8$IZ0Ll1If
+%r@6*$_K&S4Nne):g"_RP"MANKKdqrnZKoEaa#XRfVnh3M=gb-2C2h9V7CF((4M%gk>;9c?d`Ic'UpgDZVNA6P$ilX_o,4L1/h`!e
+%<O_2<@qX;o3B_Xjba]Be@9=*(:?5nmU[T:T0:7';dFU7&lZIU6*qmkE*Cu-To;Y'NN2/.S'qf-r"A9+1k,^eg&_`E,lIqDq\>B#J
+%a7MR7!U.3J!HE'C"LXZ=>HQ`M7iX.gO5Y!RG3"pD47\ab(8S-k6';k<!!>2Io+G?sp1FuCVe1OiE@r1t6Gr<:*j<dE_#4S^ODd$/
+%kCl@2fJj_,8(=e3<12]E?jl2'ZJ>C6i$ih2Ge#611Q$bd#.Z6LJ8bsPIqRr%&QHkN_Je&%6?&bX$-SNki7h1?j:.WG@8+7H>@ftM
+%8N3/2:\K`m2A^XT?$X$6?8CjEE]O")%Zq1K^2>Ve:(g`Pm0Z`)*+r>\3$$1OC^Yc$'Ll>7p'$0mL-3`;f/QPrR1:j>/3mcC_QgJq
+%KNo/u%VB1bD-Ag?UOKeL`3JlU6U6]OX?/A:?:J(9n&LepC/X^e('!jpI97[&K+odeOi\3/O$&U-Iainqkl>;B<R;,-&9**A7=(V@
+%qCn?ae&]ZdQYn.g^kYYsV!-b,TcpI1m^];]9ncmEiAoliaE/U-7"68/@u5u8iY8`<HCG157(eB(jee<>PqIbf3f\Hk<LBO!+[.q>
+%QB42$%!G#i_&ZC-i%hVL!@]6]B.1#:&Qp/D9pQKd1>69(^I21,L0ogg\8c(6FbZ%G5S7:V+/@n@^rmQc9bL:*Th%_Tq"3#=0Ok*1
+%9D_D<,C&k&.b?XmSm4=+bnr75dd&q:1FCOO4XdY74F5r0(g8@T,8+\0?cV+hOCl!UH/D@%)et+LH>Wc:1Y+*u6`oICc*Aa#gOYh_
+%em;2g$Sk3"rnu%gZS+<=B29EB5b-4O<^2BroHlj0!BJV2hRrS=V,S,aSnA`K8jF&\#mEt6J&cqghFZG_Gree+C\DO%!Rid6AHehJ
+%2UIeYeB]7O*_i1Uc8<C6'sj9tBuC0tT1SYlBfrl&&?<mB*J'SD-_qLK#;rGb]KLZS871]Fp-m1@U$Ot7,.;#i6Cc!q>:sKf7(d[n
+%8,,ih('4Y@8dj$MP%2^?X;1hjd]ZJ!i#qi-F9hNKoj=K;M>@<!"D2J#rZHb]7UBU(8:MCS+bon<'8$#)62VHD:(Q9$kktJFV[N"7
+%BBofjLMSEbb^oI<>M82/CWZ2u9&4R<+U$B"Bg;dc2mdiPTO60b_)$2kr%Or+_<<*3=sQ`rb`@ucj!fASl#r,S+R;]5S-YGq=!aDN
+%$"aT/T@[Jm7j7'qlTb?c5Q9Krr8g`E&$Sf&iT"qO`PDOZ.A5biFoV*[WiLQZUMD!SNcW:S?[g(4(B!/R9t)e4X);'J5tqfek5OWF
+%oABO3U-IT6JYAi2rdtenjDuD%rKAdqqZsUSqdJ"npU6(k2E+&u*^>8YI:<pPgR(6GSOHdRi_m8)Fn8ki7.8RK]]V$^ndckpJ%j\8
+%Cg#*ClhDE9hsQie2YDH8j*-(KN9f1u&qN[Fd5LsZG.e+^oUou7mJ>XN?`f`%bI)-5G-1qsb\cN%5jQGep$:FKpN:p#*6S&h:&"[^
+%.3?fT4`<L@]:O6A\pA/HlLuE`Fe9*:ajoO&8'L)eEDo(&CNUS#NDI9:GFc!%I=gC/a6\c(M#6#_L;/)I+&HQfY3Tu;g!n*hpA&I@
+%^\r6WWMJ9O-B"t*1j*bfplcbA!]Jp(B9XYiH*lQ"a'6.pC&6kWq7LiG4OUg/YHGJH$]`JfqfF>;H3j/#j7_<oB=i:<:5Sn.qln##
+%Y1p2U^$(5Wjq-"8ge<4MjQ=_Z7iF$m?B=pUS*?tj>h9R3Upb;"rTsE`S*@ulGTDTMB>(139g>5Ege>JrR1@-deQ\N0/'n:R9V:?k
+%Iu``:Y^bG%5J*!FA,F7sq`HcU9q-RNXPQW89XESLHG;3+q<iD$eYYfb[a/"o^.eRIb<Do9.^;'g=@ZXNg&OGM0m#BC6^X1?/buu*
+%M5DME6CE%N&sM'DAVG+eD8UD`8_cd2D<:"CEKdl0qf+8WjS=24pptlhbC8TJ7#.BP:2;dE9KY)!&9eOSJ`\mq[pSO:gO<m9n(hO7
+%j"8:L=8grPDf6"hPY,c6FWGuQPIiqZD#AClSj,(]DXB:g$u#AsI=5a55QCALV=6TH&X(&o:i-]<:iY*)S&<dBI%A$!2]Hc>eMDTt
+%k&@_NRn/"nZu'loGAaiL>\uc6IlFptlgBCjr6487_V*7?DpKEl]5GsC:>>_1[LM6q*nB(qh9YOEm_A)V,(t(8NTFT]:HNTj5*%lf
+%G+P0a,^ZLUZcTlUFJl>2N9i9TRpIuQHO0WO$(26+Y@c8h`Y-dQXDZ]i6p3l-FqJ\4p3^nYqWr;NP`t\19L<`0$62AV5EToBKH<.]
+%_2&:UA`NBc>5B`dn=gAgL7l7qk)fPA/X$l=^$5pA]0dM<VU<tsVOAeXLi$o0j'G.^p=^J#Sgi/mKa0h!KfTjN8Kh^?,*gpOF!q[$
+%BLCD]EGl!BK'oR^Wu>$7qkX55`c'EXD!aVs&ZuF8>[P-+;N9:]@ou"32@Djp[Wmh/b[`XMg*\O/LaBoT6'r+d"[Mpg?1TjKlV#tp
+%We^D@a&\9WF.)A>`4AbSbM;6Q1r3G>eFGE9W[LF[D/G*qZ<;Po@tK&9*+7-cZt7kGGV-JjH;P[a]R:R9=q7NiVZ2j(Dhe:mW]f)L
+%7i2^h]BNtr6iSTiIV@r-'LZgW8k8pkPN2UQ#d9qO=>]`t@7ARD['u&OJ_6f<9Q*:*Mq^d%SlMYHk5ed'cHBTTA(nF^Dj,F)9almf
+%YQLgdJu%YA9Hdt%:nM8(A68*oE!?prf8XhK>sfa62FUG&:;Z4Vr#F`3FI4VG9hat&YT$[(#Z2E3A-`*M4)"UgZQ8PJMVeH%'0lT1
+%WO8iQ6QhYa+o"5rG'putAVM=[[H*?p:iQpgBda4X3WpXHKh`W))0;boW(E@,li<_[3)d%H6q8DG"1*NP_<Z&HB(5L.O))RJ*%QLI
+%4^sOe.oHZsM;CddPpfl"F:;^NS"jhH=$\D<`U,/l==-tOC8)]"`QuOaA&];7B6",Je!a!7>;9P?+4ADmq+82Xi7:>t*uR%a<FU_\
+%;nc!_9FbD1'G$.@kXk&o+g[kEl/(%=l_?tAdVj$?U.sGVlQp&YDN0BiTVND^5c'qnUE"N21mYp2mg_ISPnZQ//dg,G,_t(\aFVUM
+%Rkp)>dq!i.>[;[3^ap!pkgF*g)U<-^],^(L-r`:@'m))/9C`q;dN$QEP0rs:pAj^`-;ca_PB"@fOs4hC7d"eR3L`TqH^<T0[B[:p
+%nZB=^QREk\@L9JO0Lj77lR!?2,NpfiABANgS#\qkLZ2XP-g7U2%ne6MH>q[i"0--KosbIKUhAIJnA:+:C<d_7#(@g]gG0&TN&F-L
+%1fR@M`nap=])4'446l</&c^k3gI6S2KbS-<htLt+9NH:gOG(Rrp.6GaX></EDiQ-;M<Hl6>JsjT;%khY3l%@O\hd%)%SZi7__1"A
+%,t[]Ver##.">isu!UmiN>uUtAh1cGDk?3kfT#`h.WQk0pK?I_U,bsG%>Mm7TYlR(8ZuMc_l:$gE66(o+kdq!r5M:<M5otYHRj9AO
+%Z'=WK%.Os6ce7WI!C/Js5RS!"!LNsqI%J^QB!JNWeu\BSD/f)$b6\;D9;-K3%6$4M"nO+#>D\N8#=)=u@AK(u;iJR(]hW5>M!G5o
+%,nN-<b,mc&fuss.5X@A>Xbe0iK/&4='.6goDEj3N0oK]5H9i(:n#%1XS-s!\Mt@h>g6Xd[TW<Xsf;BJ&4luj2a_2VkG1_Q@!V6Vr
+%0iE$#r9r"s,O,Q42,Fc*5Fdt+TH4I%JMn<@/h(rl)Y+);#F#XIAN"%Z=];'#bQPu<,9GBM'QIPn;a^%2ipk\Hc>pL0"6D+g^:"&$
+%-@pb;@/"hFP=Q^YK]9Kd(^qLYE;HN!lRi;$GK^DQGT'#\L)@nW,q'JdJH?TNV$Z`bLCHlL_CcBN!(<^k%TRa9GT+kgmLV`=f%6+D
+%8D86o_:&IT!hakq*\pW]aR(2HEXl5cb?#WIlT>%B<S,I.T<;UfIQ+)Sr(Q:0kV(Rh<!bTrEQgO_A[0<`1:5KV<j!_p9mQ!a:&mT]
+%Os]"lYIGtN[7%!_AY*XMfWGkc%A8CpD]:@<Ebu^g#k-5snU^NKDLiE8307)k_\(FE:=p()R$WLR1[ZE^,$?2(bd=SYFtmHEWgpJ/
+%c*BOp3A^MgeRFDhfTlSP1oB2sTb'\M"f0P4GT-,p\rlU.hTJ$o;*<QE0JS/$4n54ja?]lu>.`6r\EuG"LaE"$qsL7;*ic#J3k^[W
+%JMeLf]ZC"eQg\&#0GiX=aB#RMdi5,Fc:S9["(s<JDGr<;'KtP+Fg5N):Y^&?C^Zco&>$_]j+XaL!:E8=n.Ni]I'tc6,!"@*MUuQ<
+%$3Ukk(e!f;@gibcF&101OC_t98FD;nB2s<!jc;0@hT_gTd0Hf^)-cCoU7e27K0)4P.=bL1g<prk.o86NKBtm""8lR4@OU7+A/NRh
+%@2BC&_W)&,6a1G?^UcFu@0:2C)GepA@"glBU&421cX!_UUPc@%eopqqF?HU6%,hfpF9/n,<tV8fMQ2]q]E3GrBrGK&ecXoQ3CY\O
+%h32pt_@+7fH@B!/o$`I]]PFlO'<hj(5%FeDjF6L=3.8ZKa3SjQS>;q#PPXda5-2X!gBM]I.M6ANC>iT!+<].%./kr@]"K0g5B%=S
+%W^5mSV4o?+5p`AYdr=/eNuuC-YuRG5&GX(fAlL&gMp_6$Ha/5(DJ]MAke!s'0mB'2,1Q93%ZdGMQRf;^hlmT("@]ErQpQ';E<aV9
+%>QIY+M^buD7i19YDEC-Fcn>iVpDfDoh%d4Si?Ue*PflJ*?'iiZkBDb0e90A]pr)dRk!"%dNHO+<*q\%\f'>JVq]7,pdoP;N<YKL\
+%C##$"ZVQ!1DLL5e?+GraQOK17?=TrhlIU5q5&FrfC-Q3WnfjT,qVC`oeQsI.Zc]gRcSmN3GdY9sjqZ1nS?dDqgKPTZR-d&EF.)EE
+%a)(JhZ^jnJ).pM;1#)\fftPRJ@$Q/\D"emT]pnS([f)3=hVusBZQ8M%m=*)lpH*!AhjA8-RXS\Rl]'S`Rjm*.T;H[ggV,6MQeAN#
+%Am9362U<6%GKb6D1#(G>\=)`/A%$T&]Zdh!A%)8og"u)\,KoIr]iDaklbM6hBb-gj"!,]g%/ofG=CCW(Z6RA3l!/G?ASlPVAf#G-
+%_@:M"Ba5!fL2e5%,[/,pj*.E\"j!U3[c[&8C_XDb?[(k2qjHp1m1JZt/`.QrQ8DT.i;<34B:d^1MB!1WGMfQES>PE&FkM1h>F)ON
+%Z`hg-cf]cKG+J4f3,[U,i]U%D+alT(oCgW"ADH>P!c#>3ccP-#HKr9/e(ai@37j^FA'O:3T)tGKrk!!Fa<Q97emfU4+9Hk`?)I.&
+%Ormq[BCt?5;gd&X.Fsigd/gdAYFE#0X>bR5G[H4DG^Cs_<XojfqsDoYj16=)'5Y(Sf,m/b?`e=te!nr[`9[/ep$?lRH.X&(QJ=S8
+%rQ.s#XnK'g)"%94NQkLN?0>(<ZZdrWB)!t3HgWhb/:#uba*P/SqlFP1?`phWB(OOXbO9ee`dFr$qX<^uCHScs?)uS_L#2Y?J-5Q'
+%IJ%'W2`P8D)&[U*'>7a3]kZEYSo!tbni^_GN<8VD+t$+*)p4^<92?:'1*V?>*_B3K`+C8KX!6hf9f#/>O-kEXo>kkE9=gLCi\o$<
+%NtYB!2,pdb@,5,M"N;fo[g3d^3nL(nQ*_PD-IBEDJjU2UQ;c?KX,G"a8%])^""J)C&.qT)86[8d$*9f]OR?EIiIpk<)-A](c8TUU
+%Hm4Hff2M.\@h$Qk6t6DFWZ4G0cnifgStr0\235ZuW0f;[)u*YX"<nM#A\SfY!*DXsJM#t2W7m(7MpSpH'Wg-uZl%9OS^j0.JO336
+%isoJ8gF%!+'rIi^*_(A]WQq_*.2mD35&Qt-,Z?I0T5:ocpZ@f/j9S%]Ak=Rt#J_5V<a:R1`DV4`AJ-2ZjS9:Rbaq7HLd`CdJnXrq
+%K.[=e(ne`*A5uPiCIoDr7Of0c/W#sqb/:oOk(e$090-mV2)d$n9jdfr;9TR!?@s`g3D%>/QC)<(8;9.o<MDeLB.TNK]/"&.;HS>b
+%r6WuJ9U'Cn59h(:Y%Z",igM;F"_IgT(r2Y#&HmE-W94]'Eckmu!@V&49tDb8JYRX8']SAd;5a+.Ks?mNV`nt&O;76k#]5bho*fqh
+%gjL?0aFI5qb)RtB\AN*'C`WD-`k5DRR-@uopZo.>MHIUA8P;pi$7XLK8n\Fp(i8IMZac(Q%qCPkML9NSDBhk.\tV#Q*":1;;mjuL
+%"(b`XrQE&r[O#Bb(eqnL`mQ,Gr!MJ7JPomH3T`ELUd/ZkeZE#.3,s8-CX:nZ9m"umV/D7Ke8(0iR"D.A/q@LF7D=f>=JNDoAVG5&
+%>7YOPbti$ZWAJ8HF.2Fk1&Ld,;]NMra%2(b"\2JE%B>#9-t2Z/T((Qek?^tZ70T&G'#+JUU@C&'+':ji)D4Zh@6n(;8h,'$0R?s0
+%k\2k<RYTN#Ce4bu=U.KX:@@%_:1C:e`6VLrW0D3fmpu\@/!FX<nP*5BR)@b"S3j4O:=6"k6D-?<lEE#-74>:*R$3t6-BiM[N'e^p
+%,K5HeJ7l;gi(H\.YqQbieN?1=3%,:VQW2Fqco=G#n=FVj>WafE#q.PfSumt\H"eU#pAsbO!<T]$U_tR<5%rX*3=k1gYXES+:#_<_
+%e6+[X#4"+62]=njhebQO7S7]'J:p67knc/N-@f3)#Pc2fk,"j_DHk^q*OHeud:'fr[T4s%WDmiS9^0uLdrh@D=h5lg&#W<l;4pN"
+%K6%U>%YS><&L*MnR\6dj<8slZ5LS+\hG3JF>I\T"D&_V,\@]Y(8.t1Zn.Q"+9jU)?9BunX+k<hEHqs>C5I#+e8F'LV>DjiHi`ok+
+%9P&rq`8fa[6fSfr)7IU6Wp?+IL/:=LcfD)^PbQOmH:LkMX(7ET86!c?hpC#HGG9g;%i^?"D^G+eqeE*W)U#HFg`>`mA:@Es`8f*O
+%p_G$.U6K`,e1/$?&TNsNU]U[li*3Qsa.UYl<qe?I7,$)E"+[h6r2Z-i`3-\!.V<:$ajIqDa%"-c1>T^Y11qa<-np5"`FPV+oMFdo
+%H.3K_)"7g"\F%B48_/2@Tu`,@)r*(Zr+O!K,2#L7,oaiXPkDg'T/<3d1AQ8gbBq\^dgSs8gcSJlZ%oQF+0Np$BItR7>_?JTKRF3#
+%GmI392[t+%24k7?:NbgKG^^XCPk@E@Ad->qD#&1ocp2dj&!o0$AhV$cQC.96gVe]GXEC4/<0loChB5"7l6b;BWeI'q2QQp]0.9>q
+%[p1R>r5I,Ecj)6+l45,XVJ9]NN"\X2g"tJ4T)%J!r&W":+#1G&eaer2Z:##05!i&g9'>[QnN^1mJs.'"fqr+*W;UOeDK=@W1-WA_
+%OK1;UM]k>O!fEK.8qIs=ShpXW0D&EAW<&'sY2@BP,N1b]6VOuQAMAVS)9eI`eMV>$n2u_KYom*mn8#rFO?8AhF&RFlX`Urc?8Gf[
+%FVJRDTQG<n0cB?n6Vh#VlM-YpfNZi&a(gPbUM?F^aZM?,A74\3"Ms@e20XlkL@;t9^MS<7F+=7hZSF?ZiPX/k4MlcH@jI*tp-cTg
+%XkDO!iqS#u#>G%.4%$]JR/^H'mC3A-TnFrlk6.o_,'*(f:O;N<oQ5nP#a`CScXj`$V'amS&S@PCF-3-3n@qO^#e\FJOT$+F5l!V0
+%(2<l<Hfe-Xmf^R:ckPR"d)BIe\fI:h$&9@YR"D27*q(L;J?p!(1tHmn/;sEc*bqoQ!"Zu]hYF7X[)6q(<*O1hQH)@9PmU[E")C*0
+%V_MaD(iAcM:hW6[K;rc*@nHoV.aK9XPR!p4e6T\6:)&Kd?NSQ0B:+&^JL_l!8:.!c'HX4m6dWL*jT?FJ_Qe4mVlj]a$J4("Z$?jf
+%p0(p@_)=&6^faA(KG5k50)2T%I4W==%\!tKIllPFknRqpD]s0fi/@sZETlNr45s@=+XlTtd5tGj>R27bYYS'jjb).;XZh]"$0"N'
+%"(N2b%b-$,&Bq5749N'ob&]<)[%E%f!;>J;.NY0J"ObeLWU.1**(To4<>fn*L57u8]$Sk3-;kYlD$`Rtmg<V'<HF9A3dQkW[%\iO
+%+]<ufJ8hkKJG`.T9*VrWa#)'p#o,@W9TVdQT;ub*k[YaeJbinq,`)f_HgEco]\NcG8g5,3+LuR8nf<K%66]C#8X"8SP%7QHY?lJ`
+%=W#QFO8\:#/s.Y_%G/RUCU1G%W>#pk/r""+^/km_3@f&VNi3Yl$uffPUrR,=7@-.6?Y+Nj#hb2nX:(a7<*_0Y#<G!!,B'I>L*<a.
+%L*gX]BqJcfVE4>La%&4"*hoNfgt[QAEE^"sjONEXoY+F"XC!UI&D`=X'qT+n5B[QZ/\"m;rBo+S"?uD:d)X2%\G)D)D(^u=Dppe?
+%MGg-IT52ui5h!WW#W#l;%N4l@;sZ*>^&R?-pPGsQ=Zt*3#l>&`."p7eG$h!8F]Ra]a%s\"@;_HWhs#ObOm%0(b+KL`.qtd4!246'
+%DL?YjS79A]88t0'-KQU?VPppJ*G&e`diY:AS0G%]fr)VC/7PQ0ep#=,e9*suB%IdXTO&?,72::]pTsSt:2iY>X4N"ZmJJSjN/+kC
+%oIF%rOT,Ig(h_8FlbRW&H+L8Mib&6O@d3Vs%#.?A@9D363KS?o"BrGc3113o+7$1<HgQS]aY\s&$S_D$^$ZL6c8`W$Ge^3X_H6CY
+%nVQIPQn3:%W5:j(A,$#_CD_JGSAp@E*@c!E+UGg$aldsaU=Z_6;kdQsj.KpWVr8*4nIfEs.\&5A0#K0E8bap1^SriF)9f`-$h+pl
+%CU+*18G`P7QE$<,H&%JmU[#,-Wh\I\`eL`dLcmA?AW)Z?hNctQkiF"X@C!=*%iKo=.#i4^XrTR:mE/!'HGA(d0M%'h<Eas`VREK\
+%#`7qh7$e]OEQN<:XYk.2Bt7TnZ(P0GFNHVAoan,;iJ"B+IBp$u-GkIfE,m5;Aj,Ghm7%FpRsiK.,"&cY3;(&L'S'BA-6$KGAN71c
+%<^gG0miD5OGZhLYnZZr8)8L+0E+jP7OK?SP''GWF+uT0GK^<l,qO)UJnm?k92+`X"DM5eF@puFTc?:"#i>=Q:Z$%blk[3]#n.Dt3
+%6mO?(`l0^-E4WeT)+WSOhDnk12QYAdrm0uUO,VK*HB+p6,cmI"rjY4'eB(2hrpY<d(p6`;qdeq)o-TEA(PAW(rV3Ot2oh5QZ=;eO
+%@`\$-0_fnRpj*A9<2E+TB.bdNBkNB?(o.1;(GT,JZ6K9u!^(pTXimp5h!-fGW!tOHJn,l#j]=MY,s=V^:md4K82AG`,l&i9!&8B5
+%rhoMfr';:?]ssjQ"ij;JV0c2Go>Bm4W\*oAY%dKt`RoMrCN;.CPn7i\_UBbpfq!cm?;+o1U(!XDPHmIK)%q.QFa0UJ"@*n-BL/VV
+%ccA@qa#ifORBd`m,K)A<[mM$,GFF<V4&'#On7A5P4>n)F10CEXS3K]/!Jc%?5#ZgTo;m*F0Rfh!7gs.[:!'fkQFM)]d%sFS$D3"Y
+%@b=j30<n,qTt)j*gd[#mS5Z1@P?rWHaIN**Y=&!U#<OBXO-Se%lZ^!^j^O)E#N6(>@]R<U?SqDV!on4/]E/!>&Il?DYtYNa;H%mH
+%kI)qaPfRa__3%uQ3!G[hJQ`SE`HI+#PpC@ZmS$\:jPKN*da6`H:gjgOU4qqN8Q$OH&Sl_=)$A!HD]AY&As#1+/(UYrgU8nK_Su!`
+%%LiYX,l("o'&ehFdMA/l%"esT8EmC\2+oM4;L;%K_0Tr['G!QUYDP=,Bn3A&r1UV"ST0X6&edIm9F/BgP1Xr:X7jZ:'-U1i=:%fE
+%JIlQ]8T8hrLLjE?>LN)`=M#(Igt,-]ek*WZ9!YNTA9Vi(SV_pj=EanJW!K,-1Aq?'`]ZH:=C$iK<%*74E=/=<e-K)GCA@EGW%,T9
+%/SIsC7@tBoCck2oL&_Xh0;0bM;9N.<i3;2cQa!1T[Kd_n&$/YIng@8G;@TcJ;jC8nrV*LOPG/>Dr;D3Gh1[j.06<X>+#[M==BrI8
+%!4Xm5o\'!)r](T-,i[6;Z\m!;gssuZrM']56NP'l5Socka!5lW+..%u5uS??npmB,_0H[r9p&a]k.,euVoD=2+d@SV7\n\C$n)=P
+%J=*-33U)nm.1WgVT1kV@8HY#;/!aU1aCrCU>?Z#cl@KOt:;@>435S?o5%(?]7jc7-MpE(/$^7jTp%U#S+>(ki9O\5A;)XAo>`c:J
+%/Ns"=_.U<@0>eX%5KkR:I)E0H4DX8g(fS&(X/=?8fNC>Jg3/Zn>Bm*o[`_[iUT8ftq)sZSF!3nngKk:F[S>*_/.Tb'(Y/H@L58"S
+%@GD,"7iOX%SVk`JN3Mf7cQoAhN6`P7Ana"rfH*NHMe@tC<NVb0Z6GsFJmnHb&\,[p'Z2nb+i_H@;.Yt8!/tA`fab?^OSj](cHFaK
+%Eor-+)j7X6rsB:$<@"';U\/sqD\3DVS*u]hp0J(qG9&OU!%0JB"3V$o4;:=GYR_]L"q1=n/JHGJi-C8*Q?8':>coa+f1=eJW&u(W
+%5?#O*!^#LZ@Z\/CDHYO%UVNF)6^G=.E!X-fAThSA..&=(AXnr5B:["%KO>0q=L^fH`aXLR1KfTm]5a9DZ;^%a%22L\.n;`Ba!,<m
+%i%^Tr8X=l9hL^tU9\Pafc/hJVFoO3:BB3r#KD.lpgDWP?ER6-I)5J5@U,7!/4ChMHFsE5R=?j@E/Nb'2Yc\g1DP^T[MIL>9^L7O*
+%!Bc*mSRDdSK0dDZe$PpY_T37%Am:0*e>?JMTt6L^`^chMEEkgYT\/pn!T`%CcS/&VJjD"m:d6^eaZ_m37lVT6T)l54`.f.;aqX90
+%'<<&'UGG*O'ug)"*^[jR9"<d9)8b:g5d`?u"a[oI`3#TM-jlK%C$Sun+^_kj=$[1\[D3dA%d&;(:Z*tR7&#>iG`eo%1SK)#A8-q$
+%oscAI\[<lj_F:GCO8G`.'ATETQNYr_\i<-HI#R+FYVLju@AF-YV&N55KM[ioHV?iU*>B:qGSg`m-r*9A`j!s=-q$),$@dtN4>tN[
+%ficS*Y75Y(90ZY`=Dg"pUNsa_@Np7AO8#M\*J`G:j:MEe_$CR8I3CG48;P<ca5KQi)8-WO+Yi^nna9,3?:%m"I\<a!.&F_k$+!Br
+%`fF\CEh8lcb(osK/m=D%IMMko]i:i]SP;k6]I`n.#IdF(W[*5ZOl-I`J<,<_kL03X8:`c8qOr.D5-tXMGCOJmOGDF?,,5d)\QQ/[
+%W@=qfH7Vgl;J6?f2#&=-IS/+lJJ[qSH63<JTJoYsc$b1q'h4KE;q@!SQ<k@k=O?N0Mc)\<.3@EHoUQ,1m?4<B0Jim)F2)fh.&#NZ
+%Kn]1*Y9[*l%iG35\TDSO*CblF2be47R)9WJdKg\%@<-:)pYj?,ADr8%lCd5c_9gOs-%TX("RR?Q@1RIrG+:OX@3D[$3%,sCW4Q/@
+%bMg<Wn!,M%g@G_]:kVgc<Q%-b)Khf+jtE2$2=b/-+G"+@Z]PZqRA+L7ch.-]5D54/q-7Fbk'kaYM70Q<8l<oBKd,n(*B5U6O[$<Y
+%#:%YqNr#`GF1qC_(C&?Jc^hiW'FLtN66A"rO+U)t$s[g:\Jqsu;lCC+Rh;=2QWO&?k0%P$+FZraAc.PH?&#oZ_MHf?fd?=:-!l^]
+%#5#.04uF?:B$rG1-A20K-Y:i[:1;O1;YO>@.an/%=8S>\j!?(j4GZSKN.r&VWWcs`^K5lNc[bP<iP_M'KtIq0;n3e3!,sta5c35Z
+%(ur&d$tVeG4<SR$9Q_[RF2<#R#G1gHE34K%3%d+qC-BX?04S/+?4sHCcG/=oai;<\dGW`iO=2%K@t&^:>IQk*'.;XgDOL?#+RpE,
+%i`#*t>"It62Pt:7gc-%#-(\Z=?qY`r@4S/M5q6G:Z&bRMRC3"p^5,b8]jiBP[-)mPE$eEA,rR2!aEXB7+s)Wj>8[Z\3LlfKdMW%u
+%GTCThYHR\qV5.5D']C!!``t;pnrVi.*\-9mOh"_=1$%/NFkr\#e'.#,=n#PRd3R_1XW0?[U%f^NI-eS/8:u[ZW^pM%=5HnF$6oma
+%9-a[=#dXgXR"ZkrE-VXFEE<S>hW7s7g:bh!8tT_#AhloVMMV9M/6N>7i,`F<Bs3ad*'=)VD38SFgp_b1+=)O!6+RM:&`*D])ai<s
+%%m_+1@P&uGm0jDukh\JEH\$IHPpSbi"Z#ck0Tc?N)dJ^h7O5<qm0tV+Lh<@PPC,!Gakf(a)P_?A8=pBh%m$)r9D2(V+`X=s*esIF
+%Oeg_uZ/Ur+%&D'SD,$&\;jY.`U2jfbSirFhC\5m!#D<P/Ac,AR>FLNe`jW(Y!dHe;"4>['nn4$f.1%Brom$iOk^F2J^g'rk[@eU=
+%?k0C@\7uQ^T&jSJ?%m^jV4o4W$X@(g;j2jA3VU85P.eI"2-q1\rTU=*6LT!ELoD/GS&@-PVer'Al7'/LJct7;c:-[NHTus9)dAl_
+%*JT7Qd0,OW5d^oIW>tmQD'Z`#TXXfe0q"*[$D^RdBZOc*co(DQ"4o<^<KFuV>>UYhh.#N)Y+G5Ll^fhAO9K/b.FH?!0fkJ"JKb8f
+%HhS>Q2"'1ljWDbl*GRq.$bMl>4"N0or0[V-pYuh#hH*[7S2S8aUp'alY,T0TL.(,'cdYnCVO16MWu5bLF?YV>,$KM%JfPl"fGf)=
+%eO?/kp#lo^B]f/X1.Rsd\r)+`mMpg+bu>B@Ye$'"WSVq/Q"T2MZG8B2CmetA?CBl?:(!5as/\(7!pm*r&Gm@<>9t_E0;_\Q`SQ"t
+%Ad(D#`(e(L%YI/m1JhA70JZeh$Qk!U<X?*5EAs(d/$Bmpj,gD*.BZqH?r/Q%aj-mIL7dcT$75ZVD2O=N6)d,eBp'YPqnbS6k--'s
+%MM]^OWI.WfeG$"uJl]Rm=Z9>F3N)bn>:(Pa>Le'cCG8mn(!lt2#1FQTSUl/I6p+Nk'VfIo3t2li":XT7Vs99s$`MgdPf#V[+=l]R
+%P@V\.?Kj(0[h4-5*Gq)p'mNK^oN\$.pVU>+EceuZQ!SK@i_aSIMT3r]j"QM]l4hkNEZ?f?.!T-A0O8*=fL<7N@&$`OFp][d)'PLn
+%Q,=;nNa,=?n2u60V>sG43BKD@kE["\JIn9i"L0.=1o]I^3<$OU!mS9FV,1>l2'?86%'inl-[DrKW<Ung)*#+)?uG,*1c&,U'lSkX
+%APahZ&q0YQktLWQgpHGMmtPP\bRN^G.Tf<iW?Mt]BKTffCVd7>_O%4X..mqQ1ad@+2oj-Y.M=#_^>ON;"9-3Eo5Z[m4Y7QZf6.bg
+%ZEt67Pj/m)""kJ:mAE!7"_gEY3Ng>I;na"\TtL`r1/I_BoFXfd_`I3S;rF*\o-!f]2h;LQo94eh_lkR_F&<YHdE,#s;sfl[AJhBd
+%.!mRMTkse2TnJ5((*+cDZ&l!A:7G\fJ/.4B'Lu)*(C&Y_!)!h,:L)I"dA;e.PB;2.hnT@+O<COd_q`TN.jk6r$ltlbRUbKBMeTK3
+%@fjk\_ZX'mS=F5*lC6CFrFk+s)3!!]CW/!LCHDh8c2Xe\qKL3#Tb%^A)+1Xs^n#'j>l+Q#-M'?Ie9!Bb3tYr=3Uo,(2T9a8WGe39
+%c4HpbU:n`>7Q+6J$Fm?iEto8K<CTiNlF0V%]p00OTCcL$SRafl2@B:0YeMq^l%ngj#d^PLpdgN<'6*:X!@2o`&.ZV[Mm++i/A/+N
+%mho*HAi7"C&^6X`)Mg@+EcQ\/iA4mXk&!1mE,FeiB46@/ZS0fj&T.^KkA2>%@+%j(a"V2D`Ci-\[AqZk7&j\6H<.'7N#/BA1:bSU
+%ikW!5Mlmjt&Rg)]EF)p3K]X\<hl!qd0>c%@T*'OH$mk$nb4@?pM]IG(>i2jtl9rBh7oM:'Xb/bH\hqQ0`#b(!$Z-o;4QdnV&ljgI
+%m$M5DWQZJ9@HS<+B=JO?U.%M@1?@\=[\X;I>IAV#kd(A)#ip$%Z\_+&>0fTA<.6^TX;"b8^s`E\!F-,p`p\P-N8rRl(Vaj515&C8
+%NN0r^C0Zl7*%H>K1`e''1!`]j;A;]F(I:7rLT.kJ)E%:DKg77,UR8<P]'bT0+/k8F)"gmu"(U37OUkV7e7%oSQ,-`+C_5I=]PiNF
+%j1J&+EXQM\UFS's]2FF/Ma$ir,,@D60=&]C^:8fH\BEjn%2%c5?s/CJ<7-IKmc?"]7(n/dNtM,cGRo19Z\>.-4Kf-<edSq.hLEU5
+%4P8W_ZRSYo!_.P'=m1SdH*s\@^*q,$3j'R^0N^hAb,poW6q(eD66RP)5lo@V/47MaYnb@\&3rV.$%>`kX;])4<GMuj-(^UW<PO;3
+%3aJf;7?in584uW)5I7+XPV-CqDn2<);#nb#[!QU$$uj>$T2A^>/5nib$u_%\'@`bg%B`hc%gRoi8f1%n@7_kL[93b?)S<CW.:ArS
+%N8rW'qR%?<N>C3lqE#s^P9"foJQ5BuI9=W217d&dYVj=Hfog`Z-qNs/[no"`?SOQ$_)6q,"A.d]S$NV!AUo9VRDb7+E`"_!H<eF0
+%bG]7u_XR((J>F-u"8L]dOs4/E8MVPnP?^Zk?7!E4Yjdo.`PskE(<@Yk:nlrTmO(2.b=#tIBf(3*FFNY\cn1.<@FH@H5Z%q9)mj4(
+%fTLl1+oG6h"9WjQLoU5$]ol+&3r*'+I.VHsRL\3NZ%_]\L4&M>F;hhTi:6D&4$-r,\I3)%E%n-EVd]'eAoX;FViF_,ernfKK:MFU
+%]k&sDVfb"ljG)>OTiB:C7?Yapmt(0(Fc?>?#GMS#Eud*7_kL9]2_(%+U@2%pRrrDao;4<Wndr8#FVoB$QRdbLKAJPI-0)3qD'[kV
+%=87ga6-JQHF\7'lp'!ibZ(ZV'bh8#a,dt'.jbE-,l@CpYE*F<OC`A?PpJ'-e<OH<jVdXj&L@hd!Q_fk0h6`m'?XTm<$f)u@J^73g
+%E3.^/1e/ZG:E>C>MCJKD[/:Y"C[;a8F#!HJ8OrNK.8uB'Ku7h/Qj5/iZ`EZ3')Ft`QId:/c[?)1_0k:+`bkuiDSc\ijX)0#9t=so
+%Br]0@B%KP#j9/n2`Jc,i[$/[Q0)#hM%K,u1]h3f?j.VNJV][eW`\=ffR-KbjMtt@qrVA,gXdic6#TSVnpsD%XMpp9+1jXZ_Y?-KN
+%b0W6T#J=u[4Y4.+<X@p;ORFZe1RaO)]Z&(rh>7RWBL<rWVT)unHfA/U*<66fh4Z,G[Si(hM%HNDZ8#p%L<"\ALqt.`'Ys4%qOW53
+%.EMN;Jq5-"pTRJS:=Vn/M3Y;B`"=jmi]YM_nMO4cG0cGD>1$Ni);TBn&?M,n;<iGlr2UP0SZ5#pWBBjD%."IiF,jm1s!((H'drdV
+%dlc;H:pQNlnd)Z`f[:>H.k*A5I^.V=,a;h,IUn06@]74HBo*rW)4O=lP=CQ_Ze(-'`,W+a_0/i.@qdVd[0H`I68@Q^Kt*n*RZU%Q
+%2,BA0E!Urm`"u6)(_:("/"N)^7n*agX!WK=P<KN$+94Whp9Sg<72]Q:4@]lF2&8O>Cu#Oodo"RW8PeS/)V;e'\B<M&X1;Rgi$_FY
+%>,Z`5m*<FcH!_U\\sG]*\HU[V$/EG>F6QYc%,@k-\fmSOi2Kk(.W%NqT1R.umd!_&G\utVo`S!qL<rdkm>!>BAMK%.4:K'%&&A"W
+%$G-.PkX/41;_VH+;a2=H.8T)gjPI3'l!dCsEQI^94cl&]#_*Ds;H7RuMZCiU)bBfnL'1m8H,-P6T"-B8jl,!I!hu#I3FhkiG=Udf
+%`d<;aTrD9.mPqJ6=bk&B]CL_tXIH;l5tO0Gd\]@]?[fRWFf5"4W58o>M=;N_VFoYIWSq9Y."s)L]:4DMhe(dX=cjTFTXOp*[[\oH
+%:EAF<,Lgk?C5#8TO7uaGXXE4XDnIDrPg$Y38J-nr%iCo&jT`%ICWMslP2nPjXJ98*Q%j%_!@pcb_#-bOYZN*0!t:\r_i8f-ZA.T/
+%@/OuolmJmS#P,ZM^i3>/WrP>$*2o/kL-0L;+1PEH=VEt&LA<$cJAI'k^D&OpaHFadUM\VtLF\H\NrjKoams?m#5\kE5%HgoE_m7g
+%RhZ[G,`/.J,=F5%6u[ks[3W[g+B\^M-lAqi8#,ndDSCNtbYJaKXDr'F>D"jpKit\YkW9RF%Qd!2pf"qu'o'ah(!2E]#L:mN%CeBM
+%A7-u1XL`WpPBSBZfD:Nr@*CcOMPCuM"@Mquq<Om;e5uN^!/*#a\Z!G?)oe'#JRcO]FA\[9X&HGCoa+`)IW9'7_8@uUmu87G#".5K
+%JD"&:+l@p`Q:6qeEH0cf%c+?MOhou4-*\7e)C#(EClb'oBd(`F7ZAXR?GU)8nei`#TYG1,2%?UFP*1ZU)2K.X7JO6[]%'IU0-fsp
+%R[PkQ?7qRCh/s"FKaUU67I.7rA^OU2q*q!`-Si'n#U;4M\8[U@,DHMBKA?*:]\ZVX%-%K-JZ3+\QsP;V9il(u_SZOI(q66#&b5'[
+%)GG_@=cIs]43=G42s5=_5#ITN,IpHCNXgPME0fim?Sr/t`b%Lmc/qb;(I;<C?'9XP!F(5Z^Za5gg$EaGW(=dL6KsHJo<JFhQsN9+
+%7dlsUjr**LfL,*=mpR%5&?2AJ%Bp"UB(OI5N]'-NDJ`'PhS:#bF9B!!K!qRr77^m:Icj9d>l'H,PT\/.*Vg0*eP:*l"]%3.;kg;b
+%h?Hea)EHOBMrH]HiL^]0nGaFN1_lV8kBA!.H@^:_X1H]Ak-k)_mkZ%>llZ#p\"Z8(/rON07>J5QCV.'<:d2'M<Y+3#qbmTge=YT7
+%jF[Z5@lpb3"dIYsU[$%O^.2*4a=R70i+I3Mda7i'c=js(PKpP?2F8QQR)LWkqn3FljAR^\*I.lP.J>a1dI[E+,e2Vd0n-qlnd$a2
+%Zd7ICE^.?nC9[d8,(;4Nmap(d1TV1GeI[MOZJf+4lt';-eD7nbg+Y?>h?Bm*,2QLPC'.i]!>9I=N@M#4MTb-8[SJ0U:s_3U$iZk,
+%a3<DR'<7-6JYPV=rYC<Q"MnI&^.i^d?TnD'J,YA@r;!Pr_`LL`1/gs^g4hm.4n7P[c^RZ)<hh,cW@!%5>ZY@5SBj*`7;DhO_VOgt
+%%)"d@7n:nTR&n"XG-7eOrGe_>[T,J'C2,4E"<S?W#$r2K5<`'[Vs>A#-J!`07T4R#qtfpT$pRoa*4EZ""8E@M>!:>Rm%+;r)=T8O
+%ML.B'%iFn`MoLjg]/eY'%B=4-Jh8qIAlY_]H?qrE5Mha#Q\Ts,m:bK]nm)3lqk-?(31%ZSfZ;f"%KsH_GD\[E=hPX/k<<T=;eCP"
+%G-<,p3?$n6l/]&&P5%IoR'.\IK&EG])QSgTO^fR2qW8MVC2\*!cgG^QdsVhlU;0*X_N*_T&tG>]1UK_aT_H".`$PW:j"t._M*2q6
+%&,cA=HLALFr6h4G4qX?3A\#%N;9o(0"s7%mbaM_sE.7Cn^_T5KouVaQYFOUrg8.mcW5<L;.2](c28['HULMQap=fh-AicH`e;^&^
+%IY!>mX)o,_,4T#OkU<`/1&D:15+aMJPLqBJ1oskZIHpEb?'"c(b"jCG-*HIP,,E6l$;-g8`;l9X(:5d7P_OKL\ki,I+5#/\"L2tE
+%:VV%Dl8Fam4\\4.a(*e_=d#"<P-GQ$&ALusPN3hJoLtE^?HuEAEp;[75+:Fr(!8it,MC'.A8+38[q%f+NLMqGJJ3MaeVTm1`@0`^
+%8-G/FM.o<!/GRlhDo@k<f^u^>1m'kd,H"#OpWf*.pP2nE_,N)NGPsrZ_e`X)2Lr\eR8E/0hB-$VYi,\9?2K<mT8r;8D$2Z/$I)Yr
+%AW"mrSF956i(0EGbNF/EPMf+ZLm1V(JX$D4YWS^[)DB(8Sklh^@_Ig5'T?;Ul/8VI11>tJ];oK,l00jkr&^+?0JnQRS33S8M=ZG&
+%)1qKZ_RJ')aaBP-RU2',oFcU8<gL'AXJneq-1TNKW6[[G%u:*)*a5-ra1KM$CX;T[fbo^o6dpQKAPMae.)h?%IM>[9q2@ODBTgU`
+%s8&5R!SY<_>_MuJ'r1<0KEr`VHp$&T)ps:$S>1A#*@^6j/8_)U-JZ_McgdPR;eJHLWHei_pIQLn.3MsoVQFiA7i>q)dMD[je3J)n
+%$>nk<7kl^pQ/..A.8LcS+8om#`N4s#!$mE:O%jDa;Cbs3BDQ.6OI`.D(c"FdVRP6Y,!MgM*t+pVG$a_olIm^IZo`g7$38AU;"j!:
+%U,r6s(*s)&(-UAu&3t+*nu@K2W=b6%al'/c-F(S2I+,n/Qk0(t^\HcqWp"P^HZ^Q\YTf/7WJPZu:Pk&,0LC#O.j$4RFpO3ac$:9]
+%?2e;V@aV4q<a_^G&V/mr.4O^"_U)4cHLDY_&kbeanB<eL0$*V/B6MJs$ga1Zj'g.GpnZE<dh.Wq4M3:qr:T`4J$J#61(eK:8qD4V
+%_g&iLll+0nmrT9hS/.\!8[AM!<8I(>TXoH7/7BXCb#PD+ZCHO'0;0%A$1b%B2XNYucgIk(g/n(_Mkoo$cBLmAD>"j2e)g8qhd,Z-
+%l`r$,D5W.e=%ZSiN`?+UP(6?D]B6Z;0XC4?0<_TS(<htsOg@CD]0ln'gc6ek0Wc'$YQ/RM?/3PXW4@\hq<_:br7[(c?7C[(e;Ho2
+%7OpA+"@jJ]<[XU]1L`pE$ne3eES+$n"?#JdmiD&ZjY4aI,%#B_.tUVd4`j0KaH_:S"%jQ2;qJq-?hZ)TT+I_`*#J4)0a!p"f9gVH
+%ghOaY4FJhKN0/)!8f6%1J$d&9q0CFqYF`.h<4$(FL8)]ToC^/)CU5MUNoMl/=/"YPKYSHOC/s_NoH!O6.1^IYfNc=&!D#,Cr6q)s
+%aM[YODM>bBR<4`@btdEN@5M6r4u.5.%7;UM!=;qSo=9ZO#-aD%<]RO<*WU%GFf+/<SXOQd7[AfugT2l3^4#G4_ps`<<Gg]&!HBs%
+%lLSs-jkF<7?=,cC3qAg^n!ul[3DLA=i2hMOc5J$m,m+XSC^@!,M%iqR!#Vem^!1"fGu9aHkh_U.S]OK$24NAKrW&uhS#'PV@ED.B
+%PF!Zn_<]m/Y?OL/i(N2YdYp:Nl@L_-_cu?re8DjE=h/njldGs)Cqk.75YZ",gjn_Brf"O[>m&s\EV\KcbG,M\&3<(&*n;b;=bspY
+%p43;=jl#ZNRL;s>UuHI<[6eK%WS%.5=-%D?.L:sRQgiYS<G4_3)RlS9L8bp[gCfM@FR,<!NiCHK]%'TR9.-\HXYl,oF/6.JiIKQD
+%R+%).A211rnu,4<p?aSa\D\Ci!d\L4*kk(tE*M9O5g>OFMo3gm3L\_$Q&5QJOjCiEUL0-USX9d@H=.Otg:+)X1R@F]Q$]W#6OK^O
+%/UZ19@t*S\_V'YPmp,hFRBs3l5d%tDVjEOA!N^LulMCCi4<5`ics'0PP#VaE?ch)dSpp>/;m.tdS/n-t`\jD`$$i+V<7QY37Pspo
+%8,:W:>p;iDB#Q-^r?fRQP>rcEEIl%0f^P7AEL.h0SFoih,j5h"]KbT"K9Dr<*eK>"-qRKp&5Eq].VVat39-b*,:(/=\g\D50mo4.
+%P7$6@5<qmDb_>89#e/"b<E<Nu[7p9\?+\/HG!$n*RW/?p]La@MG#FOr8o:n+eTmtd=c4fqDGQsa`1nF>9bH/O4KUN<\.`2=!Q37?
+%+!0=a-<\Fpj`_cfSSoYEe_hCB,0COc[fG:k[M]JRdaBchqkL],NBe0/UE\\/4QbT7n0T#='NHVNb)Ra4&ZV8+bFmRB*#K3mdeN1(
+%,:rGdXq&_1`N*G"<Xn$0\Mq9n[#1=Y3K2',9+YQVU4@72;rTI61Equ(`c36pl*6SJ7^j4mChb1oJp#!ZMs':AP4^f``K1Y.0N>Yr
+%daB\<_9@I!FD9<L7\hiu`,JRrQ)BIUT)8>sV'oOSb[n6R&>]5'WTo_U1#eDRNPI)!YU019=c4m.IPI/0RUUr?&5u8cG-0//:%3BH
+%Eg=ER^u).kWNt>2.XDdUKoTEh1-s#B]V::5CGeBJq*!_;X&sBRgp-3<'bE1$KX2Jg`bK-R.SIAb5Y:i)V@]-nYBimVIhEQm0nkH]
+%,7LqLOt`OPU/hsg2I^*o+dOE:N/phaQfWUhM(DqAR)@iZNq2F75'g6Yl:=BLVUoi'[umi0mTa0G`fmPsY0Oa$/@_&L5.J%=d?c,6
+%(J&^;SJ(CMp\PU%_/uPe$!?cf-s5c9]#glf6Dgd8b>Wd'mLKRDiX.Fl8d>=s,8O0>^"LFG8V]T_r<Z3R@Btur7&]f"UdHAFSXr/2
+%=X"(EVO*d$F<@Lm^iZ8IA=H5)1.d(s0]V\6Mep81i^KN7S)^9d#:<!OcC[fX4\WPO(h\\?q/eqZ*fDUm+B;:[C?+>U^M#HT(u%aD
+%?"ekWL]>b*mlAom=K*%4jXs_:/=V]g=S7fFP(Ig10&URO0tJN)0;cBbF0-t^`><V:=L"!4Q1Y7FJISi!FTm"G$HKbZRpjRI/;847
+%7;s5Wc`qZSo\?tL*#W)=PZ:H'\&1u;r3Gdn\/*T[k$6H$N5oQ2TSV?]1r,uX/J>#br#@54f?nae!N2E.crm$i:\&P3\q&9u<h#/E
+%N$L/dY9QVefj[rnJ;M]ijNDpsglM$;\tTXI?/uImQ@rih)c?j#UIknN+Z52I8o99-Me=e:.a_rZb_Is[hVmgRksR'"%OBmPB99R>
+%:R?>_L!I3McS#h+*agd.(!KZAZ=49l'&@Y1,%m:Y_8*S>"0XXUpk6Q-R7VsN,*Ljb1<;1KCaBZOd/.e.M^GK[a%*fRS`"B<oU!UX
+%2gW(sROjA+GsT1q$nqE466oh9`*okj<uoB]Pf'i*ZE;r%CST\riebWkeX?:[Q,+67MDiE%F9_6rYs,arB$!YD6Hr)e,_7>a'btQB
+%N1n:+q2;]GWK;m;jL+)H0+IUI;UE5>L>6!1bS3rg,bImr$u.k&J0hKXTEtj@6MI7T!BD)"9-gOH7E4B(/ZN6]6N-Mo>gGgrPk;\Z
+%9hnsD]c;kAL]>;VB/P*mq6c\gk=LRH&)2URgcg$"R6"nNYOeSPImg77s-lQC+d($Wb'Hl"rC@C$>*3S4E`PmK@hCs8#+b^)5\sHs
+%YoBQ;QjE'`S*@&PUj"<a<[?CO'!b",OYW>;&VEZ^)O$b#7d>a"IC_n2d''86hkLT4mcX(@SY6t$$<0ahr8-n7"lAJ^3l8Bu+eD';
+%W%D+r`8J'8SN_0*[a7*[oXAHJXq`Gij\tSH>SrX7ZdZi1LJI-OEH^8^#ppshcgVmAG,!,d80mdi8U?>V@96T#gLt&u^I%-4fZj*$
+%*L#%Ni&C#M(T\(?N#X38Z2QILqnM>V>@kDt?rEO2/=bK,mhrc1D[lWiW^pj?]_1bN2Q<\Pod7oS6LMO'c-P\nhbSuIqIl"%j]9hJ
+%XahDZ:\'"?l@A=-i<*Ssf[LU4:oK'k6HX34E-l^B&H&rH8Q^Zj=_]f'HkFE5lRI`aO*d))\5WX79n?B.b]?5ej^q%BN.[o)!hhDD
+%o\[$>?q5aIh^";cqNit?pj1`ua2W.KS-]U'1[c&Q,+N$:U7+JohlipFXt/*?LL(*U7aY#d:$_'l#@&F!'2:-tE8U/N#\6M8?BIoJ
+%.(FNkW!chrX_R@80S#'03ud!Da8u^I?DC*/E\9=q2_[X""eAR*BeXOW^TQ!$a1Y&O2!.FUV:@#%&)g#(QhWQ816aZVTV]JgL>(4\
+%S)+SubJU_1^'>kr,At\35kTHKnN>L9o'PoP>5P=,:&T/SM=i\0]LPOp5A`:>X`=SNV;=lihYI(m(h3!kUbRVNm\gf8ELOpD(CR@'
+%i"4RVE`9!JM+pp?Bn$17&6@=]RM,^0VJ)62\2Ss\+[As+C9t'^h!Xn,BHMB,JBVU?E$g\4S!t7fa\%VDem#GuA'%@aL3tTs)8?%0
+%JqLa=K3a3""i*Q0oO42\GtH0iCN9i7+B^tFW^,.h$rWbmj4=]@G^#tc`f;Od@7!cXSGa).$]`Q,JlAI/)CqtG;!(4FI-:j1Bdpe:
+%+3Ah-T0CTZq*]J!\p.6O8`5G5Ge<8TO06$#\O2PNM?%KoF"H5FreGMQgLQ[GBZY1-'9ucHKF8M&0l4gj:UK*5Lsk:e$<0)dn\O=7
+%<JDVsl$>\IeRT(H:A5gb]no0i]e7_/8<W9Scj1cd6I(9Tp]"glh0(A3Q7K3ni'6_-!NG$ekP\jS8L6OPfPWY%&CH/>#XV*7b<SpZ
+%Hup;*pV"S&&WsWThCOtC,N41._7=UKbY)JW`/#"bPc[Oc>=S'<bdYl\@,T5B;E'pg\ILD68F()[T?GU$e2A-13J)XBR;0t`F,^>^
+%fNGsH_3;-hWVdtg^7C^#!gY[Zj=SJS`-E28F4SsW:<?!1)$'$XP"3VVX(h012llDA:Lu#lb!'`5l'!]K=n>*4)k`+39cLC&Zi'fm
+%35Tg?j@/fg+Y[6o_T7m[Z%8gd12f6Y?A!6'>Q)[iV@&\*/KZ>JnA1l2kTB!J*i>GbN@_"bKVhkOqB[]:->[;t=m-Dkh)%/3jL5gY
+%2fQ0Mr+h]Dm!I#G%KDgkA<Dl;cYAu1q?;+1Z\,B'jG[:!pWEtnY?MdK5PL0Ud`bm4SETJ!XtPG:`t[d3NGJ&:84q&?ZGtm-$l&g/
+%[&>9%iJEm@c&*g<=DX0?)QJd]5u[qOMOLfN8KjkN'G*gc9r9rA\ZVm2_gELH$FS%jL(uH#AU\4K2)=d-Bo+j'_aIPK8k0g6$-W"N
+%OMlGMX4Uuh.piPRqiHBG*bCV81+uWOI7pmH[J>3(U8H79`XLEo^$RbM*UO[\gW4D)`6XSAO6G9*1Vr#$7#kjord&qKV=-R'Qf3L_
+%=/i.\e8jh@Neo$j=YE`h&r>l5V-g@k!-eUe:1dg3no)@U&[0Fo*]P?MYe4_IpsT)DQtCTa0T*@B<eJ7J9-9LMWLcdmohsi__[04C
+%A715Kc[rBnO4i>kG^,W,G*mJ`gL_?Oqc:/\0J*M6;Z,*);)/FJVNtbrPFY.sEo=DMk-LTF^UtZc1M-"ci[)U?A=S9ZY@"1@J=*q$
+%(/Okm@_/ZkV+gk+:<ZVX_3bNAY#N$qiD4^#WfhLo_2$9ni?G9\X&CaSKOaqF]]aH<?Eif'9iEj'">Gu#j`5Zs""Q=RZr.@9/o>.J
+%+M%cH3bBj`$aX].nQ<.3KmZb)f-7[^FkuBa*kGL^AXAM"aXDh.\be7.jRHEFOo7-5+4[etWA.(m3Z0?ap_O$tg3a`O;)K"-7N8>M
+%J@7<?+)a#33@=<IXKki+P>s1d7SY7dGhL3YKVE]Vr"Xp2Mopbmm7\7$aY7_7gY<8EVif_JOI^ru+iZ8p4?>elATP[MO`!)M2!AC-
+%BCiKP^[[M'q'dksZ""W?mP'F9P'mlHob,rjZ"%\CkUlesD07#ie)5KY^ABBh-SR@)LMCs(QX2K"X8iB`'"IkYe&[Bii[gFp:]hE&
+%oB*]B^UO\87a\_P\^*hBer:X`=&TY>T\oaQQ&IM8,7(KpE'YG@X7V)Df$pt%M(G"B#g%k8_U!*E=0kcIaHkE5DfM530p""T;dVmS
+%%(nr*?!:W36hbT-i2$\`=oNu4O"*'0p^Vk@Ac_46V_qjk7Jmn5VJiNl*3T:-ng0MpF+TG\>m(d=<dC1t\*u3`CTi)\!AFrkmgrJ(
+%AO@cdQGK1>,A%?":\FDq>K1e@IQQr/E/..Xk']89m<ERA\I$9%Ir?",1b/6E?^g3.#_]DO>Z[Qdhte2I17O2L`W3Z=P-H\$,JB]E
+%it&.:126FP1(L0mbGo/6Wd+s#WD(\Ln38Zu"fDB]/j<H\IWsXb'i!;DaLY>G<1;UIf$,%H'YEnu6FI<,F_;UC:[f.e(ke8a?UVUV
+%?Pi:BEYD:r9m';=qA"E?:H=a'ER/4&i#A]I/L?BcYn]pfF`Xc:NUuD>Ac<(mA01H,Y;KY#E<?C@ijB`_93f?k=UGs\\>];0/qt!U
+%X10gfO)saHkl1J"esX9qD(3/a%f+^oI#HgZc;5[7,)O=f1l.%"kd:gBj/s/)iNIOp$K2"RN&/Cr[slkNs/*]hl]:8$qpfk@b`(I@
+%D#%0Sr=%\1/mJH:o]oFE+*6-c5-2dp=Jcrr8m7S&3(qHff\nP2Nuqr`I[]H9>o)Z9&Au)K&Bp<=]s9:odVm_`P7@dIBXHs.Go.Mo
+%Mn\\k,+Sid1UQgFHcFe68u9E0,F?<!<2>SY0gc*R::>G0Skb2"(c[V5"1^f<s(ej>L1d'>osM/%o2,/J=k&=ck#IbFq-9e:1d0T.
+%:Xs7EB5(G,Rq]U$IP%M]AbV_rK%@V6rE?;a[=4-rja@SjqRN4fB"gH/Ud(I5icSeSWT',Ee]LrSNK[DDa]+O,.s&J+*E6lXiI\gF
+%TrkJGa\r'1aD*h][qE!ll2m4dIE>Zp>Ub3G?E83a"`LMD>LD!8;ld=@N$Cme?ab#MmhTlmp:EcDQb]^gps_JPlPf>O.+IXQB3_K;
+%U3<Y>9kM.@/).Yei>/oc[IU3r\b`_.T%@8Lef0N+blrUtGhYO..c/N3Z+]]SZ4?f&Bc?2a_*\dKAa3!rS#!cS=it-ml:MBSp&HpI
+%TZo\@pn.>\BCb\9cF?W)bX60_5E_214fO0"XqPR)MM9:7@ES`&-tM/.g(c@'j$&I#$6kf%R+:$r'$=Q2;4gY)S]SlsChQ#QAb.g,
+%lhq.?Z3knB"6/&+QD#Qp[BK=@R\E.ZR8jO0%7C.??`f6.R8q5V\mFSJ>ZV)A=!D&FD#0DQJ(9a.?$oa)++"W+[Qr4W[f1C7Yfs4k
+%R@h'1p3Z_D-5^H6gI:hdm0oAh%i/[^O`dI)A#Q^;fERu>VK\=C6Il`qH0&2aB2&i[gHA+q?e(`L:k%(K<T_34d1C]WVE-5ECQ[Jg
+%h=9>=\L%k0=Wqk-CaHHd*TZg>n$JlSkPJ#L;>5q?@gdG8I,FXb_q:%@rSt8,2J\D^Dd*i<lJV9sGNGkIchciFYTIrT!sAVri,J&N
+%Ztg\Mpr]l:[SNA/<"e!gcu]#]$sj+Y8XPNd%=GLsj6_KnhF><Ln\K"!TBl=^c#r7mH`S5>2.I8/H1"K=a4g5=4eC6Rdn;nd"2I9]
+%P63W`\3A&!Z.t%Qmab];U!@F*D=]kQek4b)btf^-^$jn0b^<sF`I1tP(SBF)2M"Z=9m2#i[kD1S*W+8)c3%@Er!&J8ZS'"D[,_,A
+%96QnjM[7ir6J74c*S9W#f3s*A`iA5p?>k=Ib_1:R<u(8=Z@)G-pADDelJK4f\?:(&DH^_T>aABK<IYocS)8Db5Dm1M?#s<r-0cK@
+%bA[TgWiDd<mM#+JUig):H`b!5[Iu[$HtY)7/2lY^Sicb+E7C102Elliq<r_olRg)cN_>H04)TKDDG@n>msIbq4]"IK3u%ebY'm\A
+%haP;sds%chqU9Yfr8GhC&Ztp-=j5fL('0QsnkipqH2/jXLL*10WH6seTWQ%W/u.f+,%'f4j0+JY1FSbqkOBt2o<-60pY,V%*54)&
+%.&FS8qtJeIY(41ULDI1\DlD8J<NVgT?@6I@AKK-8PM443DrlAcF0YOa<.[0g^7m9#0m=Y!K(>T@<rBC4:/nE)&s/kZVq[ONW?F?O
+%;2sqTYP,9)9Dc;DH#c]/H7l21dq<<_\Xa3PPaT4V40n#^QKkbQX^=$&g>:^LX%6LeI+%8FcSViaRj';Q7QBkSHl#W00`-4CF'J$k
+%V^f+B:Png0='O2][e/-nSUNa&B2NNrdWf)Gp=j@JiN(=D:E>I^7K5H=e3-?-]O0LEH(E.o$fN//$?D*<Y>O[VQiW7II[/`q1sTc?
+%-W(L>dC^7j\nBhXN;rjs]>*Ns=92_qU*V*ohQrF=]CiOND._Dm9eU#Kh3qRUbK!IiCHd[ToSlksh3NoD_/40Caj.nIft-<W`&^Ka
+%b4_BH.@R/QF\BOMro;gAIqH`>:)1QdBVf/sjS3#mG).T7orRBG1&@FShq-d8Vfg!3?]gt[0g=oI`7Wnlq;-B8GHFm=d2gU5pE+Mr
+%leCcoZT_hl@!PA4g7!ERqc0cYS"=ErQP$l$#(3D)`@tc:,-4MQSB5e&"4ee/Y(YPa'qLAnD@"`N4Hl^@#*'h>]\#-&QZI_DZc5fS
+%$`IAI/gr2=N81dX`DE\9cenQ[ISXqVYHN-!)F=+/_u$]"lMKBng63OpmG0PN[.eLpL.CrC[&9/shP+SXd>!*oihe=(G2f#JAG(TS
+%>21c$+8GRPF\:St):-D$jaI!E1d;<37sR-Q>Sc36cdh@Lr\CprlYoKEmJ=80phDQnpk]h<rYfC6h4`@GF*Cm@M!i0(;7gpI-'(^P
+%F\=X+3FAISlZs.GSW\B7j0cWlH[Km?G7F@A<t1ZF?F"E.h"jc]rX)pen#AN,e"aC:X\5OI-K'hWVF8`BM7pXGTGpZN-^287kc)Vm
+%Tm+;%\o0PfD+jOr9$s,b=I1E2]9n]oJ(aM<&CPLc)nh7qPngS*Ao9F(nPCmqQcXh\jOeP:b96f&Y+X$e]Z!dG=^mZ,=fg[Y!)9dD
+%OMtUlW7]:no1$TMba5_BTemq-P0]V_^a5re^(ISlA2Xmt<hGdJ(m%cOBO;3iK_'iq>VcRk^?*dMh^eoqaCtbAI(_)V@J%s?+Xofq
+%O\G<^qd_!4&q3rO:EOr]ZTV_36*6ds3>#Za)17+B6k7+I>H4cX(k[u$P?s(aKklEVR8T<c#"K+BU0`Ir)0Sf@NlZaX7s+b+o=c#>
+%bHW<rR!GRC/oY>E]m20(6#FOP!^b./)4!sl)EB)ViX+r4W!JQYNI[J,%%]Um].`!\6/TZBr,gFh-E@9STjBh#^/>i'`CQBgCTH*(
+%*"uR,S3uW?oB1Oc?:>F*DC9ah"K:tZql7/`RoSIs82,rT)uFDJXoo:e.aSY;.m$s676(<XXMMD1Aflg(e'S7GYI>tlCFeF_CoG?b
+%NY0GSPZ>BMSq<TRn:qhbi#Yj-puU8EJ&cpj,-4Gn/O.k)+H7ZJ1a!5ao%="JptW^PgSboejB6p?#\jiX"DheXILgl<D%o@S"Cs_U
+%$)gP;EI\X9AD8HJ3%@h\4]T7g7KBd1;bUQW5(3I51&:bWZOA`RoC6:Rc0@%4M1\-X5A<ao1hgK46ZV02=]NqDN>e'O->Jj:.tV\k
+%rF7De#a+CWT1.[^N!elO,g1RQWb@c&!s^'dA52s[:jI=2c/MdW/E8Z_J_V>jN<_/;]M\/Mp/dZC<=n0kojsa0j2"?IQ*.)u3#HY(
+%C-7lYOtF![-k,Uo-UV/<CenTbg.1'<j-Q.Y9:N<pGG"f>(bX9^5QQ%?rXpt/7cJ7.T:g$'p+T^Ad*H<MfqlT$g#HCn9$\u_rpk?L
+%Va*-XT"+RuGa#RWfHVRd<&j`oOjLK]=g5Ce/*./-YMD>3a5fH"o>7-PJUW>WrQXD*1D2bqpN81_$!cn#$W9A`r3d6>>\_A/[2c3$
+%,lM6YZ0@>l'ifSU\po>>@7b"am&i[r3b7?;i8k0W(h?TOL[HqZX[+AY8,u&aW\G[p/t%!?5H-24)U&+@];8`Nknk(sW[?JV9m&Hr
+%cF9d+CGH0oIa3(tX<Idh#e8*YAN.8LhFHg$Ht33jbAoVJ.QWc_`F@\cdoL;W<?n)YY3th1o5UoACYNPO`!8"^PB^?j0<Q"V+K+PE
+%M0je9"K494R.r+-XL?bS=2.raG0<$K^)Ofu@0k_2l/Q1]j:V?/:Zm-\V3K1MLG#"N;rGf,QdA#:AtLr*KdIXPAA,YR,BUML+k,DZ
+%.+K[@2T&rn`39;M)[F\^")`-@N)O:GGo`2,0qEJ.bmN"i,$FT=Ms)mTI#:e:qsT2RMs9fpP;2bIXq5f&4=3#-bs3gs;=rk#b<ku0
+%9\i:)?@V2#pb%\]H`RnO!,Gufo`S>2/lf#K*W^7[OUimFM+q7tX*qf;mmm#>Y,>]m(?pK^U)""eq4!raAt;3GfUpCdF!t_-Xml.c
+%Z2;93br%_e/nXY`4[tZk^n=ojMI[*`P_@.r8WGGqG+n^/eCJpB[llIU(=JIX(ZfJ@\W^AoRJ(-%;W"(;rncBhIW..SU,k/<8B'4V
+%^9^'$]j4\t"#'ki#Be=0ibhTtG1T[CSpKE-*Cb.-8:oFeM5b\l[f\hX[,jN28i]UA4h]62(Q)c.![=9X4._<O1@ak1Z1\*S?G?:u
+%B>VD["QZ:,:tss7m<Ye(fW]ujqCSuoX=K`SKKf?ll*^:p`;Qa.]&)X8]KkHdU:Hd[/"VV?U&`b[A+TX8]mTQu0<SlDFU2QPb^-/U
+%N=4Qp9R/gG&^l6DNio4(4f@#@aHQ6B^tO%QEdL#PoN\IcGW#<R]0/r"DHD0W0ndS'TDn@$j+9SmGOu9\m0VQ,>%Hh@33I'&<$,ZN
+%Y-``sQi"HLj6,GdF^Pr\KRLOFj7r8%@V#*O*?!=n8q)q+>3-JXK<&l/.HbD`fm&)*d'9]?^u$*'b.Lc5E<Tej`6,_(fAiNn193[b
+%(c(7sRKoDNhZg^3a7XQ`^2jM]l-I[_Vt+QC`p&3g8Z>KQ@U7/Q1:&"(0[:5o1uI]"?>$u9bGPSRaD3c;d.Mi+:A`O]5'8n(lSZ(K
+%>G7"R@HY,96%9@@dhmK,0dj+k"F@a8&rm)HM<G2kK(!5"U5a,_^XKlqpNUlM><??CG0"iTrU"h:lRmV;$)u$6?,dcV[PUbX_Db"m
+%hJ8cA$^3`q"Qjo/?a\LmN+:/%cWNEgiVgC+DE*0RIEln?/a[j;q8m!P?HgG)AFEIWI)4-!$J?<[q8$uVk4a5I'2QcB7iOn1pA;2]
+%#;U`,S[6__F9j`$-nj'*Y/n<fEIV^V]l!jQ@+#bTRL7sCpGCT%l.7bPJ<_+B/=7fQn.Xp+;/+IE0?a'[>4MUJg(N=INR`;LeQqb=
+%hHmTh/sO./+(niUQJ#QY/B'M1j1ISNmE>EVYIZuFkK(YFl>1c<'h(Ma8/"BTr&^@"r;>':lG7*.CbCjUDTB0@?f($QI7IaGaE(IC
+%=7iP]&LJY3a^Z.pZI1NXVcgWW>J/33CS\)K\Y%m&67%t-SE=^gYdqXCihtCVDfnD]F?pp`Uo0$^%:l0'QO.9FpMJ3[FR$@Hn\dlB
+%(p6DLgknP(.7p/_`o-N]j7`DnD^?#+;%pb;DSp1]GgX[r0(LL2aiJ\V]2ndY+"PY"Ip'`]Mtb=g,*e!b=abSU8$rgkmaU16H%DM%
+%+.19_@Ip5OT%H#iD4^[P*Th_oBqW&dNFAFMpfm^mrT_;/NDJg[$Q1aL5ULrI^7AS9L=HifAfO-"-EQ'mgo=aB5<'b&Z4s5;>N4aM
+%hSjs`\Xm_9,rpB2Ohl8QYTaJCd*F&[Oo7Xf6JXShZDd339EACZ.IF]P,3A[Nl\>i(VPd`s^SOaY+?ke"$sdq;IU55*ZEF_*C(5[c
+%OldHEd>_9V6Z8)$.R!<iNTq3j!C%J`hqJb9jaB58(Ot^f9;9>12LHk2$c_hq8&&[2G2fK(>]cpr=InJl]T7+4m`(*'s5\M)b=MF/
+%(9>4$NAoZ1D"Apo1Wp`NEShrs>=F=(Xs"YSG+M]+`S8#uiW-P=04Z34]0)\_B^JF7(c"e=FeSME-(NBEaR!,LIQ?(^:Y4s,)-;^`
+%&-/X$"%4$@RP.&3(maXRFO7<e)E\u^OF$M>B0>pjn+Y_dA\>D9$B7Cp%VL*UrOHB4k^-!j=XI;H0P7\9SeI?i?.hluQZ@Z,]2_Q*
+%W76Y2]mK#?>lV0O9ng6dX^"f`_l)Sk+ZQai&H'p6M[cS%[:BI`r;00?:o(3UD-29pGW)'qY[3um+m`+-f+\_.o6I)o/]2'KI;jdM
+%ZWgTthP?hhFR><J70t[;b-pWUnJF=(D[C[]+l5ZsoCOK3ac%CgkK*DVMr-k+i8edBbK<IDhX?.Adk$a2[O(S!0'NW=2cT.%\\<4d
+%q"gE99>3T1ZlSWoYc&?G%+0p4naYFS<pu'6)@hD&RinX[_QWX[pltATBT3qZJ!Q*Fj6OAq+4hdbWkUDTHH%e]bBJE!!`:AD<_j3)
+%aDU1/CR88sV%:;`hgH:Pc10T!^-=I=or\5MH`K@'mitO9dK?eGiaAg13r%8WoBDLHe=Q3[\"[)VJ<*uq4F%!M%O8C&$=/baWL4Xr
+%ZRI.q*'20Q'g@>!h34fkTAHLj*p*4Sm?bkghum[BpHc"SU0Ob'/%5E;(JlGb\c'ZCasiYhdZ:#/Ut8JT=)/9f`S&Krgi!5$p9P=0
+%iuo@B<Y`?<WWEPq;>P=&3ne_,8&T>hn\<j+OiID"mF/'pMY$_P7+%$YQLMVJ9-^t5?9+jp\0'b?8h9D%jCA!UHcGY=m'%(2e(]-g
+%lRt<O;E55Gf7&3bfCp<3-ND)@bgunJY:`@1q6!LXPFaLGPbOf!CP%N[:6`*I]rgH2kG\t6mHj=*-#<O]X`k/Mk*(5^)=gT&W,=La
+%:+-(U.tNcrBg)0Iq5E^D,c,n6T:C5,/"j,=N%9e:PDK+G?E]T+IU+H`\V5GIN]qPLBg]&f.i[G0Ffb98JS4F_e@oKLFBSK$SQ+(@
+%lLHr@,M]%Ql[0QTG[Fr0*V2Bc>Fde3nab*=c0siJS8)$^o%o&?A4o/'VhE80<"ZQ"A'!fig",IbN<SR*C6iBI?r-,)3u%UV<Fl2/
+%QsN[/Zh,#tne/JsEec!B&;ouPWH6s4J4tTpolT-/e+fKm`</[UkfJZE+,R@m/90M"!CucIYhN#.U<%$rjp9HAn[i.E*#EZ.#mSK)
+%\B#_F,76Fc`%;GY8c*=r:ZiCT'`lr;<`5Lt?04Re-.sVg4p$Muhl6LnaHtV8QN?Xn-s>VXJ9;M8lg.WYL;@*i9L@_Vfc7W&-=6uC
+%S$eK"N*0"KY@e&+'$N4<\tgfGr>DYZ^j05j@_fU>b!o+K8gj'9H0?/3j?tP\F,"pNjP,<Rdcf\Lj"[%4F'<#-C*:i:-n<9mfi51$
+%)TEM@+F"Y%;.F%U[-b(M>e_g;W4=U0bqp3GU7rXX5]0-m5V4Zl8*IR^,,)S9e+m;195LUmqMPg86@DW_;=QDl=/O3NTO15d!Zs.#
+%fil]MM[9;dTUT(\/fB*Fisu((&'(5i:pa+k%(K1.VDSTsZ>:`)*OL?k2'iuA1;<W'B[=(X<rFlEre<hdI*p)WX[5f?/(-mrHdC[!
+%\2VnZ-BtW@%#nIk[?jKDP.2iJ8rgN`GuFq6(S%4Po?a]a2"#n!Z#324nTFanb,/HFFc^`-[POZk5Dtn--Z;pfVBcGj*EG"tW<VNu
+%WIVf'"2)9BbTk;NTU>OS))\X&9?/Ru*YMR+Wu=QPE6lrnT)=u%p0H1\b=ZN%%h!O!0jOW<)c2hiHr:tWbhh@KO@M6fLOcr%Pm-MV
+%h?ma=\kLIXFXq7NglF!!&hiYC103;^(fh]=0D"IEh<5m\]nWCLlRJ`)Rpm6g]b^^TJRTXCrh=pkOu*oL[j#X</b=N=kq=4Sn]?\g
+%e3(AbX\;V&)'3Z5J[?hNZOJbe26h,*$8M$\,R-#Gm21#k"?DZKIg)LgA8LaW1JIf(Cu)r]Ukt`^JmJn_[:7jZ$7u0c_aT)/;!OGE
+%Qf7hG1>([YC1;paO-fW@^q9^=7EY'U?oRVM>O-C%l?SH,*gr:Oi;`kk_./Hk(SLD]Qq:CUWs2/\[-sL7kZ@<%a:*`[HW_X4N-LQW
+%EW%A9Df?)Zr$!op;$m=aQ`N]h%,.d+p'OQrG_70Z(;^Vqqtl!hk1UTt#-FVU*+FK@/!U.OLRLia3$DYKmsF:-=jrTXn\199%kfdW
+%E.KL2UhD*s$]&(0)AX)/aEX2a,A^2THEdNfAJ2W2<3g9X=ZeeiUH+GgRE]a4_#LG582c+g,[<kb7^38H!<N2@IRR2nZ,=el)AuTm
+%fkAM#i^H,131HHJIToBF&pDse8Im3H%TOrF1d[Xr9*9``('XVGfNHs&_f">SBnX\`j7hNTY*L>2j[6IsR5B!#A/'JnX)%rP6W/0V
+%P<--P2Q'u_WeOUgfXI[TZ\@SQf$K@pE?fMII#;_u*6ot6IiS6B)JqRS^R,V[_>OoA%ZIoRBK(i'1CF#;*EW`@!m2J4UgLk'HS<WH
+%AIE:^_uQ46=QEjC`IaCU"2ZT_i6QS.,PhQj!u>p`ZFl!F6bRWC++u6W/^/+f"E:9ST>)phM@DMdmYa>?ZGK\ObSV9a(n<H0F:r*A
+%&Am_PHc\!go_j\"#9M"^alG"?k2#;1Nf_DW`d.;Ik?'ZE`\)H$dhMC)AC+2XCmCNE1=8WK:8U4&:UR-0J<j'Sk:nc35V6!=K_rQt
+%*fLP;nlWD).9XXB3bu!3/?QgsZ!sTjlP+cj5=!)&>U7`nJmTYpg^6],(26rcV&Ek-cXpZt_c+sf1G$nolJ%_V6Idc4BXeM,F=fJg
+%^qL5OUs@GGjYsZ:[A;j0&'0*W2P<]!-^.PF3:<'N[tiU(+SNoFUkraBi['8h!e3-JId.LBm459:Wb)iR]7<t@((I\IcaIaoBEhB8
+%iu*1QC'q:[4rdm-R0'0o$,/FlWq_iOV'%L_37tGH?s9gQG6nqI4SG.N>dp<fjJ$5aQALVAn8-<6Ur`CIT?'tp1kZE'L5bCUgXYG!
+%ftY&nA$Nf]o)@ao)TDl`g*b@+X/ZujMPqE%aCL*YBa#b9!a(H"J-/ILe#o(8!K6BQZF=4'65saaSL?h(Bh>OH&jE62_5(WX38@i>
+%+KS/bHq?$9;,e8B9*.(Pr4T22m+WtsfLNA#PEeVQ&tp(55C'AOX:i0t94M,i4\3_Rl>U0aj%]eaL7=!`!*RI&lGUG4eT[@E"^0Sl
+%3u`NA;f'BLamr8!ErcA+=o+5W34"cp;JfC_RP2`MTg#eCAgJb1Jmo<b#C3WA%\)O=AO3Wm<e"'T'e$'"n2k6B"lHrHB?YZP64n$,
+%jTA`uZa,Q6\n&F?EK7A*Z,ADJ&VB9J8DYQPY#U'_oiV-9]Yl1c.D8iC1m;WbiQl7[CR*8.ZKO*G>9<77=>*Xof7kD^.N'"@UA4Zt
+%5&GpL>)''"c,V]Sg=J9lF_7T^5CfA<c4=,!jK.F/9Tsi],ChULao!u_/EgU+%1/unk.nEg"Nthh3M4JOQO8X2("omma[P:dbA)9s
+%_f/&4?,q#p.#a\`7)A%qjlBrq32Y"pfk4f-jFs"E2!DKerm6dC,T597OO$t9B5!+L2j(5m3Mk-T=X9H?Cs&0#>uBm@s/cS0%hRqa
+%FC'"X_Lo"$R[)Q?&?35YHA)bR*kR9pYSMS?-/3mR\Y3KJ.&5VM\b[([2g-0ubM]k^:RYA9<PT*]'nmqM3g0QQB*(5&#lk-bgS(CN
+%o$FjW\Cne5+'"Vn3?Xq\;;pYK:*.W#*Ib3OKD8?W-*%;7gj#C8Z@PVD`(PEAk$gdBY\9/0K;ga"B!E1C2d@349h5EIbRTQ5(0,nD
+%c*HN=I^Ttli:]`NZePI3QL9HTLFWG#4m)d=%g%O)gulb]8h?jF9i_Ri.CRc>NV1=GK[gE,50_$$B)XR/]VneiAh1-"WL(6%.m,/>
+%+7q=63i(sZ^t^&J8&SAWN_Ts%@c))&Lo)OP2Nq/q<OUoXgnZFc"6+hs_mlIZanJLN06`d8B'%0<7"&*=gP?Zq,$0h;O),>Ks42$G
+%PeeA/F)ie3ZWM+/Hd,r+P<%@*/ebN_2qKPH3Ep[#i-AEtG61p$^YSU#1SuhC;d?sjgWS)opZ:&MZ'9C*8T=%&TZR%%29n717n('m
+%^XrsXV?DacM5?D\n&:pW^T]/_l`l89A_SYl.E&n%bImG)fR')S?@mFq-f2rsD-0msS9j"7b'#-6.)?:h!u^3'-+--"KF+Ft=j2oR
+%"Bp>X=FHGs72!PE3>b+)[OC"lDS0g_c_AkJq1S,nWY+c%A91[gX42&g\(,.<fJ]aCgBLYk,g0PM'e]7$4UiKr#SnomW"cXN#gO+r
+%V92bajoG*e(P-=8nL4FN"c_'t5E1*[FVacW8E,NY)hERTIc,70c2EOhTk2m)>X]nNk&*>k:hLHme,ZjNW]2dicE"\@YJaM=)>Sf_
+%diKN=_8*.8;,,d%S;b55+VMOlVO"6%B#Oc0<Ss2FNiY(mE1sO:NWLCW8)oCjWe"/:@raf4P\[(5G88J_O%F;tAHj?iC3^P8ahGFP
+%Hde<CaJ>5om.',+Ho3TF!Urhn?FKoA185#4,qcc<3<*fS&Z_C;g<fP*nu!4pO&pao.Gi<S9V0VXF/8BA/DIZ2l*(Om/St9-0ZU"Y
+%#'3g5kfUiuh!]7d:%NWZBRZEHhEf)"5e7/L3U%:NEfcZML4b&]U:>9Qp^I.4!F[4jnZWdF^9$n:YXH#c;R^*:HI_Jon/77F%U%A"
+%F=7fubQ>`)mY+fboFLh/#E+Ij4q*_%8_pHa(N9/q*<AmhA%1HG7t';RRE9HSZ?_[ZG\7,]QXijDC`Ynb/"HOj!^!mt1pUK4#3:3F
+%lD"OWZ7<TR;k^Ch2e`Geq1D-.?[k&f#O]UC4mDN/-8[4TBQtRRa0$S4%=]$3;H2IoR7.<:bd(d&#pn*?K6,RElGY7-5P'"0H8+8:
+%FsoV*hkTYg%c-Ijn$R6?]bU&`@+H1XcXEJ8s-jKM&Y.m+^`<P;:n4`)Og8)-Z-+H"7D1g%[Nbg\Z/?i2oEroP0VISi][2!f%7W3F
+%gH?BB2+lsf,B;CI/grlEaC&1><Xrb16%[H;1gsr!_euliTaftqGo`)e*_h^QXMs)@C]'R%mkU].iq/)BLY_e(D[o7GYW-AT']rCt
+%h6:?n3"E#0(<+YieYn+ZhJN_>&44)^lP]]AQf1l.W,)/hgug6J`6fMn%EP1Tr^=s1CY@bI86TWuL17WihIGhBFRV=8hg:@nj#9:\
+%f0FL[k`uXU@:3I3CpJULYdj\`5VgR1Qh`YW69'tHOOa1]Cl^5:(#n?3=D9h_<('rAARn1bf`K*dL(Ej#,fqh54Hf2k%oKq>5Jqf&
+%<Fs,Q%Ks#8WcD[;EuH".fE*nZa"ZEKl^3(oO^D*C;t#lH6IrW>b>9!CUrt+k_r*9%/0j*A6BR@A"(2MG)Dbn$XX^RLDZF<9=G!UX
+%V?*c-?*OY99<=f'+afr^p]Q])&)%'S7V:8G=<-+s8K2]PV[7&1PC!A"`K9U?0W]EiQ=Q*+]L6&,4QNBp1rc+Vl9f@")'igO@U%t&
+%QNU]^9JJN[nAUYUMip14?K<%K:lT[/<el:S5MJ!4CN+E*l)BVY=3_+Q!eRh.SeZbn_g\(pc7fA4IlAVL\:9)5I]1i3/IVfjJu]<k
+%#2fH!9F<Z)2!5UB,Q(e@]T1-YYKa4*I>KQc+n"RC)%N-N/7j_klC9fj4dPe];lg#$AdhC!Kd_^MT@XFB<[Yaq6UZb#G;X=-r>Y0t
+%`aV6%at[+"&^S<36t#q%Z5EN`I*]7J#BH?m!q5,.)[c,MN66(+cXosDfsqjBjX\:ulX5R4Pl]>Qjb[do[gjB$3m+]E\j/M?DF-7h
+%7FKY'c._BJbfM2qohPj/9@hg`SYT-o5er[*[M'YkGC,A>`R)SJCiR#Jo34_V,E4#+].^"E?Y&i8RY5,SGt,kUOD!?s[cdL$cgqWS
+%pXSk>UV?+385g'r/;J>efuZ5E2+Q`LI+DuTNk%TqfYWAf2nS+/^i.pW9>A6C=Vt>uH@=K]]_CY`HE<k<l[0F1XTXYN[aC!+p%KQq
+%RJ$32;fe0rJbn`_l[:t6m7I$D:#Bgbc9hi"c<0jcT+r^F05+!2HeVTu]lJMEb0s&]Z#@3j`\[NsA'pm>;-oX!o8A$lp%;Y)b)pr6
+%_ok";%f6!85/5sd]j86f`/ZghB`s:b/IRa,oVt'Gqeb@rT6>5%pRV"Q!ShdVkIWVHc?B^l`Notj1S\>e+uRG!E&IF4I8rkK_sG<3
+%c%=Z^%T[']Kq4^G"S$h&AZuET-2F'7:J;]YERpD07fYI@1ck9lrdD6`!j/h<f<6K&_Hb1m+=:S;V@`!D`N!/E<s_KO;\+34DUb/@
+%IV@Pb4EduAXL>SO-=O"de+*W('U:@_VUFLt7BF6QCMe<$=&n77(!K!8(m#=`fEaO\\DUr?AJ+gr"5(gZ3!C!]7Pi['LT2T5%)k1(
+%,hYL1d(TSGDSo$8I)0Ab[nUit\[`s2QA(7<Udj6C&h:%Af".Ss8YAEZ;fV<WdS6Rm'`ubhg&si$\bK8D@)XOq'f54_0mLhk()p'o
+%*4nX0c3?MNo@WI#Hk"2gpK\PeDH=L+N&]I60;J'N%\7EhRDT"U,+`1=Mh]+/?4%,M(BLS6_Vn*O`,pBsfsVD9"l,_h`h=q=`b$*o
+%M`6hPZ:^)uK4R%1TJdWTlXl_Gj8*EUqI8XhLD=7,%:RBb:eAPuFG%k`alF:&"!g*l*eP82H%7ZCi&b0F6X8D"6h/uZGFMBhoo><+
+%MYJ<fnk'#+ifo+Q#hMW`1\hk/W6^-hd*C;QV.CRB[+L]SGOJ<-&b:Wb>R)FkI_ip@A-']DaE%h61P'qdG7P2:QLfcrAaEaI"qRTF
+%,Q<M&AYjoop]@Pd+jO:&)oE>LRi)<`0>m<!!D)?di"GJ<7B[#8#p:H\<3I5o5,!lV%G*M]`54OV9PdN-TUfr`146iXD.A).IDg\l
+%'al?)^aco\.TqL"=5bQ_B&[FNKb&sR'B!(UQOJI>[m2[T["aO(A@T9S/<RG>*!l%/7uG1GD2[c,:S[Gu#l$-O$6kKe,;Guui;d0a
+%EE%Ju+/=S0QW<2\/jJN1cf2k*5V>\YK7=_0dsre+'J++n=p/f@/LsGL,>T]qN"Q/_\4uOt/[AY_Ks"\-blXS\dCYJ-pP(CYW_LOk
+%YaE(9*$Ci)CK@h[r&l5GY.J*i'hj#aUqlL(d=3"#AH_T/h-=(FE:2uKB-;K`H"dsZ"-ELf7CIa9-(m[\G4P3r&kh<>997c>=GMWA
+%6t6YQ@)d8l08*mLZBfB*fSs")]Wk!.<'u)u0k*qFJX--5@G-6\1.OouPaE1W9>gA>J;0sP7.sInUq>M$hdIB^aCY(M>=9GsRmYlC
+%\ZLDh#61*a[gu\p]jfQ:Ms#nq!N-<mj!>p)c8\DpXLcnA'@URqZ1[\3GZ7'QFe8ZV(P-FS..>mqCZ8Pf20N)sq&D,EDBKguJ>VNG
+%+U=Je^aU:3oYC9V-'!##P&4a^YkYDO)IU@K/n$Z#h)U?-dHj>b"ZiDo,'BZQZ8nS)?@0SS3DeJ:prAkldZ!&GmG/"q2^E]OA7I=Z
+%_8h+")cKfp`OWUmS!>Z!c-),-)Pk*&?oTBbh2Qlr!'$==82NLJQ59J>\YES@`#^ZfAn+gX6NHRL)MJBK%4A'l&g0AHaImm,s#n-'
+%!gq.r_M>p0J0p,[#Nsr/.h\2AX>2_;*3MY/QeWe<1()M$T3BOH]_(K17[h4+^qhr1&!fgIRRB9K3<qW(pYF^;DcH9R2F4^("r^UU
+%/1)`-;1o&@kBouq`_k><XZc1qq1'`SnV63/JfnfDf5G#Z.=IiX*SkJm8u";d>5Yg^/=p(sPpgle5(kOAe^(ONg"UDd:N%TGlL!h=
+%IfBRjBtb!HMdOK5Y8F^srM6T^e,<]!;I#j7(hR[V7]@If1Z`ASBI*25b[-bJKER7Y[(lFZ5Mi0&D3f7nqsHVsU[9jY5/ZW2hb1QJ
+%e#\Iu68JS<e)&7Tr8n3"%$H0C&3'3ap)+NOc.9(,de3_#L^ZnJB'(K>;%&+I,9G=XMAFkr(=j_%qYY.qgK(MdMh\MSSgtT;,_ll_
+%['d[g#kFRaDjWu0A=ade0rEpuI=)!^hlW<9=Un!/hX\HlGdJRE[=<")S1=KtiJCi*)R:@[R]GNd2[*P)\%I*j>^GDiiUQ(ta5@f6
+%Q<>-F-?G6=GFj0Wc4BU%11M=90;mOB8d!/>RqLSpJmr,17XJZ,gaOT`+__D=6bnB6TSA:)n>6ca9L'DibaBS-p'-03[8%[nncKs%
+%D)1[:"WUB=raL"+B`;#P(2;;i[CGRp:9m7mhs6%,.,\^+e25O;4eu^mMB!l]\?gH^@;:u?,DWJbP`BK5o_+^'MA9i*PPthWh.<E#
+%qQX2/WRO#c@c[r(PT9?+&#JBrSHt!LG4W['5rX]78X9?5.S;:&Hd0i=@e9PF?^ARDANTGZqZW4$7WJd/&?MAQ1&@Y.@rNSaOMsg^
+%n<1F4Ru=2B*$b5IQGBkT.67fTDQ>H/>51OTPA,6sdRN*]TBRQjp-GUkWD1"WH$%J'[W!/2$c1_q_)K!2LjN"](pE-C(AK#-'e\uu
+%pe+_Y?r,H59]`2HJ%1OO:[,N([YIWP"?^q[i$&Oj;G:^^.10#dT^:.AaL0;IKO>go!G5u(+(!s2=R[\/8s\U\]85[/,.`SZ.WcG;
+%p0MY]\enN60^PApj546\dpI`AJ`HR,m9d^oh<Nit>V1lCq.I#S-D8jVdfP6b=D+IR&N=S%gp@-;bOg7e9iVpq2q\#Rp&o5L/$=Nr
+%XhiV%k\6F]X;j)B_e%Ki2iE_0$chO#]SBmY-iSY:^_[r&k'k*JV2qta%GRW8./CurrL@2G@Hla']G*ejL1pWO<Mnb9!^/8n_=KTa
+%;+WuMKY5-1*K&tppL>X+niHd-8hQo@=7(poTVs=U7L'u,^WL*+@!%89mhQr%<i\X2l=X7Ebk'#D?4?-0pI*G\,"Fr?<mU-aF>DS0
+%ct"F[)m93RBrT,5(h2n&Eb)1n2Ui3!h^smcZcS*,>q$9,>jW_Oc:7`Y$pNg8Gnt0NYE&Jm]?P1I(Qc@n"5b]KDmV,cY.OLnVr?[g
+%""1r@mkb^dUA*Di+J*_/Bd@4OQQKS3j#ae9MAL=$VpKH]aZHkGf5fqZJCt[gN97A)39Mu!lGEF$6j?5^QAXSaTHf:(Nbm-@<6P'R
+%XA8S:Tl;q;OW[tB2t0V?H"n*6m"m$M3`*h]2$B'*K2laJ4<+reS"m6Nf_Mo`jkagC_Ztfs(@>*e>*6QQlp'uuNP?Q)e7*;T!sNEd
+%$QSNS3:8nb6u>Ri7WV.EZt6s.*$dehCs/9u>gi3O,g*K)eU(1Xo'Udt*4Am$Z2LV<8Wo'InX>6MeGg_&R(m*A3N(?Nm@(Pb'YVPr
+%>+T&qk-TY=<SB`&aaiS5bkjh1Uq@blN"f"?#2dHV-6D@mJ?fCnO6GMQ:WX_7iJ>c1"Y$#U!Znt!GF7t(n+ZG9K/;8$n6!EW<'qtt
+%MP=WnEIBaGM5TMn9JoquOC(+%bsSm*l',CaaWpiWEIoC4B31][B%YK*)(0@MVrM"W@msMQI'Es(;=c>7+\e]UF"*bLDX1[?]'Uo;
+%bZW_ZIV:T&_CG`^$ZY/UUd0EHihdZ$#7]E-rnh9*P]u'(g%;XRhX-\5BR4+.eLpMWXH_j$KV`97,A&mqd98GU9(pEM>9(XMTc)q:
+%+,1bDC,7&)8dm><2^I[67;&$*2(a^q1KsS`]]&g*:XH'NHC[IiRM[@o1#u7d8t<m\_Su@40->)DA2.EE$[_^)1"QjX#DOFWW3#;>
+%R:,n@n!2cqSnr`i-chPl[8KlWlt*KP%e8*(S:(*QfiQ#Hd:DcPn4I6?%$)9W+G)Sl/EZJ[bg^Q8_:t@67;M]<P6HZAl1@[K8T#@"
+%E6r=d@Dt#MpQA\5ar4D^qjJu-D-;OJ=_BR$<qbOTag/Nd#uo*[J!u)[N['A`*DVUZ$tI)+0A;B__CP[+rCfAoPTFQ:%VqU1Y;AKM
+%rccs+/83mbe%$pE8\NC,_XRbo[B2(<calYXAstFuQrT2g>)#(UQ(*uVPJYYP<<e*)MrtuVpc*Yu7?/3&53-<d(BNSul&.fC3$BIs
+%67BQZ4F3GHOWj;V_;,h+M.L,@T4R7?c6(^taF2H-C;_2>bH]4OfK(uiaa>3j_!<P!=:-`rIu(_`pR-Cb_,OP7,'5QB14IeeS6:;d
+%k&^@&<!l*=f.lj:p=$F,e3`nh4e<"h<DJ$n@W'MD%.<`,XSRSd-Ta5M4V`p<7EhJbP9njpN=,]5]'u_1bWe=?)RaQjLIE,.;b"XL
+%?2aTLUtaPc@5R4jG5![^P]+iqR9,c[X0nk7H4QVu&,aZ_J,R:"qhtK^rp=(mqY1$Sn,Dg3J,#@;nTW%2J,:>fq:GZ=0E:\1+9(NV
+%J,Jr\`..Rns7fC)hZ)Pis7lWQ^F]78J,(btqZ$R[hThblc*+n]h:I/OqhOn?o,lDAJ+<<kJ,+"Ir9NDCZ1r,Irg3Zapu?jNr6,-;
+%&H0'[gQ2C3O8mi3SUUK`4Stb#ps]q9UGi)Gs8'X2\dR/$:ocFkDboAtJZn=JpdY]6af_99b$P#g5FekGoUZcR4qmZ!%kkl2)*_XH
+%.,:Oe&[XA4&Le5.Xh_su2<dkHQV+QqhEHD?gCO=Lc\j<)s5BZ\X*(-<T5BRKT8^k@*[Yk8V%<O"Of8JW8\FcWr3p>9j1'_\>)&m\
+%]m%rBWh7fA'9O`@"3d>_7#7u9,5GYk5O1D">lJu:L_KXqq1_V&ZdkXQ86Fs=R,r-Nrs7?Vl<+eR-DWb*9UKdpf_6SArF#r\Z`3H@
+%j$+78TdG4na4L^[Jsroq8!H=]!@Hn+M*g`tR+NhHq(.P:$->)^QdNS=@1Q,b?<['*22(3BDP_^3*bVjkefO"6$O;SRVdLU33,`ra
+%7ie_7>h$P1h>kHB-H(o)F*)5sJ]CKo`3[_#Pod!a2[5&p`X$JD/k4HI^5^f)\DU.&D7C3E861UacTVbT'>hctau9T)AO_6-]1r9g
+%Fr2dRa_,7kD]:7;/n*UnUO^Q$AC0iEU?QoY_8m$t&"fsaZ%4NR5<d962hY+7TbM[9a>WQ:Xm-SX:9b!YL4hm"<_`A!(Nf<b=>Fff
+%euAq!&=Kc=S][;Hpjj"=cr.?Q/LQCQMa\j#0qp4(HoO<Eo`5br_`B+\"GF"gD&/9:mn>k9&]lZ#&f/peiRhtT(0I?T7+hhL+f([O
+%ALAN!Cf^%^Z:tV2m5%_J!:Pj5Fne<t"YA]*PB%S37O.i5VM>p"2XFEa:ea-q<F@sT0S,MK'=(cHop&8i4prlOAI2LNRghLBa;Z6<
+%V=\OF5(^dpLu7g8J['q_.:ihOp6d@1G_on0D%ieeIT0r%QBR!4>?<N^?/#t`YglaYaQ`&6Q+Wj@d-tMYl023SNt%%^l`Xt3EHK!6
+%ejlg=-Qg7brIqk-952GUl0`GX+#b,EH^pA=HnNtM]WZZr**:PVfCFQ6V;]9jQ6123WXmbG=^shq:CUDGBTHr2O5f2?UJkZ`e=m%7
+%8;m-U?\!46`ap%_bVjpiqW!dhpg9g--M\u3/m>[0*MC*PB-1V7iBs`VX4>PE8+[!^9[.Cj!RE9MF=QTJ";gDu?DWCJo;/\8?Ye!=
+%SuVHkBJTb.e$=Ji(oMpCLG(>SK908BG)iL&VJ5/A]8g#tn^?@%qeG!<'ej)t^<;n7B[8HAar6A="8#!bR`9aG=\$9_IaTSm'S;@6
+%-7;B9T>Q0;`%UZX[AVanPOV7.*LiDVaq/_h(pklH:n%c<$KY-5QU)U'<1Fc7`YOOBY7;,(C[[.Pf#0.a%0B<V',J)Ofdc%7-EPnF
+%U=NuT^(+?gn-,5W@u7XjiV%=7=bYE!"OeEoJJgA-]F`Wo)6Z_Z9J^c5/6TS^e3RiYH"X2(/aF-q<sLdlV`AN8e8H/9UG#dQ)%PJP
+%lUNA-VV*m[$&GY`Z4a]N#H*JCgM2m/hOFOoktTEBa6M).2-\DD*3lXXLY=p;<@b!dSD1e$NNEC!``0Q[Kr(_^H)Lm&kXLT(<\kms
+%i<o:>Or9LiH-TeSATKg";.fSg#d2S/eS&f'<3mLHPo5Xjkg;6!>FF:]d6o=^)mmWG@+*ld^nXQQKFbD7lM'$#'=h[QS[rW/jF>hQ
+%&HL.1`72'BmA;!K0fK$lT[=$=ACo'%4=tUk'agR]/-]l)Fl^"_<5sit!P!'*T$8uA0X\O=XDdL:9O%,A\Rj<D8\&WMSF&ArhoNCE
+%nZ$11E9FK+C<]PhD.^\HSc-`B"ANlNfec%oR;b*okiFNUEAc2pAWLF"e(n)'ZB&+DbuW(,%sntIReY819ld\SZ2q:K.]]*r9,Y%d
+%.U^7-2DaeN<".?rHj/7>%*QRn<gRic+X@eh<]IK9KMWq:qZfp]L]mtDHXn&3"6'K'Y/XO#ZQKHQcL2OO\J@/<S(<%@MpS%h13q#R
+%L[9+W:kF#o6G[2LQ.bE.O\N-p?_J#PieLO0"hD48C:fpSCs0)Q3o#P8<inI?@&sC+\ba0o]C/ZkYdKWg7'l([K_,<09G.FB4;ir3
+%(+Ec8JIlEl3]`J/UVc2F1O5(O`u]'Mqut8-Pqqbd4$'U&m561BhgO,e@Ad<'_iIY>'B\^`&H-ea'$;>tK!'32!&n7DLq0_QT:s6i
+%a*KT#.LkWEp*QS)\nOSWYg</g$0+dW9HaV2r02%dm9r?HGO$%bnMUEk'FJ_-dk8<JO'M>ea`."d2fk:Sc*_Kn;>=7?HBui<',Fl!
+%PGdu>fJaI8O__=n9]+l:KjYXK?qbDU>VcC%6;YnZSJ<8G]5ggIGZ6W61?7%-Qad?Kfiu_4_C^$e-luls>sZ2!S6Aq)_Zu@V4P^jB
+%UhR\.QC]?JR^Gfb?JSd&X#6TZ%BcT7Vj`]N_!^teZ\`P:,0@DTgP*aU2LQWU1QiS!ju<1Wf5fsX$TV_V,)[4aPsoG)MhK\oU1Sln
+%V5C;:%s%_fpXct+o$fgP;gZ,N4l(CkF*LQTkY5W,eqr#%L0`(?l[HfNn9`gAVMhP/5"93Y3g"M-2s&n%$0.<^Um.kEAbQqL*t80Y
+%igc0Y0Q;G]eR%laZ.g:0X?A>F<3?*?hB+f#YS?"O1*P2>c"+9KlmhFDb11o\G!,HW*funls#tXN!?lPo^E7W0T`\J*r-^$+pp85*
+%_AnIdS+j]nd`2q^[6V,E.@)V=.tu*j;X$&NN[5KBF"(MINce+r1jB&:(?p1gVX^&XX&F(4M*N<n7JIC5EF"2WQo8;*J<RTqP.WP,
+%@#K\q"\EMg2"=Qpb>opPKMOg+1gQhFDAqjb2^MT_[QDl_pt"<tm,Y!4Q&g"KD0JsRZq,2'U4Obbb[%L/HakZ.^n-"^lh7#7dZ'rj
+%/gCe*iksBiWG&\5jN8WVk,Z)F,igi3?cSZd]8ta\G\Q.h*1"bfE2e2gbeujq<]=bh^IC0R:*uZ/hEGi</R5uq\YZaJj7LIIeO!Ch
+%12LOCB=#_(#_&-O=dEC(Q=-l<2U6L8^O>l8ojTX+FBn@!YAS#r]4@aJ)T$!;V8R$.+bQJRXat>rPFpBCV5Ag2E@Y1,1he(+(-d'$
+%!R9uV@A>2^TRE(+2f5IjA=5V.ln\9RVV"Aoahl79nnR,!i*o,'oO0*HrIPL)8)8cEpO;c#Dgq1PgAPrKL]-nLJ,^2lqqWCJGR9Q3
+%>Jk!SEgrUF*$/@7];Zs1hk%asF_!LsDblAjLA5KdnZmZEY<V(is69r\+k)[,1Y>bjl(ZH71jd-5V`T$f/nEmj"X_pJ0Fs^K;d":L
+%mNi+RPIS_3$_a`Bb8;Ht8E+^ua'9o/=K/e6\'0bk$:5B9,EIOYg`f\UX\\R]5JBVUIiPBKBuY147rcp&"N`*MN?*A8%d5c?`3@J=
+%cj7,ghjRgV;=g]rY_EC]!A.4Jfk$aaet$Y!ag2RI`O"nOi5'9F0B!7CiMuD<cShk:`\_:[8k)kY0D`@D)i+[`HBoGGZL,mp5]2MX
+%Ri=?_V$<eh5]aHE>mA-d-[!/@>sc--j;u5"Th$/21]6f/PsV#R4t;K2?,$bE5X4PDDV_mD6UE.Cm^S-,2=llt:nDI"L!1=IG"[ei
+%Ir5Ma]sAfsFa0t3%459DVNBaib\f8K_strYZNK`]3Q1"fDAHUXU3MYt_rOO4DYJRk0,M^m("!4GS/UX#5O8&"]+\aT3Ssi_0(+4N
+%Jk*n^2-lY@"Dl/ek',e?m#o[c<gIMPO6ViY`R:@5BRO6Mb1b\Ch3pEV]"HV^!NLlpG-<bRo@TU@@1`dQ>,uekKh:0TQ1i1HY?5Qr
+%F_&?Dm2k"iK/@kO;n/*[)tQL9A9U@kZ,03hq1P.%l,K0IJ(k^LJ6u+l!8pru4]29?VIpXGJoLM_Y6ZX3J3;Tn/GK&pi8=2H1CZ_.
+%+(n!,(g-Cak#rgn,')>=[^fC`f3tGs%5D)k9IhT*@YGd8/*[j4X'6*826d/45c@=q-V@XLmpJUKoWg*)oiu?'"'OoPVUu\j+.'Xm
+%^e3g<VAidh_Q^3ag;gc"=;JfOE2Qe?oiUe.;O)&%B62!Dn-p(UBSCGcB,-R1*K/`Md&NV5g#gJ(0R&k7ZK$hMOVdG/SU30N@r\D"
+%K8]:0PT`E=,E<JMO%%nTG8^&4Y-tWYj)<o67h_>q(<:=`nsT&[fNF9lN8i.nSgCc.*bN1a1?\k60Y;?/5Vc7faSI91P7%Y;*^]Y#
+%CpXbak1t$m224cZ(Cr+g63_F9*f;i<*FsgSg(D$^&qoaZrG]XFi^3/i&TX<)<LiU'J$.?QZ6alq".A,4Yt8G1p$C_]>YSm\0'g?X
+%<b]HFST%;W(b*b-%(]Q"B\%oe(6Kqt1l=H'BTWsa\JM6'3nGNLj_e]n80_`t'U8+3)M1<%<Wt<f]r!)3<sfEonQLV1VsGXAPbNJG
+%aW(<FlYKkAn("URAM1ZPEH<'!GW#E)d+`Y5:JtT+KN"*]ad\lL*1#$Wfu*%o!-qrsEHLOc3YlJ.RIu"K?PLt+89+<8R4sm(=Yh%X
+%-+pQ]\:0`p9N]P,$m_jDOa*0eIL+$uA&=!if1e5FefegRs/pdSm$)._Oq/`m-SP`f6J7<)CCFqe^MYhIQ&TTS9.GfMTJd1=:R$XK
+%5E%>A!pb5Z[)V*7-l$Rt)T[;3-BBDl.s&?&`1di:(9,=_cGA8H3t>2q)0AE(lWlJ?/ZOTEfBK4bZGtY^=.PMl.hY.<N#kS@hASY.
+%6hZ_qK@$h>99XjUi*;a;PS=uR^T=@`cDFM4/E:q$b^0Z$7O[sH23=[ugEQj@:ji=,A1#")mGMaSn,E#Fr5HGKiNN7Fb9-`JT7?gO
+%J,/Otrm),&T7(25['oOts7d]8cTh?N5Q1G>5Q9>CroIL7q=:^rs78JTiU?:&TE"[N4eDRY*rgRlX8Y_Xor;,1Z@&+E$@?@;Cl%X1
+%'%QB6Ys$pLqj;WaZ7R)oaA`<gHWGBH7;A4dI/-5/AI]"Kb.*P[?j8r03A\!:V@N?:8E^RKi(l3ss8HrtE-tcFgGU5Bn#u-`['HC;
+%g'tpqd[TP7((L(-cWi(kqn:)#U%iWFaAN,#p>^2?ZgNpDjEXnV,AUs+U&fNqZ=1TA1*QoN9\FiH,UY<Tpo,W6YSMZ?e81e<YA([Z
+%_eEVrA6RGW2'62,0fDk0kj3&()APV#84\OA2-KAu/j*0K*FbngWE$O`fn5f"pbE4ar^=)/9@t7Ufked6no?W,D/`YIi7A-d(+t7@
+%?:3@fd^cXL9^iFl"eWh50pbZ=V04,b5$k+,^edVTqn(UHFQo6k!dnLV!GXk*X03+[cDi<i,SK)?liEO;3P_`V"g%uKC52%!D'Y1n
+%7C(PmTg8r-j:$H6"'e:W[V9>0Z#W^nZdN0qn.V]3rZ+qgaXEOJ^:#?R[rh\PnJ]:^m9Zg<.UEC=hN\i'#%=0a+ZeN^Hu]9gHe$&\
+%s.[W+3NEDVEfAK;$_cI7+lpauAO&=*0F/n;90I0%:!X_=#X[N-5?p^..TN9e1TJ1LEFBPf]ci;Gl)VFVbuTS5NS]#Qc:#BUd;Tft
+%^Af$lM.I::7\f83Wg+M.1j,R/dIA3^qeECHk.<1IAmQ0T?IW&61(B<,dR&g>',]hCG;1'E-FCi%KI"huTge:G`8'<:Bm1N>DqpE2
+%2`%duroSfq<ZMEceO%Z*3UFgYQ1aQKKG9rBr*jFIk/eDM2=OM`?)oak7?Hid([Z$sqe=N?Z/+T!KTd;5jpJtE".W5>pE3_k[79q\
+%poH-+;U'<dh:V.3V<G5\IeimJ'e#LGMo(A).%.G'>4W<b1lGrsO2'(d[i?(2AlJJ_[8\,1,\TX_G$Vrb4"$!un4RqAcdetl^8M)'
+%4]nq+/B96*YoW0^SHJpk)i@U[JFAN[51,lE$p.(7UJi#fTN9>Rf;CRb4_hl/E0BmIqpDjN`Ti4hJqY@)M^./dI]oOIF?n\%J4\!j
+%Fpu3BPOKriiC/W`D0M#*,D<Gk%RooLa7>o.+"^8%DY]e-4gN&pc=@*880S)oGW,Bs(Fk>0:Mq<0>4Vr;2g1N.K?Hc$_@01@$6M1S
+%Hm^J+rsPHi3sFp*5b"X%lE(t*mC2SCY/G&!&.A6b'G3)n0T_p-]?(oa)2Od<M6"1&9NFlA<i[/)%lUh`G.k/l>M:[5gjj,U=_q@K
+%5@!0Rb.9]D._qDhO>*q7JLhWTbu;UR.9oc27(Km9KjK.*bt<LOX0#E(pb&V#@8g4_AVR>9VE_*81T"P5#o=.$[TqTl;ln!OYG/*#
+%UDWmY-fHU^]b;,.bCR9a67;t81eCdqg8>9$:8IX8Y),^^$?]jko!\*XQ>jkHjr&24GSpe6IP8_rf:It;[1k7b)BsDg27K/iYa9;m
+%>d6:s0;R!jOI)Un_W0![?t*@RjPUurSQe*7.OjU?E*U`-5agMm>Bq*b#WcUcff`n211jV.n@U\&"M]10D_2LQDK>uQ"?C5iVa)@E
+%0Q#!Qb=l3&c#0Ib',nfE_IZO`5T,=4:f^g\g!q?@@`h^u>0B6DK*/dAo5!;<l5ZkSA&oltp:CLBE6F(T@%.@L-gfl`*G3FoXt-E+
+%&M;?sDqBVR$+s?8Ik!$u7u7g2?$C\jnW1Hb@Jm+aaa]JDbMmMbX7J?3o^,5-q:rsZ@D8DkbKd;@<Ms/$0!jHF%:SW>1t1n6B1]fq
+%'/J?Y6(_R<753^LnCh@1;!am3C6;p2PP^/<!QTl(9ofb!\?lHDi7*\Tm[C@1lP%B[k(,6n%LHcY.02q;4Vl%BoJ_VlXd07-SKY/j
+%6.PE&A*R79c"'A;R6cpPHG1:AR2Rd[BkrWMkr?"m"3Ca*NRfE,r<l:+&`t<2YXW7Qn(4WeL0$?!kdY=-:^@5`6$tV<UW)31A]OGY
+%s5K0\d\]7P8<UiCEW_@nCoCC:4rTfK.+1Zk=n7F5bl[M*(RX\<88OV9>f=Jd.FS$Y^r1#2+"u-kGf"ETG\)ZTpZu5Df!E],/eDt*
+%fBQ<!-lJ<ZN]#g'4E[;QLcXoI%Dpf,e7dO?aJQU5[O'-ob2eJ;%#6<8O3fR68C7Ht:,=p=Dfj*h928%l$8mQXS0"1GWN>:'11eph
+%Frg5KRE3*S`9VH)M/;^ibV#&T4lGaF^(P_uS`")]_u],j_bOpDr\^BghW2`IR!0'W.66PG+\tbq:#]KG7fqd."%19(mBfK/+`!4.
+%Ycb=Pe*7EqD[nd=f9RQYoZGi@qEi7mN2X-4S4L(D)]E`S\IChn%U[O"+GnN:X8B!pQU1Q7iY.=?B(C$/7FJDL:qs[c5CW<@oa"p&
+%d/\/4QE:e\^.Ra*R2)>QiJ$WEG#i0si0M+l^ZLKB*LUJ2;d9A9QNNG-A-6CYkGo,pD/[9@UtmeMQac:[Nq6e),FQgraLuo?4IH\j
+%_=+XR[^8U)CK_ho2q\j_\*Z,4Vq2"@,:!nne/8Gi?@Z1:Gp=S@;HC;f.g*[kem.M9E8/8%-@G`\6`bB.Gs=N`39's$qo[Qt^IgOZ
+%&Y+X3kU(E<es%C_:F=EJ/:kOm&YG]8BI;\Y4Hs7c5NmX$.,]'EYXab*e7-H=@Wl&";fbD4Uc[*ln>GPH&C5*$*7Y_/?J>&g10u?t
+%A_WfiJ"h2@MRpC'8NRKL.\RbMp.iPC:?#loH9lHmY2^/,Yj;mRq%cH3_Mj=5cr[iS#C8VOV[q5]YN!TL^-6eHBSZL9Y0A(gG!i](
+%1L[H@e';`Q<'`7JN5VT*+g_eh5&SJd*H8<8@H5B9#qo`LrL0%$@$_[SkrbXm$X9hZCbqsM\D!LN#e2bP7^h[Gs&fg+-$oBLMc)sl
+%hrQX+WKV-Tjca:j8WE)Pl6k!+N)7I_R_(:d>aMo7fDK0iL&q[X.k3Sl,Wd>G*On1#A?8+@k^i;odq)#[jln[UK(MSlh$<OuAY;(D
+%Jainf"*?Odecl#$5<f2pA#t>GY0K3_EHAYC_sl6q;1+NEc":N#fhK36f8h#^qt[m$:oqg4k3ot/'>CNt@PD5kAU=g>r<1Hk*h>+h
+%':V8Vo[UoB]5j4lqB;@a6$AWN+"<h#C%o>6Ud0&u(*rt%\f_"?qgP(GT.G>\^O@_`Gf[gX7`)EmNpCDU)JTNRJPpT?<Y5>EJ"<X/
+%A6bkOgdi`5NQsfa+C$EB++3p5bpHtC3%Ikh"N;1?jdjY*CQBX=4dQeTlEhDN#J*D'8tPU<j2lZs6!!`-']#s32kJ<lJSq=*>rg4<
+%gn0XsC>l1'U>-dJ]L[XV=1(%O-r9P#ELL^),1#6D0LYAS"1fr!Z]iPZb<o&(,4?\0g+_)k2<(%)=rsF2T\3$Wd:or08Pe&&i`n%l
+%KBY`eJ,rkb*nYWeYP&'#@<=(\fqoUOlL42]1i0-A&_eq7.J1F&fI,X1]4e!4N.421Nr(:?2+0ou+p?.W[h>.kSo7]JWm3_iFg^ei
+%fW6r4_jjiZ@HupZ=0bo@Z@$manTK>l8JZ5#+L;kNRAUURVaen(qQUoR,[L$Vks[XJ^&KfO5-JEq0N--^/&56kaF*5$oal>Fd$aE;
+%R@`XXX1d_U+<#Q3M9*94iX:tOLJ4i<cT9-pkp:&&",,bpgNu%/(j1\5<Ze@JIBjE?ZMd1BBYk`UWcSKbPic?Aq$>3^[R<($*@4MB
+%eeq+Y,$2G#iO'Lc6,rsdRD+/@DN9UZ!&k.4pX=YqH.cF)TBOZTodOZlNn=onC0l--r&8HFU/rZ$k;$I'cnK0fMauSdb*N+t4RJ_6
+%6VgsS/C15!e?OaTjBLl2@PN'`YQEhAjLJjSId-3>_dNV#-'<uWHa(<P85YkX+Q41F@MG4nghFqs_@GY[h2g#=\H-M;3YgGTK'B1%
+%8G0ID[49*PQ"-@LX<eOaXL/fcEE7GojSXHP(k.c(&pMGi_P?TolESXqemZ\-8>o4B6t\(!haLJtA?J^k'8b[AS+i?CHrbRARHjb'
+%Cla\\=Z/Yj"Wg%Y7neX,\VBhK:l?`i)!1+>O^WDLHYa,-iX9OJRkO5S.q;*+DmC?]O(J1@O=VI76;Ntk+9(kq\Xpab3JNj/#7rTS
+%abd"\1AL79G^`\b7^hT1rUIenqff#)RlLdOW6<FKGHoE^,JgZ)6^M:Q?GQg[k&0#q)HDo$MOd]J4?.4i4bh%3@SMJoSF,Qifbkb=
+%&2q#^G07P`?bYG8L@1U=p'q"8F*b\aT`Ate*a=rn[=l!a.,6upmjq=mc-RW`F2k!C.X?tYN7`3dgk%X.4"<Pm<FY\f:34+`q:!K6
+%RLql@Y_H)OPoi5,p0<V@UF7(Y/oJ]UN72jYD3bPpeklfm?PXT2%c]T;NID)kj?ENbDZ2^m6<_52J5A@`3E_D77ll[a1?>(D)U,gL
+%KPC%[0[hN?Df7NuTTea]45T&[b+aU@;.pFdk^i#86f^7d0,"V.Y+Xe,$93K-%s^4R<iuga2:*q9.mWi0[pO_H^#"D%"EH'j4>]=d
+%)@g3H1TFURA=`XmW7kjqk];r?DPj&=4#l$(@;'-^($,KZ/'f%cV`O<?!_0U[GsS#\auB+.RW*A,8KZ6i+k.!^'G9TW@%-9N&8fiR
+%gm"on-.hZ#9Z&)4WHSYO#fIOX5uWb%0_p^D.7MRu:fsN8H$;7!lWFJC/]r^BTpsF'=KI,f=aTVGhHT4(V%((Ro=7Lj3V?'ClE9r+
+%3mUtJ$\W(@nL:$pG72sueA+L]FrGVi!RugDCHi\Pf(;U5JkPI2`"+q22_n-cWRZZ9O\O!/0O[l^TuFp'BEZc(Kl(W_^iF#^H*\0#
+%iUU0KWH/oUjW_*bBA<=l//&rd5CQ*N7VMgt^53E5[/+4,8Fd,)Ubj9$p)qX(7u4-LY7J8Z(DOKZQr&0J/9^.85,o8Io\GP$4,2W7
+%K^h<s1'MVSaoNc)cFd:p3sV`tIGuGV_l1#R?nQGo$@"%m%%bi!S.:aI.Fi9@VqB4kJJpJ,Ca<HJq,p^`l1V_]oA+SR?Sprfa`=V3
+%"$;7l4TI;Mgfm$NLkI45?tMW^A2<Ho50b[4b#kn/#VGr6[0NEQL2gLSJ$,RHb-=0h?NQU7'+6f5MJ7m%+d$6LS(ie=;p&8-1&,V/
+%2%.\Kc"0+]jj1@OI+KD=P0dJ?*DJJZR9oja+LL8pa<ihf*?R=pQjP5+*0.S#(-gh/#l:l<3BAKn`ccqmbuVNUe)L`=!,"OB+d[k@
+%ilK:&JnS,(Ae[#Hlhcn7mooS8)r`otggVp?X'uY$V.7(`P&h(X<=tB=\%V6k#cCI/V>8T3=[0=s0j(WZprF0>!SnQqYs"G-[l-7D
+%[oJ6gI`W=YADJ@Mb$e=<b8UC0]np@Z;'WQ[qM@]2SXP9O<s$_#i=V2MpaWP]e[\e]]/PTDaSe[6%:5L0b?B;dF0dtiQkE=-&%C';
+%<u36F9p]b@K&$>Hg+Fn0YW.VGNL^5mTL-:99J#Za=hi_)mt'i`hE@<kDU3/i??0*AC53&)j-nk2S@7J8P?>&L13qc[^G+oN5U_4p
+%Y"h`%p(B_)YZdTf-IGn)&W6#/r0('I7%!qe?+gf'DNZ5OaCbD$`Oap)f]S`^ARh%Y^T<]!ok`%(KhrZ?`NIa`5CT00nta''A4*+]
+%5([U[E)AQiOSLRl4Z.m)&EL_'XP^MH#_Te7`QAC>2laODpDl4lios4mEWNqd3,]W-)#G4cPB<`qR$KrsJm'9g&QlXL&qt9>DkN'g
+%>Eeeia#'*1RO?$_DciT<>o_*GWBO.$k?OY>F:\pX_*&d#BHVWf\QBF6qSrfYl2&+!5+'642k(s`P*R'*EffCHA-1WQiI!m#,b@<=
+%T5D]"rjZ6H6>DYI%Te_sjhP=Kka\M$G^"96df%[K:(+6t-6K\n3<juOio5C,#N*4Xfo@9`[Gi%'Pc/n34KIZAclZ^hj[f%^pq`jT
+%?XE1?4h4W5A.*@WI$N?:q%?>fF*41bGm^EQ#sWb=ij3;6\p=2JFdeD>E"k6t4t@^%(X$c/"he=.(D7@FMVD\Cin;Ho19'2J=M.D'
+%93D4Ln+Wgm,:J$m^\Fj&PLhm8k^L3"J<!I0_f(">;@Q-+emXZFG&sTK31])nN7f:q^h8[F>ko^krVS.M*0RhtlB=jNp<amGdm@Ag
+%^TL?[oOKkP?\.%n_"p:M^%+3IhY5rMmA4C_R[4](NI,upk8$4601*o?+kX4hD7jZ0GIA_.KWW6W?LF2A^<NMgjVbCr-G.,r(C08N
+%P91l5OgD>U9pO)7rO2!5T@JI)+s2N\#)7elFmQIG00T(M>MpVR4'Xe["]Bl(3@^YM)lL5hfTdua"kA=V$_4c^+dKcYbJD6$#ZV]$
+%Pk5/"oi=E.&O8CRRrqNP,Wh8P,3>HshOQ-P![l$LW^[+n"6<(qa4HP-FR9Ms8-.>Ij^1j&^b=gQoq4=HB>g4*QZF.0Cd\QW>>aNf
+%]E`<[-7cag%;_0#Ai$T+Ak$c&,gULF\3A\3N>+$Fm;$Tu3_qD@4F4f)U:k:K:0=YC'BjuelqeNnn]r2.MR9ZYFDO$qEOQ#foq"XW
+%.HGM+ABp2B?f?=UGNkK^neEl-6u^be(%3;9%U?Q'*u"),I=58kB0/*A.H62Z`-,6KlW&R.3Cd&$:MV_:Xn)l'mXrg>OUsoKc8.a>
+%YIdJ^W%LCD-oVl+&S>MC;S/oImd6V>2qiDbF+<TSG0c<+FC46T(&StZ"'8+]-Ya;-Y/`Df_E-N]TA+L%):36g"=]CA1(l+dE1_Y:
+%^/4#0jYC'09MP7=6l^J?22dekO77&ZW<;"`XElHT/TH.9)WDL_l1SRI:"e+<NkJ?W<0-.I)X(TS2apXg'L0d$jnZUqpRo'<i3FJD
+%ER]e(i'E-iI.YPLIXXF!35M?Uj*.\N6Sgec13$BU'81W-1$^HsSqG.#>>4Br4^4ccZ;05Bo4TcHqj2MP-Yf/(bKd2m+,cnCNr\7a
+%l=*@6MCe+"0@8_J?ll%kAbr'&\)!Q&/6O`Y)fJcH^fZ)VDUHS:P7>JY&M-p&"t@?XG]l'/V?cqDkR+hnEsB>D^pSK[G"aG.A`nXi
+%:4='VS.%h2Tt$'?#Kn\Sj^j#6fc%IQE2p;diQIOp$hnam&L_3&^\B:`0e?/&N;%MD.Rn5A#R*j@Q=fsG)lR(d_niWp^t-i9jEV&Q
+%G%$V'H/C?#&ZB#4ZN<9_2lh^9%!0_^!JrR$#*N?!$Z"6ZMLZ3E7EI#"k*>mU<'^QRo6G8I<:<"+dt:tdA]%e)HP!<:+)SsP^5\e.
+%m<450&%l2u*4J4Q(eKe@5au'p$hWkb.b4;CWptoXF#r(aY:n(KID1r^:*4AGDYITsLBOrY4aufUV>Ofu"PS_?"Po6Mhn7M+LXg]Q
+%kokL7[h=be@`A<"aW!PuRZIiq1JTP8VH2o5EVqgQm'%r;r-eZpNg9:C2I^5$-m=S;>.9Ik]sd;=@8th"*ZKVdH,r,VilfVnE'B34
+%l(c434Y'BF&XaQB9?Y;ll@^AnB$[GqQq]+!LaTfM3a=F=dl)jBU(o%cB*6UeIHeSi(`5TogGaK!J>81'Bl4S6f#B7rjhWu:^enJa
+%*=)P$fY\RqNo,+K.QIK6o;&JK.oG=l"Q":q'Wq#/TPc0/Y:e\G=WJE<16QCI#;d-K/EL>g#QoJWEV4WgDL&JMj`KGkZE_tdfRqt^
+%Op">q4$4$t\(j^KrY*Sgp8^H6?QbYW$1i*A+U7%m^!N5>B`,<Y&k!8VcJmR&h&efJr9l]93<n<!P[U.$+*<2p^_a#hVM_r>?HUD>
+%HY\X,s0s1I(!Lp1\@D@@nm7si_.7<kd.oBZXuG8KmU7#-0+7Jr?bYtn_7pG)+5R-K(LKPra2cPh5iHm<<:S32G1YLa4p#QudcurX
+%Fl58Rc\bGG@e&mRY]tppbS/;lP^GJ>hE`IVOR`u\Qcjjqga[:9kB2BtSu=#P_HNDh4M(^l0V>/F[_9JD+%NYBK=&QMLf?0U^P2pT
+%]n*nl(>3t6Te!kDC,H:ip\?Kr[YLkm_]KnsNa[u250m"B<s^((I]"85g%cb*PiY8!fl@)0a,i6halcIsihpg$3m]o0+>i_,EP#?S
+%)?fN@F&on_M6V7ha6&**4Z.*Zf@,BGE5[3t-i&1Z?0e.cGF%8c=M?PFU*ZT[5=3\S!U/&_lW2MeF-]P5lQk.XpN+Ot',S3=1]1P=
+%?k-h&N994MRB4K.%PY&!6;O3qZ6h3:eZcC%Im.H]Pht$Rn?PGtDaji#Kh4H<LLGIrT,G#?#F/!c+]),_q9aS!"g%3Yr;bWE!!ICE
+%cr[XgaE"1&Ie6iXCS9q7<NGVR.S7Tpa:t=`<d)+]L>)aukEH%tb\b=_Kn5T8k4$3&b:0,,J15b!LXfOcI#ScH$KYS[^;b+ZYB^SF
+%H9$7K7'K]$hVo:&P#Xqd@`ZXTn?.BaD:]TJ_[#SZbXthIK<TU76XOi`mH^FW"B@_HXN2ELh;OAD5@7HL/>[ImrK&'US1-N'/&F@B
+%p1ZNr-JVHL[VRV"F"G@e(AEr>LBM`FBo2DHSkK,m<(*jG0gI_S4sO]n[6"J*35`G>L1kr$Qri"cajQfIN:97FS5S)/O+gC;R5)S;
+%_Pk4qkc<<oZt:<7ArnVj1FM(+Eb^eGB1?30]m6@HIB;\d33&KY"4X+!=7%ErPWii%q/r`XVq<2+?pFr54ZEZhW8k1QY!ft:8aIIe
+%iMGAp3gQ)1A&r'A##()p4_R)rr7El70^Ncb$abL,$npF[E^)ij\6Z5Em4@7'nHGA%qU]VU/,dV5fR^I640gIHCr"5a3f8O]UL*))
+%03<;WNH.\AF0353<P5ZL3:9?:Tb6Mo1[(7&ObP#LhH[^F-<KP*22kk/#2OtS65s"M%pVlMIk[StY6H\uEP6-iOY_7Fm:BkCW$K$W
+%qC+H?h>qOko(s1G)r?,:AWQ<gK8HQe87#/rh4rE]Yk-@ncO0E\m8T]oH!V6^>*98YYE>];;a7NhT[s@;!T)MTY%Uluo<l@;X"`;4
+%'WfV)cEG\["dW"nD#.5%6(KJ2[mG65ouY/,:No]p;s'+".:t7@rLPlblMhJhGoD*i=0HZIe#V!KW5*a"9,+#_2ErF?*YjHMOBn_M
+%DQGkd^\7!]0[;*\T(9G9QnmX2T9ke]?U^D+2jl5+MpFGo?lH#;$!6["=BQ9:+?75Cn2^s*_(rrf^afR^?8h*c-NMo+>($J(^"hkO
+%OjK*MV'JBbcaAb$lqLq8Xnm,WNPa)?QgcrT)+OATMd\`,LEX:l-/Qb9*&3.?*<S'E%NSo"rim06a/[?FnQa&=S/Rc4.h&1$GZ/V*
+%;_:"6.8bH>p,\X!;#OhCs*+;*X?:*;h]NZ0KMblY&SR$_Qg-fcpq9oAQ)p(3jR$9->\f<@pZX@CZ`gKgB6#)kj[2u140XKcC@0TG
+%#$U:XUnIk"c.jbJ\/D]:#o8GQTiKmlNNQhI]IXMW^<)\)B(_NU)HirngL98I&Mn3#moIM.lmM1uQpXQG!ntmmFaMV(0_Oc?B2]uS
+%4PkN@/`rlC>FlXb0d*+%4XrNH!>%r+aEQ+<:DQ.gTXJ7Zj'a#Lnk'j$!>O];MshaZYQMj%^!K@&6E:.4YYlhuaO\SG*<eTJmAT"`
+%0pT/:jiL8BC=/TCd(heVHrf05L6AId/?N:k;A6R(lI"Zd4@[e1bn_s+Hr]Y=.?2rVYlm93)Ul6IlLNAt*dDN&n[;@d5h$_I"-c7,
+%%QIAM$tiuX=AX3VG48rD(E,FSp3Tl0:69(!<Eer2Ddd8F\0=po<P1o9V2)(d]iJ98oOuDC2PJa=BkC+b]5u$`(7GmigV2p8Iqq(k
+%Mu)\'hl3)Rnh^K$:M@rJ!;PE^N1>+)(5Ea%q`5A2Hlpg@jRFS`\j4m%.\3/5j7D@9;pR:^cV6a";40j`XV1@R@6(Idc)jH,Lja?>
+%3V7HtX!50-V/AIW<b'Al>T5F@Me2)H#]*"]"CMoQkWCAN*+VO`aciu]E\PHucDTS/82l_sl[4JnopRe+IfmpZX?fZaO7cU+'AaWR
+%mQa.$LPL1A[9K3,ls]Kf'/tQ:(IYl/eTtf%Om"\ob`i/09%rOH/p&#A>NHmJT"un??e[J/"VTUD!d!Dt*h]`T?DN`?@gsQuYXn-&
+%A35L2.foN4X-V[2Wku8Q,r6(uA]:i^WB#"A;k2DK:,"qV*5K957@La[W*8FDE&HO1DNclT)'c$jcZUsYmsKSoN[EqEnU1eZp?d+n
+%<J-3<#LFLN\0jA]?U!/3qk@XQ4\-B4&0#5&G?P*(*NmSR[AK)UfoqPo"EAQHQ9t?t.H%RW%T,K^JF(-n'&%!fJLL]<*?.(%9K([,
+%o;C]&Xk_JF2GeB5Zi/U7/@4afoW6OM@'uPt276i4gQADd4H"k8Z0AD/%l;#e?6q*J[Wg6f7>^*`/e!o(&]MoV#FEX@i'8Y%^YYZ/
+%PBc=-rL0Tj`MIa#W*3*-s4lpo$`<G@E=Xrp*qc_.WFD.64rKbZ:bnp%S.0!s(.KSGJIj/T25XQSdr+qHR1F9F:<t=RS(h?skV36a
+%Q*O*4=D]*XJDX:ke\)Dh@<oEC>OnOD"kKrE;4D-tGS_1YFqoi<WhY!KoCZrr$D_W/b&[',[6nrOFZUW"c7@!a\p8^Fk6U+a-![4"
+%DQkT5$+DtQg(G\>T&'?V&"N9(<d%]&l(dJ-?;BY7](.8hhGNgPH>,Cj)"n/3EQ"iS-dA,-10?PKV!Y*bmalXih,?e'img.+LLhN#
+%kXJB4l#S)n9.[(($!f^20KJDCbUtRd;4o]?aPpX&S0OZmd)i"C?=_Br^75qpb-g*mf0QE(*;K#T!fe*n#4MK.&<c')Ze_iJZK/%l
+%Qb%Fm6dOAgQDj>03e-g5%m#\b%\GjmjT51J.SB]3b0T,5D3]Y<VKO]lXo?b(V^>ACm'dl3N*Y;kHp907^6aW<HbO.fqo"H+IAThc
+%!Rt0f.cN?]at[<E/TO&QpSu5a6<'OaSDl@tB3h=23`c-*J01c40G-K&2)t(L\MQAe91nVk7$q"p-ku)/baVmlU3=o'9bd-=@^Y5j
+%nWTg9WK[FG]-i.aX+\bZjkd=aZ)p35UkK^,KMU/iS9Akd-(S>+NaBD5>rcogDj9I$=*!Sd16'i;09cee=Css(96XM$\0A6@7l%?@
+%F@^^5GD2J"^bH^LL&]qk*/O8M;/J8OOp*:O04sItA;R&nd&gV50^.n]k@6mC\_ADsQWaR,nWghKNqM<5nXr4+gtX7Q3Eq4cBAXp8
+%aU>/$N$qb7"O99[A&BS`2n@L3g+pc,d$qt&,Kkh[E#n6\rY,r&-pH%iVC3cK:GIB:a?/#0<n?lACZ?>$fn*eUD2X'gh]%sA,=T2k
+%p.B!s[5r"d94ml1AS%F*YSY7i@Qjk?Wkc/.;@m>GLuJ,204VHXZK/p5QE-%AZLT!iVFEqJ[d[GU]Hr[kcY&e#Wp=,r!gjSfVg80F
+%S%H>_'FRHhWC`\q=-[WQmqPQm?I@nYK;fC7<EC?;)3jR5FLTc<H)5=NVl%AGpC,5J6clI*V5bLi<b\8!'`=Jf(LSYB3uPrD<1jUk
+%<.Y_NZ#<+D0&JMbV@^<Rd?pfFUskd!(JMPaS-oJeefYWW;B4NIoi,pr]]6>p#"=5KXrN'UgRW3k2W,l'VA)M3.u"PbPP5rQg7De]
+%PN*5k#_dA-&aDe_\E\2f]+')h?M8K[oa=paZnJAWANZ`>oChj"_:4T)iaUG4*)"pM91N9ZC#3VS?>q-slhA+SS7EX?OFj(4WY4/j
+%f,)ecZj%L)b4/Nd$Q=iIlHuQjpU0)KpIghsG!HhoQjSf,nImab;q\;=o%lYP><g;C_96HS>-F[6jF<un=mj?r]"QlW;Y=r@YMrQA
+%UWCZ:k^69b()oVpIH92TG1Uhf>ZXng6ZO<]?e?M1$S+.HCm/l^;OpjK#3#nZ_'7e\oQ17Da,[cGMW2BU-1P[<+S[6>?b,)Gf&hE#
+%VXLH^!h!SQh<\(8JR^iQ+mMsgK8L)T/O)K1.Pf6"o).Jb<.XLpJ">PBCnKP9@3`G\a1ae>+_;`>s4h%=j4)o?G(k4*ph]-\e`73K
+%?m=F?aW)^mY52]@2n'D_USb*kNLf-&6if3qgH8dILnhECM!B<"H,d2^4$dPuU(@O[Rh_ii%^@JR"U[EaJP[?n[qA4'GlKb1#O1_M
+%\)9\N;=FS&mK\3%ieaE8^b5rM6jqA[nHFlKZ?bT0o?6!(W\&(uLsGNP<+=IFLTl/NG/sPb.$]@N:#%:PM0@As\WR\UUJRJcGkP+W
+%hSE-0M@`%#Y&&NrOso91`X4Xd)7^j,YMIKB1O,hjCY2Js3QUoY5%;AIB$4:*lBs)b/7!(Tj$5HLTbTl7gaOTFg.re<:e@0Lf\6=O
+%Y=X!*muaddh1tN3pbg2FS1)*PG8N-Qn$#lB<a@'YBL)EA^2%+acNQYN-;6aM4iaQ,hLJO-UbIqNI5-R%5VfJ!!"MrW32j*(\Bo$d
+%MGf[&Y7Uq4()2YVF]m8jb!:?O+E4T2VX3R+2=O5:SeuJ10T8C\J)+A$*p8V82W.W<h[m>:HtYMq^<<CCjhl.%7_;uMP`IOq;'mA%
+%[VkVX`2S7C\l&FlUg^ic;5\3`.e4Zb%5T$0(EQV*MV)Jd9\='Fic'?*p.a]0!9oGYS6aGJ[p%[$HhhjOW[rpgO-X?8P*,95GR0g/
+%NoGLQGtP2"3NsCEe!GJ\&ZblZ.6O&`!cN-1IYspDYHbmaE_D^<U+u:MY]$SVB@!SWGi(80\8;q_6E;^6/L2f@N>*\3c>C!Of;[$T
+%G2ZQJ(J"5Jci#TdboIX*jO+QI;gH/mr6V(;!+p;!OSQoIJC+/5bd2u?DD"JL)K@ZfVC-Z.K..LKYAl:!(DsY`L!2O9b5l'XJN[64
+%MW48Sl'*b`o3T=uQnCdKB11W1Pf(;o]dZmO3^kn5HS\^,QT`pS[7Q,e`SC@<'/L[r_aW;@gV*Aq?l)mPf?b5(*j;m%j[6<MXBTTS
+%a6hW<cTmFGh'q9mrk1f785__qPPUhATqaP@A0F%3=k6:V\4rF9FfC)!^!?L(mtFrBJu,B_W\Z1XfflHqBQa"<DIASHkOuW"'![Is
+%+'>6\6=Jp:3ej?epjK8a[ah=\8g5qVYi"Ta0sP`=fm0K@R<#`T)4'\:?B&jFDC4C#@$P5].k8W>k2d((;2*[1Du4F<;#WadD7nD/
+%dH0El1b2>[=DfA9TTWa-r:`rSRKT;P1Q:l=1&[1.CF%a[(*cPG5uNu#b6u1C!gW&[Y^S?(caBF<*5R$Pc=rqRC7I4ZMUO&"W4r_E
+%eh"=r]i_:ICQs_k^Q40f*HDRii\1V.e)WZ[;66k`2BlG2^1/.6IhVdoV\jLF\ViJ!FRP>J;(SrK28>Y@";Tg(hti&%6nWG.$<*8C
+%[N>;s([VXL@=pXq)h^O]>r2#2B$GIr@n]MAOnTcY1C"ct2*F'Pal&4=E3KXjKh0Yt09GAp69#t\P3P)RkTr;O_TT"R@]?EQU=(L5
+%eone1S=:A6,6ES%]sHK_2Ie@$71`&#B"uYh1FHC9Ln7W;%EjVF#p&'Dn7]K7*8!p#DKJKYQG\94YK@pDlEC_F"B8q4rQ>("(ZhZI
+%9?bMNE&)UOPC&^chC_,-GFnLD!7Pc%)96=YCJ5AU:64BJ[n^<O#lh3]:'5@CXr1*@X;@!O)aV8]637C^"Ud[N_*+%N[1&RlO)9pY
+%X"JKX:KB.:rRJ,b"_D<^o5kTRD0+-VY1P`1eC&d#a8<b7jV:%TXKoeUPLiu%r"sOapd4OD_m0?6=O;]g.=aHBM<a^[j7mJ346,T!
+%Yg4\[(nQp;l""TaX8M^^=oQ/&Me]Cg=)&2pn_Co'T]JmD)t?DM&gm8Ae2rJ"S'g-JE96[H2]hX14pWM;8BsjA[W"q8ICLAP@'\J[
+%6#a4*TpfZlRe*[nhn3P'NJ:7CD>b"%hKIM6,s)T`JprLP7f[858!Vu"eh=>r+#_i7+bMTX_%;DL.FEc(!ldS5H@,+g,%>,ShH>%*
+%CEs;mF75PY\Z<$A1=o#aXIJ6k/bT.EP5nPs5%JO-KI'FF03,tiPsP:)ZCpX]4M.qooStFGh.I>6=48^dWh3`j.[V.u>?A1FZ,pQd
+%7%cW2Q_qFOmLEqTQfRdFW$U^d#V0qhY:8%>$9,dMW*JAF`c3Y.Y<i(`9A\jF(q#!Bb>6@5p)P.)UXr=D=1*u%S[tN](@u&GE,@g8
+%-bh)`/>]Bp>tS18LggQ;M+45bMR%I'(c*sc7GRX.egh_eC')u+6F,>YiX/bi;#*g"!B7'MpB#mY`j,0pW[\h5(C21K5cut"k"I7P
+%VtkI3e^'jYh;(i/TPW<;p5iRZdaIlF8<Iu)FCRSlqk>I>_X9>I-A"cuAtm;J4JQUA&F"0$a6aG@`oA[;s%G\QBt*/#>W[MApRG/&
+%[hk>t'[aiSC2::a%E9"6Sg&`?U.+.*1r(Xs1K0/Hnn'M%2DCHdb6.ZMnf^Bt[j7.'=c7Hp'Wh8!<L57f(UCT/1T7TfNBM'M-WE%1
+%[G=m7Br,mi^5i!$'F<8-<Tb>_dl&_C:i@X`d$f7D;fmUUn$^;1'Y2J#@"aJNgU]!f%W$#$->*liDgC9KKkeW*#AEkCI?EerD%QqV
+%6-6p?FN'!5Z_iFLHD,a"^Oo0ETZti4I5CGU/l76ZXr>)^+];Z_La-3H(W+8%BD-/TmW#H/,4WpBBZP,r.+GCMncSgUd[ul&1kd^k
+%?kiD(g';D)V?Ml6m/_b;N80Z+#aJGYpk-+R`m$^eM]HA(9kAY04adTIAHacjKei1j]pr8D4.X8@0lE$&Q+OD)'?)e)`C"C<?6m5Z
+%rC2@I?:5pkli6Xhiu691iZp/#98DC#U..[J[s").8S\YfSE+bor-aH_%_EZV:!D#\`3:JLrDIGFhA&ihUqkrfhH9B_0$)tF9&'G;
+%5jVG3.kg^DXDsV<9K;/YX&j'KF@@B)VSEgQ;6Z:;;BnH=63kGf!ArQUFmAB7PX5KLHj?(nb(/criL4aJ0_6.+_$55!%48r,^(h5C
+%"g5VT6?5um4%3)."B6q2U,&X9GYnh#D#-jo9Jnj`3XuAU"^@Ein2\V9egpC$CnmMIAOS];aV&s6e4%W_?R`pt"95k=7qG*kOGnkB
+%GF@&8?]?+=IJkVe]ul6201FL!QSJM&K4Wl0\aXO[;KE(sEq*AX9:.Z(oNRM6gBDg1D]hk[*ZaM.7#Sgsod`\K'X%mE;Aun46T[7V
+%1UoXc!'9"Oerb*K*%5l$3luX5QALP-[r=S\M@i6U45Y!mqtmJ!rh`dZ,0`^3VbM#EloPP'1U8DFZKs:5jJ1(]AHjiAbTI<JDNu.U
+%BZmp;Z<:abQI4I.3p#U"7P>BpSRiJ(Jj>;V.pe:@F_.E@A9Stbi/)Om1FB*gkFsrl#)G99LPR_9@-pRKLpC)g!^n*t5ac@lFk^JD
+%_B[Gu0WHc--)YpiQ*Nhafk)6onO!p%Kp\rI@IDOKh97[>?4E8"SRqm'1OR>!LQo/IOCa_>;:)rW01$9o3L[B@M-7<W_QZX4V5i"!
+%'-F_J>3',[\[tal/X2M:.+SVN3$Jbc9*p&P!]Ni'^EMcH%E=$cd#,N2$[/N7'm=G^s4<Nf.podN@UW&23kU]%1:]u%d3M\U')AbY
+%I]6l-'jtXaY&#Q3'Ri]cJqeG7%0?W:i@nW%3\OR=*)kcJo*Q78]&bd?jrTtA6X6+m^`E!.ndJ.QF_b6RGM?e?7Q<XJ)TU__XqWHE
+%h(nnRhL*krL51'0FIk!Yf=Z7rXr@p+pOJSUPi#p)9%+STXkE4BEi3)#d4b)SbrBqMq\p3]5EB$Hq4!WI\0Vh<HLEm7@=eStf1#QC
+%IGoGUq^)B)Cs#B?j)r[t&0uG6F+5cFnB.oeTMo(EjS**s?%NM0=3dpR<<kjR1S$:KKfBh=KL::92/<BMhZrCB,$FU>72'fjVt(4M
+%^7RLhc^^+Ef&Os2a:]kl/FY[CVl)ZXgMe'.a`cV21i%$NaJO];M(7SOddLE@Pr`+q6N#V++l3je]X8N4-n/+Cr7ZP?`se[1(>R@h
+%S@NG=aXZ0l&dL(2jgM!@=)QEhEqbePA((2?C2EbFm7Rdt@FkuX^"tu?<sGeL`FAN;1L*$s*:b^QQ1ut8eCdAbf&$k^[b6?uW2^RV
+%$KW%#TODQ;4TSHab-;WC(@o:%0X#)I'5]1+bS:F2SjlZ'A0ukGKu+XDXAK2U13kOZY\P+"TK:\\Q;doURVUEo126V=,F]BWJETO#
+%,#l0s,:[I)kTk6!C3-p_V7+`e0!U:WUThDWXV>6h[jS]'2003mNn\/D62JRS?jZO<>U`"65'HB8\\mZ4(s_f?<)FHW+'/]\_r/8#
+%RKD`=n%`c*roJHaH0(sYS*W2L192Yn@f`(Q3O!mln/'&!Et)jZ$Yf[/`MA;t7LI8]5pR*U/*B_:9<h25g-<E$j1I*+IMo!3@B0>i
+%cuO@Aq1c#t3Rhq&oFq"0d>pR(?umkPDPo4km7,\dmLY0B1^c=6UI06#2[XPPGM\iUgLN^beoW-]`JPnbfYk*qhsGfF\kp-2BCZck
+%jXeOAS8Q"bP[(Q0n)AL\52?-bW;[.3&3#IZ>=33cXjD8A:gWbpbfm^iM0,61r<M_^E9:*.(RR;?jq<cT'KsacaK<LA?0W(T#WQOF
+%<lMVLl:iBs\;%Ysh(0qN7.n?a8+9oi[cI/#rmYFJdf35FWrZ\U*r&ZK_.Cp^(/d]8G`#M]%bQ1!_Qm1>F,mt!MEopuk?Yf>K6gl?
+%(q2W0R.TjL$f\F9>W5W)oiUcfm0Sm7booK]j=[<3D=.=J-_f1b4?^(2-"#L1)f#OLh,UqJ9V864K0._s0J;Ki=sUIkT:ZaV:>p3[
+%n=ZI/oj&M"j/J&1`3pthCQE-f[ntEg2o)GcpK@?=OnZ(cI7ZT&;KC'CgD66#'W9,+Wr&A,Y;'o$7A_ii<h`%-CBTaC]F3k(7aRoO
+%O0.k'/t.,HF;%Xf(_]?(Ae82&QbPlUZgI?o;*]D]+Fu[X2"/N?O!n64.gfECO-3*LS(s$rcj79E&uoORHq6;4'XX?e5l'(n(qW^S
+%%2s:X8&dN'kd:gJ/`q*&>GmFXfp7)cm)Z*[Pt7=gZ#paiA_5j=D4p]TQ`gY8nGkqZKiFedmL3!F*&3Sef9`^!c!<T&LXO[WM>i`<
+%KLk.#fq22Npcg@`]/XKJlP6=dl#09R(R&VhD@.;k4`3M\o<q!pE?K:Z-tf2DW1-\aAa[9c<_&9)RVVT]Q6[Wbf'S\N&rC^lcL,Kq
+%XYF0+194Kp((%F@3EJbVp7d:42]97nW$R!3DBci09+MH0C2c8k.X![5UFXWs!Id,&Ja!O-m?DbCMI&'I[])DkBUa$SmE_9U5dS5P
+%HXE@(;S0[&>oCge`$nGkC:jS4(F^q(#NXYI9^2?VGs<3#ogO'13S27":R0"(jXhL`UAL.dI-RE.e4e.2o"4>e'Doi0%S6FSk:h@"
+%O."K#CdT"WI8!`3;s`l0P$QH],A6[p2EA.;@,u_$a<IF_h(,#U7$sh=1sqZlQf6OK[d@(=,]eX6ds5B^M]<@7hVbk\:Km8%("l77
+%1ogDu9m/QVj&"pJ(8*r4+C7c!'\k^X\OS711NR/<!$2B]%F;2![Q"H/;!3q_[O6k<TSF!?iGC3u[A-&@0%\gh1p1#$mgt*QC7N.F
+%Lr)#b^NLo/qpTKR^A)i=o,;n<)N'ck@D1IsF\(*/j]U^[IGqAVhJXpd=O+Xf37W4C]6QL(6,rZR9l6dpC=4)p(6PBi]mEfE"OESB
+%&\2ttos]f(@99]bV+jrDl_T?n.<t$dMd^,5;FJE#9%!E)A]QuO?*3k`@qdttA(hs[ll#$H"pSrE]hMSp]m3'cI0F:;:\>Y"Fc_i8
+%,7Q?'>D^8A!.Q=[Z?0g4Cth&HCL4Qd4#NP5S/h5.muPb:\0ORScPg>P*#qi)EE&*:MAYMG,oVX-YeL^k\6TGS,GfpI>#r26Km)ee
+%92u,DGK^Z5/HL*[ZHQ;%n972h@>XKFma^$3W@)-^$=^9oG@"H;4*Q^FDYDg.[o-+G@G`SHGDNINU+gK,C6*(Q'qE[7Dl]nBnVQr3
+%5_:M',\`,)?Tjj"#LG6q4(r@06GU#m/DZPR<JS%R%:G($p#u8-`:!A8kL+Q3oiU!)dKOrtDLfeD)k`t7D1*q-adoS*%[Ei"2I/7B
+%\c#WHZ(C4Y:30T"-[4o[8lSY'Rb3:]=ec`-0Ui<!J_#6i=7jnQ'g,)VFXr[X9+=CU*5\mc8fFecZXp%L;%*B20864e)5qSi9<uKQ
+%e^gQ-fagp0jS7-#.l-O!)!)a!-#i/0q=RZ\ECG2qIXe<FJeSC3L^`%N.484(Fm;MRih'+T/%R050oo$L(/g@ko<,f\(V?nmb]j6T
+%:1Rp#-Kle0*V9?di=e/bbU@]=?*gW%Zf5+ae^5=i'%r=gQgLQ#m&j;k-DnpE@9?d#Yar4>Wb'R(U4dqSJT\-Ibr9YBn2nkt25K'!
+%\N9PVis$XYTcC_M[T*%#$/d@^]Kln+\'P'jr]<BGG5l^F6qE%dHrMqO.REa3ME)hB7EhPq[D&h00d4"Z#6Y-.V&%j?#T0HLcRYe=
+%$uF$jh?#&D"#Q9'e$Zee28OIbefh)"6;<;U,7Mp6A>E#r\"UH9g2q<>)9W%WB8IP#O%jDT-WmiCJH:CiOQFWtXb]sd<6^"?eJ<U]
+%JU+a$'UlLJXl:5oMYF!'IL!l`LiLrhfsqcsl!(YSW`8]S%4?#Q;U0AQ*t/D1CVoZm6K0N#]P_t'"5R$QU,r+WHb[fJ@qE'#Z%H`p
+%aXmnZDf<J/6EqDKgr#<5<6K%D@*;keQ))i5,/50gibiV`Kasu"&)nh!:5$k$X1\m0$JsC]p:^(U2Sc/[;H5<Df!#4a+u`obLT^)[
+%$e60Qk#/_>6n9ge5;KMQ8k@?)j^P%^HZ`+k8E+)jl7GThh:_T48R8SS[cMdQ4K8(ZP6o)#9Xh0EK/%_2(9=UN^?Hl8lJ6du264kL
+%3`d-<<['a`58004Bc`qQ`e-]0?nl)*`ia:(M=N@#WUBskj;S?VrARrP)F-I:-\]1gW0h_agaqK5`]5:E?JDb"3u;9]bb`q$U6'*]
+%e9L($IZ$oYmD."M*%qmfmtsn!@I.^?[qd'b^6d!SXf<o0-]d-.d0SQT"c,C0@Ufig@C1d],G^,"a=2*&J*iZW*_KA%]1%k95$c$r
+%NADFkc&K'>cdBIn\5gHTkCu:';&5'V%7Rac:%;VuF8-"?^-_D:mZoU97[c`$T5MSO>Ep+7GDp3.X=5R9M\3BC/)b?.\M#SK>jk7A
+%e#=pAs8"QZrDH)<?M^$5Z7Cmd%XYt?Gq%S=Q**!<m8"<]&!^r=3TqRW91a(!V3(D,eg7bdQnWVb%>?Nj\W<<c!`'V[57EVWbck0l
+%DPZ.R2f$gGg3%0'9Cl,)+p^l'P+tOfQfJI!oVC>0=!pZ.F8tNGld%-WS/JX7n_:a;8?%P"hbuqr]U`Nf!="EAV$9j$H*W8u8m:ss
+%;5Pj7oK<R-ld8Fi0F*`Pr[fTOeVgXp^1O]n)p1tq;&'ZVT;^I<!`S8+1J>Ff*NEH!1&?>O\].<r!3o,gnAtN4U:<cp8!J*!N9PIr
+%EjE2>lO%p>C6`f#O!Ib*,K4Uf2&+';h6afD`_X:e6PUi4fT;sOijLm_W8*>&G'Q1+Ql=7p_T!-2*r?mf-F$bUnPY`7[KP!@\)'LA
+%cE;<,%T[6M\K_;f.J/F9V:$&Y!7Ck/6SKT_X^ZVjbK]'cIN]IKAc@oA=ti4&:jYikp3XAD*U\5TCKp1()PG.-+Vm]e3='i@U^f9X
+%dR!*Ih_Sd*gD&X:)mnht>s=@Zb.G6&eY4,3*<ZV4f+Pjb4&XL:eHh9r3Rd&gfJm8iKGO,X\OA4$6JcE)c=^V2Cf/7-\]intaE?oT
+%k`I6:VO")*o''(dLH]V$ZH*Hfht"Lu1\ImP9"JmGRm(^Y!B'na+,`9+(?bIP2No_QF[&,S_u$!:apt?*mFsMWpjGarBN"L8ab6#p
+%04$,o-2>'`eG6s"%eZPF*TE;,,ch#QXt-[jAClc&<&7-CDoV9VqLI"sqgr$b_gX5;j<mO`^2C*Sp9W'SH&G4>2gsO(\Xp&F=EFO!
+%@8q0UIb1c-MS$PD[4luO&$U16b.OJ?64X(o\,qFI5j?[hFa#LnlA@pdN=`9O]tnB/o]_'pBW`Rk^_MS&^-@PkJSYF47lMOs-`:U3
+%.UK4['o9J8np,$t4@<6%-A<%#gQL:Bm@JuI)(>o.Cf%4b+tp^eKZ$QoQn4:6n0"4<WqJ\U(Gd<5.lFP]^Ms84*F&<5,D@Hc>@>l=
+%oj/XG*U@::SbL^1Gjj37ZgaBpK:3/\7ha)d5PJ)8>OTIf2Esjj%t/[%OL[e=@.j#XpL^Rg%YQRYf\)B`f5ck2\2)X`D91$fDteCJ
+%"`M.bnX*bqgE61GU:NfuJY&W$R[r?pjQnKP)oM&\WVSKa7ON[9WKENF)`GL.L/U6]PaG)Z?$./'.tOc:h8j&@hAiMt`q0/cX4c6t
+%lb7[GQ['m5qB]4jk("kaIK`3GhHHP=`)SJ'<a@Z\B&D-(+PG5LRn*]li7i7gg&9Y,M.doJm&:L"/PIas`/dQVna<)/feu*thc,C_
+%^5*hbA.J5^0H*)XXnIaK1)e/m3Hi#'Ffb;(VeU++GC$lN>@d*lgbsY^UOrFV!L9*3._"WHNs8ZrluHNd1q3h/\+@,eD_$1k)EU#l
+%l9f1;jP7uC*SJrp_f]7Sp;u\JS$H8MV<md:'!-V<Zrhbe>gT&^*oDp^IZ#aOaMm/1L<e_LDOs#)qhT]pg^67+1K<aU>E6S'AnAVF
+%m_Km"UA!D@PNX7$!$-4*34#e(YDBC9g(:7lFX8^5rPis"2>32iO[!LprPcp[>rmKlTL+fT/CAgH6d%b7`/GRsG++7s`q)gF_"IPE
+%*1Ghu);K5q/'*T6'LqoMU;%N,d<Hhn&(P(fF^TXmYjo7Q-g\*<1h$rlNX\6C8r*!FA(b_E\)a5t.H<%A=G*8hIfc07F,0?='$UNp
+%;?W!WHtGoYfDo^f0Rjc1o[=blIG7dB+.<Be!e892:!Js41F"o"]?RBr=K52THZk@&1"EHd"`_cOj/b-*hXEHJ8`+odFTYW)<E(j9
+%h,.08/b3ejfTG!E;<g$iIO9RX$c"TdKmm8-mHL+BYbEju7l!hNmjg*!P]X,W8AYY4G4[u+[tD<BONVK35((_Yc`1DHUlk$XSSS&1
+%IcZk7keLeZ,o9H#mNBrjN9F2c3uY2dQiu"TRrgUh)o3Q\\%]trEKFHEalO5m3n-@D$V7!!Wdi(-e-*%\C7U4pf>B\;iUjmD]P9B;
+%1Su>)lkt<\Rh4T)-`HPh10%aA2=eJ.D,ZI]r(^aZ%_)RdQ:>-ioQ%qe>\`b1#!`[U^;qjqh\A$3)X"\b&'EHq[T9I*o1]b\J\/6T
+%pAPKaY`s;mek9uGb@\5j+CH%31!?\a$t1SO+o1:Ado(cO18&!S'"qDR"3EkHo1BV'/O:CHoPr`l=Q;GKqcb\a[a-6n-hS)<VjL<u
+%.*uXX*I%l(l.;qoODeeAih5Fn>%/$KUgS]f9tW@nJQUrJ0`ZkV+fe1k];/Z2iq?k`=!N'SqWuA<MWYGQZ:HF6_&b,kef8#!X'_hd
+%8C>Jt`f1L0/S!!AphEZ1m'`Y#]dJgsJB3cL->cpa8<3=MJWpieF?N0b[lL\BQ+#c5C+8,Qilio%kZ^37g?`g7p+09crP8N;91r5Y
+%b\S&P]#I@jU26BYG*>n445bnGgaS"Q_?DM:?HTsFlkZ9NF.<OsW*ZdNX0Y751T^gla'^k0S[[fKlK6>Kn>lUjX?*sNPc4@sUq!=9
+%(1uH*eOe];%Xj73>K$W*`C6AG".P\JI_sI,COu8fE5t/)&"83sCn[T\[f1p`\Q,q>L#k8-E4GL$jQa45JI,l;fIWj'2K).t"X\B@
+%4?G$(Wq=mkDG&?^cB'+9JRp_:5k#M_^Sq,0V7`!JnO)H_>8?r=.;4M0`7<-Q$<na&Ne+%&E>>7o?%AtS8aL5I$HS/hAT#Jb:%4c6
+%YHZ:k<^7e;\o-E>W:_KY[Zl&YBD!5,>>Ff;4P5%:;2%G+<m2:d#F/6Sg=:JN+N6Np$KB[fo`uLt[$s54[9Ntf5`#,=JOpXPfrejJ
+%^HU!1#$gfP9&<KNKF(]N3RaYU3SYDHCH[QU]8$VlP"L6U'\V5H68/\YAB(QWmaeFN"ucEYDRU)rOQiVJ2M/BB,2Z:FGcL'F%Cu:4
+%G$:9+*`<Lf_rX)ti:^ibBA-?:^[ID6h-KQ:,3(`6&)e2uf06nC/M@=G.-RJ'+Z*D_mGJd90L*:!R`&u7^"`)p\uCdZRDF3:5e?.`
+%G%#2G2n>o3D>ZX>YoufjltO[IiI8LU>`"(CiG!/;Z]8nuR3i5`#nD'HQl_u0,>*<j8,%h1ehO9dAj2.g[II2\nSUa_d+D7n\f"#K
+%+h4h>*?/6c94S?#NL,l0n&fE<Yg^s*jJRts[;QsS,FY5,7CM$/.RLe9],o4@&"2O!Nk7h_C(\\79COjEktG,]]':HP'uV.W7-r,A
+%cM<H"cGPJ/\LDPf+u_@1apjFLgR<\%oZC2[[-M<<N*ltA'#Hb0HJ3KDMC.$il0m.2d/YZOIBoMr::SG%l?jR"TAge]dCl4uZGa/N
+%Pk=16=*%d>qH`2U,$TM0Wi;GF3DJV8k_'jB0g+k()/a&(^TGj5G3b/(DS3>+XW)S+hSUWphPJ3lgZcJOG[qr?9?Wu5<SBu\M>t-N
+%a^kXJYf#FrZ,nDGGB*6oIk$4#c4ZngmYe$YZ9g,!+>Eo>Q)D66RtanEno;$`Q`X`FiBG&e'-N=[df<;$kYVjD46^\%a<j`bA5Lu3
+%h0oIQ2AE#6pb\a$,IbK1[YsW*$?+bFg)F.WH8EtlC09Xc\rNN7[OTlU+3'78Mgj)3"c9,UArBiii""=o(ehW%?W-i^<(M(`2tb`4
+%X_'I(5^>\aK"=,0l9,6Vo18beia`BPb=E@,*nqls37cGoKu+orkSE]hM%:*@c#/O%jqZFVTm`3F=+A%RLg/9NXQ+;J:A#AJ.Gcs_
+%`hLgdh=XJ7FC2Qn4*QIpSQ>bD0]ni-jSuCamWY=IbuTfsd[Ro5/<XTQUYpRfVLINGYjUA]`#>J<e"SRo?-B%T[9<nPai,`>]j]CV
+%IRbqo\a1Xi_'N,84dUI>eJnOkef.?=)B&)X<4f4S6,K#"doCX]EX%2lX#Gf+$`6/jQB!;GM<bW8A6r/3;(>5[F2dr[+XDaBdaG8S
+%e3.HC2\pK@Jl*.uFZYX7oOBAZ56V:d$Im-M<qZ"SCU`oD=MCmK]i'riDlIObjU3aH,Q"N?L5TMSk@iS3DOAu^;Nmcm.J+,2OgQ1q
+%dMh,)n%l'!g)>ei1;5tdh@W!:ncld<U9Err0'sFDqhi/u2kg45]YASE;%<D?AC+dG^HfTCd%tQn$#[L85?KC[48Fs_Cs[gQpoOOs
+%1WPu>CKRQcom<G:ZIc6#r=J?gI``6I2G7_!8!M?H!bHJ]kd9.AXg#0:%Ga(E1e8&7>#j!?U`inLk4QDO@(e.tW7HYrE<ED!lR/uh
+%o`:K8Ro2/fY.`m'BKrdmBM'r^(4:d?B>9;2)c/C3<@L'L:mG7L?->,Eo/;+@;&I(]N%4-hZ9,_NOI5;^:I/P<XZ8Y<NWHH@hj?(?
+%<_T>Y[C0\[D0?H;!&sp\?eu42VKq8K"^'SL[<iFpIib88CCR&ea;]KTB(Vtg2naaM6Jpb1i`7n;hS)omEK7AIY5pE7R2uFYArIA#
+%W7ki_`]E0Zg5:i3`si5T31`c<;DXB>1G24%hs2'1Gl$h5#EUY<0()lgWJJ*<<3l3ugni"B(Z2mg01.JOs)_a4]-GIRe]`f%!.re+
+%U0$LL4uk?'<<:FJduL4nFt;8#U7F4KDmP7&^NF=n0qu:8I:P^GNd0NRb&SnTeICkfd%c71RKL8o"H6,d[Q&p.\du4m<>ElFi,9PL
+%4!Om4c'uihj5*e6I]>=:YrHo0c8?2QA\'&p*b):l<#BZ=K"+`tkTP)I[GFrXa5Q3`#,kZ1$88H<6D:9+*QhVB[m2ZZp?7OF><".1
+%g7/"^YhdI2^#/[;3:Z#rk"l'hXL]:E=%i0+h,:NTFR`"JgW_ukhE%CdN1nbd`c(&;12+`.n5h)hRNBB[jMq5dK4ZQLe[ll$SasAA
+%A^U]5R"q]N:s@-@649)n9T\6Po(tDKmrq#e,->&lA1j,7X9BfjAW1aFL#1<gP2E&rQCPT>Rc]ZSd1P'[iGZL)4mjM"+pp=2$+DY,
+%Ri$]U2][u^V1"8Sm#B8PTAMVY3+k&<=_U@aeP[VpP$'7"lW[*(AsuO-Xe)J$Y\U!l.AWbsLbarthTT4&4H0=@%\PEC@p:=ZN%k5f
+%#Q#7di.3n`:[^i[5Wh:g`DT3082&&so<[j8Hp<\:2j/AKQ[5]!8dMMG`>2nGLJ-q3[00BZKH6EWmoq>BDi];K@(^2PB>H6M\cDgG
+%YK6%&V&Ji[]DE/)BYV/>#LMc<.bp!Ief)L0VUMc>I4P74[Gu;kcNh_HO?*&.7JTg1[Rr5Q-YH(QE48mt%(Q91`8N;A$/s<VQe9P3
+%#1ssfhJ_b-gbDWTd$S]"mT:aL.qJ<XH?sSsoBun'M[kRY;:RAW`f2pg8?f>1#Q`e4&TkJDoMLg(KD->6*?/"!.8<%7Y?M%4#&u6k
+%9\\)@"d"udHlmun>?^7!&>uC8(QR.b,C%U=h0e!pqL0JR\%Vp\FQ"bJ[F(Vk57OnGL4-n/K_4!51bn!3;oi$<"=n"LEmP`^#MBJR
+%T@h*CBqal-\pK&1(g5:U>%@o(h2'B8!SMo?QCh("[gjCL`VlHTA1c"DWdrV3'3QjOAhG5-l`$HDkHX]A1\s]paD?>SMj_Of'<U%,
+%qZKd`AiXEOXdAIX8C%C^i;`.5T'plrq'bs)-l\b"CM&U:2B(H-A^S.Y6=XECh/-'[5RKe_C*>M!:h8>HV</CTh7t,GZP;rhmEX5U
+%U@2,aDi+IlMd2BWY#1I'oM#KOVlsIB[?j7d2D2W31oso4[t@6dSR>Ksa`5Ytp+Z&oM1N'N=[[6S'Hg*tJFCd<X\.T0M6hc"XsbEL
+%3u<-t,i0133M*a8E13JW=r8@PRmYSs_D)"pLsbNH2F0QCLa1['#%g#ENO\j#0k^-9qIs\'L-k9@-L)ft9Q)dH5*u@)2G&G#Q?s3t
+%,iW[g1cG1Z9$-Y\2`IuV!W'#UWH$>'Ld&f#YIP9*4+mc-^TolY%,C"B'Bmj#7fK&`D0BP'e(S\PF6e@(Z,NCUGN722WpFV(C?6X!
+%"HB51p[mrkq?RB0ErtSSH[BGc,PoCn-%aM"nOE0.c\$V+GIlGEB&5^kUX:H3i"gpJAI;/A0e6V1hRq_ENK7p[E;K/s)AMV4hB\Ol
+%`V89i&T;37`2Y0eogU-Z(\/@]8ed-sRkE'*J2Y#_"MTcMQG6sEYr_"Dq"$T/H?4L/ek%;l7FJZja]0n9CXWX8(l_"/qnI;m5pc%B
+%CXu\=G$+]khX<_=AkYp5\o*=&M@HD-"T4fkFg>k_RX[O3nNG_5;s:Zk/1n!55qLq0UhV@2iR_rNHUVOq+e8KHG>T*fA2YUE"Kb>/
+%mt0p37=kS$g:P9.$A)a;DcPare8=:F!VW>f1pCR$:%4fM(Rn;0,`G@i/ncGXFp`P;9BofPU1JCb!Rhd`_5@P87qRO0:)UiMIOOI1
+%Q$W&AgGB+n6IYFk65IaY6sdZf6$'.(0&CJ2G?/TWllh&U%-:LR2LXc=Hg<*pFn/;8Egt3herFqD&CUs!QB25Ed/p8G<>cJm;M_&@
+%l%&GW_7ngpVD#bOo"Ai&3Vr/K3cE8PltT%HRFtRrAM.b<1Cnm:jCclT0^(bdrReThMg^!L,p0o$F"L[;FcaGh@!r7IoR0uX^(thi
+%!A)D!c%6-0i)F-L^Gqt0Rq3fh"E7e8W#>j)gURReZ-S]*iuMec1-++G6ci_MU@pma"MGn`aKCpikN8_+^CR(5D99rsG1J[O-1MH4
+%^r&\h6RS(!H\02^(7u8%SF>XGoqTp$3`/CSO!O,9'H!:1KIq4)JO(59l@k,:2bcl"Q-P28m+7!Q#uuf=bfI.['C?!%HpOG6pO9`%
+%Nj2-.6m&JHm:\%c(OHZTVUibuoima+^fX8rqeM&V<+]J%(e=qO=A^-sn^GZ`U6F1ErZ.2e&F\;`oU<cF+5W1iXH`MlP:'ufj(0c5
+%*I=&CiB>1kDc7on^pt?Ser*1<@`AgkiruNf"qZ5mX&Frp<%0"'@74*+;kWiH@hLNU:WCs5A$A_iYG'-o)NWVsa#5J%WX6uc$QF_5
+%FDN28B_:'pf!NlYAdqfZdPGD&bJ3qlAn2_1M=e.R4GB-&S<=b2Q=&<&kf),Wo-OPuKJ/$^*m,$0eG%]0Z[uEn5%/h!G5oj+$7@[-
+%-$=(W/3JnX%ZqVDY1OXrH8$/*d/_P#_=h3B\oG15[@*EPZ#6%_]?+7Id%/T1I+JVCi+P/].BFbSQQAe#DW/6X?^gAOcG3nqW&Ood
+%`d'd9Uq]#FK)5E.j7&Rqol2flQEI'PB2`n@GBYAp$uk]e&2dt!/I/Ukge=Z:RjX^g1U81o%$L'Y6VZ?e":aO)2.(n>mV>X```FoG
+%luU)L^K[V^ESG\81r,L]65dB?WYmm>:sl0X7dpA1Y;U?+F%"3R/(@P\\7J"g&_LsVg+S@e@ceQ-7nO0B!7;ra9dJkWg9,Xif)Rs%
+%!@WU(@uU]>K/M<7(`N/r.@"#AG'0_ugL@T&$J85rZNV?-\hQii$c4t'0YEm$CQ"_)1S*+>8Z`$4bFS=W%rU_3b`/i!:g2;WBrYrJ
+%LOV;,Xa>#b6MW/Fn$:[WG`\?bVtS$c[6ffFHK!bY[1?6j;6;ll$8V<tCE$a?8;j@^JV':=+LNP8#U%Dd!G/_O2<iTC#E*?MArPT3
+%nKP-7S#=VVYhL)D_(Y6t6"'eZn?pTlB\]Y258O,*7=Xd$,=(GZr>ba^G1i,3<L1gg0h*m!T[Li9Wps@\dB?Pk4s<CCe9(_qLQhKT
+%\QOGkMK:<>efOMrPGZlr4/ha6-U0jTZ3/\TYaPpB/p'-#hCf78d;R'i@"4rVUGTD1J;.FNhIiWfZo<rh[N*pBV7(.$WQee8n'T88
+%7Ks@[`TX,:qMcq0o7";lqE!`,rD]aH*^fAj$n0fm>_7d#!+1"4g7KHs<?5j[D<aaW^I>*]gMM@sgXXTWd!&.WX(J>qoaO\@[*E\_
+%2STd.4l@o%l1>g<^f%5#+NMr.']=Zh=2S?TO$CtFs.u$PpXu5*&h<!D74,#,rV-&A2aZodpX$E),i;=s/%/kBG=`6i1&Uoo&3ff.
+%p$t@@W,T1C0NekO!:OqS&T,1q-Qp0>'+HT+lb7?=je]-$gT;_m2]lFAJ=l7;J(E4L[:a8sbf/WEc8m?hbsA`X5Ac;g:piCZ5EKB;
+%);m*>NO12Y<K9!&-*2101[sIdbcWOX4d+po3SB#0NGXAh.JLO8Mk'*6,F)Z`<#]*RX'!?.MsqU6MBEE_b<[N^hL/GU758`<J`\@h
+%p+eGJACRb4*9AK8LtSeGQYA94(U?gjB1eSn$@ElSG/+5]TdCU[`5@jCoj1bFMK2d\L7=ZP$Wd'r>RcT`XD<%U\<*W(he/b)5K."\
+%qKuOLYZ+^'eDjY_bI0s>)Rhe?oK1(scba&8&.R'jFtlst#*`&&b%!"o_fN?m2(*3!kZug-%F7$l5[/goM*g7[KWl(.Lqcilc`TMV
+%Y2(&Z$Jaq2UZ1)VQ!78CRk':L(W]%cO)H7!;?YKt5SaXfVL[CJ!8h?/!b3C:J2-m/U\j"a>]'Y8:QVK_M`:>>=Ji_tRbWZ1^s<Q5
+%lZOB5gJ^2=gL@E0N6n.Y1jb?f/ksU-NkaJAp=2_kZnDGA5sAsgoFYQ)Ec3*d0Ec!jHRIg4Fg@nT</VYjf`7?sCFNH`=g*kO4""qK
+%/9MPKJ!iMj_4N5[W1NM.QT0^d]CuQZ'-!uW$&qr\DR:=g771iVRtnN?f+$C)50+fDVdVEnKXUU?L,g@n9M:g+#C)%S.B<WEoH*%_
+%DAp"3R9.<)/c&-o1WU0;1tV$Zgkc<"+)<7Uh2PDee,-BHZ,KqXDEcB]2m<+9L/OpX?q(EU4W47=bG_";=/\s1s4k)nO.YQ;pAr:1
+%0*Y&#QuOUY:aEQ@7](Sh]`4l73P<pmA:-eV9L@X(%gI*e6d'WRbm\KIbP8+5Wf7TJ)$f_^57Xff/8E#aP-a_oB"]?W)ETLp&9bYX
+%<j2if8nO["<kPIK2D39;(rT;uhPFY3FFV%-Gt:n9Gl8]f0UWH?-"*@?%QZ,#;`>>KCq5')b?";'9seJ1eR["$Qa'"iSA(;J="$d]
+%4X2a]W]<RZ2B)YX,9)nV]X9qp]R_!g(&UfG0>.Q#W@Dm>P5nT`X/_q+EbUIJ"70c1K\KLX\a/1No]r]8nj7'ZZ8O@NLr,p2hIUe-
+%#l2aeU<k?^qNeU!O/hOQ5hR7n?*K[\mreX6q-^pP/sd2#kjJmE/#0+TR+VC7Mmd7l64NHA9>%LH'UaQAY">D?MdgG35)Xn9*0f94
+%l@.W/2kW6:;;\hOZ#6bZ-$<qOTfXiI-@1=8#h+tP&oA(Yr*7'*A[g"S2".T5K!!`i,cR,AG(tI\Z++<#JE_3*r;(?.&<IRkG-8XC
+%Dt;)L+`A%#[MY#iL1[%:a[cDXY$:KgYL,Kq!6mX]8*I.eZ#u%`h>dE`[/1Mh%>WT1fFOApRjrs:bG^s'MDVSLfU6)Lkk"\2"$d1X
+%e+#/12(&Ptmromu[&_$/GprpTad7;.>g12u,0X+rOI]J:`dJI\]^[g0IkU3gOOh^U':GB!!9F1uM+45!#:X@@P%$:+a`#c@gmO3A
+%;FmBV3o.W5I;>HFeuc4-RAD$HN4`U#+V]2>\!dp5Tl=e5?]<K(!Z'D42t6lh8nAc4@\V<rmt'.mnRg'&nW.&VlHB%cci3j/^\PVc
+%romef`W&"!h>d&X^]2L7s7?9f+9%>9qnjNTiV1*>nLsq$huD0o5+2H;YC?5X^\de]^]1/1q3UE6^Nf_ODuS4PIt%@ZqBc)\q1&D+
+%5JR3ZIs_.3s78#EVdJ^Bs8+JLpA_jUq0TaIhgG5\k0&VNo?L63hHfY/WA""b[&%,"?Wb'm[Z6<&q"s4t*m?@Yn,2&AobUOP?GF!S
+%;#PlMTt&W%o.RlOhsh%gZN8b!ie(i-/RW`jnM)&goNEkboSaB@[8('(\fhS\h<[[X%++"[4+@U*=T>(+8JF+l%*uc70$rtI?L6<d
+%A%-QI)r1NZ5(L?CJ+<",j^7rb&-)5crV48prQ!goh=(C80E9MEoOf3e^J<0@s5dVeT7?Y75Q1$-s70fPq3QU$j2XB6r1!`]LVL/g
+%s885`nTEg*HMuG;_RniN5$J%ab0@+#B[U^D1Mf\pkAiIu]1ia\A=*h1!HU,,GrP038-W+fd@;XJ)r`LJrTcne?!:Qs!KA[Fd%Bb+
+%:H19[iM@8e7d&:^gE!'Ikf32arckE7]l*K5.?"gUL3_Z3.VK[L"B0#.)YN\2r(5eXVbaPnbjX/1+.(h=_EJeGg54QTqeboi[Ellq
+%P<U"7p#6FAqJJC.F[puQK?CiI)UTTaLH.OoXBg0q]nG0`o.LW=:ZPX8e'n?kQs"Vsh)q\af"2=%D=1DAa+N-4@mK_SBc:TgRQS?j
+%_<45p[K"7-AqfO/qm\*KjnKr\(Ze[.5AA?UOQM7[15tYr\?U.sg6hjE&qk.O=YVj)h=TO?I]HOt;&)nB)A,<Gfk%8@N7@"5fJJ`^
+%gA?4a+$_d9P-gKu]nf8DYo+"X1+#IrMkf!TQ91'0^#XQGs'"4E`-oBNQXt;D/,]9\JH2<-oNAi7<[M_"jcarWd+#4po-(k,)GY'<
+%&G\*-QWoU\c'G;_O^!\\=/n)hMqg!:%E]N*hS9*]^iaU%X82<ki:Q"[R\dj_P9+?[L,HVAMZ`#!gG425WX8I5LAk`,di=6*o_m)M
+%#JG[@-hh4G>/B>1d9\^58%kMlDuESW13DpNh@88"A+n6@fs%iC<SK4kbW=6*no'NJH:?PI/dLLXf=*hU9L_6hA*oUhKQ.sh!147H
+%3Vb@LFp[9i!109XmE5@\bl,h%O(n*'X1?o$lkaRj,N?M(Uh@3JdflIJ&WK4@eZ,JFEh)S_l+?S!Lj:*Nf?GsuR.KW#<#Ao.(WI=O
+%p[E9A'i$it%:J7:ADbUiko&,ZGHXsCR$FU1^sX7a(:T""ipP]!OJk!d^8dO1=R=>R/K2E=<i7tQ'5lnY=`eY"hZpBPgB-bi]"IsF
+%<'r)eLuFhm-*%HHN$Se_.a4`3/fp7Uh,o#akoH>7hR-*oD0l8#qt=Nc@>&X>!9fsH1)<E7_g#b\UmB`.Qg3i>]!bgL)FatS\T,%"
+%B,.60AZdGCn650^aZHa\rRfY7bcU*;104b*/^/:T[:AJ8^:&%#/sI^nPF)+,#&+Q^efDE_5Mg6[q[Q(H>cIqcDS('80]VY-?.TR2
+%=#L5pV`A'BWh7$ujdQ;!"[e<H*Mi.Z3raT@R^P+iciR]mSHGPWkJm%LHF4+-=PV/:C4OoULY('ohjBTO@.`@<HBfkF]TF%\/Bt3:
+%g@+oNI(4eEPN?hfHEK,S>)(@]i/2*UVLFJqdX<"agH&p[7,4-[$QjHq?d$X-04VI2Q]?Shr`&0-]R;QNk_2S<^mEKS"79%R#7#2K
+%3':.!I@<PujjQSU_i:5E`<\mt2gaG#R(]i9)dOWj7aHInd;/)jMrX>5L*tluV6S.-pXknR]Z/2PNWFCc3uQdH'B4\XWRYNq3nQPk
+%^n9A-f$'/4ZXqsb$G?NXQ%dVV1]#j3".1QsVH`e`GBRD(-lD9sp6rS\+F>8q5;oQ(%;'^Z*e)=JoRG,$QW;E._QgX^913(>hBkRD
+%m+AoGp1"D1m%Xo_cFA$O::8i^S;\DRg_M^/FjVdg]uA-ng$onH2kM^N0"tkGI!N6o39Ki$+7Ags<0&i.RC+C/\27EnMKZTG`pNE.
+%1bntnj0Wj51GCiQL_S0#Wo3[W%^53n@c%s;Y:c37(>%GmH!6$E-2XpZD;7&F/Le,R4[Mk9hK-=&,Ru+23dP/Hb_@+UERrNbl")]j
+%o$hBD*G8@E^6:Cf<WQ,.Q'-*(G.+%]/N&E&]7I-^14#F-4BKH"lN<Na&YbIdM>i"8q8UCjG$o')GRNOu=7U&C8_:oP!Cf@*75nTC
+%)Q029NQ.;(iPt,8^]l$1l^56Ba1Z]]=&3hunGTm%]dg)3Tln>4e&d=c>%QJDIbOr2"E?t^f^KP??k,Z_b=lb.6t$BSfuS/N/8V=E
+%,@9Nj0:@9u5J)&u9^X1b#u/79qgt9f%2LB:=33i-B5G"Gs2+SLptH_TNAnXZ2!TYYc/Hb6dc9Dt<XU<u06>#IC27H1b*uE96kUYI
+%oC0asP<?K?Pbg5fU?1"LfD.C3BG`g%;7-4Hpd$5-eo\K:DKHK^"bCbhJSE3co3$kbgfWWH=gGfc>e3]%M=mZL2]\EWpeuHs'$&a\
+%>j=-H@_)[(7!?<1OY5J+7.C"-^0V+Q@.rH\"m0B''b@g;#?F:>Q%S4!RDj-SCELoeGmoG'B(S8.\Cldm)BWP[8r)*A8Z=EETPsh:
+%Z[/-V.?fLQO=\c/>4oiS*`Cc1qA-]jV4@$\PjkpR-q`P3=,<LlDJ[\=b:(U[5;]B,Pujof4@Y`b!qp8Lo:4HP]f5WDDd>GViot'=
+%70RQfo.6Blc,/\%)DK>*\W?lFOZNBCB[)'ISHD,]gl:)lI9r:`=k["1^U3'660k(R\N/MS'bbp_$tmR$Hc)4&#,k0nF",.@T[9R[
+%>HQ&F9gj_J[+"-WQcEk`7X_e!j4tcKlSo,;+QJ_;TAP4ii`90G4S1^WUS!G$R/9fiZ@ILm&cVZb&(J"Toa$hbQi4rWjs66m*ujZV
+%0o."oiN$T52$XeV?jtuXDVc4V+hLUc4`RDSWhQ^?'s@Z!DD0(`@:HB1ogK(.,*b_!Xd9lt2?d>:B%\DR;]VB@QL<kPVSo+<>442&
+%NrA('?(17`P`6OA27%eWCWe$%7W-(<pH#7"r7ZPebh5mSD7]L]9\2O[HgPX>_*5ol",*i^iQkFlj_t00fpYm6:sIXNR8)SkMGb2b
+%MEneZgc2'PB%[:_5bHI^<Cb=tcnjmX??'e_L6>H)llMo'm@@@YldD2d;tr(12W:8LiQ%R&HN&SOn+g<fpbpW)05u_0<LG)aT,e+(
+%D(u(ahGr6h5CG6_huA^\oWQ$fNa,,kleArP>PC26iT,C-3]o4HKMun9.kN*<;32%.Ph1+hUQ]7i<WpY3TUD.o^`T/1Cb@2#C#l73
+%`fcbQ1g.HYN^ok#NYsG(G'C<u-SUK12OgR^7XK28G>)(Z%9M?O;KBo*),QO<VX*M[Ll%<FKjs1AHjahFhRnfd%LG?TgOMnQ)3]qX
+%Am@Ul^Wb8-)b.Ws?D[d;cHAb0DAYHY$'XUbT"):@PtcD1@t&YpfG3h%PB#:/#pW(PDA95_k.WeT*!s*j)=Q1k-USVn8DV`H;/JH"
+%VU*$)juHFq[*b3pX&_0lUO]P*DD"ZG!7iFrgNU-t61Z2)*Yt*7JM1M;)9*(R-TCaBE=&&[cK-[(0+'+_93_4,nReCAE4E9?]<`9'
+%OaZJ+eo'kYSAN1tR8eCbCfK<ic,Sh=h:7m__J5T7gcu%T%G/=gG2'[AAI6%LAQQHMp+j3!GPo.<]DPR!(c,(Jb)M\TTXne_Y=sQr
+%NL=(d`c&X;7i8e>XYD3T;"aO#*Cfci1k=Vcr4rAk`W2?P2r8-!I4"unm,?"Nc1Wmc!-Ct^L1WFe_>4$._KgV+F"R,U?cLgsN&g+!
+%!9.V;r7tJ4]*:FW&;SY7M(d/Z1l%sC5.'B&C>s.T;DFHs'MhOYlo<iRW5fQ2ak+e@YYF`6r1"';UL<CWjEjQ3\Y^8IGQHOC%=sr'
+%_+<2u-MsRJO^X["+h.CMh'"DZ3P[GUB4XfUKSttp_/dNHh*^5MboL581G)60:m>?G6"Cb\b_VM%bNN8s#4N8%S*T'M=eS4cP_Q<q
+%3bVJu)7_%L]0`Zi_811;/(lOkZ5,[n21<rYT.71d!<2e%gNG%b"rNPF!)3XreDag&FTN$1LhJ_/^\cKgiHoR&Gq%O+'3UK9pA=R8
+%ol<A\YFPraCkm,(Y.lT5\$7bkI#/%mY?]lcq)S@TicZ6tJ[Hn%]J?m$p(QAKZZ2,>pZZEcq_>l4B(VLD;&+7iW3[gpq1Zo<N>$)C
+%O^8D?E!*Q,@kT+D$eE-ic3V=AT7J5iYamHF^(!,V2m[rm[H^-O*h52#p^S+s&<%)kFQ56!M$&So[Upr/3..(rC[>I3,Q6YGX,6W9
+%LQKM>"E"C>6B;1@bPMG<aif+]N*6%'0p.s^[,Q=PHR@TD[:!1?T-S0d^'JkO?QeQA:kT;?,^=_;$_BkIFUmi!^<bYpbGCt,$>1@/
+%(nL0&p_B#$Y6`.Kkl+M.**!T94VT,K;`Nel>@J25KXkq\E[kDPLWg$%h#5=HhhnW_AmA>si5nP!;"9_<A0(G3CG3>B\!iZsToZR>
+%oF>5jSD6Hl2b/]ic](AO^m!5d92iF(,.^%Cm;ah]\6"@;@>rs0_WnXu<NMpgbZ2i;dI>GtmO;6^Z!QC+-1#RgiM5Oc6&u??+lN+j
+%\o>e+!Zq:dTX=?sq+K9g9K4HfdY3b=qP>OP7:ohA)>"4G2PV)]%m$T3&Y$-MO4697.e,8@pA&j+Y9$qO[VJ'gLTo\,hP>&=<`0Y*
+%NSJE8?()bfgu>dMGr#^CGkdZ,!FOq?[eL7lroXPV?LHil^RRL$O"ZQ$l/?E,q!O2i`,R_]fQeN]WPa2YYkK14alAD-hL1GHom'=t
+%DuWT\`T^&V+$YOEl?K0hS:AScnp%/uSA<1oqVb[Dq>_meiPD^Bn3N*6b/(E0n:Hg\BkD7'R'*K1BmN)bn(!PtDFD@tf1";Y9_+UV
+%`F$*S]o_.WZZS^SB!.?\9[DMjfouQiQDSot\FCV!l/QsdYk:4#'8H\OiUD+PW")>O_sqq5.Z]AM_ZB[S=MGsD%kbZF>rXk\#9W$>
+%F2![?hgRT"[Z<)&YP>UE*Z!%8NL^jFC"8fAp\?mq#TO=?`^;`V&@rjuS7=hV(d&f@X^anF%,[)=hD$E@L6'A?o,*WSL9JWopD=Sd
+%"6a7!I14<F&c>##In0r0U_&RNL1=]P0o9mDGT9X,a#(pQlI/W`NCg#OEg7T#)Jth`m@Cmps*I<c_q_J?\rJFUbEUS?hJ/B`U)R&/
+%rET?9/a)2h6n`&ek3>EfH<Uq*H@rdErgpDMa<MkQ5$A^+T^N?GHKJXgZBSM%N3/a]#'5&_f/iI(pNdQ:J>MpXUpjX1*%eC5SL%;m
+%2PIj3%CaWs&qe.Ikr+k4R*'H\`[E`p47qM+gF>OLC08(<;NA$k@GH22!liKO,7K=/P2bR.o04#),C@9Xe(@W.)VnR\/il'M"!__?
+%:Le!<T9lejpX@C#huiVmIG8U!$.+[,,'B>Sl?LRAiD_jtH3J`^S?i"s8&1(:6eUMi473<mQWqJt#\IE;L[B?Dh5\/Pfha&_]o42g
+%"?ke8oZc0!._YE[P^IruGuAenP+%>na_M![1iC=n[6pgjcZ;":X\mK-*WlDn2[hi*_`07i-c8(><qTttk+$-e2(IW8#?,@LFBc<n
+%?tqK@1H5gRR@_!U0@B'H'j9*-Ea(2<J=Pu^E5bs/1Ha5B/mst'n4qs.k9]l8M\Q%D-64,8GY&Kt=C]14Sd<@:Hua&D);kD"_eX3U
+%B<fJ'0ij0SRsN`%bj7L7^W2KlC-,0N];pXBF_89.hYfcp"ToTI\aWd9)S4=c+i6d1_AkgQct,uQl]"JN"3cB^B$4EMP$+oTH[/s;
+%?#+%u;&3WN2UKW\1/Afro)"k+NfImfE_HY8lI+;S!XsMZ-5V0(a]ktcK8n?e=qgt+$s-Bc2#5fWMrl\;i?U,7C-.8RHA$nO/9B]j
+%r_Clu)PR["-@R!_Cr1^C69bPSYbpL5[O]EV$n+hrG[_i.FH>itVR[R'A/D`\0L[C:\P?FKZ&;dfJ@i437+"gY=I#6UQ#;Sf2!$5!
+%]jd9"T(u$>@8[]-OA!2bm%,=t[80VRf5)o^DI\;/p:/?"3'\X)ef?,g%LT/Gp&p;CJO<%U;bTm_b[n9g7I$'rEs'RlXuU#';MWf\
+%r4c2>2>iJiOc5l9$=hZiFR^)?E2-Za!!/Mj7-@>l!egH,qapJT?9uKg'[45jWp3&dGS-soh=(KKd3g%O;2EIQRk"FWSVsqVik<7b
+%n>$*=YW@2[0n'P2qQJcmM:0QE70@c]"i&rS]ZJo;<lBs.JP05b#EQ@:/"=s:NY?%_0i>p7&SES@VN#>XH3O"KL0u6?++G_)GM*]t
+%Z+6YGW8F9h4rItL+!>2>62[X2cS^7Ai84nMP:]Qg37E.m0/rL\&L2%)^3^Q9Wb,ijE,K1^lOM<?=:*lj')SM")dS<U88sJ)K4Nn7
+%io\[bG][Q;fsSArn8E:#"Jgk*LkV#<'DY/D5B)G?ME=@*G]4Tfb;RZrd@8h4]eCZE3A'ejcEIsp"f!.sbWdhlR3fQ_q^iLlc'V`%
+%j>[Ii3-40o>^Cs5h9,j24A-`S89JoP>2^N1-8St[i*)&G9.ubP3&fuEKlHD7fYU9Q@h18kB;<`/L'qfWAeNNQ+2s0J/1(.B(Qn0P
+%JSFt8[Gd>cT0TiVSXIJ=\)j+V2\)K'->N\Wf9V"<ZSS)AH#<Ji2jBQ;i=dcf@T.BhF/3b>Kj2]PCt:,r\3bI%UO'Y_l&3##9V!I;
+%a5Z9FFSh@U6k7`/Q,FlRLgk0JVN(>KlM;fXH)l-qMsh*:5UF"YK,C^5lcDGr\D^21!%UEU'<;.;[1$,84eI\Kl&ZV`>l,YO'EZ$o
+%*aW1o&A:mNYYc'ok?DIQJ1gKqClXsb-+qH^?8,kd2Q'aa#tM094Im05$U!L0(`L#+AhA')qQW>n"4D^Bl&u/2G;nS<DQ=97hB>N$
+%,BGDbYLm'*^HKAe:j2/aj[m8%BaT:,VnM<th)H(#UH3&m!t:;mm/a^1Fp#S@*EWLThm(-i8WQKWLTc_9T?L.@,W<BjoL.',!8fKu
+%g.&)N*k@/e!W\>aM[1]-i"b\0iS:6Cq&^C*+H^T+V6F?2AA`C7&1fNLp=`7dENDpc_V,tg'WG#4Z0V*[O:WHI`o\>=@K6#/gQ$*?
+%A.Y^J;:\-J`tWJ?E"mA'...VH!OUhpW9,V]iPn;XQ3CO.WHQTmocZ**5/i]JVM,b#XFl=?F[?r/]e(:\l6#6A.YkOl.`82YgO^&!
+%N+<<`Vk$5'Eu]C9ok1rr"5PQeN8=XW%ZPPUOZt'Z;,cDDT.p=oQ[)$iBIVX"":V)M/[@rOL\ATXo$B:4fKl73kVQ18SZg]0kiNW'
+%@)0NE?7o;2RFciW%SFDd/rf.1lWAtaJ6?oHT\GfQ_q)2TN$;1Jb:Ls5_Z1/?Lp@kTD.]m2,&D.YP;n0O@0!oI10HqoZ0Vl0aAN6K
+%&,e)!H'\O&bo=?*jBKJVnOOO`1f!\ZgKL.Tp]QT66L7Tl#79W(qQNu3!Jt%C6f[blgJVW=X&s#s.k*%R'#0QZ(iT'],j)g+hEeqX
+%]@\i5m$7lF4UTpIOU/DUP:srMG%PL_?5e)dM66Pr*I1LQ3V[4A(/oW_YZkF@s-c<S(TN(/(KQmk5Y/':f>,)dH'`73OR_(p[mZW%
+%=WHpa:9-FN:dMKB51G)K>1D@KV9%\iJEqj`@qb+%?dnpcZ'3Dr(ime7R.M*GX+X.INnH_%IM4LUH]$7PkD?p[\\NorNP$f<A;pK]
+%3KaU+[^6o$f]tI)8o3t++uJbGC2>Wr)n(3Tn/Xt40,M,p0U=o4rq?ZI\e'lC=lX(=5s,Iu8qanPMbj8I;"F\)Wc/mj]*l=6q6`Nk
+%+'6`;URb4GkS%[N)SaZ&(*2s`__,QS@_<C2ZGj;B]toSq]uqOWK%!JDPD3FHM^=Ds\IAX&YZO(44&5OPW.pAIe]n_I`%5MsBb.O,
+%HKcE9;H;RmZZ8m@NP\4?akApmo+6JbGV0ONB\0BIU/.`!m]LL0`mTB9\j.tKPT-U!:9Gj10G[aJ![]]"(gr4fDe:9jbge#SEj)Ot
+%+W#^s53Q-MM<ToA#N_arI)Bg$qWY/+;2VMg;&g!A4*82nIUWCiD7>b40OsO57]B!4(ehD]cJd;+r>97$p5P$4!FF6SPoYfe_[F8^
+%[KVl!j4*!l[LnP5+VmllnE$86#_on3S?=nljI!3q)d&&DbrCuOp%'+)Ui>4ofL`3G13U_#bW$G<*02m2rY?CYWMFu3DQI+s!PJOs
+%Zs#T`pGQ3@</l9BiVmcGg_K!cYmj>dVn.N8H!>uZTp>:gjo?(J"'eDkF<c98"47#%BQoL^0DQ4hY(p!B*+#CWg^j__d^Eb=`MQc<
+%Ido8<:6H7TYL*"9iW[/"-Gdj_(FN&I=D;baH_X:u5`IhnMHlB3(3j$sS=cu+a0/hE#[Y+;_=4$!co-IglNmd?(/s%$,jNA2C,X=&
+%L@u<^4I$J8SZBn\k,PN%Pr_.)5`kl>8U1^6b"K=2-?MFTL?2%M]6/g.QAs"?aV;"Eb8$lAV0]'X]mtdJg)1sP,/D94c'F'K5H=*&
+%YGg`i%6q'2'1n3r-IpY^D@cm@j>BZKJ_ZZ-\Qc(@am6#BgDDtEk64p@2poS2UlWkZ=!di.T+#)TdWQr7Bm`;$@M1if7;[*BI?@+j
+%4ZA;Nn+?^oe/9^TldE(rEfK[/Vma7g.2js--fD(hq=t@&]7Lr^FHe!bZ>]ut4q7=:DHpZ);Rsf+28i;qZM&NHmPnf0$</90?q)hA
+%gtTr?Wp:WsC`2;GS"9m!oeW!+-:e3T7AE\E'$[LmgK-cd#"qR4O`'e,SL%;CU$uk2"sAVV7g.p"$;NLt,^d#!LneZRgPUJ7eP=8s
+%R;8.D;9r\3H0?a5g9baT-JlV*:Zafl^O#jo`Fnr*_UsTLGR::pqS6,P;P=H)Tgo2/8@W]d5mj7HU4WJ&904Xp?D`oXmckLWVg2W.
+%rB7\g3"G7P]nX2E[P_3hi03g:!J59U]h?c,72<lN<t%k.@51=IXg5VneXIJDiBWV:,;Bbl$R\@:=,@+X$BHAj^N):E*PGE[9LMVJ
+%i:=KfV3r5g0)U!PEiLc_^X1ZM67jqfkur8$(V1;..X"Gc!4p(Bkd\JUCOt44<f!=@'O/]KVG37d+^RjBH"Is,fpb\e]8kHlq"l,#
+%O<1XbeaHgiC7W@f>8F[K1'@Ls:qP6l(>Go_&?VqIC:@BHeEuO:#6U7u^LM1hfI@q[<\YU+6u"i`n[Cr`*]I"Ac,qM;(g4p3&s">H
+%9n-NQV+L&R-nLOEYa]!i^8tS4:!'><GE)Dp2hu@AlWqCfV8YocK%U4?C,KLe.sh8td6ECF+:-5LqLq)JIfC:D!K0YjH7:Q19e8MI
+%SJ05hg/Kh>EsJ(p%lGU'b^QkuE12_IB:u$$L9eF&.gk16ODNC8Fn2]&^NX2=48`'en";X%E3H81:\_qY!c',?';*ES)ufgMQI47.
+%JPol\Aeela(UGQoUTYSc+$-$R.;M0r</9o4ZA3'%os1=QCcIEb&nb699ugT(@HjYXZ!8@#[(>R_2D1[M(-*TYBh"EI%$h6VU8'gt
+%q#hpa2JlRE:CFd5]9-jKL.WbLaX'k@;5k&1eJ*6MN!Y^sT>4p<Mq?CtF81QaZ7YG]e0\;Uk0gbB"t5o:QpaS[;#^+fjFJ6s9dgHD
+%m_OR9eL^:fDM]C+C4\1(c7=DB2E54ub7^<+X^5\ig.>[I,-3lQL3W565oG%"e3mt!>/%V:[2-AWe6;cRSno?iiK>+0GbhIL@/(g\
+%NB'6FVAsRb%NmU)6&c-X:5E)%!1.b/S1_Xf`X]d>'$J-LM:CP\PTO7_Q]a_'!t8il@T402&PtbJ\.p/Ap/?kN49j*ZSrj#>KTVPl
+%)umk)^/_Aa;h<gc!-RI2AoW'N+d"W:3f.+tBTVMbU&:587HN8O*1tG/A<ibP,1>.BWLO`2mJ[)K^e28<9+/o5;%p0O96h$GFIbJ1
+%%$V%:5asocJ^/Tp<UU(;+,:Fc0ku:GiNSK'\#E0U.H9jb18%'C*=4aA^pXIT<jHSVN2gr\^jVgp]U%8l#.c'F`;)c?#L60*9K+HT
+%qKGuZ24@*U<YZJb8s;G(h9>X6-V4anQBmdmGMk#:=<=(O?m5[Yo*Sg1F9&U'q]+kECdCN'"p6]5]pbDX3$u0Yf!SA;Tl[g>W)P/6
+%Zl94J88Q-Oa3c=_KJZ\o^`;[bChiWL3r&RbY"K3q?-<<ND.Z7d6rqL.$pf$NgR"R9PI=^1bKNGe\_24l)Qs#g@;MCKFCSo7jO_W>
+%GZ>_%_Dru02d3`ufm7\<b"SA`)F@qG]]&^t3L-'t6bS)b<'lAkE__-@f_L&DT,HH>JC,i54pAndZ0V8uim0AO5qPIEk%?$uOnEqZ
+%#9G9FB/YH30j4`qe>o[b1Od\%4<\2ZIX?TX=WJFB)D_^P0Q-'/q'3]MH-L[+4/WLF%14GO3Sm/.E4VL5o0%BQ2hlZp!H]K0bc"-6
+%#>YFd4X$PZl92HL[Ms?C$*52>Lap,jX4:#\`n';aatR1ff;^CP%-&TXM[aQg#AQ[[B_HVto=d6iRpo)=SH.nm_dJfdG["$J1%W-6
+%/-p;+]T@Ag<gP.:W$;>H]pl1!h%g@gAo&l((p!hFH"Ni[m=3T<+`A!IG'X-hSA?GUa8rC@%tD3Z3.W(QfZB<[(25#q=<4$lJZ\Li
+%R8O$Z+SC]qB,'^_2lsF$"ZWN4J9DnfTk,U>5_E[O_F3m\0SquhYPSe<q\8,=.Z2&01k8%.dXi&a;'I5)_G7cYTID#Mc+bQ10^oYI
+%47o*1W!89i:O-Yt(KVaKQP'RpJ53TUPMhWNr/W)Q;&Ad0f=<b2TJVCf[`l^01_ku1"']Jc/K1goof&>&N'6_`B(U$P:Q*)k)[XKS
+%a?<s^Wm#+JgNg-s3"tEdhHs,T]W\H;@t2hh?<@L./aZOG4$7mLiRc[Vk74m`EH@<+1h(ulIT#YV7:hnD$=85.FJM3#:^%hk^^/.L
+%+bY=pM9p0T.!K$^Y-")m!.,$^Omi?lTEUIFW:NLfehj^CdY1I>[JFCp$d6tM/M]L*khV*sGf94n!.NBq=#^mHqRALfg\p[)E.rMO
+%!e=WN-n%<BYDf0.Tt3PZX3PhaLe-[!g^r7C3/OskdAuXP"*EVS0RtKi`8c"dKt_kT4coKHZQOL8e&ChO`gpQ4'mU$Ph0'$6\6+If
+%=_1gY)o,dEpbO_s*]:Gt+^&ZM+R4a9.T/%L;G!$":XWD<ecXRE#5a4fNSi-n#D2YR$_jda`1a8X![[;5pjWLJ?P6<IUlOWO:ntL%
+%!f,'1dr;e<!OW>AK>;TC"d7_c=uWZV]sd?%aKUUCHtqur6oD<0e+e^HJLCr:)(6:'jeLI;7c8C$@k2)K.0>$AUc&!<989b2o1<_2
+%Pe]7\^ED`]N<3)=&#M^jUg-<(1a?u][Ond;E(.I_@;aJgWJJZ*itCQs'fd.T#HS;<("0@)F9`?Z1k<\f#LjX+bW!(GoPt(Tc`HTG
+%Jo99kBsNC]g)8_D7/=&NBN;]uQg;sJDlSA>C$5s)`&U*82)_Pmg5`DV_fa-o-h%>EnS&?18qDE6mr)Z'BBZ'MeE9[2f&;%&-CohR
+%-BiOQiaca@Ye]J,@VR/pb.SW)%h3Nk`sY`rA`&',#F2b4Z)fDRG2HaGAo+2JGm-*<?iu&8;H@./Iq"I2W&\I0S@ik`MdTf$f28?Y
+%.5I!;HFX6u]W*)o6s0R@W]!u_(7G(I&'q6Xc'9NoL2M_GW&G$Ks/@<jp1sZ=<46l<bJADTG9=:b@+kTZ17)k!fCn8+N9cX.3Wh<T
+%iiG]FRj/1[VJEdV!Big^Z6GIY?D#1(K3lumQqLaA96+%$jFjQN`g/0\l9D:Q7G4GuOJ0\p'[<lNW*cJXg;-^%$ja613!]dq1#5lj
+%Ud"Ju?eNt[.>W6M)2\H,lrt:jCKC4@<$aLEN%AhuSYgd5lc7CcLcg-A7em$:`-+ZQ;Q\mXL_un';P!Ot5[sJrEEY@9p^I>mWo_/u
+%!ml>"WB,I%Aid<BYH<?$r`hVILi\1=+d=Z4hY=oR0e6CZoj\c+LEu5W.tgOfQLnLW8no?.Rai73J/OP4XO6NP'bN"pAXb'D&o1(5
+%ER)e7f57S:2Qe03E.=HjHR*Ls&<neE7l/g6.O5hGCggkikf.Bo3LILL)ol;j[>)[N!(YFN1@I;%.HkaR7;DD@9JQ\6,KhKB=]c,(
+%NE8fac[VoDKmGO\JET]e#+,Zt$GXO)@(8*Rc@i0'CBdM/:^NA;GDIS#U+:_3`^!1b/gK#rhWUDaOAMQ,kEN2Xe(-c9h.EJ/%91I5
+%']:b(pk"H/dR*#ccj?<kM+/$?]7?ISl0T05kKT$T+o5Y;ZAU<"/MVSsi\Y?\$hS-_)H2u;D_@A9gEs9H;R1S)2a0POa,EEqNHs\2
+%mJ[86p5g9U;%ru-W,>r#BD+<V9Uc.Zo3iTiNCu[<NV+QI1o8*19&o*;k&dGSd!\FH9$9J*/":!VHaO5q)bZZ!/@Z7:KM<^o#_p4u
+%I,$h61-mI<L'k+mT[i;B=MC!4:H,8Z?I=t$d-.Zn3+E;<KO3`@71%J[r2.4u"66Xb=:q7OjRNm9%I8ZITLE^kc('kN`sk"6L0gtu
+%R_ChMOS'@SBcnCb'pFi!Ff>%1*RX;KY_0<X)0rrTXLast)(@A3+?cJ#oX"pL7/RmcE?bYb]Qu&fTg_hE_@_oH_03d]iWGj%;5gag
+%E?U;4Gbss_egUg&k@K1824u<e9u8']h<uO*1dUWg,Y4g2('U)-!l2/+&lmC9V!MZ5_/mHMmmFu&;noW3mjuc4.R7r#T5<K]a'X&T
+%W7XHLZtR%\i=\*/H)Fh2\=5&9He[^n$K@3l=g4%@r8TU,$SO,tEWpbOKo9CL'!VRF[A*73&.QV#7[$cV.@m&A>4a+CaKTGePKm_c
+%'H=>SN8Y`qm,('8noTjI5k!5C/qAX,_8,aS$8CtHK2,ui?sdb_5`g17",JPqDoU?'C#qKC'#2EK&>-U0#NmT@G]mV;ip9r@ql*H\
+%;aXfO`P3PWH,KtIE>ZElo%OSgQ#.3pcs4\D1mG#iO%"&Q=LSVZ4YNk2$SuCJOYuo<nt3$_bD:t<\2eK8\eK,gG'5jh;irUaA<hH,
+%Sep7=6kQmQ1%a'#)LEfmpHJdn[EktUh9#o1`F_.J!+Un=m&qUk$["2e@&73iA!:@*pfOkKTNORICk7:,5)b,10PZS@n,.,Zn[7KJ
+%m0kU>-D@o^)l]+Z7l6b+p+;+U`SNu+1Etf0,eL[e:f9;k!U=hX<%uq`"e'@aVAWtmO2rg<6i$UGaIO(7R5J`g(2@G&WXB+0lc..G
+%jlF_>Y<2ihD9U3HA+_=gKf_U;D&FgHITP%mM-R=CJ$(&D;Ig@KF8F_n[RBsBbVW,V#QIb6FmHe!FQ[c$S4<WNnsP7[d[SWV/knMq
+%C!LVVHmEjiZ+Je00*Qd5"Gb$VA.t9e6p+E4%^`h]5OX`WGGP0X$%aN[iK8A0VC4XT)3<:f,>%HW:jF<n*bh&RPg0C.o10OCU6H_`
+%VamKH,H:?$J3?eA+)/,Q$LWJHq`sL2;Lf9Wi<NQVOb.s+.mFT7:F,-K?2BC]IAC9n$/9*5pQ5`1VMq/#j[UNk"(hGLDEecm:R(Z2
+%]DbLBJ"Z-Ml2=+$J:hCJUU\*:Lu9[aE0N:@8g,0C'-7;mc=.20fnQ9?_bgp'X;c.[QoKt#*+UQ@,VG*t(e<PD8!/ci4cZ:Va-4Tb
+%;%VeS3oiS=j<.$7'JDK4S/`hP%ald:+tH/LQBQ@4K?26J*6_8<k"0%E-qA=mY'CSh3==acV/m\gFrhoSNoE2lTq@Mqcq-=_;.f#7
+%8TYY"H5&D$Bd+S9P9,CCNhT59i_9q=:M37tUNk:@d*tpWl6p$4+E_gk`B"?>4c!sGFLdD5?4ULP7q&WSK\1q4fRl$6;8hfenE_Q`
+%G*GjNOBaliZQ4bT*_"rr!c]S:\[1SV=eP12AbRU"GEg01M!7&.mlcL!*T[,>V#QH1JO`#B#P#Wo:>o'sn3R!A.$St><.'d7I$/5,
+%ME2d^+<SNGO0Xp=$-K#Jj\a\$5m6d-R!FqII$!<7OR,)cH_,pVO.r=\H-ljGdKeIRUVQ+c$hYp;H5'IECU"pl>E8ih%q;b5iRj@2
+%lrf;@-sV+b\:'IV4\FlY7<TaUH&E4j(<uGLoQC_%Qc^B-f!%c'io.E-8b7NA@s>_qSHY2)1k*?j5+un%0C$%%-@TEBI*d7OH5npg
+%&,_Q6U<.tIo"\OVi45?q0dlD5O_&UpiuGTk8"S%h&bNj[3YRJ_N2-^PdZNd9j?u0#ViG#_,:i)2_0$rK*Ece]%'gQ"m)VeG@'Deu
+%h2].X'8Q"s[lZD;*a!e;_V^InprFXA0Fj_bM'jA)RIYU`7NQi>OdU@;-,E.V.eL5$/rV/)k`Ib!1UZk+JU1k-*dOlK*7uKCp;!bX
+%@,[[_]16K%!t4mT1&T$CIc)A6E0a;\js(91aHo(GWukHr%ufm#\,/Pq5;L5SeFEh[qN8%3jL.;Bi/aE(1V*M'_gg\4+5-T?-%N=:
+%^enIs6&XYe\)<oun=YMT<),Df/3N,N*46`G.M!&I&.e%<#G$\V9o:=sMPJV==V]tqTQ/K839kN(2*=WK*tQL:B,-Q(hT1=-a[sM5
+%W-@g*NH3NG3=2iNBX8[X>`NPP&'?RR'q(iRb`ag,6,Vi`G4VYkF&^OIkj:KJo,M:g%XL@#g->l`TqgVoK0%CWalo[KoUq7U71VP`
+%nt9TR4Gi@Q#%h@*pl8@Zq>e'[)td4`W!IH@Y`fc6D"1rI,d.70\SOPb6ePb/]+1>04DI8IkXce[ViE6,#<f*mh5d;?eq9RF;0hK+
+%de09sFk$D:<s^tRM4KpPc6?g1H=f\/Z_L.HPG6c.HgRWXG1:UqWkU\F`BC0B*VJS:[-E[_G"2_K#IV3sZJJH2mm4/G,jfg*!.<-$
+%I*`WkWXta9$]jS-B-"psA7?%HI]B7*FQ1!*T[E=oLa2o1W%GQn_+W4>f4\;?)h-AEhW.P'nm03)61=A9)tU/*Gu39YWcK5(4<HCE
+%O8>Ls+jig)d<BlaUQ4T6k35GYoj()\W470)ApmKq4Y"/eeR9PAA=k\kht:]E9"#81[grhV#;+a:h;&<qhP6P.c_A0ED;_1Hn6'c+
+%W(q`)0n*(a5)LR,<Kp::b=?^;UQ4r@k4?d6d4*<6BDHJcMBd:@j7[VL,e8efAFRW!0Sid=c<"M5#nQM4:q<]5K"m?H[<i*c"^5T>
+%@;+iue#/k?(B5baSf,u<*O327at"dDe''cceOOZ-bkY.?6-/N/'fEQ6?ac\*3;+u%>;]S_h:.82=(G4$7]%KU./B:B\_Y!JWRtF-
+%.U\l@;@_Y#l>NoRUsXgrr;e8-24,5M:;^F4::=,5]ErU`MPk7jaN&WS[:fqE[\-7L^l3r"TIDTMS$k-B@&e2N)T$*eG>od#8t;st
+%W"s5:XAud[#f0fjb0F4H<&`sUHgRTQ\-!bG%95P0RFqqp!]NlO]68@43Wua.)3kojTG156A25iC8Sdoq:h91Jj\+jZ0piL5?H1hl
+%WrSkHLE$]Tig7uoR+:)s3878SSViFS;F]UL9N<CO;_nGY*OlE#mZ@(.hG5tsL^%V?Z[GIQ?H*JHJR)N$68#_F+Z,DrFc]p'Dap&L
+%8*pp(iHqhP%VCM)N<FRB74K`9H$1d%[k;1/P;N'_<fZAETJ,9_AX-(sqjP'oCTCfHRB0'*Wej=/I3#SZ?@b7W!C(Euj`MeYrQVC$
+%Lna\_11:r&_M!nFr%MIiiZIU3iRFq;hrG2h"Q=Ks<_4*K`W2qXRub\qCHnX^[CNVMY&lH-=ml+fd:l&_4+^dFf8WR+j5d\(S3klq
+%DrsC1neD-dJ6K)HB"R$i=LPOr,eBbJkWs0=Kaa^i_u(g*QMUo^11f?a"Msb_cfkN;r`h@CjP%R"k7'-I\cSF"7_"[aUjQLbW`"=\
+%T1B0V@mmPLQVp)#Eat3i8:!45]<7->CSgX-'[g+',?I#Bhs8HV>_QIoRZ^$Bh']2`WM@Ir7]#O:V3.^KiZ1aI)Tq`MnO899:K`Cu
+%QKRqTHHth6Q[Dqef.]!=Qn(qmS0RiVD2t"8q"SP_)IIus]V"=9VheuoS!l]j_CLFo;!7.''"DC:`.;IhoRe-HQSI)X6+Io8ABPGm
+%.<#$fq?kSNP9-4E7,"nUEWHpQI8t>k]DF,CdattHM-:XLoZNWQigedp`C7/t('mD4E\W91TYpC:M;oaJ]No,'Hkuc&B')Zo"D45d
+%8H9G\2DuA^.IDDLRkE*bcTPRCpW%I(Si]FDTe^tp4FO8)juSa)pB.$lgJWA`EnT`[n$/:-^:9"RH8/_bpM9ol?mNh%Z2]_3%E)>u
+%(!tL3`CU[_n%C'bpNl58`FbFIBaP4APm&4H8b`s#-R`-ZmOA4F<H*[fR)7>%1a5EOaq-6'8l=nI&-L>\UtWE,>::*II*%L*]7S,P
+%#ROA5ajI(I,cPisQ)tqsnJ(g$q3p9m-%W3g9Xof*e0Gn5#MB*XU"n:qOBmAcM2EAg$Y@pj)mEBB#c*0cVFV])9t:9\.l?,hX_$=Z
+%[19&<BV5rHEQk]RPnhR-D0[_-goM.VMp#-K;-,8Cq0Kq#\k4Oec$%/cBuJ/n]#9X'dVRH>3V6Yn>NuULY_usD8_J/HNnYj;=b9!+
+%/]DC8.Lt1?'MH!tRb'fF)&TOBlWUD`X_%k?CR7Y#F/mSp5!g==I3jm+JbNYUr>G7^"#Ob)p&Jf3b'P%CT]>qC]j,fW)*@oVba,VY
+%LsPYJE(\@I9fM^'<I)9Uhl<?@KVnL7qLaKN00slJ^[ui^c^=;dMi<j]kHa>N?;W(^-3l/776\pmcUi9YT76h)NaEighm&G[#\*"b
+%(Vf"C]0t>""&bAcE*.hHTL,q_XeX`'TXgJo<p>bT6=p=9(^$%Lnd\@Z9i<\6P'MaP!q)?k1c':T<:Y5(lW2'K4mH9(&2q(uV7Qm<
+%5l-pHTHW/A#&&R!ksU7&:\?'U!&gnP)>nd*^J[%sO;d3tY7I'J<RnI)\o_Ks=iaAe(`0^n*MML(+2Enu/-ZXX5:bDg^fY_O5;oKu
+%]&K\G^l3Tq7Fr]9`0/AJN'h^"0cMD_/`RNhG]cDXE'ma_A!_on;nZdR;S^910)bd.WmM*VLN0u=Pj(NH1/cbZitI*_rk=3*'U(DM
+%Vduc_6LE&1nA>G683K8>dPl!2JYDXh]e6$EN/g()Ll9EHcdmihFiZO'pO,VP&*LVD;c'Eq]%';R$Z[^;G#ZpI7B,%'I`T@YQ/ZTq
+%d%rQ!;o@ER@P!'3(ccc0b_9UpMOA!&Vp'SL,%MJATnYqdMR6ILnf8M9O8"q-1;Ja:EPps,.l.R'D0SqI-k-PTk@'J7%O:!@'3>OF
+%QR>H^8[R2IbXgs]6EU;Xj^]/E%N7STi[?ArDQs7,@GoXnEgopEZ:%k?:;P-`huP&7`heO\IS)8,[&Crfp8n/2M%Ln@.P!`r\Ps(!
+%P5K2,D8\sP].,I5&hKM63JSB2k[m<oq-IqGbl@"t?_<Kn$_1eCX"8f&60[:`iF,54+:eY,$<B,moT7ed./TQqS*JYVX-?1%fO`3'
+%K'(gq'Rn5?c/f;29*u>aPrk/QGBapP#V9^$b.\T"n<=q%:K"fg,aGif:m@Z/QX=iO"mf\X&uooMl3Ohg-);%<<^YTh';Ugf.qF(_
+%,'QIB!f&cu:%XP6FXIGd'.nZ-e;=\m9I,O+V)rN8ZX_eqJ@.fLflT)!=3_/0_>QN!H7hjAdgm3YH7Y=_)pKU9!3`mXrg7?Z^H+V@
+%XiX$"L^4EN&I%)r?<SUL@5]kXCg4NI00"Vi2noYq9tr9[NE-&mD,ts2^_4q'ZXTO,IX`/Pjqa&<7FgR%ms`_>`;o@)V^FXWZZbV*
+%BD%q<qOlVi<-^Xm_*2PQ53U33'kr`o[7@(JUF,D]IdVj>mST8D6,E:ilh@=ar1G-Ze/CNN&jIc]5H#SEFcfH<b"'/,ZSM-)MXuJ[
+%o2-HQ91\Ae;lnn:O_p_U,cs.O`sq7:9D+*R9Q._tl%dJbIF\H#FVHWp6u#&!,'RPt;G<K$*mfl8_b=9eN%4^GaoX;be<nUtR6,KO
+%0=_SXUH,?*q[q!%-M[[N,(K3NN4sdOJ/#kd$Xl5XoXKi3FBt(`Gp1:E3XA.TYLg3+EH]<cG.'I$)%cH8I0pMV4I<e:g&NBpKLmW_
+%g7YGPUCujqAQL,--\9Yh!cbisb`#,16+gBeC<BttKFdfV'9&W_lt3'c)l+'W]P(j'eW"O$.`I9&!(@5HW"C8XJ-#K:E@3$`g^%)?
+%6Z%Q7<"jpm?KS!Q\kCcZ/SIWA#L:"M1@V[T79[Q"cM/^N2S66bkJ^,@IfY>6[$j1f7KgP_nkTQg1,b]#YpIt]R^-*[P&8\b_]3g-
+%4fnbiRqYq]R0A)aIiWTAa/mu^#4@ST46H2WF+D;YiBq5IR"`32]Hb$;Tj0mN2Z`feK[[:jXBK'p3.<>S6n"G?kh2upU:Q+E.HFaf
+%-f4"p^f#uDR8LB$9Bs&OX[psLCTCD1M^:G/!WL6n`L>j&BBe\p>_3Andk]f?gC(Ds(n#.qUBHAp16BOmjY<t7Qie'E18t?AP`(Zh
+%6tIG!r@<-m<05g0r#-Rnnj2jMCssZmUj7:*c;?n]`9I=nJlg*0.-7YG,7!M]@/04:D#h_ZRM9Ph*CO*D]9]ff1Qr'*/s2iBh*RuW
+%O)TEj&O5+@7=DDKUXWpDZ2#o7:$\]_%k7[>H]]DL?5Q>o#J->7VCQDi<QPJ%0(=;F(ifgeI>*eooGgbN#)6ZJ5#YW(`fPL'1c_nY
+%eG4f\b(DTD6p"QYO!do?$02to*)<#t1dPP),I(9u/]uq\Mqi.;0%='G<UIP5g^C05TFef>c+-G_Prjk)F9B(&`PIg,$8#U7]N]Q4
+%O-#[uYeGF<6lhR9&_0mcJ&,nHk14F#KRS:">`o9G`ueP(<&Cr`F@fp[&3=/ecgqON43)e@h<56b]_X>tIpM7J>SNZU?\)"piRcla
+%QA[Odl_/KgpXG@;l+7.>cR/atIPY$(p'rdMlRau1F3A$-m0^,2oEjnAb;A4[ocbj2FRqdE@$$TI?']il$^;*.bW%RId)g&n$^u!;
+%[7f,70Pa/;"T3.g)KX;3cWo,$"sf(P1q\3_KT[ie/Nq1t6nhXnYr24:\QeTnT"EeZ<@IDPCSpgP=Yh984>nZI(RPNB1c)2)GtAk$
+%N5Qa*lm\0G.n-%/P@p&X%QrcQLpWn&C!rDT2>uiU]J.&<UG5$`cUBaqOPKs0er<#uWB$$H`sbK?<!gbu0d's3@1`oFZ(5cO@4`"C
+%&/`2!G*\Our?e'f1[]_;KK6V`P6G^Ml^"cd&IUi1XUGqQAEpk:)pGm8jTAf&Zj;o4P`RoGXK!4eUZ`0::cg=/S^6)]\+ER];)5`s
+%S22(qoT5po%UVWRoNeprW6"ltYWo:4bVu1PQZ>W/L,3;YrRE[tm3D\W6-"P1!KpE*C^ub-1o(YnW+lp!T28AuJ5q`P?oY?nRTn32
+%Q`rJDelaQ11&TOcEjn-73<_H`30k-5@/ts?<FmL9JjEMlQJ`^SJ8SO:?4M%T"0;V3^g7gF\Wg@>9,NQRCC+7F@<95jpE.Sqk0Tak
+%T*jRP1o9\W6Yr32ZPb%r<KrpD&1>&HPD*77d*.AKZ?^aUW<OI8rr!fm@.I/FN\BApo+EacQE?E77H-2bP,"7/0>27gef9Q*2<pZl
+%8,2Va5<8uZ:;kQ=34^FIDTpMi3B9T"2sSND3kAo6DVU`!GB=6(8,-.XhG4=OM>/"L+r,R4f*LF"'E+!ALC]=*j3-Ha4"eLE(@=%5
+%g'MaQqfAa^Z#^3+,D+cXT=rU2pFNHO+S`&ScinMi>+^gbH<BiYcM@@8q=3S:1Hp9WDk"X'D%8\(Eki+,&E(Jk36LHQ.s5i^9kJBd
+%UE:@d7*s?3O7;oMLZ`JiGQP(s6JW0@fgVQOZnn.9dbE"$QQ3b?ZG&.m/m;;5YXSrH-)mBJ21:"@@fVh!3olQU+/iYqV^=(I3P]5l
+%0Zk]CE8iQ:\bXUNJ_EgqiPJR?8a<Z#!(3pOgP^(T@Fik@/Zp[_5pc+!5)"KfI@s0_%C$3ZOTL>-Q`oD=Ua7^G^oAV?>FuH2?Q[&h
+%-d]^T^-V\X(>5f0:!Kb#`ak00IYW1ITmi4n8DIV56k.he''_KOWUBWlS0/G_!!PV5@U32`"#7RBo"41iRO1B2A<i!658slZ-8^C=
+%Lu*6\nAdT]dSCF.#<9U%q!\9H39)IEE>Jk9`d`!&]gs[2oNkM+W_.)QK8?N?))WtCiQq+]6)*/,pJ6F1M'3L.9=5jOQ)TV-@"QpW
+%mW'<#8M7i5jJ7tV13;GMYkjVYs03niX<.;e2#5n*oC:qiWB.UtLX#JC2W!I0rHUL)_#X]=93]0;.A^a]o=/ta&>8J))TR6S,8>o@
+%eKbub)(?9X<7sKZE#oPCo5X^(i-q0WGGk@kjoqDDD5#?kWA2J7e4g9j[]L%2/X'lP!(-^o416:iG"+1>Z/'uAKSg*B#3Z-]GkNCB
+%!t?`BG2J:@I4MV*n7g)E%^%.^!LR_BLk0?NU\ba,4N&A_B]UhOH(Sg2:2'>`a,P`K](riMCbfM\YuO/SpiL?Ng(ANk$r7,kc5:(X
+%_e\mD1$=LQqi:$mTFQ>JV?\Vlo*PA;,L]^?JC3ganAgd2hTr<b0>DPI*DaR#ADfP,n;'#NJgLhE>X/0MV.==SYaH(h&D1^ojBgi3
+%V$_4Q>_<Dd7<:2YJG3llLB0;%]#cb7CF/jF@*HO9s*f"'222%&q:It/ct`EN/bMI=lU/#ELW7sW9sd^P[a0B4%kYGTc+]hHJfe0P
+%+.J6S2C:XF0gE*.IqXgjCnlGq\GjjFrRf3ieFNR34hMN:d##tl/pQ9^BbUm@8c$]@Xitfa#qrbc4ElO++7>Eq[tQG2#k7$"M^?+Q
+%"YV[,Y&&cKXM;M&O^AHLZYBcB3auAED)J!5F\,tgG_3A[PX_@Yg0u]\b=$92GQltU\Vt=j!LIn&Hu3k5\U`D`3[@>FbY=^gaH</!
+%DBII_j'@tfp:iPg%fi._d)5$a_XW"XClEH!c2N]Prnb]of^\pi*WCJrG]V=uBP,RL2i!mJ,MS/n?<O1lT*$f<X:mnWQ_GXmD`[M(
+%%"POrL5n@t.8PcC,<F:[NHuI@1]TI2)*1U2aR4-NPN&a[;#\a!)?TN3\<_T>@DWdh/:1?JMqK+Q"2#grR4EKY)$oi:%)ardqM;^H
+%i3ON1gkVQf+oHWoeW*2[Xu6^&&IV3)^9f'CW-i:\+$ch3@J0<F`(H*-VFLsBUKhP'4qG^lasMGC@hE_*mL48MTq_/'lPe'k<JLpI
+%U&Au1\ktD(.n(QA[S)X@g0N\IW6ol`+gKDr'DObJVjVG-8>qI?6*l3d!1>1&Zq&T.WP-C%%t\4OSdIDjFVQ'!g#C*sY?`RA3J:L]
+%".4Lb#,@_tCHnNI3\%*;\b4Fi83*IX?[)rUj0AE7DJ%An&\G(]"3+M9<I:@L;p<O'!0SPg:a9Qo$Af2#9B?(Q/oETR/iu;.d=Z3;
+%buT[d[M5.f_fn^aMaT:@BW>Sp>nZWGn":oh\'._oKJ=%jp9M3o]g'Bu3EIX!2/m_&BU4!H"6&=p'p<6<6Q-3Q?;&R@\Ph30PO?`6
+%%ln?YB]a7i1"9^BZ+$96J9c4s7ITe/.!4LWA%t7FiAlZ<HKZ)j%dns]VEc'#+(&;3>COsf:U@5WYUu-mYsmVAoV!rI-PtD_/J@Vj
+%bp\)7s'tM'Qg6]8F3uA^45c1#S/d1LHhWKar35EFQ!O$Y,0/H;?+X&I#['\(5QOI"b1#f#QZ(*)[<`IP-&IiHWcO?*$r6H[H]Q?/
+%^7i3'dK!ECi"LYTLh\sh+02!mRVY&b6"J0r-Y']WKN.8:R)c$Q>]'f]P7T3t;AZX9;9Lc"R^&>K6o.1VE-YEH/V1KIXor+4&\'EA
+%WhC%gD/uHU-8_V'Xbb4-7DMKrYtIEslQoeKA[*0'\a"a.[@/Q'-e"'U]a[r1<";+J<3!tPp/GG.bjl'JG+C/d\r+ILb,"Z5k*NCn
+%<9RnGMU9k'2Wm[Oq[3@j;Ml5h9qbU]m4HHpOVjn8C4#P[7:F885``rg@BCkp]f4RNm=$@&Y71LCc@XC`fW8IKSh"d/$>Q\Z8rca)
+%oP,,qF0ZUOlDgkmSg8ga\aH,E-)BcIICE3*HVZa[b3>N6ll^,`@gdo4V:\A;K-ar<e:nk_imC>iD!&C'Cp#J4Wp"3.:olD\1SiIG
+%.SC>+?K,MNe)%8,\HE*OE6H$T_UU4aGZ?`<:sDrF<`0$e[e8<W./K\i<rKIWJg8P<h7>2*CI?dUSZSl\X#uSj:/k;u2L0Qoa,X_2
+%A^2hAO0WjaZ[`oe!;KQYqc+"Rj.n[aN(GKS&1Fi`)oT6gRK7l=\dE@`;2gi%rDJh&WEH&?.Gh*+Ca$#uW(_gK^ls[0@'>.bd:bQ$
+%$3VkJ:e#3VeM+J6cn`'\FfoBoW.Ueh]WkML=t36+-&l?&k$3ZA*_F6/'YBctQ"_kbYeQ;jYiT03l'4lID7(fBbBH682bpMV*:"[.
+%Q$YO2`t"6=X/Oc&;+IK!'THX<<^+I#72`QS_>h:ejn$"f!TLZLN)3&cf"20'(Vkf?#u7\`QP-QATH6r$OI_jYcte'ukZksmcBW4!
+%/":^jCZ#O)0>'+4G&Is^mbg7;pQ^Wd2b#FjU5nu*]8@R?9)LplZ;O@ZAX$U_AI9K^=HI?p*b9q^(QF)?5=-D.hr(mp@<Ui![7'co
+%`BBBtC7s6^.YN0:gip;XLJHik6b*L*ZT.TBLcAC:-k'aFW&d(`rNCn]L&m"ai5=1lS])g:+Bc:-GY#n4Ui%*u4:Na5L?)2^6rQHN
+%WYPB1+k>,!'l/LeCIkk@6H_5/n6.4:g*[(D;2D@$NK'pZ"r(Z"A7mF2BL<-7'tUdR2;=52D3aU-9Fa"WO^"NL)q*1EM<r6XG=-tp
+%!L;LKmG81=hiQ'#L%oRW&ic[#*)[:WBaTWKL+D>?.n#4]9#VD>ieXLP8EdQUr\u6^*)]B=fI'0WPs\0e(&#fo;<Es:F+np]8CKRA
+%oNWR>N(2%Bk/,!WFG4<=kt:7DF+%ZHV(1VI/dbHQg70`:\HsOrNeB:+MDc]Dl^\9BJ6T_I@]oZAXK5[Z(sLct.*/38R=(ih[4Et2
+%/@Qg<!/HbTCeVSE=\^4H>O_iSNQX#&<&mcI#cV;D@d;mfGLi;3BMVMu>(foH^mQfYJ.?*E\=tcpL*YB;[L*Ygo4jSP85"tPg<+F^
+%pU7a?9hE=bP&<V3e[RdlG-#5'P#/Kf8a+#roc,-H@]BhCgS@mrC5WW37X9TMJK>8NMCr,`kn[+(SkN:B6KG;bP%C6drZ9@q#gP1\
+%mT#O4V?p+VE67l$L#4Q_*otOOP,kqjAWujlE/.tO:.:(7893Wt:9[InJ"s8L1XJb##rI6%HVUNX]O'"2FtCO]@'O7s!"Hc[L3`u5
+%pSuh:Mb8g;>X:0J0kJ-]6ke675QbsZ7(^M'k>h1?NIs-%'WU%2)\Ahn,#[*>[l<f+Yu=?B77C*"0[8.R4?4N8cTp%G+=u$j8po2:
+%4;b0fi!>X!#-'ihlngFl,DBo0%e>:g5I7BJ'%"i9&gotG<(kRcTu)<E*;`IR>GRnp1$q3q;=KR?j%&oJ^6p<J'?t&30j$(2P(uWm
+%Q*EFg!/g3VKWNa63b^1c6PflqWBq+3LJj[#Fs_eGDa&\/>>5clC1^`0?*\sJMc(VkROuJDV7`ldON\^`%"hlM.CJ$T[M(#Y1b)(t
+%H!UTIDiBklFA2A+FU(U"#_Bte>]`Nn679\u9u>EV&icP?81;Ni(u1_Y/Q$5i9Qi3OO@51L:A+g_.FC^4"K<nR#E&`mRF=C\n("%&
+%(6i9Na[Il'Q+]J)fm4qb,SLZXk7'k%#TTMYVG\5F5F5lIPp&F:'r,;4bn*jMapDcq;?nk^d9>HNE`)qC0``1$H%ishXrIq8RgfR9
+%^rmmdhLc)^cIK9OZ)q-a$ar[^C_:@2.-BX?iB+[(B&6SN06c]>YfJirj/\)>"2Q/i.KYZ@D@84&j+h$II]4K:&qPhdRqfb#%r`sV
+%gu$IMjA=e'/*Q_LT8H;s@.`bck*L?=^slFB_2>?Gcj-:A&Z^tV/g)rP_'2h<LYN5?n"*P8U-^gQ85l(@[Pc;V*H@f6I&g2:XWS&N
+%R"M*4VA%(Q[M@]4=a(h-MJ"/$V(JXbapC[>J_XXR9UOAOEZhiE<sp#D<>1biL?-JF`24"9VCNCZi(\P-GiG_jSWCl!h/WmhL-:An
+%,k#'Hpd;Bp[MD/R_4*bkJS8#lFY;Xiki&7nRhD8E1l29/VcC-?77A.DF"<.*MNTqq-O6[7Gg^qg(_F3<]T>,I#c08qF0%-<%9^>u
+%Hs\DZ@+EW^#b01LNg$1oQmh*=*7$iTO8TSd!\9'.p"qI`*FN&S2hs(!d3($`PX44439,8knP]q*?6(5s,h0%M`t5'-ELohn<Mo9r
+%g+97Jo>Tb_>EHb*UL/aHR3AG>%tF1G\(q$e#07G&MRThHglLf7::_MR*(Q@*ADr^.TE*%!XZG#A%3lleC'6?_706QD>ccD,gRMF:
+%VJoVW')oNLTi$]O5LCMtL%jYrpq[mY',Tj80C__,bLROP0<9P,b[9;Ia!\`=FNL'7#+13&->cbI"]Ae:SO+k%nUp?f(SGA\-,bAa
+%d7Q5hZg(Pt(,#onN?CD6Wh69?bkm:']6Q.Ng^-hLjZ679[umMn=&q,G?T]AR1dYFn5:+QAAsM60"JSjn1*T[Aclpf+d(g^(.%<]/
+%5/^+2K^#i6@cTPQ'$&2(M+K"W<-J7hM3lW0%tIT@f]/C/,SPsSQG(]l6T/5VY,`Kr#n0/t,@73'1TO(n:JECL?i_pZ+?8Rh%9IS(
+%dB)5?1*ge:%&%7[1Td8R(/QNGFu1&O<LJpnJ`MG1OVR53cn71IAeC^LPLG+_Sc+4o"r&L)R%^'WF/\Yg`$TS@71U^iWC[5rQNkOG
+%$YFL@o?+%e'&Y&0?%b"@\dO&/&k&j)eHLr"dVY[o%$P[?P7]*_AYbD,+3aYUUrg,VkgXn)<#aYe6g6qO_`cq[G0A?Hf,_rO+=q-*
+%bY`-]h'&52"noQd&:V+.YWlj;+:]`C\.gI:2I,7,c*4Wr7[n4u*ET[eZs0H%":$.jjk<Ba3cAT_=161h1[T%lI0eihm<&$SauqYo
+%moJkrnLZf7D21'V?gJq1Q=>`pQLD?1Qr,Krn$s[UZY0-GljSq@6'?%/PrjaF'G2rW/he]gT7FSO1SP5Hi)=bc+<?RY]EC%rRpaZq
+%!p:ET2*sIOb`)TtJ1R6n-mq\2]@!F*L>5;MCF!,X3ah#.R]^n*YXE2u4>9-@-:;LGJjJ>qLK<*/X[::hSg6Bn0G;dW:bmJ6<#=qa
+%BL^$Ga\N+^OWB`Q"@]qF'W48QALEiJ^oYD1%a<Q+MB.AMSQ.b=KN]48B#3pk/SLd+m[(]7;Hd7j7aY]L()\,BeX+D>-70`t`Hd2+
+%Yua=?7WI+7;mAtO@9OT)g\atXTF3/Y-Kt.+..J.i''V7Xap^Qn"8L+J<+cBcZO[%>!=Q$fMFRB9'rY#2ZC8mk&=Zo%^/cn"!0eh[
+%22RirJSru;K0]l-1]C-bH8N.A\Q.loC('`Ll<&^t,QWNW+W$#hb%f./)Q,g=ag3mZ!k;c8`>L4'@XZ2R"2*fM0JJS1=@B96aBV=H
+%MjU:U0L8348@l2U/`]kHPdBG4DW#YO@'$KG=]5E#Z^27t$:Cf!9:W8<U(O`Ai5`Xq=QON6@?;+lWQo<7N'pZi9Elk)+^&qo%-UuV
+%l9!NVS#]`3fU87cd(*>"+jF`VjL,fU_1M35Un!aFGE-^u:3a41EWh:3"BSTtB=LTu_!.8.IKF/$dp'#EV*fF*?L_$CR.;4JfnkeH
+%7(<>Ua<[hV9Fjp"3f5C^mW3g&'VN,:f'<-qE7WojFS-B.I]WAVb_2Z]0fD3"L<;[jC5'^"c5A4m'uUCf6E=f)BP1,H+N;pSM[W7@
+%N/Eq&'K?u]65e<I=Y6hO;;.gsHkCBA>"5?7`8jek;edG*ShV'(?3?LLKLdh9aIT2+1:Sa$&55UsK[PB,'e"/JLt!6QM<9-,r/Rbl
+%I,eC*dQg9QnRS%e`&t%F@L^OlX&->MXDS2l[fY,"!;hK^^f@o&XC<AfMQhpLO/#XjFeTAR7519bfLLA.K+g+]j!_eR>8D`Ak67]0
+%pW99V:/H\6=?7YmLEkeh8`\!UD\q"<kO*E\_aQ7KdsIe@/!iN3c`0fAfqe8.D147>2APYqL-W'qa?8QBV$sf5+J)u!b6GbI[WN6s
+%mOU)0K'&n\0$H1tX/Q%ScR[r^nIU>dZN18nN3JkRGY&5Mhb2n*,Gn6C^!2ToZZk\EdmQP:iT0L:>EUpF+q(W8'F[IMaeU[H*>lac
+%H,#_[o?:(R1QC6i"%bMDJe9lmiT<IAhEi\,!G!:+T2r\V;Wp:fDiT$l6pJ8e"RHkM/c$RDOYn/G\KV\$?^-<=D:*tC+H:;??JATu
+%IrO&,A15]5R=9mR(Fts;:l'[d&GaL5!QkR*JP_f')bi7HI_Ob,dq[hpU@=CL28.4l;L/G28>`B),7:FZ,/r"$=&mV*1+D^#e-0!1
+%Y:*hDk!J"?)!\I.!9+CERqVo!o%APlUdjSM19<B"?'4'I:FIh]cb7RFm/V9[<!sH;Lo<?@-'sM_(%ub^ep90GR:$C\6Q]1],[&\3
+%oq:TVR>(<*)OR'(M%OJPMdZMc$A^2@2K4@P0ZdN^8Zko8I#bnH33^ML'DEqtAI1hJ]0g&aI1kFY]gdCMMFRkP.:$'tX;P#H&?].2
+%dNifKBqV-C+c2E>Gst[B'hT1k'k?]+F7qQKY9ec+7*?Rsm@9=G,n*GrfE.hXK;^,?mHR[knmj`U#o)Ys+3H6A!Ac`#H[*aK=\Ckr
+%EbgjMN,_:t,-=2H0$BE!#0K`l$mgMd4".H)qpS??X\Sk#j1MPaCScpak/UiuQcrBrJUQ.?W&-jcRBg#(fjnfW<%H3Qs6?\!X\m:-
+%%7*:9$6K""ds;qkr=1je\c09/nu5h+<+SKo.EAA(X[G`-$Jsk*TbjhO1)#+3b\I@L"(eXs!7>k[o[#CA'PcmlNY>Y\$2ME'L!fOT
+%2H'`Z@E*YsMXepWML\6uJD2D:E/I=l]oqLsipVN%GBKcL$QtNOWtMDc=3UDs6kM@&.#Sh5GbsDR'2%NN6P9i#hFGNsKs^?+3(%M8
+%]MJfO>)@[O6Z(eDZNtV,?]1Cc.S@rB@E<s6V4A5A"3g[`.U88@"6Z#XU&h\>Tsth'Xb9h#D%aoR'fJcbnX?9r0Zb[.'&:f$a/MP"
+%-"[d0Vq*D0h]*>skSHFt6MJ6BMts)e#m)5qUPNYoF[uT;P(Xo.W1(hU^B"<XnBtM9.sRr<5V^`"6!bHVKF*OQL14?IS!@Fl,YR0>
+%<a.Lp;8kD=Q]/W$Te\2)cD?(#l;#c50OK+an52(Y&iRZ&fY^-7^(/kl3f09b;6[>GkU9hm`AP$((E4_IENp`>Jsob^VPjSsYS"t`
+%4Agd=1>G-`[F,@i0I!Pt9HLgI*/[MSfsELW47Rq@p'^X]k2o+^5Vk.*m'Wo=7k-ef8aJAG[a?Ap>@TR4=LVH8P%h&"]'^!A@JZH#
+%Z19iN[-0deB-mr^AHil/!'NfA?lA*464^A-HB[lHYEf).<='b5'Ak<'/q7dNHTn0EDUS_l!`D^uV)TnX1Y%mmK[ZWbZ!=?@a4>Eb
+%-SDH5-I.Vm&70$kEgJ9BSuJ1;?0]aY;.4G=I30CT+><Y>fS258!Q!7h[i([21+Fe;bm["e=)jq^_G9]LY-#]4/2eFKOBKC2G[9Yq
+%E5=D1j/Jca'I9Hi(0^m9CLQs:2NDN.%Pgr1)ur\i#:T)_e^pYA(hqTqJZj4=E)Be1o0&OZBjcXXHU-H$6M*Dd"Wu0JY>C4^d#nnG
+%bf<uO6X'+*JbkIEI7VSr6K(+;HQNm<%k6S[D"@a8qB:Fg3naI^(k5)M^Ikt"T]R>Zpob8.%uUMub6[I"*-eWt&QAaA)-)C425l4t
+%=%#@cpU,!hE.*@jV7!T:ZhLDMUP5gl4.^M2<L?M,-F=p?KO/=EV1%`K/^.P%k!aSP^,/dl?=J0B)uS6>[=jOd"=5>1H#QfKMK,&9
+%$qNj%e/082/pjF.=LO[;+a1!t..E>%;DCEcS[-,8"thm]K:Y)g8;[IN<fi>pcl(&tBK7YZ;OH=sUaD:'HQ,7\6;^"nhA&asKir[l
+%_E=W0?D2Nh9Q8?jiNp[]GG\[q0V3oTfZag:`uCr[#-"9*&\jYBZdfQm)Yc$.d:V3LnhfX((\=iq\uo`J?-d2'DeVmrVo9Tg-$r>E
+%c8NBA?h051huUoDKLT8O0(1dSQQ)W$l3P<-E/.2S]gZBd/2aHJ]ACFG"u,c9Yo=\1iF*eOR#(Q,P:9R%GD<ge(8RZ0pE6Y87f`34
+%'bA+H6eM8s7"0Z`+2I<b#lPJlrrD[U9Fhsc&r[G5<g"-I&fHEQ%kHlV50_P(7M]!cPscHmAZr^f!Y$tm%NE085<VRu3gr8E+.M;_
+%+FOj<mlir54V^qM%Bn&C8m8XdA+5e+Ya;#e[n69kBWb>"5j"c;E-2P1/&/9cS,e3_iW[HJ>pOCl)AjF(q?7go'(tX)&E3'_a[X1T
+%Um2Xk@CjoA0kr"kC*hhRR$om+iu4eBXX/a^'?Pu#B>aAKPuKXF0ek\g-n3)-<KO[,V1p@odNKnraMLLN'f>-U44pIR:#JlgPD'$f
+%Y@^cSWpthi3&45XQ9sbN?Pd7N_;.4FOXmN-Q<7[m="^<f/]^-W3DDh/b0[I4O]>_?Br)J<'j%\9f^MG>[]0kf<G,7o:oZEJk16PM
+%&_:R?_rqpHN`n<d($S51@9oilc\]"GO>e:?nV!Rq)15>b/C',nRdfnrh'&I^b+i:jebibGVSP\niZ+)9Ms>mn6X8sq/gl4,6c*aQ
+%/Hg-j2]'A!"#B%*Etb[ac2RK.PI-YmHDTV0%d>\%FI8IWb[Ol"GMUT(*Tk_/ZY`c!F,)cg_d)*,]\lWsnM&^B,r9g2KmB'M]TO"h
+%gkbdVAD/RG*9!3\r$F;4VhH9b;^KJ5Acn?Hq["\jlJs(<Rj^SUMi.W%#PM`GMWcsfm,HDu//pjZBI(gk"q\r',7t"qE-5bk$pnd.
+%>;0Fkk."lk$)Af_pa"<EZ,egEUc.+oBi?<u,q2J]X(7AqX#j6(:is].WsMfq1AFZ&6#A\k_&`+.Y%AIZ1QhBPQIbYsoH#/PY7Yd;
+%#pn*O.F1?rU'NBF%Vj$@QhjHd)i.<jnjO.714C_:D1+jE%K!\4fc9ZF33\@Yj;DN"p=<W)f+&'2'0-B0S-6#9&aCl&HYGB#?83i1
+%"5!de=/H-tOpG*Ye3KFPXsS`9n](1XB<\Z/&[.e/PI-A7>fY?tMBXA]T%&/I?AW`ek[X^[:H7:/c5^#Q[sHK.oGOWI&UGGaT?.<Q
+%Y4*)8\;Z3Ea6UitUVsuWMW$60dGd24<k'ZnFTK_"T[_fP"X@(#4`L:`MJGY/@]fUL`F\C?2.-]ZN_2l<fSm>,6seW@W_CQC85F$+
+%TU:o*H,0uhC2E6`>,bU\36`Kg-"''qBVhnX#;gk;4Z0%Scub$CLZjWa5aII.kTdV6#h^7&,qbgA50sZ$,dk3Y8)Sc/?j,O46N5Tb
+%"'/;+#"]%M#n"R\L1/fR+@Tb3Xtp/]_6uh\8e_EEGHdgKQ66Jk1;V)=jdef!/#81-qSs>Na<@\HOFV?dK0R<?O+@2H*.VMfmqJXB
+%/rN[fo`MoQ$Xo.%0[+B9c%G4pL!C+p74)URTVKsbgfq]/rcaFRoLd(oW$&B)R!]^%rRhQ_Z3V=;g8qH1i#IoF7IYVE[[AR<Ze@r`
+%9GYj%M-SIuqZlfUE?MhhWLHFgaOtMF,Q.'M<dBL9^'h<0#("=c#:,U7GoD8jZpU'-Vnt9Lj@Ag.;@5g!INU9k9pV.Y1sHm'f97Kb
+%M%qNi(rLHT+Ud\!YBI]u]?b41&=s*Lk*:h?pI?&$A`SfKG=,!7Ub,>]Yp9]Z<2@6:<<9I%<o@aKo(=F>8$Et^.nh_["d)Fj#65(2
+%E)pKsnEeUI-0XSSHg$Q(F9Q>@!+h5<gFGPX+Xh^D+('Sf%q4]i!;d,UI0CHPK[?p<m8<h!Z5SHr0TbLOYlA)INOIO^J*iMYP9kdS
+%6Sm&[',SV:KDhP3a_H3@cIqOB-2gu"3dGguM9%1%ZgZSOe/n.[lt7$/(Nbf9Y7r*#bUl>ddO<`$`CVcCUbHQYf0tc'dFF4O`C3[*
+%0rru=@gD\HIn1t[c(CHcY>,t>3SW/EE0^^^,3^j3K8H)rk71`CY1]#I`8e?6*,cfY&DrS=(:]X,ITSNHOE;,B2E0Q\.td]l%fA0M
+%LD:YYT=ka"WK=mhi`8of;uAo;UNYFoJMPAQkl[4?qck)-PVpr`=&'W+$aP"qr1\X8:A3\6QQAQ)(:,qd4E").\j3[N"?%<)!^h,+
+%"OnuNW[J'iCc_2mc5R[(Ji^9r&B==\[YBRK`$"FS@LUTa"XeXm^,.AJiOk06!U1*t109g3iP@Z.6dd'F@/rEXaQghNW%8(IC/P!C
+%r<=p8P<:Moo48\YWucNZC8ZJHM^Y^3TWmSJI5^hILd3[16'eadTt%mS]S!5"o(n-Q(qiu;,$Y5MXa2\&&;7nr#[4Hl/Jnh5N[Gk>
+%.:Y&P7&u&p1"\BeSS8/(:+LlKk)(9(*[68q@^0HW5P'J)/`d?4O5b=1,#nGZ<hUC/=#0OZ-dZTT-R6:aH&Il'WW3ZNJda@XH/;NU
+%!s0<B(l`$IVh0`R3.aMH1*beknU0CdZ$Gj,3[5?6@/9.:<'%HF4PC@Y2FP*X,2rgj\KT79'pCSlmgYD.X/Nf7JoHN'>fA!!0T8B+
+%itrXo6rB!7Q7LV3+c^W"p`+oR=)as&`9@UiFb"!C@U<.*YsU)0&9YUBclJj+#IrY+N:71GG_eI'Tp1=gjtZRT"XcIO<"IC..nK%N
+%Wd=pL]n-t@ilVK3oG+b0&D97c^^guVVlSaV!D7,2dDbWT,j?ba2Ec-qE1#SA?HLS5VK33p^/bocp63UQBkJq6C;XSj@G9I.MVKnV
+%DO>[XP,($1kSpDuXeZ9+U_N6n*j-b;NY37cWK1h/P/EO,EUMp\Rc]&gk:lRM,u&KK;EDr`>tIs8A[DqG?WYZdLFKXKjP,qfh-j4M
+%+T6L1<HoglGaO#oR]JWQK/0Bm18q@](O"q'3:Ou_js96YMT(a:WNU@a*=3HMk[pFW/ELYXSuQd4k1Ks@`]fa-gf7cP/`.,UX7*(=
+%cm!Hr&&:)kliuRRL9eM4"[lg]:sRk<XoM#<]V#l$I>A]8B;gpNMKpMS!K0JsNfgFB^sNRNAskId<)m<B_j-*`7)]SuGFnF[&%I6Y
+%5eY'\js\Z2?;=PjU5Pcm9R=BM,Ff`_49L3i=`g8%B4WPdL+&?l!Ya#+HJTOV@%;[41kKGl*"oqsmZr,W:r]\>J'0hF_&Eu7T&JbH
+%)\6;a)hq(tW]LV89^(:^<EF&5DP`;p=3Ep*=s>-K-49hT(8c&3p=E&ff'sVsk8rD*,a/X(*fq'!PSW%<a0TF/fW+d"_TZt_XOPAk
+%lj]gO=LaGR8XBm,l)J^$d/"r9RZ_G`ZU3t)PKGW_6MM*X]cgq(h-joj^UGDb/2S;^!l5`P(*c\FJ3#0e)bk9ZA@7dC1]dp3<AO\t
+%&dR>b3"unr#+1X6XRs1T(tD:ep/)S>itVuk>'5jVL.K-''$66'>kbsA6DS"ZLqWB3dQGA<aZ,g[m?*C''sloJ*a5.Q$n)u4/);`@
+%(t]qGBTrg+1j#E+*&t5dQ#phSP>?7FH`Kq;6I]dEZ6c?:`TH!VNjItb<QS&fKM,*LS6RiaVJ?tH%2<Uj+UZUEiIr<_@0Gifa>9NN
+%SAp&I:u:IsP>m<U9UT&uYG,%D)0q`k.C)I+]?)\/$%#MVHT)G'-JS6/[nlS!b-c%t7@IUidOM4hMG1Sf+?%JOfcS$9Pa^qCC($gW
+%77]:X4dk'%A/)2h((MZ7C=#ac:3/&p(snd2?r_U\n:2E'5U95j>+m\/dOAW(HhEJ"o;<?uVdQ4K&'>8Hl++G-JP\t>BL#_aPLY>'
+%ikl[0_*-Hs"9'U2U#"mH)R;E+'0oPCOs/ILN@G*0"k7tIJ[I+S$^J?::YKrfib#`M;0hSuOU3hn#K17G\mh70`6k6u=7H_j*).4u
+%<LCk.Ttk*hE#;tf#tEK7m[Z+VE@*[YbS;Z'Ni_hLK).0bI3n3m1o0tI\R/H@OaE6h7bTuOHH"go'Y2a-OYd1f'9J3P!OUM(0%cEO
+%\-3$aokc"[1']XS8Tn7"CJM:%UJpFY-J:cA5A4).2D/SGlW"LC.!0'\[V\S*2C*no&BDK]T^?gN@Fsr=g'nqhf%KVKb^'@$^6K9%
+%9"90YfO!8,_c&<Q:W&AT324<s]LLJ]7dN(.!8O=W*0I)bS.5Qm%/D,KQmRQh'LN(_&_Fu/0?0AHA&u*`a39)=OKrGT&d^jVRfUd3
+%DCNGjkZ*T9SjjKQSm/T0R0:gqKS+8cjb?mL9LdXZhA%oJ^j;=I"Vk,E>U`$@PnaLh+^<-Of4BX<B#kdp_CRKRTrI/gbJr0q($)&b
+%"(KrD3+2I)b!!V:.h-J.aH;368h6-!6[GUQOjf]hBuCK=UleiSS/TgSNJOZ:8?^+=/soK9ab)Bl`(hT2QAAuaW@@OG%JEV;U_2du
+%r%jKbM3;e3gnU;ZWYa(`>f;r,`ik*@PC_.)+c\pUr#YWT;?&KmPb&l.lMg2i,".lt6C^:Ej[VEXg6;dKPo;+BD!Y1.3VdKe[TRXD
+%c?0A*^'9EOZpNM6:J/WR]?6O!jOY;*E=H$^p9"5*FRgrAILK-#LIpbq7RHuY2tr^NY#P>UR1G%E%N?F3@+a/kYQj/!UVb8;4<5j*
+%4QQ,OY^``"3EK,]._JjTpI`G#=+jbZ"/:m$RO3Y,@AG;I;Cn,?)Iu9,^h9W6>,XGc[9;(Ci2U=g\\UhbZp+27";hPNSnkI@e$p%?
+%TOcPEH)[',<5YG1.g<)1\Yc-te7&>k[:I#Z$LPj`8F-Z2r2Rt\(qisC>U0lU<-8coAeBW`]P-7+P$qOOUisr='B$Yl<E&oZV$e[7
+%A6,JM&88/X=Nt;f4RC&"66n,G!8^AKY$B>+CjCkk&5[U)K).eAl.JlV:i/-n@WE6[#l_OE-=p%XS:55T4WiNB.Ktq,]BJA`_!+Tl
+%T2d4r3IY*J:jBUGr!h9SNo5\k(@4_XCnp<rYf:5<[9N^C5rdOEY4B`>=<WbWFQfh>Y&b)!JP`VS]&.TGB<-j/-+T[cnLYnNi#_Ft
+%6ffPfaU&hs"UR%k6Tkuo-Qfhug'C_8cp//T'uNsl&r?^qB`haKT[Oo91!FflRfHG5Oo\[je^I97A7gPU@Z:k-8=VCYfbb?BXAF,"
+%=?_Im+=kqb6^j,P8s04#aXZ>fLn%npiipJuE"=nNhR3H1_JkDB2WMs"?.n;Vj"NSV`@dc.DPk%Ze_o=H2stXK&!"Qck_rUjG&I++
+%*N,bL-S&Rjf82tia?cN8]eu73&Z*@+HsrSE@8QQ9=<2IZP30"6k-.&4?7jLdlE<t&d]_5/A*/*9TR7MCfPMAR^KD_D#,3i_AV3ZR
+%\"lV5fbO?a^Z2$?HW,Z[ccSV_nu*"i^Qk^;s&g@+^h]#(pg"sk!(1=+W)sI.OFb"6DB3_HeI\SpY4-B`%/8#N?L2Q,fp19t_`G3C
+%MRMR)\'"_(J)@>P/eChM=la[RoTB6gHtnJ_TE.N6'1UN%XgCGpc@i41/@&`\>bD=jF\8ihK$fGgieUDgN\Xb_<Y>3/;h4KGZ3:Am
+%a-iAek/_kb(!BB_'t^G_:hIVW$M$oEW!uUcj$JY*7iW?;Zh4D7V]^,>UHAnAbXS6b3qr)lQhJ%=p"AX"L(ggQBh=+H8<!DfeGqT5
+%F[F[!4Ii".M;4Tm#L_$/WAhgB*@lda6h69M9?8TV#ajeD`K'3Oc23;J%E^gc\G-n'Je$]W.*-G+&SNU_&h8!@j`ISpUu@^\S^67t
+%?9@i?$Y!4/HWY=cISQ-@.dg@f*`dY1e:q>0,JQ^l0Oeu<OZcYdjHop9c;QUW!$]_i;p,MncB)^PKp$)&^1U9KISedJD[,ZW[eBIh
+%Q&7HLQkhT2?4$P.P<f1`>3*VBcqc:n,[Lg<S6i*P#oZeRVoR[*fm_0&_1Z)TA!WHO?in:^:]dgfnj,(`$;J(.\i:q(XJCi+G_F>4
+%driO%20,H($dtCrBt-A34)'shA4T3G,VE4C3Do+%Zf;sa#Z>'CAW(MX'Xbn>2[p3Q"6h2D`@F$jEL3]:<@=ORV:;f=V.HYt['5G<
+%<#60n1aqkeH")"3NB(QNfOoq422"W.RVBpn',E%_?=E_*Yra.'E%+]9[,rFVodIQs%>*;-A#:O,3@l'\9;+u;p(2:I7L.kQfTc%n
+%A@$=dnCa=""@\7cC''KO+4lAbX;:GA>'Z4*-ja$-Cr3$j&G9^/7S0LkC8Rj0)dW'P/$NDF6Y*W-nHl'f6O-_=^ce>.n+?28UJIZt
+%$0jq`9@_0(\al=%?J`AbCmT9o=+/de2cmS/#=Lm'b+TPrU,=Eq+mIA]6.5`U)'5^+P;bIsUXQl%n;!@Kn2f77HJ\VY&Dg,h;re9/
+%K[l?F;%L"-Qn*OK4`j`?\OQ#adkt5,-ml1@Oh/T13b2N%AS<*i\INml7i\d$51q[^lj?Cf?\AO7=X6=PZcu)%,37LcEW)?7kWt6u
+%=$!7$R^8<N:pI70CF*[*X;3[SbY$F$'2=[h1p]b-3AT:42]r^V6,:$":!Fl8,A=cf$DAg6P2.ZWGO4e*"r'A?5GkF[ZnlZ?P'@I*
+%Qo-"f'n`?6Ch\:'o8S?kb#=ER*G'^BYO27``*V+.1!G\=JM5/M=o&,_1(bXSA[;c]`cEV`js;e$UdJ]ZfAs`nV[6R4;a-TF;+q6X
+%1Z\tEVEm)XRK$>&OK:=T-daD4rQpGij;A;-J\F;e%?Y".p&a\Lk,e'++\m4'A2gn_fBM`TauU=/8LPWbdIfnFPb9o*s%SiFr2'-J
+%BLti%:Cdm`ArmbP8]AmWEQUBoHC7S3`h,M-Ci-&?='hB/TJGVs4roimS?DFl%#J;FUbLgi]#0-33tt:B"!b7N+YD.aKp2H58gWJ*
+%c/N/[@qQ@p8H:]TGg&k&Z_B/N!K.[O5cELn,WHJk-gE[H9Ok73_6kK7UO(A+_UC#(W^l``LP;r+MIc>9k6ZT+53$s:PVIlHWk4o$
+%Q]i^qVh.-O`p`/f15?iAo`NRiXL(gJ[Z'sL*A9Cf_-:N"[0E.4bH$?@2h8/00FgMi-j&0=77KqSB(kHP[q``5k?NQ=U)Y:"SdBs*
+%;T/<01NI,^>VQmu"IUkk8('XZ[GEld.n=?3.UC\\`0RIuV%Y2VkB`,&Fri)<+Lq$AYJ@M8>,7bH3W,-'+]`3O!lpEiHq:43Q.uIK
+%:PK\]4WNX;qX7JsMfR"oT+*&e?ncS$,Bn"O/)Lh@]r(r1/e@&-Y#Gsr5<p7Q"-BY^:8;+CkUVo.q5&j?e3>p.ot)BbqtNKLI.NLm
+%h]ui6ZBZhN1W.`PR#Ob9V"@mBE+=pT>"R7E,_!6@WEh)Hk-CcgM%2Uu*e_]1=b$`&#[OBAO97TKWN6(+P"Ljg2))"D>JM4,q1Tke
+%BVG#9PSupl#F6:PTEnssgP!LJjV+I3BWi%(M&8pUciLHI&`oOI);*2m=;g4o.74k)SLcIckIQOeYVcG^"dH]#7`>Q-cP_FW;W:Pf
+%J1+ad+&eiu"TJ[/f<2:9<;44MHQYl\c`L.Y*Rl%a9m^NbIP!p9QqP1l8S(_@AYhT68hHB<h3VQ(R$DDAalZRe"?DIeck15A&B.@s
+%_kZ\NR6%"UMMO_OPmL=S'UYu+'h1aEIJi#0l(omF&'?_g$9G:'Ii9,\)O?Uk.6f[@<Ac=B[8I!?==e5i<bnN7f<AN3Ycu`ZF(!os
+%(qL[kAf\U>`=#Ko=jIEL%j`\NTe^>[]ZBY>d/Z?JW=L9@S&#_D*%HTK#pE)f)IaG51+3o(?ce1J,u`t,rXEKgc6@ttc`mofm&]9g
+%,h*69G#0HGc2d-2,`S<5LslD\$8`C_:AYh#nu.AsKAj,RU1,Y7a+!e]Ac%:L($OhbPg$Ambcj'dEJBTc=l&ks>7]/<U7666pc/J6
+%%cO36d*j.3FU2Zo(G9hk_INZjqfGN_42-,>'qTdA)S6#Ee2hl$5k?"g%NF45W%L10n"4T4Zh4+T0Al@$rpoWdZM`X`i+Kh$fCn;j
+%?bcO3mG$7Mr:0-uRu?$:&cVXdYF!jb`'=:rlg(mXMjGeB4]1`6oL=>\s5u&mobi,"Zf[T;pg<tarj.Ns4%Ug748D,@f:BRMYQ'TQ
+%f!Kaf(t`FEg,t:"/4El3>;,-RgR$jEY.5L$cis&VS7k8e5[sLOIHQFgQ^m=89hiX%s.];KMa7_(qWshp\u."s'K\(EeD?TIYsZ/-
+%#mS+?Z'/E/qF+t<mm<jWCT>$?]1a,7QB1fATBjflJKReH"@:*LQ>@RV<<@Y$e1\qKZ/Fp7g7\.@h^*.tZ.2JVUhDms=o2rEAgHd[
+%0\Q].C]^S6$cZ5nRBZTs;o2pG2BWns8)'82QicqeKo4.5\WpP8L"iW-gk.&r>0oVSFE3`o&o5lZRWO"l:(JpQ7$!URQ+h?8a&^$.
+%_W$ff+-S$ld<;Rl:::EDa$C6->LuL?'4r(aT.T*3VsgO<ZrdL?;C3sYN3`WnG*fO+W?p9@Y1Y/Vq(9f$WOQBRY:5#0MldZ7#A!6W
+%^TRp^2Ip5ffY1X,d8$(hLsANnIrj6"nFnN2P@4\M4Vd3jq"dV%b"tUg99oo:I^1kYIc&O-.E94\0d5r;8T$YOC]^rMo!n30AGc6H
+%<8Fp&e>5[-8d1*L?=Ok@&n',4Bu\:hL-eeC'Q.?I(tcK@oW4-4<qX0\###Yr'_PRI0_:"lbDZ+a`0pa"H/Adp+lLE7-MI7`H\':,
+%6nF:f1:X25>J=_^%YIo?*\/0?pEJAY#`]#-iglR4f\OZnjOUZ?qW`fEn)Ok4j]1BZmA#O,[XfZ22%43nO:?uHhDB5*N0hj8,F++m
+%jj&&bX03CWF>sAIW@9E$e2n9NIhoLsE@YcTS+C/<XI\JBOgsX%'ppoLKh=3eSbA+*H<ZR]^'n.mPktR#Cm*N2ouUag_A1!hNffrt
+%lq,rnrU'^=ARS1B(/"_#OK_#[AFu'tP#PO14`Ga2d&mro[?DrSX92?ME[aa"K-P4d<31=4g@T\cOjH$KN!Y?iMTD[F"?;#)WMehI
+%`],fJ%]#uL%M<IHBB'UKeV;k=)kCI\jrO['=;&lKKQnd&S?tTA&1_o1R._mq-C_jl6s+ie3Nuam&o3@f^B+m["YjlRp6fQp9rJ7b
+%E#4Kj;9KCN<n8Q0<[#t,6.0uHF%m`?%rIaSd-&CBJ"DO7P"C.<0&b0a+JL]C,](@FEX=3/138ChG/j:E;4E+%>tGn6b%oW+-j\Ai
+%E&0(h=i)V@^R(b+Y_cYts5=?5>UiJr7K$R%gX,8>q!]4T-!-dBG&^3#+uhIMKo/7@!O"cjFh?e)d]Sh1;AT,-\%uVD)2Vj[McWB$
+%9S"Qq78%A,*P7)q([%%TJEeS*'K,I9Kqp>9Di:3\BMW:0CBI-1&bt,%`!OJV7LT[P\1*#`KRO4YX<cA%*YN7MNeAIe_N(@i'nd8-
+%/Jpa,"XN_/Rg08p`&-&L-#p5Spp=SV!1P,$r-Z+J'C_>l1"["_X-61+%*=6cK`+9!-EIF:KB0Mi<m\)?']mo3)e34ESP:p/eB-2\
+%:'AUTnksU?H0kb0mdVm;NPi3(.#p^QAo"'l%ag^mXPQTiV#;@-CLeS&<Iqu*aAO,H=CdspkY+8L%DHm8JtI"s9JN2k,+>Dg$YAf$
+%kC0st;pSiHF=_^-=$A#c5.fRV=op#de/];m>7PgX#OBCTcUg?g))*rh$0U#I60t=?:c5i`K#8V9:iR<FM`WSpnE8MUQ6KlZ.\_Ks
+%AP\4)-pgY:=WUZX/)5]a7&]g]+Ah5A`I4l8`scZ*Co&^MZ1)-ZFU@>uJgd"'Z9m0M82#$_3n"@u[r8/IRpup@C"=+!PelLQ`g1_E
+%2T0iF^lrDYUUe.T:sMBb)GFTJO&1GY.Fa'^=LUPJ8arUQRdOE,P=dqoBZ1`#EsNN0?B@K?P7k1DLS<\XUu6pT:[t5/f80>b$Ag00
+%N.*/fXb+beg/i&e1XYEiQ%EcqDCB.pGu`PqgiFkNJ$7r8=LXR<A<Z-Bo+S,?9a1\2XX[F7\@bFOG23=@PPC@t?AF8-0'mM@m>aS$
+%DI>Y83-<)XL8RG_>EBE*=qk?L/e@'[>F;Nk(-AWM/L1,?]%'NNC^p"KkV9p[12(WO"K:`$9IFeP8Kb;#2f^LoWkVL`<_F*c=K))-
+%(ZHD34i`(TSFDgWV0^X^P+ie[`,(o^L+E&[KZ)I0&Xk9(=;+:EclUX)NH5KRL9Zk%H#;Zkb-p'4LkrFm`'s,WLdkO(TBi2L%B+T5
+%Ket$U<b469RI,U%M'FX'!KE'[+Q6U.FI!Aj(Fnj"""FVg&;63RAfS)0@!ad_ZBU0Tf[OHg#BJm2JG*Jh`Y%DKhOItGEG>_n"%n?<
+%m+WYQ$$s3S"IQ&E+>QFG!3L=jHM#KTJ$;@TXj.Fu@kuD]`a@q6:%k8]eJ/gjc&F>&X'&/a"9s*e,nXklM;KAd+(;K/oImdbnXdr.
+%74<sUTsHW:/tNFJKZTo1"sF:h%6/XmL#2>m(L&Sf@673WcIIWN1C%RgPpm"XL>j6]nrf=qX'&?3lTn]@5F0R<NKP>M:X<#/g9Z`L
+%W)6RACfSB@ff;?,eRC=&iTr9,`dli46'Q@``ENF%_G3RP%Ohc7hpm\kg'6&g]rkX,lnGm/D.on^_dJ?JTas3@`<0:[/JiPjWamK7
+%&1@p,No<UhE%Qh,p#((O&E6nrQWfqr34\ct=LOYu8rnjKJoN_*Zkl$Jn,ah?PB7s\ILIO2Tl1mo:?D"OTCaZQ$ssc44')su37U=d
+%SgEMJ1,)/#BJ!@2icgZJ]^Y*`H]<`BFjdX]eFR[p?>,+Xh8N^;p/`_E:a/]K^(JKB)]gp'4)R!k<V8f!h1W8h>G[Ya%U^b8-NL<#
+%DWWfD3jJFfR0uX%F`9@*q3aedf2K-@W8snlQ5$1To_-_I3]qFE5<kbj9sr"?`TDeajs;AN!\/91/^M'#`OHLc%poH>.*>Z=6u\c\
+%akR/Y0B\7l[Nsd'nK"I!njtfn=Z?R5hGf]]_'OoK*+$HWErTm?RSVkBjg`@*HBkcmPP^nM(`nG[cS59klM2Z6Xq7gAnZmG8P[k`U
+%C/B.c.<3-r46B8b,p0DQ%8[/Kiamf17K`VRJuPKc!m_,e(mBhRn]i$YdOH/c`>9eZk#;^U=D1A?7XjUDS$S&9iGO:>/^e??W-%_7
+%1\-?fI57ppllY`4S*;XN)hNaLG>Rfuo[c2$L63dgIYY:[DUNV]fP-Op$%h9KOKb2(D1t,b)LT%V7+_PTE`X7C`0n?%N!7NNV2[\K
+%keO9<=9UT1OIBd18Mn6N/*R&i\sUu^:+p+DF(2II'1s-2MdjsXIOf9;$>aCNa)`#gdN?qT;5&hd]`d\f=edma!H2He)f"ngFe$X9
+%JPM=[.)]SS8qj:o3=LjEiR+[21XY:3D'`Ygg4tFj#<sal1!SCEj/I="1^b^pb,9FVjauSI0&fePnaTKOQfk>6",s%=%ArbJ,kTFr
+%6%@,o?LUk`i]Pg9-q=N7`<e\`%JLHt'<)o-"RD9m0'GS.Qpu3t$<8C(O&""@&IR6.c.P;!@-J5ff1\l4,]l6.ge8hD<9t;nJXoUM
+%lND1Pk6i"oLNp8`W0t.+l=)9d4[8fp1e&_IcH^!EXeT1Ii+u&OQn%c&k0?i5#ITKJV)DIA+%1OGUg2N?cj-Mj1I46^oo=ht#t.1D
+%ju0LK//BId930DK-:'I`9FAr$hU>*5gae.L/YL*(:_bT$b8:O+67#VCJ:!?T52"eFb(Nfg6'YP:bNoJ_@iKA-n<G@fe4SG1(I-Q6
+%^]L.'r87]O3ZDP&("'M9Sg>(UC+.\T`s#$#U3<;^7T?EodR#F`gc%L*&Keu!C[)rG-M>k`$PWp<Bg&^F6Oh9DC++LG&Rd$A&7MjM
+%)iC,*"#pQ(Cr%BgA(W3BjsSNF/gc,6GpF691Rurj@ctkO.W9cTk!0?pr^[L^QVheF"F$mqg9O.)0g7R*g6I)]-1M8f4AV[h]d/X-
+%Q$ZLHWI]pu"?-koGKg@rk.a]DnYRa#m1nXJY`O@@&PO'\<=2Ra"(f1Hd\161)1('L#=e*I@/b^64!:AEMem;`[Oac?RM+W$>ffnh
+%(0qd>^W.6^]/o^cN"r/sW6e1k%l\g0:A*aa,2a,rc\"OZKsno0Du;a7(_lY+gn6<B@]SdAajBp6!Zr<e6!\8":=MOL\9f/%;NP!H
+%"XK(^=+K-r1qar2<c5oKbk,Gj^a*UE2n75e)38s3SWJ_5[4WNu!rh8ln6@e;OS`cVqO%hF=Fn`gO/-3!^u/QhmFnC.Yi0Z=7@8ZS
+%4E_'t-3iT6/V4jccp5"sN5fbG=-BE#9&>4O:6REcB![8(n!8V=<'eg\,dMZkdQ,0D.B`;0`QgU%\X9D,gW&#lo%<qXl(E#EE"W"[
+%r.>07Wl\:%#))NV8>E<,XR<.39gTB_@"hXkf)^:VJmY0:pqMo-d<mZC_<_)o_dR^,3FkgP&.V#1W&Zo#2!D:G;s4=[M97uE"Rp3G
+%OBU$qF3IX;F,1%Z,g+b9^gpW?H)d&9KH)CGkgD4k))c79MlUeDYbP*U#`pGV$>4o4)Gpi6+_`q<[Y\E("^3CfEh!kclMjk'hPWr!
+%0`e]64;;*741)%NEsil5.a"@9T0UUOESs==eH+/'JJ(-8,,4@9+MN0.Q1^g\I7'?8(Db$ML_Hi_1]>"<N>->%_ASXt=0eN<K5'_P
+%J]M"Ns7oC@3`jjZ8;e<EM/bi,-U(LNHd"*kqD-A>:qP&CWN>/$(4@]4O>\j,7V(SO"6,"HOSJ]braK9u"/2QaY?>`,Amh:AW9bP%
+%-/pGM1,KXZc^0UsZ+5"Uq"p?W&HY=KTR?*?k=(udp00QhU,,c6"n5W-0Lk+);/'d'7Bj6h)R+TVIQb)iV.0W7-<,3?1is2lMg/[!
+%CH8.\?5WHrYeQs"Eja>GBndlC#ce9O:8EF5c":Dn'&euUXrAu+_?5!D4'AB4YQ.XBn6=V+$NjL,I\_UOirK[2b_pu].sB?W[R7Vk
+%A.r$iYS[II`DiSdILDT=Ul8mK5j%_^$?[LUk%4ubeN2(L#,og@-,'fr_@H>'g&]2N[A?k=Zfnd%%'"hSAS'VQEu$-cYZD4Z.eb"_
+%=>[?&_^\PP7TR@J(K(dlA.O;p.'Y?$,;!]IAg6\2,W$W-+0-9Z;522d<"(>"Cqk!#%a[t>FA9V3+d0IiTQPf(Ke"IXjeG^B"/;E>
+%UXU]"@pQl^E#VUoC6&IKqSR`l&W.sn,o.g6BO-@Hg<e4IRF14"UEpo.b*p?s7`f^M/Q15o88)*=X(*0p1Ml?-Lu&!5iJr^%9tI9-
+%Ql9X_f'`/1cBTfsnO,?@6e-Ojl79G'kL!.Tm($Uc#gmJM`U44D+.sZS(p>YrUd,Z:>S>?[\u^n7:$HJ.,E.RAWYT.fiW2AJN3(j4
+%%bOTSN1i\hV8MjT!,iPAZ@VgTcbr&/dob/>6WL1^+`8#J'Cs#g_*ZN+=.j-eH),?dZqA]hKOe+0F;)/;,GG_F[gpD*Dke,KSQ,1r
+%S+T6m(P[c3P&(a6TW0qbeun.F$cY<oK;n%_gd&?UE#gQHGpDrnk^!gV"CS)8h$,!+of^T8#bDCQZ4=iO-j!MKp@Tg^=;_j:q<4UE
+%/r;I,Oc1'3KUO3N/4."`?;X4_AG0$%L)LZ-"t]OE&%$-LQQ"9ePGoc6O5ikbhu[':FE@H+9`,s$^pWi=dKc]+JR7TK2Rld^iP2G^
+%?4Fi].<d\rTC(B<#N++DBNKoMT=_./&&2EJfL!*CSU[a\Qp%+eN+!-)esRE8L%E1"B!R3U?@FVH6u>E9FIcgho'X1hna%l?!6#=n
+%D#hVN6j=p,XnCn?D7e9"%YlL9TtiGk$tW2&K2TiWO;AIt!fUe%=0%2Lq[DJaSTaZ2M7D=AA):$AMoiate@K?H-.+J#0X$n=L%Nb"
+%]Uf^<Q3cbXFoc"P8mEpM-CG0o1#+p:c:]ufO)?b\Rp&QHC2huENSs&J-@Rr>K?(k5/[Wl^iN-'17pb?)AJ/#mSK-URDf[=fBR_QY
+%hb8_K:@o*kBn0lfnEL#\I!Q#0J\5`*8W4s0?k,XPH-J`:#<"hR>+>c0UI9ma!,VOK>_,l%eFk/(F^dR2kS>!7i<H6(BXA^WCW[:u
+%^\[G`4e0G'A6?p@Ho+o'A$oF[.?gK9+m7B%7Np"k9_(YE"(d>0/65jQEL8"2GS+\)m^<7uAg<%A+/ROcd,GgXl#,Ege_$Nge:7af
+%gNqPgYZ7t>m+!dY>3aUHDDa+C$/HB?!d^,Hl:1+m6ZnRE.Bk`[/JXW%#aX+qME;DTZg^-$hp[:7;p+p#,-7*K#%p0j!"$+mSY`V_
+%T:U846@,qEjCs1TJJaFp>D!2cKW&f_NJs7,YZS*%AS[,a-X-MG0juidTSHJ%.:^,"A="K.8*ik`^=6hL0ML,9(R<UX,$koLRKXJf
+%94U_M"`XY;+P7[RK&K2j*^a#'_:f"9V1l#PKk3_aQI:i=Gh]6c8kSM((7/,76NY+C/]u1gj)4,A&n*8(\RD=cB$!.AeL2A8-_URj
+%HQaSm.5!J;1]Y$fP_q<gjA`COoNkU2a+>3AC_0ac/7i!m.gq[P'APjCe9E1[LbP=;BU$\pac<X[:T;F1-3I3;MnHj7QTA3cSoYR7
+%Oa8:rPGU.0?d9N&auIE5,DNbk=M+KV>eJip5Fc!oYd.DV-V"P/*YX!-PEo;fVB("0V1goi_g.&Fdc9>pU??N)"\c1p>?VoH.DH5d
+%T*$:>N2W(S%H_o*YPr'[J/i%Jg?6;f<L2IB@a1s3MdT'GQKGS/<%#RG,_4mAYf>Vs#4h$<AhYISSY<fR2S&>P9T)'L\N/)'s/cEZ
+%VInt1l1g-K7WIage<u@/a_1(hor>\=:/)]HD*T3Lm+mMs_P3HS?m;=`bq,KO1PhsPDS?sH@)p*m@sQ>Ci_gBDJSQKU:`Vm=<M@B7
+%%=gml[V/;%e83)r[DSY$T1"7)N4ZFLBNkQCBi4@`/C7F:=:dWTU:Ir_(S<2I%h=FT[r.)%Dq#IRoYSOiaORqs>ol-+I#@&]WY*HJ
+%Ak1H\rB\95Br6@caFL!`VECk1/?2uq4Y>T:=g&KI[T##Y66P5Dg$qj_'hE-f/6C2\bA0!IC^<ZnaIImGQG@2W\%19((32$9QlCQ`
+%`L_7],:rNo8u-256"1n%+?0b&2mSb=>d+/f,7si`:`@XfFum&k[,#P+Zttd1P_1)l6PUs?^^'e#p[EX;DN@8^h<B)"a_?Dn!;iBV
+%Qjq:pLGDDjXT>iCR3W.JZOeaph(5EqO(\M_*!M<ugea7D4lS7u3@nj[ke/mYd?4gi81kGu\t^1JD%DU,j;F9@7mbs5`_KflKq2$l
+%S]!>_"#.imY;j12^]H;&Ajo)tfPY<O\+"Apm4;I:BQ[^;p6Lm"X],H[]@M4NreRqe_7VAbe7MTTbPS\,"S$u1$'/b4Sfu!;J<?k>
+%3d@8+gd$2@A6C;fXWsrlFuef,+i7T=8C$FBk!leqHHc_,MP4E\^ck%'T0YZ`*l7,hK7:rl,VTI<QufaBhM,"/_gn&%62P2J(0<0>
+%E&2iK2UI;D<LCI'[%tRO`)\$+O+f8OfV3r!`Y$@*k(g=D2+q+0W$k`%F3)LY-(bP^eX)S9^UG]\1<j<picm/A][]Rr,IBe.[O%\Z
+%%H'b0D(T+LLaA[o+4`jf/qTp10C*I;@nQ><P\;fSL'4;jkD=aif>+Z!1t@fl:P9c4=JG<Xd+n^e+tMHb+@)<Q^7<oKCS!#IH1N\V
+%`BR-kf!J,Nf/Z.%W"o@ZEQ%IjPOUt&#opOA9273[`Ig=8I2Np:N#hYTqNZkCgfMrFQ,&$jZYPt+=>(f*>G2u#QOD@'Y-CTS1\s8%
+%X(VIqk'l[(N.09,f84>\h5:b>_5=kg/"8JM'>4PopZ/W9G@#^bJ3@E6I5r/6f5QgGk'3rr3-#m$4PZ.k3L5Kt,Lj(EJ#U$;KU7/i
+%;_ii<eem\1F/r,_&RjJ`_/nq2Q;tpfJ?E=2Og?@mkYjsh()J6%qebQ,CGLSk$@.jinh-L.N0\mcihY.WAt#?42%hlm.B-6f9WJ)%
+%TURqo=GnJV-RBMe3^4OB:SrM<M%b$%j@.IJ3\,GH]Jufo?j)ft#5J`Ff$](LP1&::!)[#I[=QuYPPLV?5te)s&8@X=;6uo<:V#0t
+%?iio=B!T^H^tj+L-H(a5ZP7r6Dr)oZ;6(S#+G.5%)U:/k5Y`Sr0K#YA^/1d^hTo)bl0UoN'@[UUP=m4DiBsZM0Bqr17>g0HaqR5q
+%(g/D&C>h]8Q;Ek_)"fX/Tp&`i,1O1p/Kl.B.&Eb^/"%Ke(q2kqXN=Bna9Oe)Vd"gNh6gRo1m"Qp!<&(,'?Zj.Rg^T4AIVnaA0\jr
+%:a2dc^P>6Ukc^Lo!C2iAZp$&^LigWNGoq`p72f9?V$L1Y^<Ch:/-VfE7E>b',kWYT3Z^mOlRPT*0n(_T2iD%A3,>TP4[XKZWX@ee
+%G#>maY:JDL*d%"Z"O7uZeWukYf+#f9qPAdEB9sAcCboQu%lb<CS@h"#H8/GT]&^:VO?SLQB9W:ZFq+p>%M19.0(_sM_"p=8.4X-K
+%Mopm_V%L\!TP&-PbpjoiIOYHTbRPFG&<34'<i6;'8k,\h(^W"8+#=Oe$83Y9QU'"OeY8#EPd)io.m#?R%-`LdGQeWd>e=J-pVI8@
+%8@t2&#,Apl)eV*s5,g(i/JURI[`Bg(MsG=ol;EB3e\@a*e7L>\/oKf@6Zrp(%k0c/!#e8\mfir_1TKZ5[t=dR]M`0H`"#\QQXYE<
+%N@L(/Z_o5uX_$T1W>PjMQks@fAcZ[]^`-A(>cYOB9>d,=RMls&YS#NM(hcs$K>17Iqui<WT0P.dk2ZpgCpKSDZq07$EGDA_7ZGAf
+%I5^3m>D1)S9]dn$E[_mncJW/XR[%S<R>[dd99Mm_PM"JI<7@OmLbWQbp]eE0V.%q$(cD<p?Y;XKXjA8_1Q9WEXj',RAc3dP"fUpq
+%/C6Q17MN\)iTI'JfTa_Wot#N@2-.o+W3RlUK7e1.JD5+&bh>+1[N1S=oke^.Zjf@XeXSOgP_#)OD=/9AD9tp0K--;XO(i8e92uK7
+%L*Xf($_C.Kf")IUoijLlc"JMg5[-[EZ9>)<k,+itU1ukF</Lr[Z:IT[*<6DP"at-N8A74AA[,dU0=<:9#b(o#bmL[,mn;,,88>ba
+%U"B!(3(0j9q[I!s"cC0O\7IcW!#/;H2<@0Kk/jS9WX#sY5C&gDQZ?_+G9tbuJr%9%-]<Cc`)N<\S%8s-Pb\Jo(,BsA.\T!fFLV0N
+%^R_&SW%1RWng;iDoQ&s^G,DR7&PhFOUtuN^R_hLlJXA-q8URO;=X7!'"`V(Nemub!7QNsG$glZ*nL7&2NXM^a>@*?t@%oSen"soH
+%q^pMOA-o*Uha`Sjc7JMP;8E-h*,jJ'G83S8=_.R?8`JpYl\]a+8;)4r.!QcpJsH7`aDVC`+b(Fn%]$hp99*T]WE5PBJpC;'_.6.6
+%qmXarmIZ`O:E8Oei7^J!31C,s)(<U%Vt9AgFso+CD>"@KL)e)^+\33^KZFNP`dYs7m-nhPrbIKb4-T0Whqq]=nb2PMc/nV*:JXF'
+%"P_+Lq!@b4d_C#Ss7F:&s5g_VYBi!srR1]:jI\X5j^3K2iqGAb0D^1tr+d)I_oXRHGgkFBlcIKQIeE!;s4]"$0B29rLQc(m2ZD=C
+%S\9?ms6NO1q6/Cgmf)79n%[t6qrP#!DpQ/TrR$Nf]tOC0mAl02o8B7!Va$gRrVW/.="eJFY5-t)F*[cIo&ff8G.2tL_E7Yfo/HE'
+%_"nmsYWa['lFZ*MnuK6</md">r?&,[`Ah`g?GCp]jrku&`Yd([];,/dm.J>9D_M+eD4g1`mi)[tY&7`'45IV4VX(]mIlMq!p,DjE
+%h#e#=(sTA(GDGbcc/kGdDuOkSlMe%nhgE6^Ddu=^3rY%]IJSkmg["[[e[IK@0AgU:o")KJD]-:!H$amenLq@ahgTWl^5]P1]\_IF
+%Qe-"7ItJORGP5qSDn`op4aV6khp]0N>X.`ik5O4Y'HXq2n%Z2Y[Z)`g];>Q,U%J9O]062^o&Z@KCY!h#h,aBUh7Yn)D_<[BqTZ_-
+%bB=)@rpJQO0CKjrYQ"4<?bQ=0S$OdH2TA$Grl)ZDq"O*t2toN+2dcOH`VH!1hn6XOfg#?+c.Wd+M8s^N"Rj"]IefIkY>7>H)GEB*
+%_=[Ef=]Z_QrVksMp!I=(QH?LrMrt>NR*ml^F0q<p(=S??8foX^UW)l>Vr25C]s%DW/LIcj2Y,?>/Z&t\9`K/,p@[apZg1u5HM^Y=
+%pnKM<LKPO&XnR8XQGu:7-U+`g(s'GRo_QhUhd$*Hnr3SI"0jKHG55"Hp`I6LqXqgU)fNVaieI@1Nar$=*/s8)mJR^gnm3&Q,Nn"H
+%SdP>b?6+,<?2sdH&+17k?C\cYFa!Y6[&2^WTDV:Zj3?]YRhlU^1#L1AEUT2Vm@(5"gK=Bo>>D)A1S*DZT)Rp0cA1d\rVufb#5c:Z
+%Y1NXMro*7uB?+*>#LMMFIs#ZLig&AlVrp"BDJoL=]5Q96P!?KPa5,Vje(`W\cd"2X3'Y$)BH'6$h<jdYE:aV:kJ)LnF+&',!,'8?
+%`jF@dn[P1J>eb`/p4.."CKPYe59@<5-ZgeUC(O0u9Pi'KnEC'(5.X,[lLN1AcRr:;i=G!KIk4I;NSR?*51aGVQZ'UK\p1QH`E8`#
+%j`pc?c+u,)iO1H@lKD!pfCYf^FkuM/4anM7+*D\'lh;IZX`Q]gnh'ap`U.#^MK`n+X7UmZnHHW+h:\6LrUR3*NXpO:\#$c#@.k-0
+%N?86HEuMK=Ed32:G;FYs,"s>#V>l=dA2Z6""(3n!^A-I%X"V1IH[55=[aGOI4?UaSDJm5fk2t4=?gkUQ2Ja1J`4,:L6V/>69>8&d
+%FgdRF_jVTkrsc<"A_=oXh4D<mI![O=c9L&SFu?l.3%akL\<&V#7Xs]W[$CUiM-iUhfgVOq2>!T[$,>2M?Mn>!`\tCmL^`'gDDs?D
+%qZlkEr8[$B:k[^jo"6#"M78^@r7+iNrZ<>FGU$_oJb"UUJu8D>o8"LahJMB%GfkZJOV;c=%rV-hps%pdDdT'+?X-lA^\Q^=[p+5?
+%*dHSF7;4]#hgWqas*c*3B"%_'#35etG9]1^?Wm@,q);s<f,(X)\9N.9rW&_n=5+S5I^aO<A<._]^MRI_qq^+S[3("]hT0#M%1)\Q
+%Sr2\6X8h!Ys6.0Vk@P0^X*=79__E`$@\H!]WS>K;G`nf1Oh'A!/@YfVg'd<Os51rTJ,28,\W(T<<0+ViIU\%^jc?$>?XBirhV[W&
+%q=WjM=8.&L/h[-9,JFuYn(kCZO+,D<^'C6WJ+in<4J\P9n*Jf`S#[&&XsmYig\j&i+,Jg.3kF>c^A")kH!\*cIql1VgHE6VX)dC<
+%]=A^kq=@[Sf,&'=6%7+-hDsKVkARQ\^*@a1E-tr0jITQKH"Sre?XCIWr7enp\\2AmbXR=sS_hgihjiNZO$n<eh:_NA3@rbC*ToAH
+%d(!.Sg;k,<ZgT9HrMto_fh]%5[\Blg`R<D[h!\GcO'u&BLr/]hZRVMaA-kFc(rTIPr^ef"[Z/!C@1XA[KW"\scSlIS3`_ml]ZhDc
+%nK!/l)gsW9o&OZK]RRLXM"?To=.ZG\D0Yg4%trTZp4!D\@OjP'#_Z:tf#IoHfSFfm"@Bcq,ri]MfSFnCa\U_n0&3?QH5i:L*t/G6
+%O$JN'C:"p7]:XJp[rPH>Em-HtpRcaGilH?:"MU_WCu-PAp4k`uRgEAL@e7;_eq1g0$9p*$i;neM>N(9^8e$W:FT%'/@X]h+s/GUI
+%4hnOQp$3'<J<(H?Nf7[:pcJ:;n8EeM9Ks&_bLq\1m"&\-O5H97\UT+HX81jHVW(/2GeB]0(R0oTCh"#\\=b`8'up^IGX3?t6!`:&
+%XEo7XW;C9R>/P^#TDk5oo;FkoYG^FR['f46,<E^HY,@9'`.rY%D&q3sR*bIpYQ9dl:&d1CA%AUHDIcq2-fk5uOLgFRYdG.MO_OVF
+%:WNc9drTkUFgF[jYlU;bLI!WmM>o]J';,1%Fsm6<54AO-s520"5FcP"E&6eMaXfic^]/.n3jqFBoDg'T^D14:".4%6InO$+gDIqm
+%$0U`qG%AHM1?"24?q`P(fAbPCZT#Y0s5(?"IX1JVjn3rmo:LD!XQ,oqV#RL?e=cbr9@c7V@q[[AE#?<=,IYr"q#9G8=5VlI?GE$p
+%J2;V6+oL<d7OfBBR;ut&a5SO>kaRN[m,b!,2#OVi>jjE@n`_+]NFYpM3>HIRGLQX@HrJ2.PL'!VmH'gUXtJRIjf2LBEW4Qn87FKA
+%[P7dIkYBa]:@72Tme=<,L?-ujDC9RKVsF'uj/mDd4Ru3.-DNaN)0L;0kVa+I*Y\tYj5o/O?N'EEg%SikAM-4H7&BjuX[b6\id>s5
+%2tFO2qL"6(rd]4MV\?>rbtKk8i'-&F`]cj@pGAqQ">,Z,3f[([+*fid.-8Q*9)56aa>$;tNHI3M.C[\$:HV8FS'/"MIf'!$"jr8#
+%@2quaS!m-m"T&,WeZ52.56's9`PqN5rFB5^hVYEX^YXA;\'(7B(N2LP]m0AKc0a3WWe9fYZ]/;UG!A,;innS]lX0hZ=O?PN+<:oe
+%UOdMDOPYnHoUF%<P1OVY4FgQ%]dP]RYPKn77&_aWnUW;R]Q7`acfN^3#>bu?N=<c%qa79K4j<&:.4Y<Tk2N-=nD.mKDJBI^-L]^D
+%YP[AZ`C$YQCkN)hDO5R3AXVrK2qNF%Iit,<]jC0l2Z;PrBSeW&TK><N4.$9+?TSJW2?pSDo1,bc?[R3?hR2k-UUT@6osUf;7D(5;
+%H=<_pdG&^6[N)t4HQ2A9D0bTf3I4n)No$(s\)gHoc2BQZX*8[a]j$.[B@2(<D;VP'kd?j-S&qQ((`c),n[J9(^u9l>o?Vpd[OYbs
+%n@3:G9RH^ZO6aWRUlF.Qqu&^srR*:GD%,_QhoeNO[JSA,c'oZn-_I\k9Z_eAL\oW`Rm3KMY.cV4aN<9a;8j3op9k$Ga&N!(jKh&o
+%'n7Iu\>Q.^De7LlOG^f<Y!4fZs!)j52R;kFqNu-c8Uf)L[R!Xbpm,dZC-'ecHm!@\<k<aUQ2(`"AN'7.IMA#%CFAJ^#MP3&1+,Ra
+%R31qd4/Q_1_fj\*F*Mm?O%FHMaSgBLU@TJ@rqc<,-D;Uo3taL-Ilc/i(G@_SY<Ku$r6+tpA8\6`)g-8#lYB\?k.:QdUFl#rgCd`(
+%2'-.)HrTF9fsoZ>C"Ie'c.U:0muBN(5MhcNN4Pc)FL6[\G0kC>?6AR-c"T#,VB+0pdIjEi6!NUMd1/4k5t="MdnB0Om%A]DhG^%r
+%[Z(UK]6j"[HFMAt^[Lmp]??NO8/=j9,Q66^hAsKm(D"TEr4.km)$Kg5M^NiQ2A2T@H3-"g$2E!(gTTJJ]!u'@Va&V3%/8f5kuJio
+%61WRZl\jZW?MsQP^(8edeh&V<I!p?_FY=HtfgaC<V6b@NnE/m4mVdbAS%?1@4PnDZE28!Z6&0HUJ%9q!*pI$\6Md$EJ3;r@)M3))
+%h:(oemFh<)ZWFoV\_KfSS@/-*\+9>a9Sfqmq'#%Hp@Ns-?JcdOp"QN3o\K,Jqn\t1@9$G'GW14rq<%UE5@)"7Ik]J5?gu+j(t+t8
+%5;mP%^6SKjIU^g?Y(NhrGOZM4_Z.74m(`kmRB=^1Omlcu6[1<D_rE]9KD^LCc8Lk^Gk<&+lJBE#78&,OhZuC_*M#[*NA:>R>.XU@
+%eF\aY.6`24rR9.0[r^JgqVk#K0A_1gs(iWQn9DUb<dOa5["[7,rsqD"Ch=4`TIjbeprbP'NMFa?[$a+*S*=F?ChuUuqE_3[NMNcW
+%5Xs3l7WUDTN^hLFBNc@od:bQZ9h1uCBJ^`G1i:1iHSh0LBJ^_Cepe$:irdS'HecTHSV7oFRsmcBrC.3kA&A3,;J/56K_tYmp!(*l
+%dsF=48)glb&dJ:-e]l?eqeF%Cc\@<HY?X*^UJ83RK[FT5rV]_%^SX.>Fk?WWX&irss7Q2ELi0pi42617rBG/=0rr4fGW^GIjt"-A
+%,P)U.k#U*o,P,M2mN-i%C]Vj@['^q_s8S).-$u>N0Rn*r`CEgLHRi5)a1C"hDT""#T'L94Wo2g5Bj,Fi#mP_P,Dq4oj@m7fB"6.[
+%K1fuu@mk[W*[,PF<nDa="1ltA]7YB6Q147Vfh>TI6$:&Zd#**=($dOgCE$L:W*p](//Wk@.u!dRC0;XHP(Gjgc[Yugk5+'<>09>&
+%N;\3da7Y!t?i/YCC+LH\p\LYqRl<9f,6i@E?L(DQE,Ve9qT"R']Dl\cbKG%0#/?^ll;+>_^Ce0K.Fm@c1@&q`lh;IZX`XNHe_lL,
+%fgai(D2mOHce&F:mGh-RR@EFI:YAd[re.1c/$JFUT!GJ?rNT/OYmAqp16]2*M0mD1J%4gK`TR9jLsRBtmmp9\-%_;,=(;nIoqQ1m
+%4uR<!Xi.V2I\)_#3$gfMVj,$M^H:a'h3WW!ft7%E?+p8GDW-*04a?pcYl,n$iVQEhefL$'k6?.grYtUMl2N^=09^3^O;QE@:B&:"
+%Gd'>Hk-+j;L'BCu(EJ>75+n\@LQ.c":H]iT)p/'c\N^,pF<d*n;_mi<2fbi=SV$kR7)!=?F9;HK)1',sT&YfE\k`Z_D=qfFFFdU;
+%LH<%0jVpdSIHiQEhM$*>6L2*Yf'ra*QJXt0V#T]Qm/$D,mt#*>[r8Irs)!\Wo-'^&2eQK7jjb80R^d]oIZSn$S8?-=I&G;OUK-S@
+%l!KH4l$`#rBD'36Ch+drmA4/3pX4EG9E%;kQ@;5%n1X`srpAh77TT8Y1AF$rmt!Hc5Q'oU]n:;iP1R\d>!>sT_%BK<"<?/309mUd
+%c1^o_Q5B-oY?l'U*p1Z=LRjA#iu<Ft2'X/LEb%7[Iq$ff]TrI<;KQG*K/fOfaT&ubH26(HZ`Ulta,2)hT7?R@?i@$L?iKZi9<10A
+%U.g_'It)P<a$(^0J2e;6Y:om$H+j-2c[Pnr[_`"9`V3G@h7W$RI=(\<`U!Ql6iYB$r2TeC?bZF(D?#+bn<nWhU/*0)=n]8qs/5Pi
+%M7)E.s8$O9'E.%irdXjLrZD0n7GjZ3PM_r/TE"4P?;a/jp=X.s;gF[-S5*7-oO"_k>]oStH<\j_83B%N0qOKN5AR55ObK/8$fa&3
+%@O>N1k,4SASnkZ]b)sX<=e4i"6GiN!(29Fc\$pMN+8fu(eg3o%FYO+!Z'oHlI^S7*r`JcG^T>b%%?Z-Vl@7qDBqY)IW;LAu5Y,#r
+%/L>[Z1mT+P(nR#Rb/q2;2W`N)c-u;9pQ9H.q\QrT,jZO"26bFlb>VeWI9(B\IVGH.JnloTI8t%5#$`[Br0WB8-N!_IYGm*(s3/*J
+%Zfk'?<M4Mfp[l-0cU,_WI7SK^(nOGRdM-pZP:Xo8T1un)/b-buS$$>e6`?99[^G@&$B@1`T/iM[J)6\JDMh#7.eOP>RI*3R;fD]^
+%r,&'<l?F,WB=1JH"0U140_d>9""o<N4n*@+,l0]n:eC$NiWT7c4u"A&+uAO4m;;6]#qF.tY0oT$isEGW\8P]',/Se$ZA^>*YP)TJ
+%b7Lq@I$!`>V;`&%>_lD4gqGHHhI$mY7fs4Li3KZn+to?WI?iq!En'NSOQQgO%:3)@c]?:E?\jlOr`CXV(8Bp))7/alP%E\IBh/OT
+%F0T+jHq[7pdmVB+XprlEKsG^qTuE(h'Tu.-haHR:3F=?(l_4j\D%l"n/\ZAR9&IiSXnH$d*T-*ImG#$00>3okO`0LR:4@,uG?.D(
+%ZA*#69gNr:ErDg);V'LTo2R-#Y:C7:B>12d/!312@C(kDaBce9;6sP[I2BH<)lgB9VPl`1>[LiEM4.tJH;Znu^KPUU]$T']Zj0NP
+%p!/S^l#EPs]:7D8o<bH?G'WQCPZl^&&\Zl?)g?RRq?ZqgipWJF5$_$@[60XaH<.qJA`H7NXaYK[*q0-ZYIKeTF?c+7.")V$.EW!a
+%f!jt1MQ8@VR3pdb,RQDeYklil9K]X,Uos2:Ph`n:ol]Km]_3l:XS6T3ae\n#;judh8c=b7htQBV;4jc;[h\pDJ"F;83DH(G?H#73
+%-o]5smuk]XQ=:YB^H-WIas8Pj06c(P^"`5h"C6U3cZe9)rZU+_G@-ZMZ`;4JmOQe:C#U4A^/o_TqRo^KhmUtBM_"Y6o!'NM^M5R]
+%Td7+hr^,"(qT$)$rr3EbeA$+4Z1pg>?0/_\IB#UC=a!`5A9N?^A'b#f>K#]Rhj#T1jAX&=oW95$(/u`UX1A[+s+7CF(:qV/YC.M$
+%Y<$I<<"1lmI;eEcom_J-df)k%.`'r3b/@r=(HF3*EDEZuhQL+hDNU*OSitt<.>N&(dIB5lVbKr^QggWZ-9IULjBMUgV^jV"rSFS;
+%n\"K?8CPL%kVn7qIF4bN7ZVZ<D+!'8TAE8.5b7]56iYIt?-W<`R;s'O^W:/l,0X?CO_G,D?8=[,FL`)G:*KB3,__s'ZhLYr!S?3N
+%q'j%k\-LFUVlFb>F<0rQ;HIs,iXW?P.ot3sc2!<!9S@eMEsHaSNK;krn*c3K+8q:eaIV]WG>07Ec;0YU#-ncL^&!b)oErs\@a8,;
+%NZ?L&O+o02=4:C,W7?@$.qtljX/EhtK^Pp5[MJP@o&E+IcnUfp`I#0,EpnpU)IC;[_T'Y]efWEX<;?e\g*3jL8lb.<7OG`S,l1W)
+%U>f9K[rugm?d^Bep-DWmYFiI;H@\"ieM#d-^3`PT_Sf&[(Y2/10:L0U\%2mlnQZeNmsa$[O2AA5-H/tkOG0dnXo2h\MfL8lWF$`p
+%\k4'@j0b_e$eko.J!T:uA'RN?488WG\175VN0A.^9M\G_bopc8EdpJfGLB?/T'&2ag5;'A2e8O>Cp'Mt]i4%("RJiDnP*r@hGMk%
+%pfaLum5^a[-Q6AWaeA5=jKuE_?(Wg]s1<L_6$;3e$ElbqI4,M<P$Qirec)$'rPgeA\P?.S.$OR.TSl:"6"Sl5]%'tt3#erRd/6=1
+%pLG*7HSq-8ids[j?KmDgkmL+1TWca0.(d"Hf2L>tQ>Efc71m+[&m<it=)`JNQL&3nY&?JR[mQ;D]MGiBEQ.4^^e0#X;r3ppM&oE?
+%)H38GrirH[d&p&>k-ahG?stbD+NP!D(*5V;<SIu]#14L9<`brlm6B)=Pk.=JUYdKTZ$p]e+4R>Q"P+tK<gtIb]Ace$F-*mr$<XPg
+%Ac9'p'"SOcBMBbj:\DPc):$.mr@n+\qcI[\rgqX+1Nn-ZK=:(h+o%VW6$@.68sFJVN@H9cS+nb5AV,K`mrgl8Hp26^T7=:"k0s6;
+%8)-%2o2/6&(`ZlpWX%i9<N=n1oSu(9$VPUBZ;[4).=HPsRe2bQ`BtOqH."46GI?(JFRJ5\mG_Bt!St10N,fcHORG7C3ZQqhD+fAu
+%7GQCem7M`arS8PFNt1f[2XqK)@AGtaB!sXfq;1@;Ib1l_DN7]lWU.N#j/=V=<tXQ^me9%ED5/U(GZ2\ZMSA;`rR'SLl+K]jdncRb
+%JJ;Y#)nkt#K@%)'&M9k1QC3(]"k$k\SoHr\>o7:Ri\W^boe8gTW8pP%QERiu^WWJ2^%,BUVhhSWI:R2Gf!,1/r&on7U>f/)-7<4\
+%PBg8PHlrfNFjD[5?;F)VG=\\/V5b(??(G+FJ1a7CnTgiF^5B5TkTKHbpUdp'HW<#9$Gh.eG:%Sg05X7cj1@q<-\XL6(PPX'TGJd8
+%Zej"GT?k@q-!Kco</u"a1Mn-rLgB5;Ed#F$pQd?I;AVZAgd(S=9tIQ9ao/\EA?andoHLAYP%=sra;d8a\laA/Zs::39n[gg:EaoK
+%Njg`W-IdS4U'Y&4W%UJU'@Ca_a!/84Hm-qfF^\W/;I&:?ENgRsH.(Rq?8,0A"n)Ljk"/pB$aF0eGB(db*p]<%n6:NWs/+'+I8ib&
+%@teLZ$?CXJR`o5SPLnVRM9i8b+e>>:X>R^8b2V]U7'RQ%O-9piZ=>'6a>,H^$FI<'aP-:@[GQg<2aV[ZO1dXjZt1#e\0t^g\B/\]
+%(i!$hg#[fIWj.VKKV=l<HGuh06H"-9!li3r\Uce9&E[Hj/PdD]+KF1u+-n;n;n_5>8=Ak-5$6D!T<$[K`5M,^Xf6Ws47a^6,/(H[
+%[(aQZ4l44kH;*B)jqC?FTfdl'qaksDQFW+SgaDH6[J<5Gm3c0m(9;Jl^.A,!+E%n);f^7@a`#UKGZdGRKm6s,9dk<@$ZiTX9''9C
+%[V)%:p@cf'546%u<LCJ6n._$_S%QI7rQcg1=*65K>k46&@I?$6q251F)0@UiEW(sj.$;s>S_"P#\tBB\bR@SF9d+Mt:!\SF@KLbI
+%)HFKLk[_BK73Tfms(?N'SZ=]DGeUfd\BW)jnD3_BjC%&d"]';62\2s(_\:lKni!GAM)9.kCI>G-j!)/sB&/2`I\3ZuRhIF.i1"KW
+%Ung(RA7/8OfR>,-2sH;+FYj8);7Yfjg1@P4&GNYagPt$jlGl?3I=A\_f^'@AB;(qI?CV.r+87^OqkUuMH6L[hP+BC.";9<s=-?A5
+%1OUhL$%Ps07o?L&;7_i09hEbl`/1t7cOKo-*(G8$cZRB@DS&`(o00S<hH%hLa1co2=1R$26+]m.RbiGSK3RSO%3G41Q=he-@dmXY
+%:XGoYR6I%Hf&eJP/ihWaH6EK4TOE1*-U1(hT%NE.5K*ZC"/&.OKJ@dX7s'ID0P9Lu@YP=pPPUQs33P)jrpQ5+ITqr4i`o9H\A252
+%&lYQ%gr_tlcmp<(h)21T+dh!:f-Q8/8kP_e@T(YT&IDs5,G#6)cfF_SqHD;oaDBP7h^"*JRFEb\4k%'>8T*3Hr]!sq6>dp-"2^=o
+%Du7\'fs05CqRqIB/"Rh<4eJdA/'-2`:PBW>Np[kC7HEKKigY""aGW+9(YO!Q?2R"bU5S=cLd0)1b!\,^]GH!Fhbcn(4==IJ.E_k"
+%p;og#!_n)YW\p0fG=n!l+Ps-t^eWnS?J(VpKVph(EOu$aNO%HK<P@q9`%&,!!Dc/r?*oOg1H:<h)Tm?l0.e.NUlEPZ#U(6PY9q`r
+%m?D0_Zr+nfAjAK/UdObD;HHF)#:G@6''m)X5RoNsok9AdY(jNm8-/($i$9npAdX#B[j=2X-)b/6SbPDn>_uu07-Rl^HM3n$"3qm#
+%<Sg7YHF_,=-kcb>374m2$YRABFY`fq.B"Ok]EE;tii$Z#G$u&,@Nnl_(@PKDkF+4];,g3-`D&q=m;8hV#`C`)4I`IoFY<MG/IoKH
+%6%1@GEPHLo)Bu%ZV]^E4&dWcc%HnHui`N3=ct?OojYasqq;r#6CbU0EOqYuI]eHA:D/P^5gJl*:Vesf5@miXOi7Pn=<Q2*04h_X(
+%$R17K1>GA4P+o53MT+g]hj"P,Y!^efA(EAR:k8"-%Iqg5l8'N$M<_=d:G+u^QITls:lN"?W\k^:Y2o2j^<R%N9U"io2OaVC?\?J"
+%Q-ZqDN(O/-eGWS$`CeD?k,)u`&O6su][-5P7-\HYc-,6EoUa^dWZ2m&C$b<<#pq-8UH5@0ajW7E'H#*kk-KD&%W0)57B1m]@a$-E
+%hBrS?)lI5(@M`Lkdc1tR8n$Z>+GQ_k`HmR>eW4I(`bpC-M5aoCEBWWt84/Z0!'Sl(PtJ>o]j0p"2E3NYlCW;3a?*^2V'D[%LZoQD
+%KcaT8+@PH[Q,Sslm!5A.OndJp4mKdDl-=$$X6m'L2@34%%+%;a9fBi;`(Egn[[Sn%?F&W=n23mAD*'@%nhWfh'ceclbu(!'I5@e"
+%B@(p$Y9qhri8\cs#g$@*:6rWGqn%sN9.sp0;ET[K%Z2NqWd1bZ.bCV3`R-P2_Yu<'eo"ZAmtl^G!9WC2U,G9r**'((6kU7D1dmC?
+%Yi!1K5Y<)!Aq(??Ug$sOs$!($;QG*r]U5sG43RVa@M[,T#:RLNm+9u=O<p)j=G(Dr](;t(@EtS3n+S[m?5M=EMDWN]4\?,]qL&eZ
+%;*6)8@PaZ8HOVZRB`Xc02fo,Nl`bjAog/9L:+Tko3go([*Llo3.:OdqBqN@^J&#oomN6ac;aeNXp5':1Br,d9qH:,gW4ffhNH?2m
+%5sJ$'O?JAW6LF[(`KPNk)IaMiOd\DrUpMG/8.@_%cdbUM`?dm,8FJYWi?Rg'1MLN_I'ReQ&B)@Si0Am2cslHhH-fhQY<fDECjudP
+%./WJ*rVL4lqsp)g\p\W)ch=[us763as7MFkqu8\tTq/@]*tH4N8J;=OStpF_!6d-SLI'/Fl[qH7dcEi(Aj?1`li'*_9BYa06^Vt4
+%%K\@nBat-&8J;?E`iO^r!QX9eK:l`L_#qJ_Z8ea,5SKIF+@m/)E>YV\h)bUmAkbB.MM<H!#"Ff[%t^RMM$!`l[^c2W.:(`H?rGdu
+%5sQm``'MI$C#Yi=2#6tjFIFc)+o&Ei?$:`o=#M3,5bDRe%KSdc$O>V>Uk(mpC=9sdZ"ik&!GF?l``)DBZD%hI*4b2Z$-B.uE]*ka
+%/bT_7Okb0As2X-b\X?i4\+sgYYjD>HF7%H2jkDj`ZH5<NKOs0j%R[Qo'Dm#4OWT6iP9pdTZsi6kNbXan%`5Vn'8Iac\;>jBD;<!:
+%kVbG8#N=EViu`ejP<8[RN19(;:Ihs`9(@"nRlu3r7_7Ofho!%I59,?"PO3Arh@1FlabVm&arZ4]PFjo:onH%"!;@g5H4]XA2V(1H
+%2qXN'T\m\.4:(s69fs*j#?19q$lh3G(^a$,3!]a:"$$Vn#KqT-$b-!DO%7+(=?ccr-_34&&LU9mJr,[o4pVlNCOHaHNgi!:)95Gk
+%KT5"-%RJ-,!sdfF\;A*7Emhll(ccKn0U/(Ya$D[FfiJD%jeR`g@ccZ%4:j*"V@UJc@=SS*k+mid0QVDm4<6;7S*\8,\``Zi++Tl6
+%3r<IS*8IFsT]beq*.XY;DpZrFFD.CJM.)R^h\h0O8Y<][YH)iQr'PtoS,S&SO9CB'aeU88aS)9Ld)lk#f0Kd,!+#mHaoMK(d>&6`
+%fKl:h"50)Zn8t$<2_bBfM4sf3W1C<d:p?L<rD:"pI!l"QDP"WK5jm^^6U5kbUE'?H1\9_m^cS(F"/'itJPQO.a^cFq^Vg%5!.ZG'
+%T7\82E6]I(_@u[o5qoql#O)MQ-i\,s*"Oc`!s!Vp`$(4)]VSC/jWQfA"QnYb%Y3\uc#F:S:RX6GSgQ*0"ON>Z%YEo$Z@3?U%o"#D
+%duu*g!pX2u*!"NqD7:&-KD;Er4W30DO?I=;&C@#UE!U:+B'5#d^%l%H^jGV_LVWY[KnBAQ@fIJPi=da>+:t/%E<(qnB&We5+-+g6
+%TmUh%4;l@u]ljCG:RX6KcmMO-!9o[O%Kc=V>Our=+(jL4@%X"G&\&@HHoenNYK5/nIcaRS3lDQ#SHD-+n>[N0o95RhSDSGZo7&aq
+%bQ%#1ooCW-5Gs`j6m$Vn:41K.Y@!m6roWS%Mj#Y<JGhq:lLY!>rVuo@s4@8eJ*[,Zp?'W=mI_RX^3OjHIIZ']gFp:S4o>6<G4E9E
+%\C'%;1#7A[manZ!?C^r]k4[PJDXNV:.>J=QegW3,UF>F(]u64I.t.<DKdJf18KC#H0)YpCaL=0mE`pJQ/2%62+(@m,0M]]j+u.,F
+%8^)`g&UFr:Og'WK6c.b!5=&qA$jSVN,KJ+,:?2LD_C-32J(lW9W^73bc<j0GR<6t/io"qbI;?A-(I,>YjAqmgL0fg=4-kfJC>DlJ
+%T_ieG<bd+S`&gRXQU*<'1_eUBUPLGcPXCqfdHa%a0:Lfs8.IY8#(hNd=^6$f[rR7eOAT3XV4`W,4k_$FTQUJ]e&<WU,a/&9#6!+3
+%Yo!5(jZ2f5%BB-rnfj8S2mH-"V^nf=TX3jZI:8S-NM%uN5e]*<O!#QIkV_EoaIf2_.Fnre9OoV<\ETT[&]CD/Whu^#MAZYLjOfL2
+%&@r(?+M`a,11>@QXZfnFCK`7cAOP23Qg!"O9_BSBE`>p;Frk`X<A6^jq$K0d<Gju47LLG2J\=m\o[87$N2$]<-M&.YWWX,T$J\jq
+%7:r7^b-g>V"ZjMZ46!K0)N\]F9\'1m+VNk0Lg%\-=CDsC]88UKKp@9-?-#j*;g-l8l7a/hPAu'a+E:jT#CS,V6t8l@Dr<8/0^,Yn
+%AIu.D%*1MdUP"nZ;A5]0Z<;n7KJP2VOX8BZ-Manj-s%HBRkl84Wf0X2bsm;n?n,;QG0;BNZhoj'PKkAo,_ka*<ne>nbIXR,QVW&R
+%<acC0Xb-HZhD=D#.fF*9m0WG!oZ*E=fVPp-D>?!%ST7ufdiqc8?^hIQa=pror6Rp#^dXur.GZ$O^XZ?A[+I/Ylm>E_gIOslT:ig5
+%hNXC)GD4#F71UYU_V:hh?aDZUW\p4JUr?Qhder:E2MkOoE,%r`<P0G3eKgqm`FnsN;]_L1H4mOY`<f1LW)^cfS*2=KPJ:ErWu$bQ
+%TNlg-3!K=VI!cB!mZ!Bb>c`N*NtP_YjbU\CE]l6VBhg\Jc^o6-HD[bmqQ,agM&VfnE[%]B9+2df"h%,Z%(`%!jcrK[9,;Gu=0[r0
+%7!bS\1Dq#iAI.u)FW0k<*#J2C#8O9O'A2r:MUtfD7Ng<r=-Pp>T&oF)AKXCRI3K@RW<ZIe4Zr)?+[!dBqa$NR^j@b-aQ`(B^k*0D
+%-[(XYSqE\-c]q-moMH:j$@0=.Kl0X!l8hZT,XoImgJh.SNe,#ddtI3!#q&#g9c?/[DJ=1ma#Gq%Bs\KiS#Vk7dQkoO;b8tBN]@AS
+%W"YoP<W#rK<KUBq.J7RQ=^?0tj_>6\<kod0Uip,W-&I&/HG_ATe^XLe"&:D*q9GXi&U:B_%Y)t'lMCj;L?PmO$LjhNWUPF'0ci&]
+%kp8b>C2h`V+\<qu4Y=Hf)JUCg02^PIZ!k#R$+PT+M@q<'KmG]2fdIj`2,BajoSd?moMeaV]lB"d3gFs$?961Z85BhOTQ^?''._+h
+%N8(6/"GQ,<a?(jIK@YJaFbRed>9pK3=BOc7I&h]9dOD)o(9a3,];4<CM@1><jN,$\l4tl_G9W_a[>e!X_:rYbOs4md&IktT+O2lf
+%m*KkIN@Um^"<oHok$q7*9qD6mm"f*!\jS\<rJiX;PTq/MDuN'se-l=NE`MKn<eNmi#s'=go!bGT^sbY1!:Nn,WBTT&E*d%Hm&`Sq
+%TNoPbQ;M@LP!C!Qd:!196+D06$lSP?<QR`\#'6RZI4>lRMt/]^OOGIW3%)"p!\_j(6@*I:o\7*8f_0LjBU,.=)^QXN@m[tsn,#qQ
+%a\;0-4:.Oj_Y4Q;n)WW+`!Ns]EgCoM35><Rl6'u[l8@qr9Lp>sG]]Wp]SMt\eN*a5e$1WjF0p.G5]IF5bRq[RM;0'c58:rM3&UJN
+%1S+=MoRSFSjSe$!:BdZ3"ss'GC@U4\mOrO!l?$Q,YiqC!%VZ_-esLP`KbOcK8j[#&1Q`oE)ZQ[5m0\He/chZ8.1.72f`FpE7eW4]
+%lbMJ\U#Iq=59^%rN*hTK)r2^1l);F7f#1,srZ>WgXt*/N.uA^@rkjjOYRY+`jE8ku<r2ku:8!kR-$B=^pFf+,O[dZ%[9KY2[QPKL
+%*^7q2(thuK^c:BBlH=Q%3+EjG$s!9a@m,;=b;2lP:@)s`9AKHhTm9/8^_X*/&E(S]@Xp?@O\F^;oGNS#nFD;$e'5%7':$8[JqJK$
+%37\Gf51j)/Z,iq$nFE,s2^LEi/e2cG0,SCNAcU[tAlo&PSB2PUYG9oQ["C2sHN_/HC]Q6HG)FAg(Uunk@"@h\:P-R[q_>rA8(E%5
+%5^,m,LiE:j[HT6<@Bn;p:M\b1,92`lrMI2=h]ai@bJPO$F2BtWocT2.7r1'nT:qVhk\>`'NX\?`s*jc,@Ri7\#hYiV>$D41$[B2e
+%+><p-mWKeXa`;L)IN$mQ,9$I`cJ]SFA0G4M/I)*tm#mQ+__sp'_;H29oQT"MCk$MIjHobl4a\]1aQt_h!=J:>"MS^7YE+lWM`@jm
+%GH]nD'sfo@OnX16A#Vst6:?.1j*mDa;A%)[?hB:M,+[gQ91&fM)!er?kr1<X-LP=8;Ql?eCp7Mh6?)90aViKU5OVjP\.9F]/0s_>
+%::&aRJef?:1.lXScL,iYRodOXLT/h>-.Xf9:g2(^d4a>*6$LSBEgo5EYn9C2F&E&+&Q'Ft*^k%:3s6@N2'N5+h!PG`hBI`?!nR68
+%(,-p_?b01Sa8)jT"&cnh4Et":"O`^9+sZ["Bntr+?Z.8qRV?L,J3St@5p">\ouRB=B7qP?EGS(4dL3_NYW!SE!1Ns8HY29os0D9:
+%$UHI0aU<mV;P))V@DtW>BDhe&]HIlGf=!mEcb9u0bgZ4_MYHj4<<@e]0+Wbe!YSbU?;Mc0c.=n%Dd2.??16]FXoKE6aQ3UeFt/!U
+%7DOA':V?%N!L1$a!.DhbJt1-YUa:%\B4::R"`g"iJ]G2?Qkj)>&JCl>`96m'"\K:4FIN]Bfuk:P-9\RRH9VY6Q8H1G>JC..b41qS
+%\%n\i^:lO<er<n#7<U>J8f`8/ajJ/%NU6!4$Xo#Yo+KuND+s?drlq=uc0*E??Uo>GE&XB+DL:_X9oQuQi9.ts%o=inUeYYGqY#/.
+%h>l,Z6VY$gh<4/\&-4tDlb12RJ&fFhrA;BZ%*m30"l6rl+'cjkl)@nq.QPKiR"').A7[n/!O^i$\&L*">NI.q5oKkSp\8s#?c&Ae
+%K^KVpG)MRCqpF0XC]+:dO4!Y5bpO@rPO_Xc9-hR*<l75-]5$->jDB*qf9N2M5X2CG@N5OG5Pf$FnhM`ti$da7Ekk^*_$7nZbWt'O
+%rdJr$9-j-%*l*9!"rK/;^GLg*Hcn?Pb#)ukTKA,,]Lfe%2f2&OqK9L[Ql3Q8h+I!_R8qICGi)nB07-L3ICuH$K91YP_AgJaigWX[
+%-W+aJn;Jb\kn_*DiUjQ\A0&T=&EG?hD#7)p`ua:l36B;5p'/RB^\rPeX;MdWSU<]7l5j%,IV/'pVeCk;oq6/B\_eNe"ShrBQ7&5)
+%ZEhZs,P0M\W'sjU;jD<OUBY`ui$K?X97PT4^jVs=VSQ#D1\O)LlDoQpI0iehS(&I;bk2)fT]#1=K)W>dn!noYqt(!cf440"Zn3uP
+%[_O-)g7Q9i4sDPeG:`]5AHbftHg!'Bre"0&(/pOnIG>d=,=@?;!\%.51f`sZO1pW_IoHG+6.(kEUYs`G)7P5K_bMkZ9&6N4N4(TU
+%Nm(r^E/pSq"YK(R>K;A:g;4l_=5t4m)dSA;'m5VuPI*a*niZAVpk[Jk$D6%YT;]&^=@P@G2XX:OPNFdi>B]r"N;26]*ZG,df0NJ!
+%:T2ILW&WefUtE"5b+LYTj)CR+(5H:J$m9u3[RM=JJCU514hs?*@"`fo8oWVqrk6YN&8a"Js-iIq%T'Q(g6Q%q+>bcqJBn;p#N43n
+%fqV9=$sp$Db=#j,Jb-UNV-B!0\)7pf[gfuO$s/"$Q*$/L>@s$]F`=oFK!->f74JJfi?f)),":N>E9KU(dK;\7JV.koAk,T7gB!W=
+%l;OtID+(X=\BLW7;=4^9&,pljbFtm;["Ig#>Dor!/<DO>5^D%GlMBjcTaX5MMZfs)=1`G%NT'gsn$KkG(-,S2d4)-s`bZl#!4."V
+%PF(#pmD]oaoWGEXL=PTtDLcYYc'2gf((n^$>G*>ZT>?H7"uL,XC\nG`XX.$(AC!LZ"gG4B.LMrC3E*dP#,C(3\KN]!^.*?71F.:X
+%6U:/<7L"p/adPNQred>oTOTeQ..3.3EG)FW+)0XbRk);%'YDbB@c2FMgM[Zl&E(-;],5dbNtHR4j[Zq$J3j!o/R<nGApVsl)NHEC
+%oCO_2ks5D7S<^9C\ZcZqH-d,>MUe/C0S4R?TPdkq&+J0s*2$r;r!^.p&-<D]k4$%@aU8g9%16t]g?o$NFP#GZ;;5j)\^:2Wd#2K/
+%d^V>D#JptnU)n>f'%cV7"IoC+a<S;l5*)NTL-=#PfOk=tfh>b^9r;2u?PU<$9L0).j8cd[VEbL`fTsPRReX):El[_tkd+kc)(WHD
+%8\&MaL)8tEccDJ4$U!FNRg&e!6Er]3pfBEIX8/>ON]$iaN%!LFc2*JQULAH))narVG+o)$:d4b(R/\&[,iE)0LR4P##Vq^hVF0"X
+%kpUd?7ehYW90i"h.(EeJhqti4,6fa8@m:['!'3$(bgEj:*I\mr8dMprW\"BR>9pk^?XsI%f\c0V>iBhT[KV94BE\9qTt:A$%#^4S
+%oD[A"7G/mLYrP,6pZnJ47cuef(g"Yt=b?6m<jdhk..\Gem\-$tK9fdP0C*L)%l4j5pQGVh]C?<>+2aV5'DI]=MY'+Y2W)`+?'ZcS
+%SK`?&2`eVY&b51X?6b0[P;.ZJ@bgD0A13OGU]'\)Du9T^7MO=:P`YtR+q!9h\=MuhK#HSf;41oJ'#D$rmM4'04ZG:HK0=Jg)gF&f
+%=@%j8aWBBbKIa)-nN;GKV@E9F#0Z5:IiMBcK&X`?O2H<YP[B4HQ^1]hjNg?nk_)G["Vc2N?s>\<&EJ=0aE*hm7Lk1>e!cnp*+Q6t
+%cc6=/INsd0][LlM5YpQf@c:;?mu2CQ$bBd=r_;@W*B"GF*Ln@M\S[5Ddr7)OTlqp/W<aCffk`m*G4;g4EYEE4V,P2V3%]Hc!)`g*
+%`G8&b//\Kl09'?g?M1uo\`_cFWj2IrOR6j"PBi<&a)oO-#n!R8<'eGo)7Ui0$QoU@c@Ea@p:=Tg>c8Ei(6g'/K1.=AIBWm%2!YEb
+%a9*!Q)ZRI@EDd!Z&m_F>g3Kr.",N1g$AaL\K,9G\p5O)S&02k">X8tkC?p>-mdOd\k<cMfM'iEWl13XTeB#GH@Wpb4WB6H;[s2J?
+%`<KVgRlXX>06hjt=:NmC&<jOV$Um]$JAJ"N0&r?P@i2)eAUMD/S45=;O)@Pu!SbB`ArLkfF/61ilMK[G-:%cGT\%Ma_g+CZ2+C..
+%2C#_<bkm]''1"D<1l,S.&/K0Q#0#-`9c$8&'=<GZM_*<uO66RJ>;lrg!Y"d>)MS<`iTsc):hMZbST$<"6+0=pe^dGc+nl%2L:DOn
+%\AETB@I8@"Kd-lGma',?It?c@WHTu1f/HspqX),5'MpJ731!Q=:#/M$q+;5YTV9V9!,O6ZHQ[rSj>lu3OJa>M^^(u%5Ro!REGX+i
+%CP0.aiLrrSn])c)0+UT]<_OeO=m3`6>]3u9Y@,0nBD%p*\?HC#Utc"3HO]S4T.s')neK:LAROS`PlJ_/_m\SX>Nd`5a95/:WMG)*
+%cQAQY/l9>j&dm9!?_J^3CK\LGb=Eg[?hY;lSi]>W"op(p;MR,2kI$d%NN?@l#.h4P)um;tp8q]57A]BYpTh6n&VN0966e<<c2?@B
+%OmuEUH#9%*F5:;639SRkN/YKGpU52ge/j[G@m!Vc?p<)BhjHWnq&I1#ZGcU%&hN/1nKpNH[#Y5`FXS:Kk*]jcY`N\f(0aORDN=k[
+%Zp'/s_b'Y+"L[MX=8=7)XY#%cN$ue_g[t`Y4Nd?RPnU#t(3W)@k?j8^hI)^d@&cm(,3nOl9gEGk57%$-6LA8>>Cd`lQUMM@j%t%g
+%5@Y&K(-LG\H7]c;Z#1YMq>QFQ0l^!^k4thl]s1=_f)%U&O(JT$a1IY][W@V@2UFgM.:CO&^P9qLIIHdS/V(LDIr&=4M''Ql^Ae[)
+%HfGB89I$YJT;!D8j/&Vj>.>siUTO9g]_)s9CUcak?M;q;RrX.f`.FX0CNmk2Yf[tADt:OnI^T&*/sa.?'E6XmY-ne@CN/DJl]q9U
+%<9\`4.]55..XGgT3U]p^)8aO^Rr6?YCn.&BBK7kYaZ;jOa#j(1#?-9m6gCc`gL]tWL,J/lPq5BRL6FD1'&3/dACq>ga9<W*HYMtu
+%*q*sp:6Z-Vi+OM7BP?,E$hB$(qiWb$W%k#OUS[:!-siYhJ[RJ>:3X[<-Fa,@hl\MI0EQ9;<Z&.[p>0;KhrCAb%Aql75=S]bOk:i8
+%A(:4mq!QJ%i1GYA5=V">&;a`Um12*n&V)ncAMSbP&rn6uf3b?02d,_UZb>,l%=AP\J&7]E+n4?/(J[BiD\kb<NFhj=9>lmD-bL.s
+%]AW[lm_E7g]R_3*p/Lb,p7Y:D$27#E+n)kI*hX!&15!T,R@nuS"EO\6Rlc0I+'m>Y4=j,9./9*i5UY.'jFr#*g1'a)PS4E,1O?lP
+%]Yq/,_"+UmJ-OKroJ+bQh)Rt+*tgPF6qHXQ4_LWnd:X9tQquVpN`K3A?M['q+p.(i9FE4OTJ,r)<e\;Whc(SkT_>Id9OI/K=%us.
+%-eQp`h0]Z,ht65:@be<jomE+0T<_aOaG`.###,nTJ4S*%DpN\SUCFYkkeZR5N3k*T!Z?Pq,^?:I42Lk*g=>XEJFH(.J"s+fRgsAk
+%::]II^Hn5q8,U)26eq6Img=UnEJVZ7Jb2YoE6]DRkoRYW/oE)H8ajRjD/)gb,8-dP:Le2;^U1s_&`C5g3n[.%Y:i\ao!m=q!h$'s
+%Of$f'7)/^MSVmR7$u@'4_"[VX#^^g`,.hAK(l.+(LkkglGe60@_qhCI%@&SO;/6Xf_0fdK/\)F@Sro[R]"j8np2)(fg_!%nhrr=R
+%i5Ta\j;FA*Al]d7BJ(H9L8Dmg4=AYT:]XOD9LFkghWEd3Y`n7)J-]m-5X#P5pX"P^@GI1(\&;""XL9-;+sLCQ9E?EO.I`"Bh#n8t
+%!L_"-'!Tn+\X?erO1tu1gU2#1n#5C8Df@DVQ?puE)n(sHJhoFm<\nd0P2&Wl@R$7-fkgi%D,N[L)mgYOPA8gW,u[.2DICsg9CVg5
+%_FZ#AYmeVW$E'ma?_Z*UZB*Z>p1pquNrSC8b+.PL;],U72,F.A*3*)3A&b7dENPi+kOU%0jCW+u$Ui47`0F]11Xkd76!8/-AJ9E<
+%XR<DEpW0"F607bZ`im%K2QrEh"BQ;U9TW2'0<jUOi7[aB2e5C9$H:7B3j@$gjI9%I5iFSbonY`L2f<tD&3[u'2sOmBO*5@Zg+n(>
+%QN/2B!8?Xll>;CG:ld^Z0RC*=GoIX8SOKhRGias^T^ufTTO03jrhB::dVbH^Ag49bEis>VN$-495Jg1Wgs0-#:>a[MKB+.!pk/VY
+%_Ka/U6ig,4?XWS8#IRLE63u6&P%bHU[WI[:&W(e\qtBboKJ/G%1oUPB<!Ok&n5311P8EFF_:5D#4R_eE#H9o#7c=qtHUdR99Irs*
+%!XAb)>\<gO>a>l*gm6[t\q!GD@LYe-P%Vbse@pOs<Ht&#Cqo1E0c9!!=7or;?>C7bE3S)Lp_=*>^stW/pRO$:"i<gLBgd]V1fG.&
+%PuT.U=[5\K(nN^JpRQDZZq!!8;$%4!(SH9b_%n5&KpsOT,ca6[7VYY)K'fAcFUF([,jq_rS2KG$UTqnZMq4h)c6P)4F@J[7N*o)_
+%]Um=!RYl^%*B_t1rB;oAIW0GfjTef5#lbh27#Y&#TohCl"'0[l6DW9nIdXVGqLrHQEXL=GqeF`Y+Zd&>HMU#_STED3=&pojpU=#5
+%B!`(H0A<X8a#*pg3(,;OC-iAC]DhTj&RF.>#rC(G&'a[*h_U7=EXAu(_\_@K:+8`(TUUJG+![:E6knFl*e2MC3OTWKX#rMnMKDL"
+%C=j0BZt,E^-fa>=b3r)*bc"*0AA]mj/5ZDEmUokqjM5W\GInEjVL`^o$d#Tm."_38HY#7MI;&E<)`[#^1?NVqNu$]BdA9?18-t0d
+%[nuCFaaTHAWb/YY_]r,<A#>fTh%)g[pUl^/j<1)AI\o?].Z)1mcF*b*,G2sX$7In"FdIU_Jnht:)QYbtm+5]&Z\lH>(dMl%B+`gt
+%[M!*'K$c00/QPQ(7^qAI[R+R33F9n8ihS5`^eKHF(D2FF/+#c3aum+%[\No3Ke;_Z_b8_N(4'eUCt9!+G&S\t+2RD9^hXjor,KIO
+%Hh<ZY_@/i7QEjX2a,Q:WO"Y>A`n*6Wd'h&3]9<Ya+9d#6G].qZ8ot&IAS_G+*kWaFh72WC`:%@:]JKC(@JI`6LnQh]l`9BM!P[ui
+%b95a1;<'1JXP$1eUL8M(-D3P5RcqEF>4DPk%Y;nDJDZD"c<$CT-EU2/N:<-@I@[iA5_7U@M8^V6+ANdb%KV'l_:]&.+lIgWhEE(_
+%f.QHX[Zul<D;8XQ.0-1l]Ja?N3].s*k?_0[Vj/AmloB5"mKj&TJDYlp./el#E*eG#<&UBk^iBT8R'p#rA[ed3!?>I?[4MVNDQI4p
+%)L(=qRt(Q]CVRulVe:X2Z$Z_G#K<Je'3%jKF>C>6S=mFMGL/P`-YPXogJ3pN+Pl$FOtk=?P[gA'lZgo&3-h35UI?E;Hik5%s*F>%
+%WD`P+dig%)eD,HsR.HK*#JieeW1sqIIpXn;;ZY'cAd'rp,m/PS*;5i:A(u4jRt.Nq2E6&ai"djeqC$mD"?`u!Cg/$An1Rdnko"7+
+%03pu2YuEeao<T>Ef39juBgX_Zs7'd6'B'P!D8(RM20lpX9heVR2q\.iLTTOf;cPcA4L*pn4jCUr&t8A>ApC@>Pl,0,0^FQfb*7hI
+%@taGgYjtgclZLgEG:0PB6J"D20uLi`e`Y927P@(qiA,<a4l`;QqU(B8VkRO9pfiYId^_%*&(Css!>_-7_f!.U'hYZm*DU"Q]fI2*
+%%Kj,rF2&gqAq^eO&`f3XY$4F5T`>3R*G'cr$"UM1:]:6**Ku6r"`a#Pp/b@+-1V79!=36]*!0dpqZ6=DGiC(8ThjK`IARn'be!+'
+%J1r_,$rl_=dLHGX3Ah&68V4GZMfOFddND^5%-t&j=mZejgLa/\G[HO+T*kp25_9\hD2a7\Nf+%ri)/hBpo%e!efM&i>SE3,fteeR
+%1^1=r"N?t7i-HA301e6m$t1"u/&+W$0Lb1N%;?!p%O?d!n`o2VRd^6INgp6V"\MaUZ"ZtVYRk,K"JBB%%g?@\0R#&0-;6<feHp^a
+%SV0@M[RjR2`V"@-_kCakmRPGkqK%2+@\%:1nsj6M1_]:G2EhH%P.%T;[[1kL8HOg#>#/Ur^;Sq];m.7NOfh$ZR\.A.;#;.Y<!OqB
+%XL7\:ZVeNY[e1!8/J9&3;"7#>),$eAfQo6L1T%R6'hWh7B8\bUD?f)W36*/D>I+/Fkl*"(TK4EPLr2dfeA18`,]IXpo)!IkeNq9)
+%R9%(SpC5`Nl4psuJ+l=ZX(o>FiZH'N!$'o0_,hZ<9EN:!JBO3>9C%5#A9)Jg*!S])o?nV=-l+V='-8CoY09]_q4saL+V6+1[@)WU
+%R0AtW9'n2(nZH3sK.<066]$U1:nn(2]Ygcs>&"6+23mr!Vc$fU:qZjsS.&okf-dDb3d&7I_tcIZZ[qk.W85o:ppVclQX=qd(L6AC
+%H8Uko+2GH+!?A:4X_lm1(lHgHqVCPlH_;/g(3O:kij'-NP24aJ]EP-c5R1.P)8s1El6'[LoNm`J:>T"'"2n(%'h6q5BW4Rg]9Tgi
+%LTt^^(*<^A?\.k1o!&$!H<[D+V"(Dnc:aCR$igo:,@o!#Y*Z(M6Ytk%P.#\V#`i&n;E\QI+t@5AkmG\FS.U9=0*GR(V4-!g-2O)N
+%2K1d>H[Wk_bN=.>XffEoUX<i'NE7!S<gW1qT#Bf%KFa<"W=+kM3(oZS*n%WEM(c2WX:"bV&0>")37V!,gC%QBDpaY'j]XJd#l+&s
+%Ih\%%fMje60"C+o1'jk_WmnTfrR`h:5S1j+f40JpWli5><Si@MCN.g^>G#b*q\6"5h@YK(C9$hFhZWlUkbHKc<hN6m^Y[["+f"^2
+%5Ro$S;$RmRGR[AAEV[2m_4SUK\ekQ\MPDbGVcl.2m=2UdE4=bOU-^.5ruJPi-GWNm,/:169^#J'D\icClb6YNIM[2W)$l$nr"H<$
+%6jjap8:GU-O9jT2ELsOZ#DK/01lrZ`0W?lIP#_5Nba2ErS-G.BJ9/V`?2.qU2'T@AIKCg&@[",K8S0_86%%,C0hGB=!gHnn="A_#
+%B#[.d((I'^<mhi7P%uE:R!]OYD:N?qY_0lC$hoao*paL12Y_3D.B.QL?6)OUZUUd&C1RM]MZ6aU*oI8"C2?U:AC]E1$4RcL3K'"6
+%7@15D$#A,/0VV%ajlHu]@q]*%;T/[e_"<"hg4^en(k^U+^OaVI&Eg09@7bd`*lY_?ql<j=9u%?@0eVu])gL=/at"n1QS;hs/8_/f
+%TOp-MOqQ;=#Y#?--lLLg?<.&L+/E5AN&^<s.@aa26'9=.'62kIlqu<"pn*$9.nQQDW$IYZ(.B$]G%jS`%Na`oAC_e]pn,%PVVE8"
+%iT'6):6)]`:G.9%Zu0_D(9Lg&UBi9OTO7q;Lg9a8G1"%EGu+W_9n9\FL])OXXg8PG)B.g:a]J(6G;sf8H<<54ohfDu/qC<[Z:G/S
+%,#eARc>MaKWrO!;.2jKiFL/'n8,:p+:q9\b-jA+t<k`>%rcGc\Ej=BW-10VRm^:Z]8boAjGQfT<'8p;aEDs5h\2',C7;L(?3.R-m
+%HY(QWZrN4^Esq29kW"f^.@c0gK"PDKW=H5CeZirf"'G"<VfpJ_[2pI);Cj;?jRUG54]"*UlP*$(_Q"Sl$;pjdkh<Ikcp7Bf>I)[Q
+%D%"Q]:BfRSo_fUgQ>JET;Chr>:=r/4cEM[R':-!?jf?0dH)C^Ke,.Zq+4U^^$W2&kf1*5)[5P']?:BUI.D)QlBl^DcFHbVV@r+e.
+%X(Zf'+LOP9b>^"N0rH2$KB3CO`>3nh$7Im%kt3b7'HL&QeSeB$pc0W6L*Qhe>I7:_focCDVN[s01ibFWI'?%&W,7`45Rbt-C+p"1
+%[=rel029J&#H!#*WJ?"uFXp+sYSI'9-K0V3(mO\_KU2F@ILcqn"mk^n(6P4["o&nfOr9t+*C>!P5*Q7Pidu+t+N`RQ^h;dc0__8l
+%Zo'_F#QdFI9Mk[6)TZ!q-(#\t2ab93YUG`W<X9Wgs62QArq05e`COWQH<1$[`j,uQ,Snk4rcsPS/1k+lQ#l\KJ[R*'QX1aeP\^3'
+%07QVC\n57k@2W/?Oc@@qdcPsF5h(6)"Mc@b!ceD.<%#44$<Kij3S,%3ZJ+hXIcY9,a5_km(XPF;,6Wc8ZF;EIF>"*)n@q!g#e-@-
+%"k:?S0q?Q[+7LJEOc_68)Yo<l\HS/rYUFFC"3.XgOsGWq/O@=m%?+s4$8t_0NsS;Fff(U%S"#:-/bVR_"B6<_Rg.R^kmuF_%!nVj
+%0j\pg+EH:`(%$j)+r4:U1DCb!i^4C\<Cjcg\66;(0!<%2]Y:kg_6m=:=nnk@)n2E"D2!/4[N:%WKAoK8!O[-^a)bc`n\W?d=f.?4
+%jYkq/5)-L=&_9t*75DI9@8!K:2GaMfS:agUm(l$&INa?WQWRk5jVmAB@h7/?L.&hs''V9.A=qpa"G7)m.f0H4+sj.r">b>95n`;k
+%mUM'Yg$NjC5]$4Q0:5pu]E,g_gMf`HmqS?!QlV\AB9;-o*D?0#aE;q7rDpqp(7\p).TO:LJV2jt.tE<E9:1C.Jk@bk%^_Z3-T`=4
+%KsE<<M8b)69Bs2)Xd<"L;%U*Wcc6=;Lt7]D2%Z&?[,t)<P9[8;5tF8AV3FBrLC&$oJol0,?W#3aHj/I=,ep>l)Nr.#e;*Sc,[FuL
+%XtQKS1XMO`^6Ec$A\pdL*_M%%#85(8ifEcU^6IW<jJ!e?)$u![Eb!5Mj9GQ\RRSf/R9V,/7A!)jZJM'iD.Y4_CH*?9)sQ,ZnI;NJ
+%.`qSi9VTYK/]tN@Q.[QJh9Grt-:$:N!0PEiVdpbS74\63%j3l=;$M[T$NAZnFo+4ePqkE`073lMX!T13UfCr&\N[E4@Ee1W@+GYO
+%9X"bD`hLi0q,ZjENL7&>-F5V!P!TMZAl200FacPE3*3#0\N3`*Q4$VX@G)!2O@:u9c!inTgEA!`gD6](F,qkK8m81o`/FYAo\De-
+%2QaLL3Y.^([1$NhDu;diTFK.2"PJmuU``NE42@#mOXD9j<nh=1BI2E<=HAo(#,@"<malYBnjia2j@`pkkJ!W#.SoVV1JHb#WU.j6
+%4-*)2WqM`n!-P_[6LLu6_+L,i)3@2V=')3il;2dOmN,)`i@SV?kI7H(;YLKuBmC6G9&;)5?Ph#fqS/*e?iLRJ650a3Dd4@>(Hf=q
+%_-i=P"rPS";t5oNm)uYRP%6Fro1/RueD#Rta.dRW"`7,IX*b>GO`YV_Q6ZL4)<['R!+&buWS@R[HK6mLn/ajUPCJ9d^g+m.O-A"/
+%AXr3>/IhMR4K^dI:$Rb7``>4)>R@r?j'h\2%Vsn#eU+H1DAM,K/l'k%h<A*T(:f8PY%oYW]LS8ZZ^,n.[e/oDas3@m#4umkVO<"6
+%kuJkZ<e\oYaGQ3cFWI9@eA-4!b&Iga[CpVhat'LdJ0rMB_(PY%(Z-4$0/<Fi/t05d<%8b&&;rkinGNWqa`#r;X@[!IcR:r\(p7Ej
+%H@X,bXd;(]IKCt+$*](nY6np3o=`LM]'$t5%R"ap^1tugJde-G0?#rTq6>Q/:g;L67(uB$3RZDli+r&C_].MT63.8]+DCl[jS.5P
+%8;!bJ^B$!B!1@*t]>7HNj%D]2[HNCh`lgI1I]j^QIW@A%ZUVI=m64^M?sm"jE"]4k!H=X.1*:a5:rp>M7#a:Rn!t.YAO#-bQ;aI7
+%V5R$qs6(8+=A%5/cQDSmUK!9ukYb::@BdPGJ@_U"ajV_`s$MAYV$C!\U<Gcd)*#<Pl_W$@*`O#>mOO<frk5JE2tU1eKmr@hkeBWL
+%lu6E3^nV)QO??3C[fhM\""gha_0'9/>LJ<aYAQkC.rNWR'dSO)Bq3]LNKsF];<PX+%Ora.38S:A4^%t"!7%k:D;-SVmF)8:i9Gm,
+%!nK<U?u=R-At(U.Nh)4FHTN7lIPC4\g:$DYqJ0,3NA4P?9AVVM@ba8Y&iL'GPhU'Y_5EuY!X`87.+3$!f)]n#TEe%?R6*`f*Mc:S
+%YFsJI)m>6)^d3%GJtt>@!pWn[Z1WIA+6")\s0?afOg%+4_>T0/g:#fc>qj/C@-_E^*aE[r@,ZHAX+P[4ZF7rq[Wg/1h^OhjrB;H2
+%^/mn1jc#2Q/A2_+^B3R[SO#PJ)EkU5']93aFY(>$\;43WhcDMT]%#i_hn)$#RcY/N9XnS'E_D=84Qr$mn&m.6:Z-;B"8)gc^k(8$
+%R1*ZH^,o]s?F`Yd:?18<[t#qHj4-Q^@A:$Jenn=6o;ooj3Y-E+i/Rf$Xr6#3>dJ7+lQD]eLGS)h_q$BPG,uYJhQVNbW$VL)NF()'
+%]qp0:kq&K-jc6/Q@o.<*D@j&Kr$Dq<MU;Z2I_LWgErl#4Xp'#W3LlSJo6nV>8p`8$!n\"Xp^*ug9FB=Y-GajK9d`Rro7jk/ld]V+
+%$]E`8hYfIFhY@KJ,i3KIp[t)pZI)!#0.T)fTnJ`fV(l?Gpkp/[ERD@L4tFEV+*7OV9!Cg2']r6[jJ'?3Amm_(,)Ed0E6/^=.b1iD
+%d1V9l/bX7bIJ!A8#HC(b=Np7<B2D[M__;D[-0sd9USQ,AS5`DI-kF9=_0Oes>kda9B(XT]G86OE*]V4qjNr^"/B:ruS6VUj5f$o<
+%r@R5<]P2(_iY;H'DM7$L'BgbL$J7KEdN=3bh<"nK$uP7'X#2]&c^I@e^$\Y+(S&qI0\EOf7rl1qJ_B)O?5#'5G#-E5m0:&4J_)_n
+%(+`*bMqRPuo9#/J[Qr%.4J+1D()]Ep;QH`!=1Q0!H=[\Pn=e'=l"h`3fk+]1.*\a+#Kt+:+'71IV_-qSmO#8C$.$(p=9dd]>%1mR
+%6,PFE\@$0WW!ejG]Ujenmd'r!hl?FR+O&dh.+\D?g@AgEeEVVN6Fe+CXJnW%Q&N-WGhneMm?74<Kf3fo.6#&P3=K<VH)4#^h_8NC
+%]a*dgg,t&=YT908*Ab$u$(c)#m<g4bK&%e@K;`hNq@s%.L)pSR3C)k=*'D(:0W'(gLec(/B$\13/lUF#gNN?*\5`i?;ab8!;<,W;
+%7aUZ*7_hJHmUddZS3KHfBUVd8!>`k_S>[;o1gmN3[]bKCbcqWH6k=$Mlp`IRXQ*Bh-u:OoY3mKlk*["kTF68,BZ[MtHWAkH'K*\m
+%/$f)l9%U1&XYcH%II-Q%i*$Erj8tTje\u>o1=Uk:,7G`MlON=1^j2gEm_f[,0i+cS_O!8a`A6nuNfnJ8fe\>lmI9p6Q-ZHV]r#*Y
+%DoLM&^6B)P<Qi=")t!9Ah$j0h-r2LW\&1TQUBO_S`<*T$a1HJ)"V[,eF/_84/Df0GA:3:mU=he8mLR47/DY%fM[e24%^RAI::m`H
+%-IT"S#0'!E@?6hW+?+C^lP<RBDDj10*KR%sW#Rf*DA3J`!*3'r]HW.O+P*'//[L=l*_@4hbi?_tL6(Ga)S`c!I`7_tdBX^dHaX=b
+%K<RjTc]IC\*If.^bhi'9.P@p07GAe`7ZSF3hUVWDMWC10Y9d:r[\`:>[/V2XQ/G@ci.1S"$n>VC8mG[a(nl,*J/tUVeut#G`B82V
+%L/bPuN8@k*(<IY"-c,lD7V;c>rd',A`]u2'^bMWs[07j#`W51\;-4mT?pUH#(Va&H@/]rZJu)^a[[Cm9RAuq6WH]C*Q&^[d9pa/$
+%#Ql_,L<Q=I9N@UsPT\IT'gM$UfHl/^R*=+E"]ikcZO7&,="(OX0[B5RnGG_"?lWK$Fli':<Q$WII64BgLOi-k[=LZp01i)RBJ-<S
+%'kZ8Uo7T'f6<qNn`_Q]g*E?U;]MLep<pI"2C(`t`5l1M_[`EV9hPBRbR6mgZ65q<S$G>N5"@UDXd'c3%$L_El6$iCgW`fnR%c1%7
+%RK+])[>4\\;VN&l'MQ3Y>d2lAVqBZ)j:sj.$Ic*q3ID_f<+*Z]AQBnXDu>!OGF/An21%o%nX<TCms\gq]agsHR$\GQnE1`a>&l>;
+%D4/'`i$q_Kg`pmW;oT_sV@0+^kZ1/*bAoeRcP-B@h;tB.i@N=NC'Mp_."3)YlIlG;2r*%gkAa61p_$9kBbA&CZE@h+'/ohu=BF@7
+%n,"uN&A69WXSVAak8VWS=#O(s/B>ODHiN>$OIM<=S[/h"S5,6GdUJl:0;SpN=^r]GEP+46\%qk[4Rm1!;e1R'T7l17\5Ss*b*/FN
+%k?&K1gup^H+8nu0K>uc?PfA!u!4n:3oDQ4$^[b#_pS9V@cSq5EXYr[W0&0U!fEZUEeilJA%Sgo3GpKO-K]h<sH+1V2EMYmKT;`6%
+%dk)$C.mEf&>6G2cq[:IbK;X20B2m0]LrNA[`gjJ+,?r9IM);a1iRlF)P!Pd3RJu#O'&[r/T;2/=)`\Vpl^4r-4:L5q2u#LU#?`er
+%`&XM\cok.W[CA(sgU!dWb"rXM7'cJa-'"%minpYn[I!YcC8dI_XXnK<K0DE4i#9S%\^@<sF:89@SZ@N`dQ94_\9\XW,mL[gi1>V5
+%"tm<\B"!*#iDDQ4aNQF7cFnAVfet_2o!@1=U,BNI!KXqm#_Lipn&CDH8%Ff<)<+OR/aCPh@;IG75.@*qbDsPaaA?3NVhj_\E5!*2
+%m'pr?F;lS2Cj1UkV->sTlssLYmaldh`CU7gk%sbX<ek*YF2-B;E*746jg;98`j8p"$Y$]nLqMa4UB'T-mldU4!*;<E("p!&luh2c
+%eb%Z\c1iF)41f[^m+P_m+Kcg;M`e^l3(V=G"_E67(Hj#bd`gV?r'/X@h)\1=a7hNSPqn'`$gN5EPje^f?l$F1&2D[MeS?KRP5>\<
+%!bKO/Z,N3WH.qWjDC%gKh\P"`E%B&4J%bA+:\BLmKtX<X>oqaGdhi]1J:$$2*UgA%Xq=\0E=BSC&70@k1a<1EB#21TF]O&^FK\g,
+%]r($.k(^AeDRZ.10ZEGlEK0W)hgOA1ZhDrNmegXP4@0EccOb]k2s8uRgk"]FmPT2)cR3h]Y>R5i4)W_phojuHd'If<-k;\oeYV2r
+%4mk7!"h76O75O8I6C/QA>=Xo\X&+@_P;cFJ@fV9=W7B&$)s4P5XS3%-`6@Ok"7*Ur2>2u2J^c!9H,Qh697D&un!P_MdPJ<"eW?Eb
+%.\EXCR!J2Hd#&e1)Uf`X!eIll8$%=+'WrJJ;*edR!5&id'\*Be*8nET2)$&6WJGbRUr(_Te`%k]QXYe&=>7%(oZ2"_#JaRNXVkt0
+%c`/$Tb3%IM\_"4&igeE*RaU[30__#hVqUOrBfBumnp<kJbWM5t"Ik#@f$\CO>W[.o1k-Trh.G[1^*?+B:@nX>#oRP5Tn9%jRDq6U
+%4CGO\gL6dRs1<`0c=^kgXTRdTj?p`er[6VHF>Wd,:MpjCbp\=r0M>QY-#^j_7\j#>Br^mR#(#F8b')oeC7_)8PFs<fCu7!Wiac`=
+%%P-rD)p#i#46uIchrZupY!(!^93'B2:up4n(?_a!gMGsV-#rLEBfBMK8/hcc%P9Od04*"m**c,:>WcV/UK0(F-Y1?(O_mri?bY>k
+%fs-JJ$t;8IY>Te(0sJLiYQ(0"-\;]7R+L+E&9Milr^bZsJ&4)gV(j2NGF1rQq=2&Iat7cH+,BSRmF,M'pB6'C-?041%1LIL[:XWt
+%,A$Si@bPGgO4qe^*pJ.EQZ@&g.c]ZSW?d1T%q^^9)0U;U-o2=AhsN;`2H2O,<YB"#4.5m]$tKG*Ju$4T)!DY\])EF`_p,Lj[u36R
+%TB_PTi)s(c8k$I0^LCnlX$ikoWQQ>*hf\9OV8:=A7\jeBrK^!Kb)K^#g5++!duCk&qslbjK+b>m@T!jJD!Y+#FeP(R>L-IG>l)>n
+%J-pIg`Ss3T@bI?3S0Rs)P!WP6AODgWi:Tpgc\8rch.Y9uB^euFEn')TiY2]\2;N,%$HQ!JrgY+Klij+TcQ9C]+_=HV1:LSs\@&_b
+%U),Fu<&([pH4PDL,(U(##]=?cCB>2^ke0+&DQ,%GbS';+K.;edHfY(3Z0f(UgZg$IhG+DC6$LFq2WFV4SnRe<&?f:qhAKZ@!YhNl
+%TLuslcLm%]B8E"ZMXXn:[Co[n1<[3Ar!*7*c<\</X*-VsbsHrteD`n^"&\Bh$cpKX&o$fnW&*K6;;C6FE<uDdP/ZanZmO-Q/a!$E
+%MoGXBN9H*)b90;-q#<WQ'`58T#^f-Bhu,1FG#\i]_OYnX$>Pbb+@&mJQ]8M_o^IG["JG1dm,[`A+$`$t."H9--1\8EnkfCZO+1j?
+%;/1YpEaq$/gGW^3lR5acVjZ'QpLoG5**,Z"/tdM`VgV.u+j1olY4,>Re./3J35P((#W$A%8j+-*1*X0-r,kpEjC-J;H^d1F6(B_:
+%8LC!eJR'P!o*n+D>(2q/@4Gd&Im*Y@8*aMLCJ:U4=LT^LH8"MC\'6SK!nnjWhR/IW]rg%K</n1QCHnnrRG<1FI7)s,Gt/<S%YoSe
+%cCU(/AnjgW'a#;.8qR!AC)]$k^pa&VLiVr"h?K1VX+>PF-s2]Q%F,&(X87!Yb3YM<6;CXhO;mE(ASclIC=i7.$DW8qG0N""H$?a/
+%p(>J*bn5X*KE+';jp:D`E/nnb(J*-H/9dTjFPdXK_Cn`2F]n(@ko:',@5r!a]HiDQ<]Q,Yd5H[`!Ld0$G]1U+C<i`/RIdDNkBoGu
+%!G;TA-(1dQaX<LV(h(InoLp<Mk&>\N26l.7:'39Sj%=GhN2s1#+m.uoC&N2Zm+]*g[_LG5BsL":K+-C%nE#Qm[A6"f,<FffZdcS!
+%aHVON74ZQ\s3*[UBu9bb3KrUY92XV9(<#;PkXA=HX'XtH?%I0BUK!.L[&0sHhAiVeD>T[!d8)/Ni<&LYr^?GGUkFb3"4S@Df3&SY
+%X/1ihr.XeUXj[!Yi3G^OcMMV,;bPD<Mk5a\rBPP]>SZ<-e1L\U;Zj4cYbkV0YU@Z:]_-`BO/di_SV+M'J`=SeQ(^_:H6S-K<5RFY
+%<@Rm>BF_%["L^0^FT]Uhmkiu"4Z?tT=AnXSe_6A&05MN.IEn7PGH`!^bY9XZkHOZ?1oK"`N*mFm"XEKm^k4gFpSd736pAn3f7^;>
+%]gCI"h1W!!M[i^&?dH4[:Mr\XXlUIsTPU9*]!LS,aIJ&jMtOVV4>ReLDVi6qB&%u`\KT/GM'.YB#0>..:1Ec6g6q3!(%rA$.#[7<
+%M3A?1[5)kd\M--C.DI(*".%_:cLO:T]ZeRd)@;;V9`.rS0[5Hoo]\Jcb#;al!d[+boKE_sm4Z9!X#e+>nKfa:^5!mO;F'>68lkD6
+%qj,sO+:ujtj;S/F]Uij3F+2*L1qablOhBnriq\?HC.Vud'UR8`q90uq7elra'e1Mb)[X(0O]cUV,P1de_L?1lQYdiiYSs@TKrf?"
+%N;"%[&?@c.N]!M%ODZpZM)4B!p?Jc*I2Ct)-H1+]O>RL+YV\$*p4a?3m)f!AA.7-,0gsF9G*!QY/HR>K$l@P8NAM`6S!f4Rd=hg<
+%9AX9?('AWVN9s,ik$&JP`lA;pIj?epq=Dai>V#%/_Lf<CJj!;#'CD(e*>UKBB4,#.JMZ5'MTO@5o0QC^@YWV(*$k#H'LM'tr>f-N
+%p/%b%aY72?I&%*&g(>J4':+kJ!t,J.T<KkKA\X6*6Z\D5f_>VjKp]lhnEK"#\`;^H^bLt<N:GK>Jbn`Y9?)r9f54.nP^(>C.$VeG
+%3041E7EZN-3CgN]#$J)H>AtB#bpig?AW_Se+hj@4AR*^)JfmjmD&GPCR0t5j3UK'p,:%)Bg'Cd]WU@I[$m;V'S2@VY]OrbXi>P=W
+%K-#usLGK-aarl.[q9XQQ3C=]g4Dq\8C+0Ue\"=as1dR2-Aac$Z0c(R!1@LV)nP0)g*_G17Yl9mqJ48H$P!Vo1MHT6i_%8lCIJ<-Q
+%kJ4aZ5pQe9^c-Q>Or]97O&@pf\M,tkKim[3KJf.(2't1IMVPt$btt6/"SECm)nfbR<?C9_?6Oicdh\>=h>5,:VB^N2r1On0INg14
+%_VJE1q4&mLCUb;lS0BR%;(Q,(+^KOdZ%T#F@E.8=-%Q)-5)L\uHJ65q"G,VS3-0;rr_;s.dLa-9c7'dg-PsFl(Yh^JTkD%E#:4-h
+%@/U!Hp#TEu%K!u7=\hPY8M>I':s<O9_9YW,O6"SK=C'F/MkI?/B?A5b$3RTB3sV8Q!<-9g:1]H#94Z\T<68?n_['j$6qrWk")XO,
+%'\.BMHUARIkc)Q'[p0=G/cAV"7aAl(8]PX).aAJdi*A?Y>kD"UpEYk2<gJ]0@R<?(*lYP%+b8$dcX^YjK>YuTQ)R8gP)<Uu-t'/6
+%m[GMfQjAM2ScLSiAf!7e<Pc0Nmh6@TR&Yk8\M#1UJc/2ua$!no!^s9(B2J!>MQ0XXP9_[gFX'XTDDF>G72<Nm,hDOa9Q:F@)eu'm
+%DB4"H[bP>/SP5U*Nk&V@=r3W=%2RI4oVR#:$8ZCI<CprEJ?8f;<2EtcWpKs]iPcQ2-!p'<>iVS/?ess.(c%BX201/IZ'F^#7WK]@
+%FD&Dh=+of\11HI*pNpMP<YB.\8>.[h%KSR&AD^ZjWE`r6rFup=+@G'+0H4TJGg.PuTcD7G`u6HR8js!IbXu3)'s#VD1YCb9+I@[$
+%ad*B^1+5a%]M/d?LG$S6XMQ>^>"'4Id#=Wi5j"H6?IRh[R"?3@\Rc=WH\G0R/OTR`$sO5l-qf0*:ff)RL37AOZ8Yk5N'9jc]f+RU
+%9K>3jb8$Aifj\DKApBVVlSPC\?r,p?W<-o-RUlj'GnL6%[9Wk]=c-(\`s".KHJtFIg>3^T?Qiq6]iE9ZKpVU-#nRu;]S_).S4A1K
+%9'C-J<Z`,Pf"J*m+n4-'-BfZ&m[@uGW3e&5rR:Y+%Eq7!kD]"7\WS:("?;J.V.q/j1'!`i]:m#NhCNGS4-E5Z@L0;?E^8@gq,eM2
+%7'`Q,+S>O(Of!"^DYq^W2VUug#0SR"ONc9O#[lTdQ(\Jk>+M[+)cFHJaQM+sXMC)_Xu&hkqUfJKb46ZlQ[&+6PENR/[0c4NG?;,=
+%hKpU"Y7h=Eb7KD#MbkH_#Eu3cNS@Hdj*7.,A"V=/q/3HFEpcCLZ6b[`0'q8B@>=0G(!,pgV,Nna.u7L`*pXqEl]oL==,q;o.Oq]5
+%^B'&AnHU+-Y+4]j]KOq*Q.Ssu*bd3lm(c3WT=Aht5"8"Q;Tc;++@#H?T\u?U$L[B94THoR6=JY43UmYKq*["S_]Ineo*P/'q1q0M
+%il(<-#[>8LDpV[H+Aulp?%e,[l4_6kH+(q"6>[;1I@omGB&HHc`UST"jkcCr7h3MX+%RGEofX\OT6n.i%JaK+TURP).1q4%!mBZ1
+%e#;Gip.BEmh=2:@_rrB7Fi7k\3P<.C]h]L\k7Ooc;KHH%!#ZN,_A:HfLKh@G%3J@RoOFts(<j!(S93;pf8Y',kFa)5p`[,DfZILd
+%QL#(>NA`Jke*V+8qNFN;3`u3t>^`jLg?sXPXed52bJ/U98bSgo,r:9rMd%[J.Zsi89[u9]Zf&Al*Z*n.CFp5,/d9lBr?d%OHS&V^
+%Mqej`VtV0g*Mp&0MD&c$[sI-Olg;f=Sf:]Dq_V^?SC8LBa1DSYbY&t>.0!sh50GiZ"/EK_44^IiX:,*X!8Te"42n+Ud9[[`A)TAG
+%,"2B&,>>9uK0U?Yl,,;$;M#@!"d*-l@655tI,/k90D9_sbSGF34=V.?/^aF,T<-1P23g-+/js81M0e`()Z><#k7-8[ODT_=[rIf9
+%hS6(l-X#*Nk7KQtNJF(eM%_]o>$%^R`0.Br5n/s)V<+RLMg/]qp-'K2!)I)<E)%:6[B!s6EfJk$$T5VKF4R"j@+Ha[9)'n<"E$Ei
+%KR^^F.p;G$T%O:O=_$lA+JLWTfrj714#23>baW6*I\tY*Ub$7sVVrr5$Of,Ufelu/D#Dlt).cS\/]&T?n8&'60b$tSrgG'&1:AbM
+%/Ha)Mm(djA76.Xukhj1_,\/&P$Q*+B;KpaVJH_"[^gL+j&cOsoQ<BI]Rp>bbX%*k<UY(XR)StIDKT6:+g+6ru0,q>l`NgU50Ub5D
+%b@e_U],o8akWZ.%<AA>?f3+g1X_^C6;`8T!%UL7)9oD0B9,-"JH28^=QutT:`lM;]"g]V`_"e:7AA3N/cM#_Aq@lu3!q1pHaIRF0
+%&qkJ*CO?8k]Gj-X7te(g[b-sa@BWN)1K]pg.nmM/M^)6Ri,-cO%1?NLkt)N7&m)!YneH#JS0h!po*hO4gJ&!'kE-_dDEBd19^>EH
+%b;S.cndX%0&Sf_ZpIS)F-aLc)>s+6HU$`&IC?k`%nX`1RlIssFRZXT&<KU(AZKud!KBITcO(?Y[5%0JEQcsa9#'9+4f,)>"&gc8>
+%P[t.$pjA$>QIF'hY$-'+lO:'i-[QEu&VK7.'e@eE\%iPYE,-@Cjc>XE)^s"r..q=>-hC\^3@I%Z+42aOpA<@_C2,>_8(k^=4qY90
+%TRu]#VfN_p6a]&>\iA5q!Vh&$n55[km&X1C"#=oH\=s3J_LcJbg_'JE:!%rlHg)Lk[/>=lp!tcCc.D-IMsEYpY91sZ#\D@Y;.C,7
+%,%t]H.dd]6q&&($>0NCS^s^Z>W*\8gi2^)e8$$)'ZWfEoX@C>e#VT+,;S'aHC'*s$Sf)+['sZBgMG%dM`u0oG[Q57X14oKR*\--J
+%CHXZ8p$dR5>[@Z=DYC#LWECVihb<00KEPGKeTB<k(]YPj6>Kf`?7C7*DTP0roph'm93@IO)osMV9n:+&&l_l=IfNaSB4=]M[YJ.e
+%QPH-)/XF$Uhod$P'S(;?(VJYi%q<*<1P:8^ZtQGoOql8/$l>18CCBjm.aN!@:DU_A:!YNMXATP0FSHKHplt5Y.UuG'[FKM7Z'kh;
+%-/VMDFDg[M=ct;_@MIDKjsi]*6P,O7%%]51#KdeUShCD*kZabb2S%Ym"CuK(`i*#&a]]Q6Ks4\F5un@P^"I0Mq5-i/Y=p:NRauR2
+%1.EZ"?.UU.BZmXTN&&fGf?(:`V3&G6%6j3#X_sf3nZRI:Vi9*gH_S=a^Oh[+`)kTb+&*J!_Jk=i'kTiVq+c_?GB9+jBm#qW&%cnH
+%^lCq:-o^'/*PjCj("86'!bF&PK(P$`GF4_%:Z>;6>TLJok&IVAKn2n.2G$s%C;)LDJPH%5;=ZlBmm.`CZkeYBbi%i[I_TI<[QNHM
+%pr>76@#[;Jn)4EMpNNa6oiX5R=1qC2]"\7jr0[?K,8dG-qWA<WY)9V:oUZpnJ1P>^ln8Z6aNa&j4+YGb`3t:r1DVJTPP?QLU!:EX
+%CtQII0q8/5j,SgN_PV[Ad:>3388XQa!_@Z*cqkSGVO-N69..@Sj=S1lFlMt*!qNL2iD*fmZs\[\jp59*QtukPc'0-?5.aP:jK>n_
+%FVsQ^qj,KhV2C%^EQKP1(5o9!,s6e?jDEh`dlVCi6npNA%%q(V$hW]C5<g#t),C3rq9=n0p*FWUQP#9_(i"F$(j9<Y0p3M_T_jB%
+%"a9Z`G)rge(`g]*Z/dr,Np)GJGA"o%!EXqt`&,C[?kB_?/LF##(.mr*:KVEk>V`=`Hs(ZR3seY;O/5pIcf"/C8!)kj#-OBhCB"tA
+%,h"EmZY/+(!9BA%YS:%Ej1a*>/$jE7j/+`2$,6TSU]?d>V/9fcfbq'6^^;uRDh;J$nBTOahh%F_`Z`-B'5lk/'3Npt-K)to'3`4D
+%*^)aP;/annd]h\7DF?Md9H2+Ndn<\)co-d-jQd"0n&tPc"q#Dm2)#7n_*_?49hEGW$0RhlK)=PE-Mp4_"u2iJqD;k>/"J]1bS5"o
+%^q+EqbYAM$Y\1^5J@=3r$tekI9Xh9pm_K%*GB4ha.o8a^KS6if>2\t>U&2&>*5rmDT]HjXX?9=)-]Z08e>7NApblqWNCN%4jS?pT
+%,AY`%7N$c'd%]Y`.<^3*9oC6)iXIN@?Q-QsR;$Z6[*Kf`SWLY;4BF[:'#GRN1"Oi"WQ37$PA0o!."W4Oa7)k/>T:1!!WE,gQuAu]
+%8nMnIn$LQNF`>+5ai3W`-R7S'<LiGM_!t:SBee&8al9P3CCEa<r6tIYF[*4&CT4f<4V_+o=7Af^N9deBM2Ehdk,m`c=8**q6Yutt
+%pg_Bl*gGQ7J30`NPNoUtWqcrq+1kF/adGG>"@Xe+9=C^SVe-q'rkao=?.$m4UnYj9N7U3K5bG_QK<=bP!INU"#id3tQ#nX+PZD?&
+%bAIO[$@Xf8gF'JNdr%9N,F6Nfc&&6q4@5)X/k"JiT\L@m#NV;EAHR4Vb[-m`kNg,Ak`b'n5364)4XV.%%rh5O9:r_WVol33H%@fS
+%P$*nT]nZiEO=fiYP2MBLn/+CH_"Erdhlk*]>P%J*-o,JGMk>VA^Ygb>7.W4s(p_WW2E=c\)n'VL0Fpt!5fYa-AY5&2IX7f!VPI_B
+%1X_LNe(::r13MtW;oebC'V(K4Es'`pa,p%TmXO9K3(XNi7f4SLHEPGe=m=c"(_knGZ7nl&-V:#5L0*'h2Gfh!\0<fV8#e=b%k;n$
+%3jLaIV/R1p6TO>TA0A:*JueO,?B%VhDe@mJ!JP2/-oa.;a,hPM9V^r=B?oW,H0YG+!NJ([PAtBK<8[MA+$_bQF6lQf%S)q7ju(i[
+%MI=4`9i>fN1te+SLB;o)f7P'12CGs.d"'0!B#\RoCN,GWr.;Q5h_r5J:1nlQ8LHobh[\MPerm)E^*d'=`\0Q%H&Jn%*E9M6SXT2V
+%k00T8k[0QY-MC[\%uk]EC\\/BTkMYbgbL`#c_!"^k![-"/7*8[^!YW\G:M%>N-d1G+qN6SCCAmtga-M+Na%6,L^@gn9frZ*m;e"e
+%rfL]rP&Y62S\\KmKd+j%5'JBOmG$F@dg;@,?[+MZJ&+4$8R<lgCqEmuIb64pW(Ur=_dR(g:/EOk\O@ec=ioiu4Lcck'HK:k0mc"B
+%rSd=iN<fE^3bGg)HbiI$qb?7(SO7"72K^Z6(1`q\k,)EZDS-5]3%^#@Y1N7VO"?jjk6[`#G;LBH1Zgut7.5,S^mT)X.pWVH^C/m5
+%GJ2"MhDu-*4hSg2#_3NV]TTRihH^AM0]T!$#/,h<5.=5P4r@R7I=Z\:"M+)gDVAdGYGJtf"t(M1(@g=LqAkLPV"l$J?].`!Rft`H
+%0CEuEMj1mj+FfH6(&LU.YT(K'?Mu*+BG-)Cc`-_@Tr8s=OEPS*[PoW-TtS:)LY\(q1-R".bW/,u'q7P]*o"_pE3-C991>=]T,*br
+%`S@%,*Op/@W-ZY+s!&Ze`@PQt>8d$K1_Xl"-B*`)oI/1F<4#qZ(=^7)aCP-FDBnO71/_5mL#kfn&*Bh^lnCCV-H8;CCdsO8[3-),
+%W1"pQC'sFLQSUNCeBfC/&4nD=:3/*oLObX(7eWlE[W8'hRa^[WTXn<[$#7R1MW2mlQ6c.(&MR'8I5Sb?hFn+6pCa\o2o4rH$`l"K
+%"=L2:%%HFlcU)-lb)Fsd=\Ao'#X-\oQ@!^7_$nOjGYpW:Q=RokU9lV.?<6qN<!4'>dlrF-$gr)QD%`7e)A\k6f,@-eLCie8Z@pgc
+%BAmhbS-p(SMf.WC4D?DnB0%sg3G^U]0`l-HO*<b#^g&uN22[T@@t3(T]g!,:>UXl:IL&Kf9BustWT./e(HBE)co!eC+bsi+;@f1!
+%!nKjAaHa-N($jS:qV6:K1"8u_!^QI0n.F14fLlcF=i#j,iEWuS^?okJ_hl;bqMDa-<&44=,QK[`fK5L!0'!]C_bgi`^.Ope(2JcJ
+%nN'LM6^^heD-1]6lT"bF(lUD,q_r=62\LYuNtFRkDr/9h#0R*Z$jlKh3Y3ulrk!9KFjFI=OoN?e;t&/Bi+BLA=(H@X$gu;5U<FaT
+%(-g^=eZ%joWr<k!'iFk"Vn]FgAu-$Y7>TUMhXHE;pgG$nCD7!%S3o_#>$a&TW@a3Z:IS":D,&1(W!/kllZLNf;<rBa$:d/=#$@s*
+%A<@SG2FJ_YVR_:pa%DHT:!$O*]_gWW:(j;f^gQXiL+=N8Sue7G+:\->UkE&GGY%r!`jabsZ&W)ILmu0&$9l.aiKSFMCZ\ugAo9`$
+%Zs=BEW<7$"RLatsgBb6upJ;++J3@ApW:.'%bE;3Gl0YX?30Jq8E<f,e=a3dMJ%=gh$&sQ,M#9>9&gAh"@'\K3)]%h%YbVXM?rD7u
+%UL96^oR%DJ5Mm`YAXLG&SoW#KfeO$tGQF=30PPqE``+^qNPEM?B\6&g=*m-'5DR3_b1##76'PE/L1Y0`8F#=[%C>P8hc65u3Y5B'
+%]2B3@gfqr^1)M=^VAOXOFuk`X`'E+b!G?RRpH!!9;L@%dn:r&=WT)QaH#':&5+,V%p^CgW#A&JVkb1h+3?9I/BI1KKp:qR?BV7#h
+%9_&hmRNbNA7NAdG%mUgRWFNeP;s@u7aJ'E$KViDP]CR\KQ">^i[Jg):/Ko#P_G15qILd+poR_'E8OAe>2O>LE\P(##7_^s`2c"Ka
+%YF)Zn->.J8<YCkZ[2=/h:6fNg6]j5hR:`oa<FWp%mfSs/,7F2Ge^0iFnC@VfXehE&P,W!oo*?QO80oPr(JD%tbo(q</Y`dVHU%U*
+%Pf0[P5i;3>.O1`@8cfE"WtsH[F4IA2G;QY5M,t*I)5,!$CoH"**e<+`MA@Bgo;G8PCMF#CelOQ>cD!8-K@&g[)EeHd=]s6+3Vek$
+%jTTrG)[2mDl@^Y,nM%1M-r!g07^Z-844=Nm[)_*`Ub/R_+d^+bS`q]K!]_phabMGqgTh0rFK:PN9h6',!jqcJlTsYU,Y:I*%34?Y
+%IeGCE?j8P9p^I6c./-J\i'c$OPCW6-<7"prHioCfYb(goEjSWApF#H1__ihARQ0f"';b<Nc+.eI>>N(o;_1b#^c@0NE2f!l_"QV:
+%1;qf&0\9eh2mi%o#h-0@Nni9M[u?q-mO<bD':ZUeSubi2m@B]r99,G_q"g>,i6D8m;GBI>H7q0i(O27Y+S;:VO(/@6:8hL.Pp>!Y
+%:^gb;<=f:Gf&I5b.NuS8C`b&eF^*t&TGo6Q%0=M_XoH``(UMuH62'5Z?lX*%fr]mRMREZ_r>8rgfDQI)?GYqZoN-8hfl\4j9>Qg.
+%Yl2h.!cR#(%<&XIi@WY&q"%(nYtH0(`7^1>^JRGK7lBe+(P(qs#Q]:JGWUjN=LZmP3u2NlJd2V/4"Lmm&F$_';=Y&Ur8I$cpS<i_
+%W>eHj,fh$+>OU2dO(ced4%:6q`_3C)N3rl/Aq8?YO@mOZ]@!lP.c_bWiLZGPm4;eQ9c+-fF2m&K!i@)mEZu/*m?@k<4L6<emF7ai
+%pu*!W(N-/75gcT^%BOm>%:$7%PmB?hQ#sm+8B\_agIr)KPYf#`UN6MLL&60_^ld/F03/`FOH^>AJ=^TMI#K`d[<8GT<Y*J0Jjg2n
+%dL"V^(,^XXPTK0'H!aGu@)3_6_u2J'=qL6_E!+ARlNGp%3sEprL(;(JWD\d,k2"c9ICXu70L?]!8uhra&-0/=hR5\3>+kLqNKBAW
+%TYN]_9F&W_@n<qU6GS3D1-=f-)]6OLZL%q/+-A_]:"toD=Jh^BmfG]H!-^L.UW@EP^;OonZP`rcZA.m]\7GiYNp[`K`R]i,1QWo8
+%!P\S?g(js/[LQ()UYJmioo*\69"'3Q70'[M';U0J,,F#N2RT:iqMjG/(h#AY#.UN#0-E6i#dO\gQcN\)!l.><+N^+>;DE+@3@Hl&
+%LoYX''c>?#W5>,p#g??.$D)6Mh_U'ki7D$2'.Z0_32((#EWITH8t(,_N\upoO_.#gC+lnijAj1#1Ec"OP$#&AoOKe_p#'=a^/pM%
+%4n*5%"d&NXc6?7p')@:XLc5KI4^%MJ>)%PXg&(7!>`uP:I#jTV`/5UKL;k(L8qbn1mVVD<=>a^dUc3LZ!g&6,O'S*G/XX.sb:Af)
+%f@/Qs2]^??O$W1O*:2&gnRBM1+6pI<7Z&ljqcAM8#^VSiW+"`q+NI,o\88NAR.1h01.To#2WJEQES[Kg`>.ar)=h:gfnHm0HY85W
+%]g_A)++mhYl&0mcCWhZ7Oh4)Uei2[<8A:oBr$QHD9F+6"!EO2PVr\fD%+9;nc`DXiR,IaO"Z)$6Ub388'&X@n-F:`gb[J4Ahi7+2
+%MUV^(#6h;6)F5Fq^j9,gfn2';9A=c[]E5q[``FQjg/;Yf#H8Ck%*]&1./27W09J<0_AoiE]itQ@$m"[9empV+1G#C0p^"I\k@915
+%>%K=HM#Y3P9Ei2_oYJa;=j%jc>?25rhL5U*#c2f17ed*\OZ]^r;;sAtp7Pf(<o$@9E_idM<7l>?'N[D';24\V5^IF.'#&oiB&)2M
+%acik76Fn!0>-9BMM7S3fbbPr'#ZAMa-isaWN'!L@iPX'OF#(l8!;`I"$l%RVGAg@_X<&p\1t^`ID<8Hc0mLDAU9lLKU__U/J2f$,
+%h4,AZD0*G]gC?m(lBCU?M:d%UX'L%/pi5`cgutXE/%<rUOWC+$\.0$BjJ/^@"g:5B?j'Mmk@;JYZMk;"Ko@;E,YutVP0?qu)PIEc
+%nblnUBtkak@EKJh0+dPkgWO3K;jb.X>[=kj3Z'<b[\%Vb0R\TW?60XNKGkO?"5f,I*d/X[QM^KCaq[M]^9lQ$4YR>-DmkC%1I1K,
+%cFAqZ=hA7'o"NVO&X-Z-f>>Dl8iD!bnJ$-m5`4\5>86O:e4bn8PAF*VfJO>P<"'20qd>aXE=9Ao#9A0T/'El%FHF-s=I3l89UHU%
+%kKf:hCm-"^#Hsu>7p2(piPYLqqQJ"%-V2G<@a(ps,&i(*?Ee[/nE?@,o;1^qaM=?Qh_9LslOFb*!!^`tGn6Q?FY]c]7u&`5gA1h$
+%WNqOGN&BKYljd<9m\\QY3L@?p`sUZ/i&0k-%QP$=T5.)Y8ff<7J6_P=r;8\.V60N>=^q!%'d)B"cU5JZ@#5&bSoK5gE#tq^hU?ba
+%4cCLe;Js=,TJ-q1&uB=+UI<Sp0[uO$635Ln'4j`WQAUrN$fKo0Dc[-eh9/EVM:/t8.ahG=L[C3_h7l<`#P<op&NfJFHq4iG++4Y9
+%p"t2G;oC(#?;hSXrgVjf3ks\Fo1,F05Y(0XDVo?"bl64XJgXI.oNI%94\eaWd5ZZ05IS8B.Ga.e^ut1j>$HGW!KA[T^#&r@S6*ic
+%!dEJW#7(9XZmB$;oD2X">c8+^rRT.SNhTT^]9ZqDKtQ,DDqCIHXD&V-pg!N<Gh<?A(9r-5fQpA7BDOo0Ct7h!^l+o`$84^!Ue>D%
+%A&&cUIM4scd:+Yt'L3n,N7Jn:p2LYeU6V@JJL+=@>WL_V4rZd+g'!(#meI^YI9MBa>04-NPH.paA@Te1-_L`An0%Ir%]si]4tXSM
+%r);?9m`-A2s/EJT=9CSHe2#b3d^7`^EXW[m_5NC2#2DT^`YTB%E;Kdi\dY4-N7.9<R'3,LkL'!aTi5Y'a07a3CWd%>f5;LF,%tq6
+%!m3L[H>s&m8/LdeCQ)2poq4S76%Q-C+56!FVUScUBZUbsa1+/dAD,+P'mKkPaR_.'+Qh:PfYH.R'E!:m5`\b,\E]lP4oL>NDI&Z0
+%T9O.^-YpN^UX%eLi>?N$C'*D)r_]\2q4iK2b/q_2jA=?%UWu2o*`pj;k_!!o7ZiQHP?i*"\9I6P3)@An47'[fBPtEX(UI9R>gV.+
+%H:EZ2Lr8j4YTC4:Q;AUFLZK?L$'ZLla0@B;a)V\R.&V'5"h)WVQk$uA&+\Cr?LU!O_8tZco/p-jbq>U#RA'VWeQ[sQ-!*-(6"Pn1
+%YQ:oI"LkjqT2WOKSU_:m)*Kqb_J`c0P@2.n$uJ!YXP0_MXa^!K^M*^iVI&RY"?>Tg]e*m@$oV"#3%(PTChMl'YPiR?ai(FL@\&]-
+%Y62=.\!G[@J&"TFTkHnMWCV<,>ch&lAq/]r$',04+9r&-F'(c2/\s<eG`8<9=,[1lNR9-N8n+(rH3i_R)A)=7.iLgi5D!7^q1F3\
+%Yq8=HjA?iF,7giB+;',HX:_P,,'gMP@$8hai0H7b1bPf8!f<USX<M>B[1TWTi=Q*kS-K3BpTB-T+7AT+d[ar+WAu1)C1,=8WAL-:
+%PhSr$G-%7+Hk^EX`uP!28]DV'?*7S'mX*+lN.urd0OH@dWUg+,7rVl\7>LJC^B$VK5Fu0&1Z-7=,C#M7l8NS-gHKBRNg&lVSR2?)
+%!cf?h=/bp@Y?O)\FK<28L^N<qf<fH=HZ0]SV$\nlmd^"ZG9)L0#.G9BI6Y`n!Cjpi27Bf$n2+l55Qf%\jf5FRXd200^>B'0UY01>
+%b2iYcLG'I"ZrJfVVKU[+J\iU]TZdICF:RI'^W430D$`,""h#J:J1\k.Du6-hH?90@O9NkTdKN1r-K(?&lop$/+3g,HIkH.:'<)4p
+%\7lJXF&B`cAM$0U[8bk&PD9>*f7a9S&Eet*TmGGpZWdUm;;[Ee\$jfDK>(2IhZRoqD%@<,;m(lhjB_150EM_/qu!@q^b=9Q6@nMS
+%grHi4^%FsRG[9$Zjtd9W!]2""Kk158s*`,kqX91mT(u_ljCL##4,a^lSo#!$anb0]66;_87hJ97%u/&J\F;t:<g6K?E*dJ0_dugf
+%&"&>M84tpG(<2epo\)hnY-@$3=arq%C'Q_=lN.Jmi/-N*"1TO>e_upL\-L4X(1N^h]/4:A30@8sBalWsFp@oW`Oa+WNFi'?%MdQ7
+%e*=d9GXd9e]Rn#D(5e`7Y=S^Q7fuPa#9"Rn(57k#6[M+0R5DM[7N(tDIQd;s6o301@Z-co2-B_7<0`3=CkiH(]<uit%6E(2]W2WJ
+%9]F`:Ti'9<rfo=P.-0Hq!/+j/UnS"%7m8^8Fe]0\Z3PteXC@da")N5??1ia..i?`gUX`a+aqdF;KcD=MnX)(N]R^f.DO'iH17qlM
+%KZHE'Z(5hL&4mW"E:Lro:N?M>+r*KFc6U_AaLc103)2"HKSbX/ndG`CXSclUe/c2+'6t_UgC!)-3?ePm^qt#/B#^LalR&ek$CZ5S
+%n.pAek-\]jkWi\5fa..DD+uZ]hh#U`ICM(9qW^\A+h18g(n"_)PkCK8^cWiT6!9?/]*mm@4(DM"]'br91FX_7q@pTUF&;&kjl+$u
+%pgX0e&hHW"$k*BLJp08#/1`[lOq5(e!$3DM"@]JGl[nT7VJ0ds-,\]:6=$?qYZ"`n45K9;fIOF-'.@5m5O=]iK-f=oUtXTO9Yi/9
+%Pg7&.El$RIBf-h5OFV[&_i)R7JkLQn4DBM%5oSD""eX7a$NBcBj(#+%_^cP9(T.9NnUUq^2ZV.VOumqZfi-7u(^F[".Km6n4K!Kf
+%#LF;Pfi-C'Z<\:NE@es`Gj)\FF8S9:AAm]A4^7b]`2o&,.mc/`,YN%<->)co,^!=SK[kZLXs=BZ1(o<-8]hCl@FT+2TV$</O(<s6
+%9)ptiek"P)JER0J/>k(Up_]<F;,T>g)ppK/l=Q('M"s"hVK5-Z9l)a\/(\3al^b+SB-<(?>I8.@Sf=&%TB9L?/_A(W5YYi8$\`&J
+%R$&&G=1B(iEc0!"C./@nOT,mqYLE7]WZmIR9gJBElHr`':s;_qD7Y=?_Yh+[pgOY-i9$6,E5Xu]7+t5O@)S=S#/k!&G,gWQ@l]/O
+%`lPQb=lNRo41)RgbK5jb.iFSm,&:R@5\77^co)'3,(_h[&VdeA(#9VtaXH(4R?oF<NigGK\?.<sn,VT/^qai5"#,t0<Qk)BP7?p%
+%Z4n(>(,Y(T6bk0^B&jd":oY8K:tpZRS9,_T->Tg$#J_"rG)=kAU6%^[,K`.uYEVP(po:Am@/#W(0#PIaAmm"[M)o*pg;M;blKd%A
+%!G9`&6Rf8a8eRgias>:<>MU^cUXUKb\lm;/@FP[qR<S&;i/Wd[fYOP>$?6cqN`@qsMfsq:#(;1,Q'f^Gj?e,H[\ji@fINq8%0ZX;
+%7;[DAEsJZZG\gjQ<*++4fYi`S8hP5Jg&d<gWO9IF%cc.($qu''/Ja"l#:_^a,U>$B/7bPQ(Q>=67<XWUkutPTd#7BVq$(^t9mD&Q
+%ZQ!=f7kkp_-oeR$CFpD=Yd']`#MFa]5>Sa>`.[5pfr_9(.,?ZLMY2A_!T5%'(uI^-VJ3HX#*Y7Y#nRY6QNY&Fs3UHAq"CYk#91<%
+%*d9ZI2mM`k5l@5&!#=UK`QCLfUE\Jd^jXMG@Ga.c,R;e\[;.@WC;$h0%;I5b-"f!fK!hVL5-3(e_g\J5@Y(P#?"g%0D/q-u=&6SS
+%ILdZBi\K5m,tGAIH)VY]Y&U*s]VhMtXHsIaa^8\#dq_")r6cB0TVcel2?L=5"-[6WcLO*kphSt(30kT2>)s*Wk60;$0,2W.I19Lk
+%U[0XAEN4:$ln#bq<BV_Y#I"qE+^3'XM&Kn?@XVRJq(mdX_$#:p`4f3TZPj/%1`\TXXqS4C[l%<j5V<nelgn?--41YqfNSPd4!,p7
+%:M!S2>c&rB;+.L<-k'\maH7R\#)$iaps-Z:4EUqI>V]A3kiu=K3*tQU@5,P!i[S>K&5)[7P7Z`t(U:L$oq]_`b@StnXI"o,K.'ng
+%+tMM)E>u8ElPWdB24:[lQ;9=K#8[]E6GUUeBE==$'3XgHC`0*IT4.YcP"!lDP\F8N,W_s+fk3X5eWe&69Li[RjT.i@,b1Tk!1#dr
+%;[!GlSL);Y`1le+q5(C)9)o63oO/3I![l&D5a>WeWs%U3gr\SbHe]odpI"j;4q2G@'N".3(0J>W%_.%Z0q_\09]Q=.rZ.Ea1:q:P
+%BFS`[9JZ!rL`i_+=LV]SYoKD/g1r\jfDa>:]=HG](/PBiq_dh3Q4_9*hIhT?0+eEi0Ir8I1I@Z;;/";XPqUo]:.]``f"A\:3rheP
+%"m6_/=WkECBZe+#++\9e!`-OhI)QIu6_2i3I;onca`_'HY;CFHA=C-nZ56MY!lM4dg'0=<ZZm#SYY'7ilRL!_^A]*@4ec$`,ZBoW
+%`>'WAD$>9>llH0D\Iq($G(U7gKXE/;a=&/d+U.tk`(91$h?,->)jg,d-M"UZpNj$s$Y1]Y60ID4:cbQ!ZU-b9N"j_Deh@lp1rF_R
+%fB`dCT'hET+$oHM!;qT!Qn10(F-Wk/.$f!W0NWit&GCe)37<s'VC@rG^0V15c.7lKXS3K`49c;^5Ol$c"3@69e)$fDZVh60!EKG5
+%>DIb1]b^"lUj61dfkk-e"Q^btW9NLXd<&p5cik[($h)bd,X9B*QF$m/S0I?f#D>2],J7qs1ae/\$H\a^=L@-ON7l`nb`Rj%8SM8(
+%@^6nL5V9VF3pHi284'iF<8<X1;cjJ$>YZ'PgV:eA%Yrc\C488p^E6ri<;cC\W@7;^,FJ1HnjA:b;CtYl@>_&=9n:lk8iHd?'TJa!
+%=pp'RFPSimEXP0J493-OA(?rBJt#A3Ys%\JCZdT;G8cFCI+Cb&._C0T%t.3!YI_MJ_+ZF&0TO9U@GOg8Q0`su^39F>\OIbC2a97B
+%XLr<.l=_'@k?c^DSpu8\0Qgn0O6I@"7EUl:i1?T)a@ge[Z5$-RU0^.$H5+0`a#LLOJ-.#WEXcJ>f6<OL1<#slgiFA8]N8E^E)WG7
+%5gsA^B0?Z)SIVChHfM^Q!MT\WoiJuX\=aoR=64e0/D!eQW#2IN[7^P[#.#@s"/e!T;J'<N_M8W+QPrrkkUZg^JP$YmHe?2o*mhZZ
+%CWDTS\4^lh2_r_5$?DK_D53YD$ModS\e/U38LWaS^Zc`al8?Zjf:]V6DHJTmcu^rP3X,KOU&^6Nn>(hnN[PYiZ<2HNc9.?N8nLP-
+%B9E0Dgl0t<3#&97n0hr9JR[UK,:m:bEk%,<4-c#TPj7;O;fMu),[b;+o7==mj)f5Ln-Z?4cXe0VB1BHO#k$+sN-.s+-MCin4<p$o
+%qGuj3K%DoATNr\dlV4uHGMoq"@Jb_/8KT+HpXt2edhcmjeIRjb;Y<,FbuBr5E7Z!I8F9"Q=GZt$UlC"S4Oo'po@1MBP-?8R_bnpq
+%"e*iAa8m:R4$*]`WcHVX[dqSAIcj>\3!N4V7]hfG%#cZl1C;k8@0g!-n<aYJ^dY43Q4LeFA*=_cJce,V0a\aTGs.kaT!nP&"bUNs
+%5KqlBO7JSN:_-2"oi_f`#baNaK3!(48DDiC17BZV="3&/.8k"')>2H*+sVb]cA)B6[^_"SeDb!#F$`&##Y>K,-!mY*@VL#VaX%+d
+%Jk9aV!k\ca7u%V@N9Xf2_2<7Q_\d2LDM,hbJmgd=IE-NH^t4p'E'D#/TO<l,lbd$jbILqH\#uZBbV:6&es/6J2?r=OSj);saN.g\
+%@h/p$0>rL@nB%l<`8Q(%!b?HY7[[A]#VK=^><$Yo/-k.ToHW]7nu1.Ac<l>MgX:'g>Y-KQ_HgO"d&C)+%:e^PrL3A^0kGtSEZtOd
+%Xc>*f)gLpYbT5gLhSo)QRu&`>,pT_"a3@P;$eB`m+EsT4ms>rVR%nUHa@DZ!;RSB)CbAo/gs4Pq"Lh$_#2&2'L!FsHbP![+Pu3Ij
+%OuujE`4c:?8aS8La-o_Sq#V'S\H=UgcI+HFL<3RT"\Y@[?;?kFkr#ro6*#9)O=TQ$$:!Qg4[MH@pro/bU%\Rc>uLf:7$jb[eq-)h
+%SbX,tiYKGD#Ee23q-*neBF&SBN-T[!&bhd9*E`EWrdCD)SEd.*"<_NZhuKMR`W/J*^O0)in7lWb#S`f\FTf10Wh=lui^u07edXef
+%GYS)2-GZYEh"WcU_.I)>$hOk!p#M-l/W(\6&SK-&*3AO$YRP!pLSJTB%tE$u(2TmgP/gnX6Cq;LC:S>),!YT%]<fV)DGsetS>b!j
+%TK]tr%[)mW<P]^UMFCLf<F`E>8:We(gG2G)%+Z*`k]KfA56:nclXA0r6E>idFG@?F@1j^,Y1eJsR/*D\&hlD>_buRfqZD(\pF[S8
+%E6T?Vh?[A7Jbt,bI3-KjNH;tHO."g@k](!]*)W3Y6eE4G0Q3a6^7l6/KVc")]YiKXaEIQO\W$hWAHok*UKbNPr;(O@"h[@M5`^%P
+%FpK4OM+,"J!?,<)o?]&!i9#gJp<6nKafB8?BCao4cQIEPmsfsGDm[=6?lF:HLSU^+W^k$1"/k`Q37qd=E##5CN9Ge'M!jH1Q'ffL
+%Bub-[Ya`mUe`iMiO>)</k8P_9#4M]G0gH)uNg3l%$b3\u5j?-@fVe%@lHF:?T(tFlB0T6/UM2rRh?/%+/AuH4!'dAtArEpR`ft18
+%.0-sq"mg#p#]!C.K[_6,0,+P@e7HJ\kN?dW@)&'k$,s]dF>((.ci'sN^:YnF]r`O7-K;EUs)U[%l8$9Md^N/uH(3r%i";cnd(mQA
+%`OuZ#LV74MkL&sf`N)./UM@*%&oeCrN+KY-o/6kV;4Z#HI2T6<iK%h7YX:@KXU!B\C1=L:jtr.Ba<FQ7MfCco[*=QP.<A`4aR995
+%3L)D.f\KS12qn\9mrbej_chRC8cdCe,ATIVC@5W%T8KfO7YmaR_[EH7)Ou'`#u4W#8/Aq=hRTDN1[Ke_I2q%*UTCi'pc,6o8"OT/
+%H09oekbj`=YW[L5g8qLJaif"&,;u+)?p'9PlGl2ImDtLS.Q0$R\kZ>",K;+ofe0tpZ2hn4@K';J?p8P-5VZjk=kr]F_(ZJ>-<49E
+%g^@tc>-:M%IeON6Z[a,_[u'2QYU9MV=?,XY^V`@l5^j3Np;rfGp"h%_2OM6oVf)4J`R@1fa,J`-#0pGYVLVgeniIYV/[@X#cK-fr
+%eIf[,@h8K&bnFKYObG]V3c]]OPBg=i"N(0=Z3Q!^O3r'=<3b.ok6h)j;H?d&Us+n_^nRi+R?VGb(B^7?/DoN]01/`VlWlc,q$%1l
+%SZ*)!Yt<JHX^H&357@8]0\Y7A("D#PYIiWZA!kj>A9b)=!,H(^hs6<F:eB,J[^mF/7WL]88&RjV3D?3RrCbmcLeCD6l-%,,:k=YO
+%+MQF1%1i()@ta*+DBPJl%<T'8"lQa%mto8_E`"K/NF1N?dU3Y`+9O\D=FhJN>*6R7/8Lp,0L^KN&E^Nl\#L4.:tL&R5>[FOS-E#!
+%7d]cJgSUl73V;FSObeUDIVeimXFL:2hs,:)JQX'q2FDUpa^urr?(59AbN-mi&=0IpCHt."rrX+!C1Ri9bg;a./bVFd'7_Oi@/RpT
+%n-8a#O)+B>N_9msQs#[#]SN5%Z#@.u#]j+W9T2Fm>.P[MU$Qb+.#sJrD,Ab9",;?"kG&Q(77<s6hE^L>$20(SOc"FSA6<CB/uS)C
+%>E0i`TV<gp],[(bbKF@UL_.+"oM`R5iQTQRH'2rue'Lo/R#JA-i`jGP/LfV#j>!1,Qo(-U)#q'%qWCo-.]<-\DGoC?U!.9`:I`W8
+%A3I!P`a+W,fWh_:jVB;MHhqTuSZf6/'K&C?=%3_O6KeIZ?5^RMAddAgOscMG`jm%sLkOLB,dLA'B!>k6E@n,`bXnogFnL^Od#G)[
+%55X^J;+D9kFQ5iC=:q@+e>97#`qU@B%RuB'<-amC$=qrVNo<-t7=WL^[n(Me*T]eiTQC@6LpHdK35FF#8%n/ke(p09d&+HDn:r#l
+%7f<9EQZ4.R9g&J@TC9ra5gt?a2*@9l^u,4qkBn%:=6]r=JmVPqFgY7u-9oQkPS2W/U1V#;bKVOd_FcC1iQ.Rc$@CZ#=t+CEN7WS]
+%q"!gtYcn<jBli>;+qujui,U&FJcqnZ,R(FYO:P0CKY/h=1--aBJL,_3IsmQnTRNIM.D9;)YET?";M`KnmD\<m,E1"aR8ai+UGLA+
+%[^>6n(THRLK*Q#6N-ri>L#X[T"/H1d[ur#6nlrL1Sdm!sVLpg$O%no1*fl9/P\cs!h.Qj,n!fBt(iX/a#7S>2bbP_\,+"'V@M/!r
+%s+%>ef-'L"Lc\1<"=FtRWB;qmXk)R=$t(8mO&pS("$3IQXH:"IME<&sRE>/M[-7!pM],^2XVj,pVP$nGT7cJ2nj8^Q(U&@"Hp6mi
+%UFDV)(F(mEnQ3M:`1L2Uj=2CPJOm[]j7YnBb_TNQ\2DOI-Sl*;DV#9Of&B8Gh5MMU_m<dSN7S7#O:s3>\%F6q'R[,;Sq9L(P`XBY
+%"rY3[.?P8.W[""$0tdhG<WjPJ<dV%T*H\[t!?&#?YHS1E6Pltjs.R1/Qk17/2[&ea]#qE7X&B)W$$%JLgWJH4@/t))2I)Z))^&lW
+%&EJCe,<+5;Mpj]%Pj'dm1'*B.CFXC$Gk;E9VP:*%,&_nTOQSZf9Yc%A`<lc0c8eerE2%87l&IiJ;tJCR.i8sI^LR8Ha7QS8I^JlT
+%js0m4QjZV\VU=_sRDV_rh'0SN7l%tn4D8n&OV9lp8C$#3"`Yj-LI]BS=a:,<UQSZk'SjR^UG,PF3ndmKj^lkU93kj9T&fC'7>KIP
+%LiICY.QgSphSH75#%o4P/QloB<8biKF7:H"@_WqHVe78kg>.'F;s"?YqKGqiR:@qCpjLZ'oX6<gp?M"Y6@df(H?pg3nf)QDP1%<6
+%=!ja[2Tu2k+NUbiEs@dCs!/$(L:^o'=!fSk2e**jHQ=U>jSFogcXWZ!9M!/UCuCb#2Y>r)nUDV[otPJf:X]C<_m:3[`&Z/Nc7Nbs
+%bX&N(6t=c4ie#U+CP+Xc3.$*;@O$]%&NRK<XIUnp7f&u.4%X:.%28gHf"RWY%D(k:(e#+Rk`3CCAUK:$O;V5`;ZGq-jgMVVkr%t_
+%kBAUYpO<`NHDJ3j7fG)nc_"RR5Qq"Di3CIU8(^>t/OM6*r6Jl+V75en"05XKVTHa0f;6t=5'`V=.lP%$<FmXO%ht8[9b&srbCE8,
+%YG1=IVeW3`EWTUB1$)Q_GiRaf04e5gA<*'m(<g<(qOM/GPqL]T&Pul@2>f\GFfGE4pt1A,[gCW4@HiiV]B0"GG,:Zi%7iQECfRp'
+%rDPHF>!5=\B;lJm!d:o)_`K9XCKV`pd6JJW`**'K>=o$t-3%5#:,O"2=4bu4E1CTZ?h,7qqrJ41%aYR<f^nZ[fpVP+!8p_i8'j-k
+%-]C(Es"on;'E//\fG,1?0>0rl5YoMeY!.J:pIf95gOABupcs]b`uo3L#-W5S'.C9:8PAe>mKe+YX>qrdbD^nL2<14T2Ol+4Vk:Tp
+%$9'.+;BGT.qUZ!*?rSekaU;?,EO`m,6?m<>VR"e$_8/$F9O%*N(hCnq)NS@IPI8Wp&/_%h\dtZ@,L9gVSMX-Kj^=Z,qph$:rJNY8
+%K=1hOg[;UBK0LFUEI^RKg92)&lDP2VZ;)Il5^!RofWd5)%/5g0Wo]jS$W'>&'AQ]ak.s^LFACRQ?<G"ue,qCp\S7PuDR*Se+MTPE
+%n"BtXe"ik;l/,@$=#Lrc0b*j1+'O8gYfser#'7&VA8&&QA?j=F8-A=-T2T_Q4S.\Xqdp'XHEo7q<FDg<57*aV.O07#Ms?N`WJ&=P
+%h/=0:.`e-ONtHPprf9@aBGXo'/pSc-YHVVPO/QtP$DmbKbET#q(5'UF=JD/amUP!:NboGk7ob^uQ++(qQ^SgkqGe1ln$"_JdH;J-
+%G5V7@mTGUMcD27=URG&7DDs9*('KCQgY3LRJh*XJ8TlEo>ZY0jTn5;<q^^`odFZXT_+,&(b>hJ80@X,#l1^Pu"PEfh4PH+ki'2fr
+%Y>[(odB?o<elX9CB8fd$^K'r,5!]Wn^8cXKC"d?7?uDQ;V9G_F<%N@$4`]-q%0,,C8+=$O3?0LW5mi-WeD#ETfe%`,oADaj2VsM[
+%G"<'4+&Bg9JG1?WS9].^URJ+9-6Xi/YiN`%%0YTrDi-u<cW=<Y^ps\G1;WMQ"JoWNK<9aLCCnm6g^N7dCY^q2McRkkk*P20mJF,(
+%97s0K[L9$Ff@gug;@@S=bAl5XA@h[NjJj4''J'bF0Y:>C\\1<^a56M7#cm#7!%1le>@;VI6$\0sr9N\J!5]p6$=IdFBp<JCbl`Fa
+%2XP:+aAgFeY_1_YRXj+>8k51WWK_3Z!A,(GUsQCl5^Dhq%&e7E!X[DL>6f%<YGTd'*BC<7`lC.M?IRAo(;otWN6AQq(tFfH6bA;A
+%g"\55r-cEE]T*ep#4hQi8*.6u8HPd"]7\tBEBf_s2:?Vi.W$I9C:HO$(@cO]%A+'E&,e/K+Xq7.GbJqll6%GX^V@.X9s8H<ZKX6X
+%s-f7`eGacQXiZYI1V83C"*uIM4gOe_Ms.B)Y+9PVk^g99Na/jB"2_/FHJ@&;Ej8]V%_'dZ'.B`3&n&%VhtlZ=BqYqq9gBa5g/c&V
+%JV*l-hu>>2>.6Js0UZkkg"S%*PhN"`6!BXZ0aEE=QpY#)RY?QMG_ARq*5nTZ>1@2LC(LQW*n6Y[*^T8GJ,3U0gO9;$`BY+3r?d']
+%JIP9tQ\$:T`\3&k7GI)D>OV2!cmFRp32d4$ql;4JC*tODUeHh3K)9<(K2nh?Jg(38.N^N-4EThaq7M?ig!ZVg`.]"nnoG.i1qI_S
+%RW*drjX?L=3=+&6s.QPe?'aUMkDg:I]97afhol=FE$k7d\B=OHY<eD4ibcc+b+_q`qRW"_B@]ai1Q58sXQW?KTFQude]2t4_ohMG
+%pO$1*\P^!ke%^X>]e+^@BH%*Y*+?W)DWkiqY-"^T[4?OUQuQ2b_D2"+UC'@qG*"`>DV;-Uh""Jli!cXb6),d^=/-1Jbo#e<K0N,G
+%Q\,%L$bS;p[H=Ora<dib0%Up&(-PnRa<Q%%\ncF?cG?,NC[h_K)C!a7!QdTiP;HK'WE9A\VdN@l'Vs5(5Np(P.^i$8Vt.)i:\ms2
+%>7:<VVj"&t'f.3uWIReP7ffT'<kt0fO2XKn75KCaoTH&a(OKtsq-P2:F(]cW\kl@bNa+d%cQ2r0cY\kH[t=qk+rCj6i$#Z1=B8-!
+%>DOl)=9Wu"$3sqX[d_lJ$S]Ga`#)=(_&YrA'9*urMt0#?q[a>,K\cgd+eK<r==Lda2NXMg#5Wc>qb=k][]Kc<f(E39XDZIg[j%(h
+%gFLe#e4j+9ep+om`XuW1FFAO(!!:HI)TS@b&Xk&t1(g1F[A&&U\f&SOrs@b]!(IJSOA:bC(A<Mm(hF[<`^Y)l1_b-!L7.YmDmX%C
+%B=]oF_XTFJ<c?0_\Z`h->YW2.,;%k"@Rn7:WIsboJ8/3sV<"CMO&V6Ol3FCFKjBg.NNgUTWcVh%,iTbm!ftR.CiC/QWehl4^;.0d
+%C1>8IX,56"%PsRU\3[LP`<fo6T_D`Eo9FC/%$U6gZK,a1[TBE2+:kNVcp38JZ7ZXmZ/FEH'Qc.rhiG$P1qCbAC`ksQRSb#o)leM(
+%;?-SQ1eFBF?`\hV@VR?-]/SQnZLt=N(t?AQ*2U[_cFZ&dJsoLfA]\bE_idMiSR?_pek,Vp:mG[C3.C2[e5Nr_[&4X]I$p0Jr*7d/
+%%%!ZV'YhuP)QG7$hUE7eEtCVj&IK7qe.j9`C!7.i%4pm<kda\YP%4NbBmo>6eiE(-q]IcVWS/r/_7U=;:m=C`KgQB&C9&5Z;VT^Z
+%&X)[\jbi><_0J[Q0Q2dTat5=_B%>2U4fu_o.P'1)%9c+TY:Xmp7J49rG%n12qs/XAF\$IMJP4O;XkW<="_,U6ec\s]/8G8P!`^1=
+%Mt//%R2"b`qZVmk#)GUG%&9OU^Y4-](?2t&P;!."[:daqjT7&;ePG&PLk;gSCP0T(-RTY`U($'`]6FA;=(H5<5kT;/NAR1FCIE5b
+%,$l)'g%$@uoKrjD&_e.9>9AK)O0Ng;%12/$ONRhNQPcl>&e?@_'S=QJaNmBXa<4q@a:[M*W;VCuA(]ujpo]0Q+TfYO*.K&MHMp]u
+%@H.C^r>8aVj*oW&NidMM3%h1A^o4AB7-5rG*j.(tmP9"ML/j#/AF98Ep>=K=P*Q*gDqE\YaOqd[J!C)jXf]qC[[@g,ld5sAAp`@]
+%[0IS%b*g8sWj]VsqO?"ZPYXGt0n/KV*4[<mc/tZFrD,Yi%M)KDLG^oV7;hK#[Zprt"hRuZlIK*V'eH=biAQVIeg`"/9)S`nM5%+%
+%45`3e<Yo`tL9'/r"r?\(I#RQ?SnuRV5:;A)"+=RV)F7l=6H/+)N6Ek75aHK1=/:@,"+,*8AO_kYK@Jn,7GH<#FX'OB:mXnVQ@4Ud
+%#&?*:kH&lLXii=erKgi[RanZ"F0RbaOB0C+Q@#DAG(!KH8id7D6Po5Z>MQh9?<CCJl8[Q.`;*DW1pMKgYUno,$M#kS76lFcTP8GQ
+%[`!)M\*=L$%abAi^rls+2lWZJf549)iO[9j3a_VQ24VhFZOE`UTLks[.+@Vd;XpoJ/jPjuBZ?-hAbp21GpT;p75n:KX;Y6j1o"-@
+%![k*?;AH'%8XJ_b1>iM*In(tSQ]b[Y5UHBthV4Klnn."@Oci?u4f"*(g"!KI3l@d:(LJ<gA@cZlY%7G/s4"aLXsM82-2%K)*Vtft
+%8p4-5=d<>Pr'NNN#I9CFL?3-U@2K+BLt9YY9bJH:%f#b#Lfc/OZM$JKRbN>3TQkUiG+PY6WiXG>>S1m*24VjMq:(QQXJ4K?G`)d3
+%!@G:#C1l'q]j\97/ma)F/Vi:8I`:3N]<HXtf3,pn9_HOgfX\lu%-+nn8%u\?%rUHpi/s83;)U>9-f)-)(AYrp(_f\Qnl?\;B%\VC
+%bsa`HXlMo#qk*$gf`ErLQ58ihnkoJPBS<!6+#bp,cmNl>G?%N9p[Ca,rR6&jW*!1TFLjNrqo3Y&Cbb7J#O&QM$d,N^6Zg/q=l,[M
+%fk(MP@65eI9&o6\IB4Oa^26c`br_9bc5<$-<8W]PX#dnBaT>79!IjjDYrB3DR'"CS+K7JPGi[PtRC;>DTq!ZD"*Eo[^u]`,DHPZP
+%N6JkW9WK!r^s2nLXR/FVc0@+fBT;ajJ<'HCm:9!RI:rX'J@^S9/l`DGR5Cla+_Gepfk=?V6)`JdY@9%_o$G@Skl5AiP#?ttR.,N)
+%fgEg)FUI7/rV$!aQSDQTUC.8Rm=h)tm=1%?/OQ3<Ep+P1bR@f!^ffEo;.uQ75?-M=I2+'o,8SM2I@fQ_Q00?a)A]Qlf_B9H8J7N/
+%DB)UL9dU1&bqRg"Ynq"RdK1fq$Z9Vca@e*,6;225)k\-=):YkMrX@5Q(q6`"SEl<LaQBbAoAnT%);K+q`uIm>FKmgQddA'PDt5;'
+%)O!-ZZ>/LaA6'%8%:iKtg]O%QSZIBq?Bk*XX;SS2STUS/6jM9/RSKuk,%ENR7J5Hke;uc4k#Zdan&ND^?U-FS,=hj.=,DaX.KK:e
+%WM=T279Eu/'!,K0!C9uUp#YGVI^n4%B-$&iH0fF6l[c84cI,fOoj4Kc-/9g_nC+X<5u!*D^KchiA]8oq\N3VJ/Sk1H@_S.L1sB/,
+%,>`O[_BR)`)0IAu,n*$UCA183jDutaT7Y/bN&W`8^:i=b^sqa^!_*=;2;o'aMlAYLDkop0`hMuq(o>FI_[aT:?SW.4PV?r8r&3D<
+%Q>IuW+I#'lYi_7t0]$pJMXp('N_O75bVaB!gsT*B?s7=HC-\-f\8.qejlp6&pokf(QR;hs;Op=T^jMI6@Ia88HX&^P)(D_[GDATe
+%a*RZ1h+,mLn;`A$(;(/fQKgUP3J1B=5^u;@G6*.#H))c,fF49;-Lu^cj3(!?87XTgat35'b[\=*jslW=VSsDUS8J@%1=oa_5q94R
+%Km^L.">!?7!g[+F"=tom*(en5'r9!:]OK[\["@ePjTPlb'GiONLu^52T_gDuq".Bi'EERg*lUks*BmFQ6<Wf*lh$$gq_<NEff.o[
+%"B._!bJ<?U:5H:#KX2eJ>f&8BC)#]:=l7@=>r1eRe)-<Y#.BM;_f"0LKt>#^ccF"YH1K(8T5W6>EVY`m]8pTnr%dNEKG-PaPb^\C
+%_H;4b)28AXXhsG/b$]OH^9Y$d.o-QPVECsp8'&iTf70lpX3C)Bn6kZW.-]Nlgu9pJVsTV.(&#*RHFUS"dRfk_1\m#WUcH20[mfjK
+%9%5G<_7Ja8NeIiaK/ng]XH@%-L<hL*Uorn-VSB[nE_OeZV%nYeFVhiuao9VZ>L47(*Y]%%Y)7/+XL</7fD0.N[T$[.mF2(Rrg)9O
+%do#m/WW^`Gh#SWA1f&c5A%t$^DRa)!YuN9$"nY']NeQ"bP(\Rf!u#')%OoZ1)S>8TA5g>*<<;lTL`h;!(OUf@2aWD03B_?b+"?+_
+%0hLG\AH<jeX?qp3=_%ef&u:&.r>%NV?!HGl79F\\"s2aL!^&moha0_]!A`g=Z0c[MJ-VN#/`8)VVXBT.1g?$DY99S*"<#s+aEnfJ
+%i:o'[!;@`"dni:lK+p$N!@^-l>BkS,O4>-Gn8]W<1sqltQ=_(m55^^_@\*[%Kn$YXRt1"5/HXoN>m,8q/OK`mJg($4^A?HJqnU=,
+%,ikdj(-idM]80bG$!*490/B0JjqP@-"CE=f>/^:*Fs@L@8IqD@[=Y?2\\K9bN4a%_)&@-$Y`<$Xj:i'$Td+50**IAtCt+/Ep?#Ka
+%Z31RR'!Dk^lCg16db&Ln/mpZH(YEfUU/5P)5ncMF1Z6oMK,.?0>`e@]]%-]$qIibV@Q[%XE%Q!PjYMfW]MqoH@oHrB##kJuf.Z7^
+%cUbSC!-I%3KtRWTc[\jfmK+#H>"gH3pVe^l,Te4/$.E_^6hH8laO*](=^FWr)],\9V-#q.ik5_^hC&-FY0;/Y\B"oCGssC]"r%F.
+%KnA[h16JZ!8h.UfN-s2R6BTXQJJk5NB4.P3%fqaF:dX+U&-CIh=+a'aRfmt=7(s@)EX%nHn951`JG?q5AHXP<YVCd^T+V\Oo,5KR
+%:djpOEhBHAO<TUXh<mp.2tkHQB"--h&(iqt!5Y.7i,SCWSh(%Ej3Gp\qua0+2[tAB06au+)Y7'qa/kqt'FCl-@B&JQdW<fm4`M/B
+%W6G[i6IW<YW"'Heg'%X#O^Ldg\PSb%3d^,Wjeq>H+(DL2*R,DHT[,fSc4MAl!=rF]I++,Jp$lUt3N)G0K5.P(;e'^%3B2T]=B;k5
+%@2X7fjT(jqkdh+H3*A+N!\t2@+p%#nE(QbiC^"r,"^!F\<4=3Ip#/Vf5QY+2hPK^YL#"%$I+SO]62/nE1MXr^5&cUq4?Q6p;bN](
+%nYas^F86/-)>K>8R)kh2cbUo3.)YI4E;s;+R:Hm%eT<^dVoFqZm:GgfAWMRm2RD*)5./qgikD^7U'I(0mVk[l,kDcEZ/OtO5e8Q`
+%)a>;Tb?0'I>THs5O%lbYFR7c,H/T@UParL3bNt?^WP@,1i%a6X-?)s<AJ%e?]_N$ipoO?E\L9fE=TF[rc6-L*SpO!QV<A*f]AOJ'
+%8=&l=5=[sflh1^TY)Y3Z$6hr,OC;o-H'722L*jf&>UPHq+oE5$=SbsZ59`@[@(3p5mC:J&Pe@F^<#5T'kfI^s!0_pA(2rf7DE#f_
+%*&:*#G^gL@4-+NrgN.^BOT(_cogYrLPm/`$/Rp1**[1VpnU?-mk1XWHCBTpN3YmgV,,_!Mn*o3gg#NQjl1!4K0UsnrV,k@FXDSp'
+%H'&[#2>&JUnp=-tojo/U3.$b#^!6V3L7H)T$crRjmA;6M2[b^2XJ]Rm`55_d@4!",a]B-/-[@qn2n,mBGi`XfI/q9U;*Q**`;4NK
+%?FUD.!1+RVHdP'?%+<D*GTG7W'48ZJl16,o=]=iN_^WA3O8IG4pG.NQo<rZHBW>TF@8o!mE+]uu(%`cVeY0(Bb3I>s4$A3FD($K!
+%aj1t[Fg&0o7pRUN>.se)eAo\tApOqP//^5U_+=DokQXZ_K??W_!m#r.'H;st,D5`i*sk<AN,Jpe&a9^Mn2p9S,u?4RC)V\a*`PAV
+%:F$1%"&-Y!=[7j_L5q\]gr1>^4i3Xre=$bIqt:;i,>+igIPUVPQW<kSb4n(Wl.Hs(+S#>'^g\%W:,<MIJJ]Nrhic6aN5?):J%f<p
+%<.NduMD2iQrSV\%WfiX/D9?B#Hn^juEI(d@W_KrEB%\A.NP.Qi//)6*$hdNg0+4^1%9@N9r!8hI3^9[^#3,2MFgDIiC-HE8L-]<$
+%!qs<o'hiNlEEd(d:1Bb'j!5c6C.sODGed_=cM$r5L/b)6rc%4&n9-7LnaHU]@h82>F+Wn(Upfa%qZ4>eb5,Yrl6AO3e-RH>ii<&C
+%=`<2[V5?^$.h%C^$]+e"ku(/-\9R,l[4O&-O?2LI;V,(>^6(WADbQ=\G7rik;Jp]A%/b4Z@GXKjQ?Au^W(EU`1gETo@i!uak;i_F
+%T(<ArJ2Aia$K0/HZ/.+RVCm5c$rTm:/0MA#bFi%<5<b&!2tglMS\a?&^!kjDD_0bINoZYfo'hBtH)u3ibRY:k(%8?]><(d4%kTG9
+%WM4@(_f(+4[J$?\b@MX<F9Gt'XIaLu#uU6s=.K#VP/W`jM\a/MpZB-1A#'(V#W"U#Q+$V'n)#kQ(lHG<GFJBLk2uej(%;6Kf()Lb
+%_COj;D=_e1N!f#g(+XYJ)dr-pVVB1#f'@TG/dX0Qbt"Fi!ktiod!Hc*Ftmn_S<eobb],Pm=.mQ$5N;;N3VEqtk8t$:3*e)24omB>
+%C88kYP:9BOpVf"dFV,<":MQBYQ.mM7%=U=ZGODTg`d5DePV>Xi^,DcYZXpUsaGc&>hAJ`)E!ck1jWk"cQJqXD!dMJ670'79=]N(+
+%*FTSjq*=]b-3:>7V!WKo%r##cNI;-d1Ou_D/_6+g["<7!MVIXQWgd"-6aHI`>q2;U-f8V*'#.ah6u!gVQn&FMDU,3H9ds3(UFbT1
+%k[4QSf4bEg'YoXOn9sJXH.HK>PR;YhD/*Zr'/(M-/8;<q320U/]VnQ[H2Bs\?P<t%\U$OF"4a50+e(MHcD[0go=epe:ugG;[^M7A
+%r`1-:."K"=h2*MPZX;+rd%o7knA7s^,91"n80>s"go0E>Y,*p]be0DQ89`s6&7/t>(UMS5,-^bHbt_%VRiNk?nkhXkNR_lH=s`*g
+%_"A%,<-AX&TQpqLY'XppA's(V*BDCWe:Re"Z'GT;"3oBXi9H)>\LZ=cE&8PJ!Zp4Xan*RVAm5lA_$Sb?,A>rFVG6:NE$l^I!r`MQ
+%gnPA9B<[=(E(=E%"]Y)X!^^d7j[5V*h<KBt"Vn8Q;Ob&k7,fCHg"J'e34eQ5AZb@OaZ;Ia4VQTjc<f*5_3V(L!Zq5d*';Q[Bt;`h
+%*OniqNO<$&&&CP1p-Si`d8p)R*d`r;b2sq7k;A.'Tc+Gr4BO@3d^OL+L\.`1]RHMfFiSC(HjL3s#d!""FmBY>P6Z9@b9<t.c'KBG
+%e>4:.b-]m"DWQkWiT=;8h4*06L!^lHc\)hEdC]FlV>Cn=A*M;AXAV1Qrc!9[grSZFJ4C\3SUli,%mY]TZZE4=TZd/M'3)bncA5ZX
+%)=I!?Yg6QJ@%)WgQ.0<Bo;(D-1o[9>\?/-[L(RkZLe6b9D=Rd*2(@g2!NV6*^K:OLAL;X0C<Ol+_B9QPb&5qe]XXDF+g$Es#J&;a
+%3\5VjlG-"Do*-6rG3oL/`:Bu+ql&XM\'IXpQ5Vp%]1l-T\b0P=B/Mot(\-6%@@[YY>J"&/fdLiUD)Fr&@jje+a5-b0VIB%\R1W&h
+%(*-eg>r%V"q)2V?qODVJBX!t%b7fFZfMfFFj(AOXF$u)kSrS4KoeqHsQPI5NV,kX7Ihenh3bL.cUUg.TdW5_m`<*&lj8KH5\9IS#
+%M`h):Mp1!q+^?S_/URPul\Nh`A4,I`iPq)b5%KM('6BR-j=Zu3)6TW*c!^=R(:eNY,u6(>>3jX0%D^T#ac6,7\!d3!iR^`g43\n>
+%CcDWca.6h(a1?IPT'TAVE;JDpKPN=pjlH&n7?<T)&=YUP:G-D.D59[N*U2D?f5JmF6>"U!E9:jXr,D\+NAGpPCa<h/RHGP#o1rHY
+%,YZ3753K:BJgMW'JNas@@Lk1+i%&DYl"RUt8HMhd,Tc:2jNk'F_^lp]S6#>Z0<d*s%mWb3mc?9XE3VpQB3n$sA3UbnO)K>N.8Jhn
+%X6V?JfOl.;]4kFl(#\E$IB7oiSi42UMjMR]lNR!A,;-ETUG8L*[\J**C%$rtV#;hsKoqnAG%uL6DY:&\F=>)P!ou.^3]95fQEgJo
+%mgh-8jF84E-Yltgjm6d>mK[.ph%p+Wc!K:Z46+d^2C7A^/`r1#S!'(W?cIij%<BG"c[<Pq@UT#ccUP(h=a-rpD,7!',@ed;(jF!$
+%;Iu*Erc;2c4AP[]msOM8=IqP#E:bL]-\7s3+=cr24,1Z#T>3kqcW`dEhI#\)$=kp%8.AC\fXi=-Gb+4,TZ1OkJGR*&0kq_)5s0es
+%.nF11E*o1f?Qg-Nqt`n\G:^K7(o;@9,4T`.)6ukM21bR$kn]kNrBMhuh!BFnl%*K/JZs6qjXiS#pu-BU/TUZ#V@g5m6&dL:@Xobl
+%^!6FeS?/B.1]VHTL&ugKJ/O7P&WB.1h\\lSV,MMoBNSF\bJ[k<2-,I6YWpqpi$kVnluCkXfY$_Pg%p`EB5k1Eo'JVh0`DuW.,P*(
+%QP6RXT>AG"]q61c$4?n64iYP_W*I%lL$oE,^YSgEUi/30kqe</97sX%HF^q&U-FTrK.Du!3%4>p)@'0qQ>[e;jQ*9-!iN"qo1=#G
+%=3B-mh@MJkN_p<hs-cPI*Z5g`-t><3a$457qpN[!2*]>=l8$d7A(p1C3e(:mLEdu-d*`[G;DF=9W^Oen!hN!n:flc=%/c$-0Rk_<
+%0=Nh>C+=`?\.moh7%Cc^5i;^OC?#eq424IK-rU-)Ld#1=7Ie6?PTYs5gE.64Q<8N1""X]B]E2fBJEh,PYg,i]=fP(AS78Dd=UJ94
+%n"A`I$n.LpS]h-/?)J?Z6,fh4@b1ZAZ2QNr$l`Z9DOQ)=Ka6LEJ<G.i-)\k_\:EGS;rD_3<q\S??pq=Ia3Q59$/Ph:@fp7tHN>@_
+%^<"j0Dh*&41/:To"f,qB,AJ:YBrsVTi<!U:R_rB2%*BVsalFFg]3QTge0t#2<(A_JBOFMBND:C:=?k+GR80*#qjIRE.s>L6=MShE
+%br^/eH0&!"b"Y-fDY=>eC[f6WUXcY2gKf>[IBTl$K_.gIApD6Z^h^!A"d*6L+:TmE1Z6Ye'2U8>,6rci5:qrV%X)DE&5\;F9gFFN
+%>tH0U`IGbWZg9ION!2>jGB4@8>T\60Br##c`erfin7's,dmM;c?LDbN>A>5j?qfm*f!"1E#[(e:b4)LBmK0eT4i5P[&28]8!k.K@
+%"F7TZ*sEbuT#'abgo[O@!jt-TK%hWFTWbAN[ganB#p=qqY<eN&4@TZ0gB5bUU3?ZR;+HWjYMeo-hC_+F3HGIL[#&O<M+R-coVU3U
+%/)`3SrHkODZXp`b1S>.->%cpD<WTBOB;lE#FM:)WAjO6=f+-n+g2aFI^gVf6*!"6f7o7gjlIZhF0jK9fV*50+756#cVuW'Rj#2O)
+%=Va"+/RrSH8"4EU_!>N^qbl)&&)0,jV&Q&*'PpCYKVH_]@7%;#D&H)L'OOsH_sji_G8Lqd'gukE^p++1mq^k8;NZCAJ<VO;'8Jc:
+%S-U7A&I"u+JTWNl$Wa6uMBMD3:Kr&R0"9c\&5VAi!n)9(e*<n`3Sf:b@seQjAt(HL;Ll?7mh[dcKFbn1"p+V!S3^\MXHuiSog(h]
+%)rS.HG;(>^a;/3#,0SUI]%#P@\W=@bd<=:JE9sm$BpIJBf96B6]sE5D+se)e9bJE1qo_#9R72%EV^5\<_NF3,W_u>J_R`V)@(Yn"
+%l!+Sbl,e03L3^#",<HAc:D&eQercDHBD5o+fk=LtG`Jb@nTn+Y@VBEpc`scu=$cuM1pb,fH<f6>9@I6$3`%L$Q8=X;,A:+WU:/bU
+%+2^bSW@:_7U.#H*QE(VN%29AXX)S8`HA(U"%_b9F:o!]\#F]].Td&aW7+SWeYAgHNI^tG4)K+,0fnr/<''=Wi"dp/7Qmn^:aCGc^
+%AK?/P!%IZTC&O`!0<.6:oYhRQ312N>FAjO@%aIQhn?@@cMqR_"In)hEqD1h.LDM$<9k?VX[_2NH!]`2iY7DFh6SC\M=mK)CaNBq&
+%a\H'[&r^r!`MSU<CT0'Fg8@rd*0u'eW@eRW(,0A4n=s-UZ+/.=iptDb5*L6'q!3R/NM06oG:FOMD#3hN/Ks:@oab:/%dq1^O:uYZ
+%H&dlK*/XPnqeW*m"@?Od"f_X"Vk>'nGShBm9>0tQY.gWkAe9e_Nu.\@F,K2W6!oJ[4p,--,W14fmJT<NHnam*(9m276NDL^\W>R*
+%[4Ak9Oq/rnPuE[*JE0kUT_atg4H+F'<60b0m.94@>.j+fSB?lMlS4HTE/Qf%h-[Sn_QL@lDIrK9L;,@[1YjoYnE-1_@mfG]o(k9G
+%E6YLp#tD@'`erA@_IJqLL!L;oNqG&^VX1FpbC&9Y`E#H%4RU6WbeBqk+o\!;IB*AJ<ar)6/#>hVArTCP5_-<lrOJP<nM]DMbi.%'
+%eFVMnp;Mk@X-&N`/j-5U*$G"%,X2t<\s=8EqoVXtAFWP5YgeFmO6)Jo#3&XZFG:WhFGBO$jeNk$fj0VXqst52K%fP6^LD"O%uVB4
+%;T[p$V6TQpPLN]6Mgu5B4E:H[q;\p0jID=A=NWIWO[jAKA@X-hjT?(W%Dgf-RPT"oBr$EUG_f!u1>c05ToMo&AMIam1S4$,CXeKE
+%lUT)u4I&T9k'*)I`;CIt<W)i!Zek_)4^'WX>m?k-/q^0)hDD"G!u;u+ih-g9RVWHmbr(V!KQ`OBal6U2^7Qp!h^YZ"SRKcEGNNc6
+%:QFB#*NW`QoI$-EnA]DVA2ZV<M7(YgOd2`hf+j\UQPDb4[e3,[W*e..0>2r3N60$3VqZM(5)\'#;t#UjNmUXT\fgY2eFG87AodLH
+%Ih-.?>"[H@'5?1niep8#U>^Bb]1[)6Y]s)NZEVktTUGI'?!&!a]O:0scFdQQ6#`E7]%l&[[U^Y,EQ:D?FU`hUF3)^>1=<Y`qZLQ2
+%5qM0t%O\@:%!M9\FV<CR25kB0h<d$YSADb!LPL@-&UT3ZC#Kd7DcZ@bKo7MP'o1tt_:ALPW.`%fRV7c#I7r/M`$m>.!.DB+C4-*1
+%e*FY<Nrm`<37_5j<WUKbZq_#D>QSYmRnOJ1DJA:0U)ST4Rg_thT9C3YnT'=&h]Ig56=k*%HnkK@DrC"\Wu#+#G1nuP\$1DF6skb`
+%_V:PmlOLnPFHr2$,/.Al0LCJc0u&DG9FH^C30n!#"\p&&^;JHh/q$tM^<Qi07mR+66E?`mq"tk<!=_%0ksDB$G5C23'4AD=o2asG
+%/RL6mH-=hK]$p_H)>FE&Do&p-<<+r%gi%Ro_8s<ABj)Z[6#O]pG?4g8ecNj>H$d@"H26+j]Ti?k%S!VX+r>)8o?JFG@HflTaBJr&
+%2sq+N(*A;?Ne>s<M&)mrfBK1S^\*\^$hnfed>>K*B^SsH7j;6KM$hsE3+eqlBa02-1n:[Y)Pd0B%b+l)$["*`^dQa=C*C3`j==NO
+%CHWQ-b(>fF1ec10KN^t:VJR[ZZNYIL,D3#hh->en'J4mmGrhon9@MqjjfN$d7AnG[$`N;0'G)s&=/Us.+K#D4p#Q[iMpS($]fGsN
+%K9RSOFBZ?1gF^4;R!N*e2)GSaPLY6PEAo8!pQ*K73I\lb_>\:qWsRSk5;-&9BYd8*DYBDJOm$bL^nb1icCP?%PCB-_T!2@\dN=4^
+%k"_4Qa<[f<7_6j19b%?k@tGpV>:cADQOTNJ0t^E)?i+Bi5Ag+BCsi?Yb5[[?;*+MO&t1Y%;m+jk2+dW)c\>Ra/Dpi7.fnsEJW!G6
+%@Q"M=C`0qR$asfQb65?s]=jrFTV[:%2=OF,P)SbQ#C,ZK@9r@LFI8[/ZPF<nT<(JqYe"%&`jKVGWcc-mbUQl"S%X?aL3WnaAD)EW
+%(jfXJ0Apse4G$e6-g-(=FrTpk!uWXZC_rbhet9c>Q=)YKLca6PR4HAo*S,JMdgRM4UU8eI!m"Rgh!F**"]T,b\LpkkdGj!6g\_)U
+%F/kQ%Fru!I7kC!M>"6VJI:d</(#:1=&+l3#I\)o"\i$:oeA3\s"[8b[Ne++>@;_b'!s-,F^$ELMaX`/XS/p_1P,31?(7[UE72RoV
+%Up/Ci$L^dm/l4XPC#VQOL?\j*"=ZU2[gJH=CW4pb!QKksM(6fAQ,[9BbNGG44E<K";o$h1#@WP#057BfKdEPc_/KUGfEEcgN.BNj
+%UoDi6ACWZN^j;OnRelE4gB:dEdQGftlie0LW7Jn_@W'oc;V1Z8hsL@X0&pF("?+N2:9,f*,k3:in&k5dN!jsF=7"uPen/VrQPS^t
+%ZDXW=]'2f,%n,lLJ4k6B((tQ_!rG7eFW%6aJR*mWo#YRN^cJcu[*nTXdMEi=><q'3V-UJEX,(6dY8:D.5(i1]EIAunKBD^soHf?F
+%Heq'T6kg3:De7@0`cBq?mB)_l8.+:nd^Br&;/GLn#V&%>+!SGG]GJS?8Q'%9@Ks;;1#G=1)I2VmKB3mD^sh[_!SoOU(>+\)!7U1t
+%_8Gk'Q8uI*GRI)."2CLiI&F9CDUIS<b+K+:Enb7^p'5El9%@ksJL&lq/n[ukG0YY;RoW=r/s%>$QH,^R`$8%Zih^"o&DDZ40*gG4
+%bIZ#I0X`3iB,TBnkToOfb?/Y=dgSPF7@h+"W1r2:F]FKMpUo!(o[XG=7C%R>qd5,qF^\:NZ8g::Td<S%?XKh$en!m))$>H`JiPtb
+%h(9"6dEQ^N/o5In2P3)a?b8VUN5(\&eu^S!I:5hV'faM<qDp(Zr>!lKW0hssI$kcVL7@;Df1Sj&jgK1^YUdJ!ej$"-TTYbICU[>+
+%K^N=V``FTq73u2De].jUa1?epln0+72t8j^"%t3V+%h.6m=p.*PXu'oX[oPLqeTb6f4LFC++o>m&q7JL)[eP]c;q_ulpC5MFN5%2
+%k'i?Fm9\P?p65:`]Ss,S!j:'T+"e=:&eHiiY<:,hNSSPiUdZ(EQY17d(e9!Vhtq+pbYFlpq:M`KWOX0A<@cu;CA%h4YcD8<,"Mai
+%=HY9!gKg-1Vr;A6``SUqDlWr&/PeTn1\b@hMT,J]?N.!Ts&X^Kq`k#G5JR6WT7?a-J,&u755hr,oW/#kqSutBnbS%=p\O49ZGuDh
+%GGD25(-e$(kNS[6H\S(JRUGP6aM\$k\t?Kc??,m%9*%'6%VU$JYj+L4Trruqf*4R+?sXB>iR.o&i>s[(Cseqa/qMKQ$&Y+IRE#gB
+%:+I)__/@r8qm88X+_$`H?i#GZm?AU:ZZ@r3oBj,!0%/E0nQ\M]`Qk5JP=49u%l=1R3*L'*HuSDe#8d)V54$Fd<n,<4&@B[\,-nYG
+%-F+GZ-50NW,$0,[Wn_LKb_JbdK'&^,DquE8eS#\U3.r5fgeHUeqAic6E"c*mO(k4!P(U\H2L;Y:C^<h-'!g?g+Z4C!:k\N=e;jo1
+%,qeM/oC(6>YCjOrNhhIuni,de!BmV'i+>8*#\./bTE]AmHuWHW)N"d&+4/D(<A5g/5Q-_5Lo6m;#9Wt_UNgnn[uKK$IMaFj_MJ9U
+%"h*I$5GSZ,K-RL#cpUFkUuMUeUfCbEoLT4%IfNJdLo>a>1=4Sd:u+%[_$)B\.b441Z"isQKSWgY%7ca$Sqf`2[Xj,<!lQJ,"@Yj0
+%PR8\hYlsD4<6`,/QS$8(<cD"e^E>sele,m*@'^]Y*,OX8fF`>,>2ff"D2scIBZd'/#$7=F`rn@uL\0rOV24miY1FTb(0YGS@V;%7
+%[kf:'l0(g+$3b"(")sb1pL]k0gQN)Xe_NYN=$UsQ_R'R"XtS&"a"G_kd/d9`.nC8k@ak/UWUSV-[923na@VJURN\`'K/5\UO_o5)
+%dL-hYCQa"k$V'U&1?4k9@E#(Jod$6\$3pbK6sDAN^Ok'r#=*7cmLlcs,-K=i^m!@.QI,=aG0F57P"t*#g&^]s]j%'sf0_elQq8jR
+%Eq\H.6up+$b>Kd``kmnd=@:'`qlO#8^4I<H+!b/lc9]gl0aS`N(,#A9c1;"k\[.stfI<NG*Fa6YqFD4S(dW<:_9m,PC5^[9.X0m4
+%[iYF+"TCKTd=r3=lW.R!YQ?nnOd'=pEGQ9!e_\phE4cHYMi79!^U%mfU-+)39r#0>:uU,;=")(HBX=8k`3hjp8J+SBBg9Ca-+D8@
+%8&P'FZe.3#SmJaZ@Sm>pNNq+*2EA%a,/d^1AI,5]k7^2;n,feS:.8F"oK3Fd=q9>LRWj>#8J5:dV%/3S95!(<C='8I%k:((Mi[-s
+%T2qcEW`LY/Bs$^MWn8[6ZmJ+KBamM@XT+M1LGD.XmGVM/DDr8b.9gMBW;B/pg0:#!@!Y/q5njr1_UGgN-O%XgMO@2W#GoaBMkk7p
+%eKJBP%2E`-o[b@g=0<"Y/5]-W^n]uFYet^LoQHksob$2(kcSQ>(q@%J2je:hf.I<VEOr\+!PpU-&]$#eLEc@%nWP9bW2ogTURr7<
+%5:r@S.'_q=T,-KP/_tnSk&2G-+9d!^+7MNQ5S6eJ$(b$34J=hj&Kd)Z4Jbob;(fMmLo1@b5=stp/J1[pa8?L0,SKCDpHO$t9(AFc
+%i^S&&,&YmIDbkh,8u1u34idF5&PiZnI[VI6+s%%ZSl1V3dZd#8T-H4=`dVAS<>=qe<95S-aobWO7=7Aenq7),7M\>l:MFC3da-^I
+%C-o^7@[e_Z3"L*k'QH0p[.nMtncS,bY9<Kf!K2-%'Q0LQW_/gION'^$:ob<V=jFVN5T:C]SrsMU\]Y/NR=^M?)2#Sb*;)*/An>mN
+%)%EueiH%%lIg!Ud6kOL0j@Y$I6bpTW4-FOcX:<[%l4Q]5WfIo/$=BBd8F;Ci=^5-s)0,50DZ(]ceoBF9-@&]B,"T=.6)?T*eFY=o
+%5jQH=TGTX3inVWYk[cj#b/"KskP5Lm<ikl#X[e2*(_(%e]qFjdR+(k?qr*KGM7tQiHAt'g"d_X7\+IS+J+1jM1AqE\OT7m,]&_/e
+%H)&SseXo<-W$1j');U`WU)`t6"-M[mTX0fL$)CqRQG*U[mDad3@JsC67-9/QNSj1g>("tsN&r=-;LYGjX)/;Q,teoT,Ia26TB`!n
+%PVIQ)kMT"&-W(sh1d7)kKnpalYM6oSId@P*T<W^%lr!+R^5oU_]'Cbu<-_uSrB]k25E@"CkZFM9@kt!eZg@ohFqj,22"-;Rff#"L
+%I<'nf*@L38elH**n@I)2CO).]:uQt'I,>$M/<0Uka!U^9iT5oTdN5[Rq&EuegcS@B<\MWgY4dMQPTkR>2"W61W,hu;"PGdc=-`Q7
+%$H@DBY=u#<*4b7!d4=JVR/<R"3<h.=^u\bJ1,&?mSg;EVgYj>[iM51C&@PA4N%0C.R`.`[J*%orQk9ek8Gp43;T^KL+!jT:hsgg@
+%'`mKB"R"p?[QC4>I1DcYWVPVcD`l(UJ1#p'7LiTN^V_>X"2]p>$hrH/]idNZR'_pV%Og7f`X#@E.,<N.:rLiF$m2ir\@$\i&Pj<5
+%4DcD7cut!br_/N5gs'<qHU.[.Rq+WuVt&,[K-EKmeFBoBa$]_7MKmi+jCqh\LDD-^ib?;n%pGGbZp?DY:Re5/csGh-'amGmD;=]h
+%`QPA(9SbsJMDUA[iJ]TX;g$="c'rS9AtraY7DsH:%2,g<VdQa.#Qco-=W[9_($oeE,f1V/[D4eJ]lNP3T_HENkfZ=*:V-<`l1aeF
+%2irmkTTdaOSjO%eM(%A9DFRG!*o2,f;2!HuH:+ML%GJ`S4-2S(mgG,L:-)uE'pg,C;^;mGK'dYU+BiH$cRN4*O7L3P*SGd!5c-NH
+%4Zcc`fE.X@1rR!jXh[@om)*n1-DM:,-=n02i`nCJ8jE](*fSF9^3@mjU@BVj4'GHn+?X-HpTlYH^t'@)fDY6i7>ru6,t,nPJ9>@4
+%r@+ZdVjIX;fIXp]^#/t_@K9mRf5'SAp)Wd.#RONPBd?-c&*\Z`lqKi*/(h:.PDH*%OJY$?ri1M#WJ8gA[7qmLGLo/YPTOL%>5I4F
+%iJ572n3"X?cbtbtXKQ"Mfr\6?@="(c3'$c^7ZlX<3f<RfenC0CE#e#,4rO<ae^_Zr5g6T=qcP3<Ai[2Qm@b(g,b[KPRNse#Fn#O!
+%UVPd37W1_qA!kK@q`[G*DKD!&]4pE.JEl7)1uSWEJ`^fHV<&pfB"oT@>AI1=ccq9bL'@):3E]J\qI!1P6kS$D^%M<8^rmuKBpuT4
+%Y<NZOEPYu4dVYKi`A]-M?3`r\A&m`RIYpQlbEKOp"<\jTJ#EUm>*M:g*oJp^\tq&Em)K7R(EA==M!K<F(hqXZA34M:N9)IX/RIXL
+%rZjQf9aMQ=NK/X42eu[6@s2m:'t;TO#C:GMMr,@bWi;!7m7A!bShRCFATaOEPC?Klnk@a(p)P@N'+a^2H:N6Cm,a#)e&;^F5f&X&
+%!%PJm/-F3b^[i"VDB03qUmpR![!SeKI0\h*Gj5FAV\;gCj;bZAPgB]7qi!OfNJTnc.<@7@Hdmh,lU9hFV;l8nreV8E=XJkdG:H`d
+%QAQKq+#J!&c%"AY+6a#\f:mQoXWJ7nf-Ffj%n':0^2.F-CDMBK]<4Y9)1.EWe0hfC.N^)'hOKGB<lG3TeXSEYU$En!P>N&B?q8]0
+%)W*jcCFq^*`We4!I,T>@>6df#2>;>"@62=X-lYAf=NAu*pr,bP,V%Y<<kuDtCp?7!JEO!:6hA^A)^\Ia.T\q.9dl<;#4O%F['It#
+%;sp3`:@gSc2g?b[kWZS.C0JU"it%V*#31E]!lkr%?0mS5_/R*N7raC<r@uoV4W2]6$U:"ZOs^ioDCA46I>]0cSQ=;#YpOhmkgLW%
+%@!O+\nb$a"aU7O1Om<t([5ps9Z*,_r63J9@i=D&f7)/Y=Hi3)sc?1Qq.F]"9E$pI%`KK,d9f0UV;'+Q%G'X1:'jVGE-+F1>f`j]A
+%WXr#SH)QbpnBKE?3>mgrbG&;<`ABQiKcsT9"gZ\)&+EtJT$:r@"MAhhod!f"s(nsLCm&\`m0EZo2mJeWmY)dl$h9+3+,X7poVOU-
+%"kEalgfDI8-b)*u591@7'?,?bM$k@odj&8XbY-et);PP)0*O_BQ8Dh@O;l@s'g+I4]rD+8?mD]gg+Sm#aVHS5U/:2%5A2:t&m1gh
+%mNa6u/CjZ`?Flb3,>&)M/UbT)0bt#U?n)VYj]F%:P')(*$'P+*Jf6(SS9#b8d`9lfBg!4K'Q?]d=FV1TalrO'%.C=sE'=qDc8PcN
+%JA]2Z?AA[Dg%YutPQIH:!2ulM#*P'AEZ*0p/GHu8BRH-6&<RN-ZTUU[XMCA2L8^3\ZtjZUNY:h<VEpA=IJ)"1Ch#[H0q!XjjCmkr
+%,+s[T'N>Sb0A)53=YFIQ$A.raU?.teO;^*;b=.3tXh9T*L885@&"q-CE3%on3j"[>Jn8De)SWJ6[r$b635bs42NVVq=s@>+=nXYU
+%G8C7nKOnt-`e(U-8L[?j=,[mGC^8].$CZ*qYeu@R=L"P>iu%"c"7aWa"?(8^^Uo<s!@?BD(9$.t7tU=]G/iq5TP["j\F,;eTIsLB
+%0C5CP0&)kXa/@24RVq[$Lp6';?up9gNE<oe%'PYGWt5:N+bP@p=g,9'j'nnUp<(+Z5)[Z<==pgN&\9h,\G;+4>C_;Dpe!Js4%/?2
+%gQN_&C,`cP=)1BVTk,Cj<22[ZktfX9D'0$JX37LA)>+CGLcMMahZ-9OAm-mrlFnBD:=s#'[5?!0Z4uH6j?Q%n,iApteT!9F2hGFQ
+%C,Lb29I/8JgXuC.RC<k]`mM1M"'0@8e1\2t()P%BY)oQ^q6@PSV&U*PW8T6EjN.NH([Z+sZTG["0hMX/P!.\E`Q"FIoLT6[7/D!r
+%T+N::T`qdTA-T5hLSa10c%70-,<.XB9H!JNB=Ud^+X=DS1e+@%W#oEkE#"&nb*=WtdS0l"2c[(c\!'$7doh['XN-/dIuJnc@+:<5
+%56T*!4A&gGkW'tS=I$IL7g8*8dOhb5@%YUnc2u\Tlnk[PZhTboKc3lMAkuftYT#/gbBJB6=5[fof1XiJ5nt%\;`"!'TV)nd;YNFm
+%UZjGTYtGFoL\"X=K$2Hgq`$FL.[e#Io:4Dq:r/B<.E[6+>8r"MI*@Oj8k`jTV8H^%IVp`oYaeO\?@c.V.4;$Ea&]1-b[sXl\)9W0
+%5TlO\i.;`mr<VaZ-9r15KDLV%+*CK*J[d=n"FX.kiW,U/P8sscfR;,oM3^%b*<VD0&A<"Ba3jd[#jOMROqKF%l/d]d*J;m;M.?T-
+%]#.P4=E./sKs"O?5SCDR\g]l1ViOl>Z%=[M'\&1;aJ>n%JW$b6,Pe$AFh3#P+MZA/N05aj_)Q)g#K`rp$^H+snH72ukDmb>V<cj;
+%lcIq+AkGYbKWJq2hSlQ"8RH1%k@eKp6T2B))i;r6@Nf3idp4Fh2Mg#(&F0>dqDK8bUsl(A#uV1&5Vg'(7b"*$I'@KHkPT(QZX*iO
+%7^fZ"^%i2Mr<G3QJ_!49OU+_P1iF<]r7'K?kYD,.*\d]?M@e-la:u#R41SHSqkS_#AiQi-GYg>2H4-[>=9bK7\P0,+f>"f2*'.NP
+%Z[sn4@B9cthdHmX4Pljkme5ecf%)E/<r)QmMFFbtaR3]g\n7WJ78iQ5r.#K:H<M`A5]dX?QVhG.m++un,hU`c$!*DP5CD$ih6a8d
+%'l;DA3C)Fg[@EfbkS$@J#EoYKOU?+EVs1&S6\FJPrqWG3C_h#bej[Bt;T^2F/g_=gEdYWI3"d8^rpX'CQZ*^NE(=c'K9X'ER`[;[
+%k!/>gK_Gb]^0B`#N&GY@bH:C#D((\#[tU\UilAJY`HlhTE"<LAQX`FD/YjqUlg+j$i"fHk+.7fQO$f2qokR?Ss2:p_JQc:L0rU@1
+%O!9/g19q<$-)A&(%m<EB1,:)9ee#3MdeBCKCiPc'+6aR%HApnnX51l;NfgT/GR!?IUf"EA7Y42/^bhr[&4rt*Oa+1'[$%;\iL;f@
+%hct>\+k*N;MTnXcC;D2"VTH7gA\=-oPK3pHKl$"BThD1LS;%/WMV(4SiBQ*`ZKNn`8.-M.OL?j+LSV]na]Y':]L1B#W!Gi5KC!/H
+%&1)n,=IP\?$uVX#<lc3i2Eqp2#.J.m1LbBj\)L+-J'hS('_[c#*j(&.o3Lu0:,IIJhNeod7<jQc'Eg/<eT6L!YbJ@3!INKE'=9MB
+%9rtR4%BiC4K$7+?=bAIkVkT-j+5Zo#1b9EN^",bgDM/=2!\sYtPJjXDXDQ/6j(QX[O5o"D!Xd0u_WgL8s&Kt[8'M+BhUohkB=Z$@
+%`N\W&UN\.k"B02sjNrO'\Jr<=B?f,=8m>Fbr7WBXrrP&jK-I*`]5dI2Me*2GB_Y1be347RSpab1gCZHjS(NFVm@<p?Z.^+@:0&g6
+%Vh;uZjWZ6mn+m&B6fRhY#Hi98@.p`[TLtRQb-+!PY\:B(FD1[P_9^?Z,RCO4,WD[ADXf.9#LaSn3GRK_+0^8,SJQ77R`=*>"j99O
+%^AAGk.li^`.j-@/]Hj=F?,Xgjct`1I!>hh!LqDt\6-YpqrRNhu#m80-\s(Z:nkU]J2Ge0f5-q6nS"Z.<Ka;X12l%rB=@S(R`RM*Z
+%$-(4Mas_kuJEquFG'`?[Xe9mU)r`<dY$P$EZ,dt+XVESkc$-*&*%Zo7]jkUDj6@/PDoiN&pX,1KQ_"@I'QUY+aMegJAih/f$1M61
+%V+T^7Kjq`5WK247L!?c[ZaLN;+1a,t:9UNc+RNofb0eJ@Srdo^8JGHR0*="i8l!l5.JGkHaRhRcPLp7[cXZQIA%Pm-!hurP<gV3a
+%5'!o?8"uZ6*^4moRWi[CerB:@1kV)?Co7g#U'DU/>%,C9J-.huWVJ/)Md<\L<dOA(]NMrg^fCb2qMY>\;/5oXSL-F3SaPG#Ea-j&
+%S/QkZ$]fC=;p#/!iVCSPUaW2K?W*_4Z[Dp?J5!HrH,[S54#dNfgV/L5+4)$-_;Z769s_<uIl<3p:Hpsn8VG7r4oH`tT?lSIoIN%K
+%rXi-hn:9\2Cu/>K3Br[u/tB85SCc#hGFH:M#)c+b9ja-bF/Ji].MVa\8ZC.X_6OP=*<th\JCQe#qqRA@XasP2Rm\qCDqGG?ml=K=
+%$@_<1VCk(IC?i2`11qP9P(:qjEJK609WOrl8]s;*DR=9PAe=)/<^)D`K%b0?/.XO]`F6n+88e1aA.".uhKoj%L`ig,3:f^e?_[ld
+%f_&>3c'sI1%jXqBm2*V>9[+B6FjnQ!^]Ik/f[MFM4)'N'[XP"o5,3Z[SHB2ZRU8K?d3*W1J1k3^,B&cHq)eqg0gi3W5RGi,U%g7r
+%3_Q2JO<"mU9.-Bgk)L3;8r^2VPWR>pKH%'S9a=rJ65U7=LaXpBet+NCaW[LX3Ib)8OC?9(X2A>D'=-6__:8iUYPb,+<L]i*[LX&q
+%M9QtT;+$1QD+:mKmO@?nl5Dao^/JU/r(n;;Gd(`_gm]8U40`XokmMc\#oidRNF>$Rh2R6h=MR5C=c1MY%jsN&Vl?O#*Y+dt62+MO
+%BN9O1%C0UQm^k4CWGa1F=8uO#5I?4>041WVMR"sEUD=F/W+^Q&/9PG-LrLkXTfV>A>9m$%^'`)?_!&b1J.iY+hTEZ"e931jJh.g]
+%V;0:EE@<\JqDA4&a^X%!s(m@Dk,H%^s6C3?WT#I']df#"ICo&]FTtJ1bGGPZBP#o)r%L+_S,6#d]g+/F#V[M4b:d\'g7dFaDao\G
+%lk#jjVb+hPn.8eg<QVs6Q05f?,BHQ"2r>"%]Fk6Eq8!>eeBi9"9&m/iN)Ul*bYbMX5:k>SM(2!rkb%Zg#t53P`4dN^^uVWC$R2[>
+%(2_Z(1#5.?I25YS,SYfGH?G>9Q80^n5<D2dA.TCQ:>:?NJ=dH.,=^qV_%fA7_[;utMirROo$O#'kp(i@jg/u6=i!jJ9qW]#3\.[;
+%&7WJ^g_r!TALcJCe"UlMKi3>e^V^0-8p$!h#IYF>j3Z1)"LM[V%m2<EX9<gk$Y\4-U5D>GVu<9'KofuT@q?Dhd('hqQ`DB.[&?mS
+%+!sHuk8)Fu#5)Y@-t(ekgQD//q-d$/CeU`S52!MtUdF7K*ZOiiPk<m4UP!e[OjKgJB'/Snl:Zqh+0O`*31=.%&r9e^=IE8WBlo&#
+%ZntX9"W2+I.)H8ME_A?bXgNRGr",f=O7/K^8+DicE8<s<"kctA2qPmL^;[t/ns$'fgWW_F"LPk:771OM=`AO">X1GpIsa#?p9eqq
+%Z4A,S%;S8cR"C0\YtEHLg4(=edrDGt0A"==nF:D$($6U&NaOlMU^*V_=n9XsK0VJ1<)o90aMj'E9CU(qfS+U(WPh?bPA+`o"h=AC
+%dD?M"OaNY,6HM2$$fg'p/9[r@_br]^"2j^HgBq/#EnPYk*/0-A:%Cs_GV+%n;YRT^Bo#U^NKK^(/g-XW-4k4Ts0X'':3HZ'I.L3g
+%2m5BVj[Kc!YDZD12RER+^5R4,Zo,:N]TjA,@LH6_^U$G(JEA^&XqT["KUT#.@5e]jLsQX(<Y!=U5Xr)>3I.0KH5r/&kRns]=BH1&
+%itE8G5mrL?nokZjQpg%XhG@IX)/fY[RJ4o8Usjr"&dr6Z$rL+W$Y-Z_()H'&f"tO)<^[O*h3_C6$BKmkI7I_IYK[E#!3Jc6.ljW9
+%5]:/jV(8/Bc>DaoNnp^/=2(X)6pSb[X)'V;#e0)h/SX:g>'?JChe4$sGa$u*IVA7>:MiWH;/hHN$XuC5YA"H^`bFC3YT]B`!=lQa
+%8q2_i.#G'#Lf1A,bDl!Cpf@4.$4[GFIo['2!BR;jX[srcs6t,Ple<XD<Y=8Fe]\5@fE%E,2L.Ck's4n\'<JUcP<7-GjB@:pX]O2Y
+%U2]V.'&m'p.?t`^g>S<^muXomHDVbmCmCNL8<Zn7igl$\_87F[-Y`P;@l^DH[&rs4k)iIaUP,s)9%G_"N[A"ni'e3]YY,Bqo+).I
+%%9+RI6&J6qX^IgAR,+,4ZuT+HND8=r],&A-&#07N3H:?[E8_+*#>7O[2*V^QMhqB\/EE'6rS*MXS4EN,j8&j>He?$FY`cF90__Wt
+%HVsu1?i`47aJuh<XRAK=BX^"&.4,7:PMV.u:#8F#+JRZtC9\<=h!+#g&DQR3ZZqH7-./Ec-^n)K?$k24LaAU&<7m[q@"tNG:G4ZW
+%E7EQ<1oDh-#IK$'e_aEOSb7VIZ<Y.h]]h>R4QFYRV@*..O+)=aDu8/aJEnb^B'M&J(-e#c>T1n]-8r834!)ZY-_TRpBVn.MKg`k!
+%ieIu/Uib7t/.ge>34r,\[(rZ&I>F$t,*:;(UT6>:5E'"Q;gs$7l!XpK_b%!:M7J'C>hqAsUB-m8c2]SN!$VWe6+Q"9&/em";Xd(P
+%`I/(J4Y=\;qa&,n@sV=>0i-`9V+f\KbV5L0nqn=p_.9+M\pu3cfV0-WKle)K(gjgZX`G7/6+Tj/S[KkClXdI(53<;C:Fmd@`(E5#
+%QFJGY/c6<i5_1K7E,F>?*M^rkZ^/OS/dsik!_LS9nTOe<<1a:TJ"qVinM\fYVYkWt%)0[kHfYcTpFQ6UTR*;lc?b.(fo]+cgiJ'F
+%:VY?r;8(=e(;!)9K:8lt6h7fdUUFD0K8dM3#0N,iIpHA!Q3>rV`_3r3*M+L[(Fs0%C'$/#[^4#]J>mEm<fl\Y,.m^3h2iXRg%7l%
+%P.Gr/:_K9dlt(<jjU5+<VGD(TIIQ2s@)9W;rrGQOWLLGKLj)Tef)p7-p,u2&Gp;"q#fSUM62%K*5CdW#$B#:?==q([Q2\JUK!()/
+%@j?b6GJ)^KKQejc0'9'=r5GR@r?'Y+m@XCO`<42Zk@ONsEfX=LA9s+4Ia)@C:U/mnnc&CWH8.>(iCc5`*eNi8_;eo5!HWZ7/YI-+
+%gVGrJ'57_#O(oUu58CG!-4s>ir<FbOTe)jKT'^s@4o9e@c2sR;bBa#RA;faYX-qLcNSR%1L=$7;%/a)aajqdO7+Cu5Gd><%LNahX
+%jRr3jG!r0LV8nMH2hmF-^N*tU[\O%ffCf-7;]`nTOi4Jr8,KYu:F+G,I!Ri11rDhueMmNeZl"o&J>FH_V1o@kooCQe61@$*R.G\G
+%blUMW/>)gb\B@!Z,JM,-HUGofS&uW8olMiW+i.o*?<r$,>]Bkr-XcWCked5P-c.<aBdi2!^A/;tf[^CN2F=ZPF6tb\]fXAl]i<>u
+%91C/&7)Wi7Rl3F_?1)PBBnhc5.GT*@2gt9>OI7NpFX)//G&iqD/^FNqibJgu4,=oF&[Yfg]C%l,+\bdKY6IZfjad4$j9P)NA`0D[
+%_!GSojC=p3U%k]/]oc;:]g9RT*eRodDE9JLMf*>l0[Nq.Ge;8AqoE^7JYVh+s'Udo`aamrcc3Wr)7`d4a`oir-q+#rbMH)D_35;'
+%:RFJZ@6IH9Iu>DK'A:8D,dj8Vl.aL?(;8lON0KE>:W!^7M0I;uTjT20r=ad1RGqS&cuWt!oN-P:Rm2;s`F&Z$^3t>-mC2!Op5cua
+%a%ua*5Q&FfIf8NcDu]@ZJ+;d<\OQOAf71"(qpg1ErBnWns6DoIi=E^&rGV]&+91iJ5QBlts5S$Is7a;*rBL5Ef=t,ArVRJbs8INC
+%bs24+T>(9]^\n35qepr^:]L>3+MW1"LMss)Vr,[os5IVeo[h]EJ+]F?rqNdKqWm$Es8KLZJ,ep/?hr%Il!IcXTD$$Kor%,*r(kqZ
+%r4a'?T0Ag<rg-F\kPqr<qF;.e^S-k(q)H;kYADSCDXbZ9IPl@#P^;MahU%;260ibYR:/HbqgsZWfJ5"@#g&nrgrrnc&/_:@@KVq_
+%q:!<K6l]?k)BIEBdR]J:a1M\l^+=Ioq!DY'j!5fi9tFF.0sT?n:\RT[H.uQ0s(DLQe^8$7qR1<eJ1ud*r#l-L`MOVG4'<Mo_Vi'%
+%!H$`aom[*W+_i3=jT3YJqa%.+FnSsZ]TGn*5I0OG+J_ol'A<=Yetk'"P!`o;bn&-Sr:"?f^cd*Yh")TD0e58UXbc.Uk@'q/A+6]T
+%h]@6&7Jpu05COKRp\TeC-G3^[n*]EFqQS[?UV!YR[tc'R>(3pF+.kGMcMqAJb^]52\_cW_J,G@oct1u09A)>?B@Au]n$.N,:+VZK
+%J58<Weal!g$.4"GVNk4.8D;K_$I&B?#-2BmC@0OXa6Z:ig[l8P<<Kf*[9_\]=@\5]_:Dr:LJrMFV6J_/07?n:<N9l.@Q]ZB5$taX
+%4'8P_UpANsZ2p3U9:;;)BW&+6cY3)p62'?cBeC\.@tHe3cmT^pDW)IGXd4k^/\F4<@f=iY-L`iNs43,=hZT%nY8YC=.eTUh!]?&%
+%iLP=S2XS*DAbgi`O]5L^[sQ\l5eR2,KE:IG)EZEe8=Q#4&FZ"e_W"-VV`U_@kf*u]oH,#XB`0bCYLAAMobNG'F*@&R.EBkL,8<5@
+%$VR2<-cCa1petbY\p,^:U,f/A@R3#rF?ceWjVFh<nX[7a(TT5P?<>PArcI=5OehXW;C&j&arnM;6(Pi381%AE`uafC)u%kLL.Qt*
+%3jE;(TR$&"baH@$GtF<HUE$-"EHS<0deTfGc.U?.W"e$;>qeN8gMUTZ-Qr5:TL+O*P%9m3D@_8j]n/U\pua[r(.OIU^c[7"dqlFs
+%j12Af<?qgUbkj1E-c>^r3$ghP/T%4kXBVT`6n,$Z>UM]\\_,"b5c!pED10"3h1<I3M$>M8PG%:G;R`GKHl@?[T#J4)/udog:#IiE
+%1q++569fOsY^=u^OdaOJc`"'=7u;jZ<q.6,4VNYc<a&66-SK*RhY^h1Pr$V#ea]NNCt*FIe"33RU,RK^ghGSnBcXLlF;jsbW7fAg
+%,di*_\:M9RU>50D9NLKtb*q.JMoeB9CEp#hHA3V@do^qNNcj^8<:4giR_V%<$s,)qdcM:ao.roQ.V6#80@Mrm;Sra'VPG]XALO@3
+%VfC`?^9iK+-cp?%W23Png04]@h.Nie^/R!9[".o>ZdgMnA7u+jKRe$aceV5`UlS>bo,oUtE[.EOBL1,+((bLQ94j=7;^B(LSS'0#
+%hr1Sc.*o6/gK:-TWCT'JC2a9uBGd^[N-:jQ<aSLh*VB1J<%!p?Cl>_H!5[a3f*GJZ,!/SnUQMbmJU(SYB04BA;O9]"Af<1HL$`hN
+%Aq8(t'7<t]aWa`VC\7#2$jaSbEZ<"(OiL4li_km:mZ[t`J):TZMi.pYkNkH!gV@[1c'%f1lf?k7D;Vi15?hF<fcV%XZKd5-b?!oL
+%BjP*p3o+BLm0Qa:0Ci6,QXNrE3c5S_X?hOH+KWN"kkJ99-$"<dZ;88%^;FaJgrD=c(Ze)gFI&8qJ=1Upr!i++OCPfYPEiV_Z%ZGq
+%JA#jA@a\d[rHfunh(,J.OWQ#$BNe93m-r6S&:T-3o_Bo_&QgB)+FQfSI;;NjUT.JhCfX2$&V-2&C,8r`qKgZ]?e+lK>M/VtfGZhR
+%8B_(dS^8pRGV@q#jKN0SY?9e]ZccKo^_s3X?3,2:9`")HX,.Y/*YRA7C>CoWD5h7>r+Re92pC[Ce^1_.Tk$H0KL$(u+V.n_#bbBg
+%jqU2spM52b.7ddPemb]=Eh)bDa]DR6S<Zb,%>I'XHBosRPV]*'+A,_+;J.-[VR@;(`mAZ)5$SN&Qtj+#:r.L&+3Gun'?-&B0.,%[
+%%-8k'nBajSOFu/+cn<aIWdn6OX=%7ChaR7;crMu>pn/V/1p$CSn-s@Z[T73h\d)!O*>L8sUh2^m"s8!.)Is?rM&htk-AcB_(hS0r
+%YPMWpdBKR'(jr@Dl][Gp+e/-[W6tBLpO9(io)=O<d"m%fOAlV4Hu@PKYL-57VuYDUa3/nM4K?/R_[b480;_:b^>iYe$2X@)qO+`'
+%;U0Q0CJb#=_fHsnjdRmUVV/\QD$3WfLO#hLgSg!co).m/1%u\kkf'=jh0@MX<d^eKGAbpm[%,4%DqX2GTBd*`ej^A#4<n(hd_Dc@
+%mQ3;P6%WE#qIr5:Vs7_p=1XN(Eul:KqmTGmkMfE<(VS>t3q_BJ>i$L7NLnujek&a(,q+W(p/Ra.Yp"Tie:/J!o+2Pb$LM-@FS/'B
+%63sPf"Y#)Bo+G)F99^1J"%i%]qYYAPpN_j6i&6X,?cG48YNS+:o<;hRI@Z..Rp3SPK9sJ<[L#0VE]T)4ch6",,JU(no6%`=MjB!m
+%dfpnIj:Sg-2MoOm9dH'&;>1/eo#^!t??LB4kR48--(RP:HX'q@TYW6L?u2")Q1nWm\-t=WWM+O%RQ@=/:P@955//)07n:k#W_&@1
+%_WOe??D,'e^er/Qm[tiqS5<L[V3IER7.Ne:[he,son(7cki,AlJfS[X.#dcI'*LLX9NShkR>!.cDTj+El/ZMR,-4Sp"t.N1[,P\>
+%?2G+6iFuffH#^VVd#.h#cbM^cmGR*kY1B:r_kGSqq&rmRC]\\eo06Iu6H>PF2G&nXNV]%sY(:JQ;FX0ArS_Ls<rV[IXV$9-?2NC"
+%dlm]tU\!EcB)^neNW7,^^-Fo-:^"Kq<u^![3:e6"K.e<]&s!k+Jo0W.e+i\oHMdu]]KH.%hELkK*\W:o4J$cSStD$]+!,9[a5E9p
+%O3GYf@31J6kJu?Diu\$Xjlqg%p>PH:Ge&TTn0n,-fQfS8DY)cmF.5Z\N?0a.<ViXMIs\&"^O<%$5:Fre51I+bYJj<!_,0n5UZ0*8
+%YRB=TLUW==NJFQC)NT6-XjMoplg9=!m`>t3jhop@nS2G/jLZG)h`a/;+-5M:cO]QT%o;-(bC01B+iqFrUF.-G"G?KecO:'Kc[T7d
+%aJ+OK&JAOeofIalRLT,b_a=([h[p\\!T+V1iZ,ZW3+P%Sh\@4'4Q2nS+C`4ZcOUVUK^T6\R>C;='<-fV#o&eXmg0_sK^T6`h'VZ5
+%_F=/L^FN]6>?3s9AAgq,*C1n`nQfQJqb"URE5W:cB8;N6@=D#AaJSGii?OQU>lgbUF8.a=,c97B7hCMkMr,+9@RA@a"Hn!Sh[rI9
+%&`4<so$!i#+&8Ocn/VNUAq>D$8BI&pIr8*)1IZeB=NU,N^FQPL22=CT[,h$f5<lYg,/,S?A5D3s!_as#HU:E/49+(Y';+C4%l;m5
+%Hrlt476Cl60ua,RJk],6Fnb]\$iFXaIA8pmkIS?D%c?=AVM(T/qY!GObWTZ)I$]JKZG4:GBd1:78]db+45?&n\],PdMPSpt+0+=7
+%q=B5=SAW[6fC=[mNelNk*sr&Jc0p/\led*dleh[/LL2\`Xc^f<rTE:J$B;U$#`:_/J.#,DO-TF=Rh6Bt'0Y%ATfH\t\6:7SjHD#4
+%dTE/aFJD$=dU&U;IMj.-Ls;ct]apA,CYb-[OF@9n4M9-Hh["IAY9rY\:9ErgC8r-H:4JIP(smFGeaC[5;K[2Je!MJ9$-4#l9<2sr
+%Wb/gKT#&,G<I"W"V;L\JT#QBZrj'D[93[W5h+GRSeC-Om"i_>-V6+>N3]59FIr-=$+'$06o>VffUroPUa%$)&JV_d#5N[T'B(C!/
+%n/?.`Jo'N,L/dPAd]AoNg4m?eTED_V"GlsO@*?+:kh.^NdL61XWe$-m@_hjem/nIR/i@6'FP/)DbC0mQ3,+1b[kOj[m$\t:T\k@&
+%)a%>IXPeA@]\N^J"gF#77m%'dON1B<E;C!_BmWX+>W7^R[8>\p(1?)/QS66hd/>-51K12l[[U&c)Fr^/VRJ7JhsQ;)&1UW]V:6Pa
+%`M[*A[02l++C(pk]4\hp`_'#-d_$X8@_06+-9uF^^3I8lF10=0LZnA8ZST:KSsM4a61:$f%:/`?IBH1dHcB:Ja&Mt[j#%/K.)G%D
+%cRcjr&YW+]/+3uA&Ff0HC9l5?a!]W`rricLN01]e[L/)jDDYt:hK?U0Ci4BjD\kV\GO"2S<8ur@aRkWkb.>=/)VS!4BK$PYD9juJ
+%pM!EHqhi=7_.:0`X!o4XI7)-Hc@0<P2B3ZQ"-oM(<VKq9CEo+l0,_f^G\rHB",0X,+S7?tpp<XX'2Zb!13TPqd),+*(l<E5ZdhP)
+%LWsZ(G=6c(=#6te0&CK@F2!r`Vk&Qh'gcSG*m9aU]:-Y6_qN]OY2WE'4[^r9mJ<[Hi$F2R[#qV#+0Fp6U`M`ODJ"G:oZNDlqGMb!
+%7FsAAn8)hCqHs1,^!Te,<H\W)cT=Mif$d6ioo.Tr4^`Faa]bR1qlgP^1N(ZS,fS0'Uq6ir_bTGX#p-TU+*OkB>?#2-XUnhU*Vkn`
+%kS8eOk!!FTZ4LWT6L(W>(@\/P2Ua\9JAW/%e\M`9HVcV]AZRipKqQ;Y*oL2R5R]8$ckaOS@u\d\#f'P`W`-9ndh?9U-S'D+9<E2`
+%W[:E)"&N,k+e3NkMiS-Dp-OY81h"qO0=u!ITMsg5[I'rdYZCpF:Z$]i/XM>Jn#RU;KLkR*R*BCD1Q0NaKiJeFhE4hX.$Hls>J2p3
+%g1U^-nb^$F'gW/=oV"<?:B`DSg;\Bc&r"qI?=Qk0n@rnjb-/GA;tft:ZU2Q.kG3R<SNDF39c=c:gH)rd@1=I]^clQh-UcO.(I)_)
+%'^OlC`Dp<Cnm9N1n;RKI?M#u>F&buX!h3YD2RKQ.iQ=)2Yb3GlJK7B)2G9>Xhn\PF]k&Pnb(M:k%KXt"&!00gp/XE!pb1oAZ/CmH
+%O!")kO%B#1nC9K;gDloXYF<07I65h\E>-n\det\-kW?(:cCNbTD8Z?qH5Edu]!@jGecMLJVS_X,T;_0X6EY-")^/*J/'&?sn"?.o
+%W[KsI_$qrBjYWPnmBAANa27?q>U3:3M^LVo-V(R>8/6!)n3LqR^qGEPAt1iTHuhf@:XA66Pehc%[h[^dlEI4B4TTC#A=V^IS)Hk&
+%CZnAUEncHDBe9Lg1$6U;a)f)<G=:lHP$(o@bVcLCp5[.a2YLD:`U8Kn!cLP(bQ=<m;OT]%.,s^90N)8!BV6N"33.$$E\c25*Y!3U
+%M7\pRj$OWSL,j#NR;c@8'k]Rk$YiPB/S.0A:iG4kN$ULG"s#C$.;NW;6NScJSV$^seA!O5*`<;g:Q!du,;Wo>)df_dY!C,Z\u9UR
+%eX<`n7U]eWl!K50mRB7<>!m@tYGi_?MphE,fa4c]gTA/`_H:u8oKMp;f`ol886.1.qekpuDs1bOT>kDHh.,58UYFC5J3_q`JdB4\
+%S%X)7<H"tq3TTDR)O7_skmMb/"Du=MP07Y$eSifr%jMWapKZf<\lhg"3DfF%?h0^.WqJak@HK?M/TH\;<r6=,95;U,[Nml8I@Blt
+%o2Ac.!$05_4ieAVDRr?,7V/?k#o<PbloUl7dG2<m<l-R0@Q">/U\NN?D@dFGO5jYhD<RJZ=I8Qi#Y=@YnKH=P:s"5>%JjV+YQu==
+%jn!ST>_ffGZ6e^ak.RaO@ha%7^!*$*S4M4?&*.<`=r,0QaeQUs;00'c"[+42ouK=+A@>"rDhZ+t3@(TUb7`ZUE:J3L06&*NGZAE/
+%U^<P,qP99sc;AKn37%st*W^;;<-O#5$gu2^,\7E1J6]P+abgRD0<XrIkOc\69;1.gjb`;==)X.rpJ=N4K3/"Dn0j2kZO:@&/B;]e
+%of@=Fe5UDbbGK\EW[*h?)4@A$=euj7;`?+9dp6k>Z=U)H"+%d/;=5_(D(FFd*qbp2,@,kh=i`Nf6gumq2t>_lV\_W%*)4'ks20d,
+%Ie[9B0B>'!iQ@=cr\4l>0I^iKH^!uG-i:G5D-]?]!MjA2k_gpY?HU"0T?%S'ls7T9@>g8%B3du0O9Wr84,]bP(2fhp3[Pac/VBn=
+%R[IBe9H9e6*;M!qkX^j@3ftZ.?"pMhXtiAVH9A!/m6Fcg!s/;G/128if@0=lQDZc323kUo\,WjOV`lbSS;XLG-gln"\S0u;P065b
+%@Q?T>-eNC[.Ou,$dt2/[G2pp6J7qDA-1M,s@]&-pc#$uY5SB2o:)[bHJo!H]o.j.EH-fQm+_fABGH0lTWmS2,iM"*.FnGO69_3U1
+%%7k.*9TaS"E]cE(/W-Oj%8saD5Dj;`4'Xbm:.2n6%o8/oMPt?W,X:W7ZVn7nG$<SL;cTrtJUgtNb]K109G-1ne"s]cC(5NT1^h*e
+%-iWlmpNEos(X$2*gt<T$QCIKe51sa'*;dRtoXKZ>g[Aqk:NsjWqrj5,f/!knhT*#kDkg/[Y_GWYQ/e?sTR/b_UV4&#4OFU-Ib<:G
+%nq;Us2psp4E:B,.is+8R;i_"i7'oSp2I0g9:*7m28q+"'d;=,8XU[C8PC""$GgHG\+`aVC/7BC<![q\OVP6-j%U41h.eXJ!M^87s
+%(RP3f^>kPn?cXZF:'XI3Qs0X;kftrR8Q%G^g&]+e`iAbcOJ&NE(VY;@@U,.K+8R_Va#H#!NjN1^IUZY<U%CFJC^YH:O.C--f'foO
+%m887lXmJ,"HT>/;=ho'^Q!?DA-<k7@%%K>#j8.-Y\_0Mh</co0RcU5kM6omV405@Oggf5XTRBo%(u<WPB33VuI+b-agL[hN4L=%=
+%g3_.^6]2dCHg<I>Kg0B]I['f51"T%^V%k7a]Sn[2dL!qcpkT:0\7`$$#u0:@@7*hi3]b`G2^X_b;p`193N[_+koZ^OP'\c&W@IVW
+%T.2bF<1mmhOtGRhb10EJm"rks,+^3-cW.g%(W(Ci?[@rD0DkV#++O7dJ,[\W/Wp#s#2u135SX6r3-*b$a`Y3*^Ak;0s&:mWNP.m&
+%V";nIfOGOkd;AOCKaY]e"*\[GY2&j_/E>Ghk/S;8QI5"sZ<sk=,YdJ^&DgFAn1-(b&Asc?DGK,GVVm'J#4WohZK"%QPDN>K3_bYI
+%dp(>HYHU5aB=ctOhDY&.#KCKtO<63cfflR<NsBM?S5L71*ACD!%I;D4MQMb`WJFX?rpV/_o8T_q(&dQ[fWWu=pQ`HK"L^YCRbiKe
+%49e\uoG.5.[0"bB5GXs0\dN!Hbr[iKrij9c;efd1%,)Ku8(O>UTP<KP^"Z.LBqb`#Mk.KnW9r(A[8VSrS+,1R40TAd)Bq-eN$o74
+%;@eNr6(VjL$IWh+p93u%G3ct*;h')]BIFtm[8_Xo42Bf5B=n?:SkXb#0I)j5p$f=`3@?c"G+,R;b\p+ab583C`ddC7T)4(Xa'#hg
+%En.eV1i7QCMGZ3(Z[J:?/;_MOO<p[4p-7PkXhgBZ]F$2+Ar*D.<W(gGE4Tf"WAEC@NRfYqC2hR#CK1\]%=HhR2<</HnQ0=i+HG!2
+%_Yg`$V&HMeP[<iL/3NNo.se_%#:3Q3$jZPZ6r,lop1(N6QNU2+/CdLg+(7H-N=b$"PRSl?R7BgER@;of03oS]VPhMeK1sGtm"@SI
+%1qjuB"eXj8emrq`H;M/d_4.<GJ=a@c4/H,0(b_bC7&s=Gg4<./I-c[YCpmJq78-`46AKc;q>hd>7lNZS%YB_?APW0'Nt09p%R?$F
+%g@Z<!V<\l@]KCd]SY**(8jf34^(6]3?O3^Zq4[J[_j]Abjm*R9qF>)WfMb`[Km?$S_,VsuSO8HIo)mfo<.2$]Qtj]E9Ug/Ep^q"o
+%2F2/Fj<HOoBY>TM,mST_CJ3%AYP"15j(bI]=]dEdRa_A30-!H8PbV=`6U@S48Ei`0.m/R5AY^1-Z6+:(4sJm/!iC*%ZAZ-..V5K\
+%>+o;oG[/8nIX;O`JURU<DYCRlj]ecj[iM["*C9gsP=2O6MTXIbmi@%a`p=cr7++T,;O'i2"G@-8aY5@L:`;*i\ba'MXSQALKL,nN
+%!O7QSehm=qNnl:!J&5r^k@KXp1gk_A!sa1t$`g4i%!mPZ=jXWXlAA>PFt[0@$)Q=V$@L?LCfS4PqCVEnlEhJ1d",Pcb^4mZ33XS9
+%3Qk-7Z[9&U33)D,lQL*K,oXA]9WiIAp,Q7+n'Td%6M"/OXO%XK!/4:;16kI[U5Wt'9hE<qP!448SCXRB!Z]9/=.MU#KWgbpI3>6t
+%kS",%:IGDI9DS;GZ8r(?4F)fT8!]@6A&"@gm;6RTLo4nr7u_b2_]S=70Ii`QplA+H3\4RX5*<[Impi]H&`)f,Fl'\m$s:PgJ>!0>
+%gt'(08VVHV7cD,:8b+)a!-<GL,`4`?BjnHL/L-=-pI66`U"4-S_6H@_6RJgbqOoEQ/L1H_*A6\>,Iam[q/g8cLK.\bML)]!obG):
+%DZa!pR[3FIYtV</'L9.X<Y1DB&,$BSESf>V?5*M-R*^-/YK#B6*JVN&L>,_+c9t!j>$a=MTUonH"oSqpR]VUENZCeUEX0ded:$5h
+%8[q]GZSGPpHa:VLjM$S4M=B6Ec:ZA-D91dq%mff\1g&1n#*5(jdPTS+i;s0Pdg)R/9In*/'W8KA[X02YZ@G*d&YO4Y2S2gbcrFcL
+%TS"5Ck'[h;Aas#/mkN46lc&hU9#BqI+@sHWWKhb1Hq=Pm)t_O*7D,g,.sJ7//BVju+4e>1SB*&e%G@eaS*se]0'"<[%:;Qj&P\jJ
+%27LD^1S[e'd4b6uB%^]4gVs_jXtXi2A!nF93R_$Gg/W(75nt2e*XTX)*b+lJft/8<[,/d*0a`\5n(+KeQ?N`q-'0`F.T/?6FhY,5
+%g5C3MCEmKdc&`ZHPc%"M0E1)e55j$hs$9?E:VZ[OZ0hSRLL:)D+"nT45Q'?pR`58as7sPUs8/F;Qe_Y2-s6?oGbZqB?eQB5_lmg#
+%Rn$%1$u!"Z0KZ6k.pN%T7E7O8:/BnS_,^q7CNiQ"(O4sh\X2<P-A@g52bNJHW0=)+*.6`:?icqem`4R)\+Q>S;dO;t41[L?Mn8#&
+%*e*k?:dqb^JKqj1\Y=WYbs7M+S<U@V+3<C&??^p+71Iq1)'$7G)`2MHf$a4"[5"c"LqW$Dm`Z':*j":[J>4RpYC&9g\Vs]FDl;H(
+%.28!$l@O/Ne(.gRdT/jBU[D6l1+ET#k?f=^FD;qKnVZ?AMS)sk6I-5YFOI`bnI!ZR'X`V<F[(9J';?@[YUAn)DkNQ\%']?1d0@^r
+%=9JD_!EZ0j3B&45Z\V;c;j`]?b,df/**6dsG-c&e$DOM_JgX4fK>1XKiuEa>:cJffql0iUc,_tcoU4\_#5^JH"1)r9@IR(7$LG-_
+%W+e1,@I[S59g;Xu-t(MT#O5O[4.r$bmHpVDTXhXc'lTeQ`;Mp&4gS/O;/7V[5//qEj4`bOq:g(m=be;<-t@lE"HUf'bC*L%3qL+s
+%DS8"'9hYLb;LBLU/Z*5)mI8%3G`qr,96@[):@%2Di(7ek</<#[P4iX_j=?0jbsTshk`HI&@?h1uo;l>Ld^3&PN_(tNYq^fVn'hTq
+%/9.nZNg:d?&TNQNFdZFX?u:<^SVmjMAnfTr,%@2pAnYZ)pJ3WN0sE8ei<*h4K48nMDcU2D/okW6`=M4t?1tYFd*rt9o3WY^[tQEF
+%AD<N3a#8Im[LoNJL_#;b2@Bm'a4[+b"SnWk[cSs!#]VM>943+0!-:A0$e%jQMS^Mc@,3d&b3QV0'k?"".)aVSk%AhF>S_97SH(6L
+%eH:H\M..4dbl+*fq"isW"le+'%;Mfl"+6p]aNRDU?iYK"oJ$9@_6=ll-ibZ:/S=2G#eaV%dmRRheS<OL5XDFt[bK>UIeDu=L:2(B
+%4O@ZIgBAU.8)'^qp?G>KYbEsoW6nOX$.'1]#_*tDB-*0d>V'EBQU>E@B%E'CW/+;g4MIWoj[lH*mW,&#MK)drLf=i<H7h`Wa[<O.
+%2"Paf\HrPj>A`\)fKXPFI8n??T'e)rHb7nt"bNK'Q45HrFpB)P,&/6I"rLtS6OD!u<bg:NCto?+lDZ`)J.b]V&[-H6'@)6i'o%#A
+%=Y)lRs,E.!FoE>)SF$)nH@S?9U3*9s+RU`PB?Zn!OhrcEmokABlYMKQlZBJHaYnVEYW$Z_2K0_oG6gBV4X?C$=&"h/(sHA,7.YRN
+%aNP\#-o[TK?F_<&<uj@Z,FS[[HpeM3f,):Kn)h'_kXe$U6'b^A$r4kRa4/.<NBKf'f'<07djUlY%sYAgjPq&<8'(nIL1GhbJLF3q
+%NG1U21,Wj>l.4BINM?9>>Wp-gK_Ra,!"'X%J<e'8id37:#oOBfa(*`(a[0$Z'Gq!d,tO3ll+N(s@)7fW;b,l@NMjL@Hf'ncVagpZ
+%!$@,DXr&"<UgR5mZN6VI(>UA5MERp*"$*W](U)5d/8Fg9p"e>dX0&)m!nV?F09#82A,$EO)pFRap[3!U\[W=nknT4E\8;'G&RX"e
+%bMf9,p:.LeD$8C;n!b-2Fp9G)C)Ic(dZ=d,S`%=iCj9<]@6k@(%F^Is2Dc7#g#i>c6oel%*CJiN7SQ`eA++C(C@$N0bTNND#;*l+
+%7:_cOkm/__n*FdDH@Y>uT^YO=`dp'lR%INpe*!tlgg::lf%8JS4Ig&^TiN2-+0F>dBitGdF!DA]*'CjZ?q2tQoj)dgc_kk$;)Mjd
+%@0M_3f8*L;_&ffNf8!nGKt-<cWZB((M,.ilU^4d0eHgCpq!r4,!2$c7[2ZH(ZiQ+hE.C^Nm"N8&bPB3sKW\i6aPJ3M+.d>jemQ`T
+%@<&".,[k,t%9-+jQ])&HXrZr)'U8s/\W'2=#+c<Nl];Q=A/0hN^X5D^798Q\gurKNE2+-n`"@ecHI#.PU7$_=Tnif>BeeLuJaW>5
+%\4shQVm_H12(@^iVWp`i<lMCC;qGV(cLHLnP=^I2NnBoUXmehsIdUr)&)$(L1X;JI]_>:mI5CAdi9=Vg?3:LXW5&S>dqcCeUZr_:
+%8.2KkrDOR$DT,_0N9GZIJ^[G.@u3(E4/$@KQu8lA"[d7L?Ep1JGcW'ug5shHqD'+IJJ'cCB.uKKII]eX@%B;+2;4''S8"Cc\tLTL
+%$VP`;lH#EieQ4m3.(/.PE#o=5Kf-40K6=f1;"e?)Ts=F1mP/L%%^T-k+TRhS6qdj*Qj#E;^tAf@%LsDP-W2E72Brb..+;u,%."J8
+%3F/c68S:9nM"JePab<@q8Q^^!F]lN9*Erag>=K*#S:>]H(nS,4&-_qrCc(h&C@:Y^f)=:7BLo,Z4<mgRBK-g+m2U5Mom&7S!L:D'
+%$()JG/ERZr_h3*^Fq+jES4Qa5<oUC%M%s"/O3YjkXUZrB2&8uXP_i^bp\Mo_lfqh">k;rWQ)XoT%BsH0>;2.\P+<c1$*Oe(>@`NC
+%0)!f-5\@V'-:/XkR`4Kf%(t_\RWnGho;4%(oPURj^!*fa"T;0@,<d3H_X4e))&!4`fA(t9E^uX$1O'B[WtXtZKm[!ejV;d;Yqt.t
+%1pp:`_eHgJ7skn;FNK-'G8@hnr0^DLZo_&L<g`rfYRC5l$nSV2'Xm'(JN&WhgIYos;*1Al"IY0j9qHIjD+nS:_9=[jV97:$`@?:s
+%LS&)YlR/M_pcAtU*X]b:<I^SVq!4a?doFGQ_Doa#bp)*p\Ko`*bkS.5.:28)DP#`C2pSkD;j:$c!KkDKb$g?%Fgh@-fKc=Lb"K*h
+%m](sEr;*hGVI?2UoBW<fHF!4O0(.*uf2KWmMnh/o3go2.6li/75F_1(>t_5Y#+)45C58C[i,LS\L8S%p$-^)_Gl?=`/@#=\,*m`]
+%APWY;5YL_=bcr_\f=c_Z5i]0N$U(WKqF"b5>%k4pM4kRp)KCuMmbsIIW\-1'l:Nf;*1_k3WPnUGq:DW&(P5]QU7gj6FD6KI]@KQG
+%.,Fiel&,mP=AhC6V#m]HArFR:C+f`VkFul18Z%sB%GUk=V=kqM(ufpXnt/%a#!DmSPEP@.?gGETSU!X5j=th1fc6j)PV8.3jJb3C
+%Bg)qP,83GA#.LTXp_P\K-niSA-pR2/MH>Cd<KfEmg)W/`0l`^VH=5*r*f\Q\<BYfLfRf2E&d4n-fnQ6sKc?LkL]dB^W1AmL7]tq0
+%nKtY!FJ>oMVgO2B=.Yf70(Z]Z+UHO.dQSqkhTT6H#IWo6AW4',/-W_kH2!oDc1aWJ"@D1]>L!Bc3Obb;N[_e*DjRg%Eo[:ic39s#
+%;;fIdEe#271R\k8O_!e2**R`$>F7D:/<N85\o"cH0m+dtEfZbTSN#2=9Z<)9/UWSrMC8oJJ%g1`HOA>>S[+6_e4.(1K$+U!gZVBR
+%-Uh<Al`/XHP<"uShf4QJpuu\p&UpfQYE-?=bo>M6%o\O.KO#sf<B4`/][=4(e-%e)>B&L?<^EV=O$D%*fWd6L^FC(0$G4u2YB[UR
+%bhg6-%;1f?CabfQ?+i%\-$g'<>H9HWL86@1;7,?.3?c4mgT-_AQ56i=\6<9L3l`6r$B(ari>!R!>&54aNmXppFaNOIVeoHLARVD9
+%7uWO(<lCG=\.Y:A>7F>L,U^m2:ZcIBS]B7re-UnY_@#acU&TPEf^!&C^lgI6TX+j<]r&Ur\4S5cI!,0II-Ngn:`K%eWIrbmrloU7
+%nMG'Z@S62k1G>%@CiWF+#JS%\C5&]V*IoJ8UG)lqMQON&X?dY.o3c!OnhXqoYmRGb"M1#5#0pbk@uDA+mBZ[^%jU[m3`S@bNgf49
+%FN$&E.pL[PdA,f$VEhlOl,JCi\HdJD#3?Rh"B9Of6pm2u`_/S=!4>8e=g1#_idPgk6,`s1WP\?dTWSh`*E3a1@66@Y?6Rj#)mE,M
+%R'Ula:Si?="g#-/4(O625p]eS.Euc_4<-FrST'Jo7`.Xi">SZrY$]G?kQ$$F'l%ajdf6$1S;hL*MJ;Lg<S''n&P@eI-0KUmXi9D?
+%mlCq2A(=N%kQ<Q)Jtilf6qC^]4EbHI3Wfb^M2b6%3dl&RcI7!2Am:kBXYTg\2&7%F[0=-=peo'dGfM^[RF1:l4e)jF?!$03/On5H
+%)4NOg+$P7NDX]rs*bp9X)NLf5`MnNi#!1(b<%&iP:+WUn9.#Y[0P[<4`eliG[039-8#)&eC+7@4"OlKlpOlRGljX=mB!lpnF'YGH
+%;cB[KrkWA;-;"opU$gO)r06GYs,<InesNe@6-?kJh/-o']L.076(A^`5qgs&k=Z<@0P,RbIBMDsLDX+o4d`%=dg*=F[-W)iQ&6uM
+%5R!]N8CI_#BGnAP#:u=#Xj]PH1V=a@6o>?!L$BfP=>I.0&+\KV?X:.[8ge(6j`WS#=jnMJ*:UW-aP%BR'Z@f31?r2>D0F+q<1".g
+%ob\.=\XrF:+p'<'&@!C(hd@9])et(CK7uZal3f.DUfku+/0C>Gm'.]mAHq6Y83s*J"\?]u/G_^U-F`!`o?t"`_@GQhH4Ug]8./?t
+%U&-N@Q<SsnGg]EJjRLJN+_;mp'5)CPH`"06h;*R9GNd[FK)j9i6$C6_kJ=5eXh-G?4F*rJd[Ys!7:%M;!O[UM@N&B>/D$3,`iV)<
+%kSi$5bpFRdXaICuF:U56$]Bm"4V=?t5SP3^VE*H?gte+$%hBJ.\*pZ"9RCW27cDU>NtZ!6`D^`3g9H4Wj!"Mj",j\"04&&QDU$i7
+%V)+&VM9*'^J@N$R;`mLI]AcJ[nggk8QtPNfbRdu]Q=6d6A1ZD-hH$c/"i)c7Ad_mFh%-j@HhTW`,N6HQg&ai;4iM\,RV$-R^@Eq=
+%Y@j!?05S'CSeo-&_QuSlJg0aEpKa>7[9*S&Q.#r6Cr'.j.?t&?if!sG\.=fUB["b#a\[&OKi7WuOOPJ.I:`^uU!'+(1(;]HL8N].
+%MIJIX]'55?#O#b&Gm;F&HH!`%$b@`n-e%4>#d)$VQ'E:2Bc:s(o<g;m0:EnQgE0NV,Q,F/rF*Sn8,NBkU&Ptd%Akso`JE%'NtmUM
+%@_n'\4K.F?0XdUF\-L?jOF]@bk\6p%J_%sIY[uPrN2d9Ua2;j.0*GOiiaf8_%R'RseH6/^U)ZI<?rerB6uX%eHtP>5%bj@P*(td"
+%o>6W).4>0T-8FjWnfMU*6Zr8KLIKc`pk%#5C*5'G"_W5^cj_h!?apTCQ$`lm[WN20#!a,K.[:<lNc_.<*+ZdlPfOMe;/bb^aUb;>
+%5jnQ5n5`'@0(s61SRM44Mj7hl_Bi9jIi12\$GTRI:LQ'.fY">*is=,pn3"IsEslkTC]_p6ib7bXd.FN*ASY=:Ane68LWJ`Za!57@
+%2F^p3bmmdK'W]h&3%`p8H-h*'H*_e=<$`]uJicViS+ecTRZm-77hAhId\I:XnC.#QS:Zr=RYQC8dV[+u,IR,_?raBDg>c^)R?KV=
+%U^65F(O@pcm-)#kC/XS<@jM<O8fl+KV!BcO$`S%lfb?=*U$_9YXGsq%XcpS'X)Y#;L7ZS#Cro"gd2O%9?$7>'Gd[13T$,RiO8F#`
+%roOpE"'.!:QXIrIf->\'_K%IC1lKch5LtpZ7sdW5Bk<VGRDYE0I@%i,Ca9>1Z:d$.F"eo$M>*b?RPq&$30Q6pQg1A-%XlT"<b5Y7
+%$Ip.g3l2%G)?4VsBu4Z;NN:@KLLu,5%Ti[kYWn4GhVD40!Uu.e(8^d5[i)l]h6n*o,#%s"INYPLXk"N@]ZBXJhdEa)1-9lPNC>n$
+%f^:n&G)L",;Y!;4>bQ9i:[RXVe;_&&\<i>`.=R`.-`ip^MgnQ,5S5[qbu5nRJaT#EdoF3*/?3Y%BSY,)8',0_1KOD2G2;W$ZOB*;
+%fX;o6,OFd)YTm>X1R3&?#59F)Z&e-=,KhB]?dm/t^!J-PT_m9$N[#"+]5Qj$'>E,%!AAPCE,$0W3`W8sQB)%$5m!7qGP@Pc$afI1
+%o8%L57<Rd;k=7pE`c-D+^>m-uI>PLQ2XK$afFd=6SlU"iNa+>H/JCi`PiT"5(.B<9k,&)l*iuC6IMlA\+Wa\/@r>SDfk4_;S&!ZZ
+%/!"=aP;)O40ZdB[0rD"L<&ubcm0O'c(K+lV$_a#%Z?5f`5k^*k_JPgZ_>63H+e[2"d_sG%M]5e^"1;>$&:h>0eV?o>/Jr);N+hN4
+%Jr\B1a]][@aEZjG/j7sP`kdm7h^`nm**$qlIRi39@?6B,_dCUn0;RZM%JVijm@8V-;5T#hBqqjaX<l_kBZeSGRUa6`LiYrWVg#c+
+%Sc<0.mO)u4J^X\r^jLnc>ES*/7Vu#i`f;AM,55,'M.lB!1ARel9!12j$]K:3&Gj@Ka"jXn$F4M%B$e^B\6GEDLNBR*3"L6E<4/S&
+%M[<`\OEHJ2^Vc&bLYi+^K9baQY"tr`[BJ&4ne"pgV[^uSnd:Dp-P5)BQkt]7g5K!Ag'VLCrBt*BT4!58:.AL5oVK0agj86NS8^],
+%SMfS+C6`3W0L(NA,ZT!goO7uH8fdF:C0aI*<Tt\3fD>hD2A/@d'PHSjhZ,Ws#5n\Y8YFG,0qoVJnWbWGW\fEl6/:,@=g8WXA6*>4
+%S5KEV>f6.$`jmmP`/u?2Yi-%cBsrTu#mZ7UX9$?<__.bO33_q*dQiC%i!DjYR))s<&Tob>;Pr)=(@(#jCP-ISeBR%.&/KF8[p=k,
+%bEG3L?[S$uK^V8acDYaAe.EP*B>R=$4YdLfCC=8Omo@[HS&%Yu;E\FEbFo@XDB'+3>k^,*Ct[9kLar,r%%F("g.-t99E@j^R:f-F
+%'\Fp2d2YGn*rU`IRo@p=XS5YG(7[XI`lt!'cX>Z>a(?^6q#D!l=?l/d\/B@!p5E<>)@UCqG7V-?@\u<%Qkc7KOo11Es2c(:.Q7Ao
+%>/&a89IFH=g<?5C-4;'+4'Q8CVe$2#N^m\aKoq%5U./AT$8jUp=7h+[&G^%]SE(=h_JA;>mCRG.$JgoJ$mCWk/%oE[L(LBkOgaQ3
+%[[kW[.\M%gMoNR5Z8u"D7_TCH04G[5EgWaX/HnWh3;F2jn)N>,XR)aT2$jP$XDFd4AB-rI_[=R.P?C&/!BWWhiJa-h^)(SfL#F&c
+%:U*&F"Ua"WPa(CQ_F,L-13HFJ`XWO6d?A_r^%ShGArJm@bK,!@l"sc)rCQ!*"n6p4Xq0e(1IYN4X^e7Vm,j0^#Nd0kSo/r8\Q#<4
+%?#jQV`G^gR<HTsB"3c1>$h)\bkDOr[!8O-^Iku*a4uQ@C$&mWq]qa/ursd.:l#q'aaK?MK:M=*oct&f:aghG[S#"_c>2d\i<UDoj
+%D]WMfY)Grm)u[R`>Ui"#Xo_)<=nb$mBb(:67e^SLG`qpee.cPs)(+co9/*cYe+4/qUp:;_>NjJQ6Jqn@&2u=$7h8U'SZ)Vc%,FLR
+%%SJuR=S?cJ9HDpE4DQc-FTJ.7$!i")$fD/NU`/<d(9b@d%p7dg[\H@bHJ^V,7^+[7J:T=u=s3.6<j6Kb-WR9JRSU_FXXJR;W\!bF
+%XO0nlU1`L[U]g4ECLPM!/Tn>*,AkFukr<5@g8VeCq@.Fb$&W3[I2\*-q3"QB+JG"@.n'fL'HJ"`W:qRX#3n&<LE_F:AM/k(1oc[6
+%0I36U(i1=YA&QH'b^?c%LC0VM$/NdU>T!2#&6^!I&fKPK9Ke@6"I5nBK1AIqq>Zh/HQC@s,Y@>/qAi&!6D,5ErZ_OQ];_)a?lLYR
+%+HdZ+JdSE+H$cFCO2o@hHN=J5"dPZ@Su:R0^C_OLk%<Fu2&tO/o]`[hr^/VanKO=m7=U":U)%:I^0acT.,F(['XA!N]$u>??gS%n
+%G41K.dmpX1eiWGp\)X,b7KUi9VYW3V&.Z(8h*;6tUsIq'iN)fUXscV0npOcBF@8GX`#S'*97eTj(2,5K52hRDUJ\.`rX?Z'pE*T:
+%X(KFj3!7!2T'-pOM+\M-Ve*R:,YthR-t_ts-'-4>NIou>/i:rp]JQWmnjA<.o3n!i"'?LU(Upl2JFq"C6=_C@#jt=R_IX,&@V'Q=
+%Jld-PG[+ZZke#)oS?I%U9s[T*7qu$emp^[1fFcsu[-pT'S#M_HoH[-I5+\Ch`cj.U;D8ljdT&%N=W@/.l?q.BcCgEN^pdTu(0.M:
+%3*%%O6!I3!q]QG]:?W8so<:,i:2&B\.'/XjdIMmUIo.BEN6ogP*RS^T:4Q,ZB]h-K\m--^0Mm#5EohGcYp,%%gjfR<]Z!nXL#O:1
+%]M"FY>TiCLCS%b;[n&tIm;#pi,q`4l_K.a5cc\HpY"OWlc\6`f<nR30k)GW2RVV!3rAMns+8.n4m2+<G.9ba[Jf7XEQ>fdu]AP_o
+%aeE9[)(loLPe/5qP]i7#KSr\q<S5\f\BKZqC7[m2@1Fug07Dt.fe0rj)@B_B>3[+uC[KW6Gc<lcLpMkK[u9O1S5@rdiq7\O4)<@N
+%$LRtQVkY=Q,:D1J$=kjtL1RtkPIJr6b;WmTPIOshX!+^Xc.bJFS3i"eFO'NK<pLfnK`37mH+:kZ9G;H@c1+S7B,S;<hjDtq!17"U
+%GQu#2kNJclh$.og)In+ORo?&&]+rSL+'\k,=7cVbd?1H%)T@tV)<R=0Vf_@IitY,qT)'XbD6(JAl10\bMK[FjN[;u&d;7QsP?Q8;
+%qX?!d`ZlDS;^9Pgjmts&p2d<^R(f1Y8^'?=f/Mb\--G:48UsHg3)K;o/apo@:?jL&bjA8/Bbj#n.I1E9gioDh^CEHfGmhW^i_/>k
+%PjWL(_=,)A-OD(p$GE4SYlk`5,-7cH=?84Cc-Mor];Q_oUk!=6RY+Y_4X:k!fUmKlhJPc#?N3rd,s^0gNj4+I]kA-,U:nfN?A;6`
+%e_I';DHZ,)#9:>hn6O.JD3nnJD>JGMWNXtr6+=%i/=qH(43]b7^@.NFPFM>\!'HZFh1I"rZ'HDZd0@kl5:R6@P+GXsYA?GmQ_Xi!
+%Mjg7cgNT<.p6`.!J"_$;\?H['V4.N<phV%Q.qD.m9?nSPTTXELAWfsE<j-&.R>+a9b&3MGN1aIN!#`)Y"C^g.HP.#k$3J'#oi%4k
+%4WEcCII*JY(U)h5G&NEUD6*SHS7rGKcLN)hd'UjY<Kd:"WG4ak^-[L,NR[=K7Bq7+a[eN6)5Pu8lfF3Qhiq#Y,o)-UU,XOjIB;Di
+%+nP:l00CCN[4`]5be#^=;Vo+A1(un6`L2(=;p];A#DGk%Ng=e2O=XH<GO[b6V/Oeb(h9TAom%qOQIpQZ()sNC"CtJj8o?;`&c<o4
+%j#L7;Gj&t.O<rQl;13bJ0i(I:I2c13mLcYNOCd/nWd./=]nCFEc_ZR_.:K?k4Af;iet0q\,+t^nbdlrTK])L7%K,lt"/os`b?#gg
+%E;(IP\[i5r.O.3ZYA4@TQC^Xh">F$5*uE9r]>7rN6b#d6!*+eO+KJNP6aIn!c_HfU,3L`dZ\(1f.@ps[!In6;#@QKN:#$@KcPJcB
+%XC7kjF=8lBh8ZEp8-cXOmcDVd)o0I0qN)t3"'@o+=bSjYK<!9?WEkuU-$(uShC&"HLPAaa+O6TU83rTSL(ksa"0qSd'6u0:5Oa0e
+%*Z=(&-N_*,Z3[ro:D$EXNle,-<D[20>5Y;JPLtf(A=FN^NQR"]^S#0QqJgX$TA9!M'kp\d7W(i(!F:1-1Qe"mR]7HXh,@7&VV?-4
+%h!*67=B(O[7dfN\j`5Wre(Y,mS9H!S-8#M/.\FZJq83+^l5me@.*jKh.'IkVEob0aY.W`+,(0!IdTXS--6mX'jsK`./Rtnh'AaG4
+%kN:ql?UQg)>C$:<,uSA*It+u;C><UQ(3A7X50?/.&$eAc\`D52S?r!6=jDr`kfHrM!I>N0b&E]amM6JqW's3omjB;1VXX"+++rXf
+%c*(?4nMmRNFXfiu]5u:u^J`OsFnQOeSLN6)!h?Un(3Bp>fs^_^YV4n:DG3%ZY\'+2io;ZEPSE@=E)kU"B[!XDQ@t_eJX?3<*J+L?
+%XH2OJl7tVFc/a;rB<hC'l$'%=AYQ@SS#1OqMU@=KN@(<A=1nsqQ*C;D#r<q(G%K@o=Z0MNT=(#i8''%Jl7@P557('eRP42nbB<]*
+%CggHNe='VZ/ZLMo=E4]f=/#4&rk)c4e'\=XV"VlAqh0IVM?'2/MP%n!osiFg*BD;C8r,FLkbZ&SEEf26nmi!Y'K2,IMuBlAerP$G
+%1gYd*OP)?#*q.K5.b^o;"FSD-I;JEY<mT%mY/#mS\KFbsC@0E3N)!sa!;E+LTIAVXJ:uP`4,@cEUB2D(YZ+SJj62W;AZ)PT945>4
+%hZ/WL3Wnn(f97Uab>,ZVQQ>.Te9g_q57P&AEu++WAM/P6P#]*J)n\id",@bq#u_i`f:_k0i,D>O%S2LqJ^-DQ'>Ql@oH4pBTA":`
+%1GM^.dj-spl#-""Ng9:opLF.&(M60lEQ*de`NIi*/4ho-#4$8%r`hLU]ROb.Ijt&Gp1qhoaub2m.XHD9QK<9Not7bff$L&grSi03
+%7?+5Fq)7NXW2s!+,jhfF8j1iZ!U)%p"lCN#m$D_C/mF,EYAU9S=F6VRp4h)<A["jpTE#*37U=+ALOq%/TY0m^l-0=[r-!rRp8@&s
+%el0os>%0\&\bo=2q7>%4gF"-C7XWZ\@W''1]soaUfW'UI[$TR\>B'.6$o)MJMt@GCCC11XnKY6QC=d4*7DGRm8cm`5[OOP;$<*(T
+%kWrc_R'Wa!G@MXMN1$8(N?X2fDV)#XS&DObI]FXl=>Kepem&FaYqs9&g>GBY,us"#O<.3cl<6Vq*hC-XpL(WPlb1/!4f_:525hQV
+%GlB/bM_AK\Q]o,WCt[Z#F!#sRMN_:MXRC`<CElWhE2is7R'9VShZ\@!?IAq#*Jr5An;eI_>\:1fL8$,QYK&T,>Y]gX=?q.[XM?Cj
+%]0TV:?P3qtn/,Sj8&5P-kd8p)IB/hQ#\Yr5iAIe)=UHO0d&fM0Vk>@cfm;^q+MEMP8P@l/2QohPSEk/b<Gf9Wouqln=k*5O'Q;-j
+%\6F8rCJ".9aP7rUp6E4ClKu#t"B26+ic6*UQ-X<.8j7q\XfLNhp"+*Og,e1AG]*oX`M3pPYjKB\/4QlnooWm[*hAM,(sK<jrO7i[
+%D/,MWdJ81pQS9sHbP)g]^L;+u)VODXcW*7\&,V5MNa*Arp'-6Yc>^O*l=g7B;[s'OgV7aMQT-1n/A$h^0apmEN?od=2eMqsT#nf.
+%GG:`*\6o1?&b_g^,ZaE1]Jgm@cermaiWYJhX;#=%s-uYR<Fl37.2/6+"-$=,@%J6&LYXdZL/]>QBs*$8Fal>*IV=83KP\E^]Nn`J
+%Y05n(g=cR\A1)kim"PDeFrRk+gXgeb?BT;Qg-1(YNXr:Em[$-!P,)%[e],++oY9RTbkA[J0-YL3&8L;0*n^^YJ5MeTio=/oIt*:4
+%^TYr(Ag7S2s'5Qb77lmLp7a$QM\@3mIK&1(I5n9o](]fHZHh_0]u[*l;F`>NcuT$)/IQW59uUM4<m>\AD$80`4mKP5Xpi?5_(b*P
+%Z#`5,PF\M)6J"C'ZPUnU[''YOEK^NWig?9<=lCklr9mol!$5pTQ)#U0]'T7i27%TakrhF;IUIeU0u"MV'Ld9OX(f43"0-q7ZJESS
+%*c[.=2Y,VY%UGHCnVl3M0ig.U,KXP"+XKgW;Vllg@$[lDi6F7HV4DGm4lSs6;L7sNY?]HV5%:d*n*CJlr)&h^m/7q#%S7;Tm"&Yq
+%:#YVlC(ku_rV_8'<YKkKZ2n@$l+%_COF5u9lJ!@p*3Os+s5!#@nD5iHpe/4cro">Rl28<FXY"6q,Wi.q*Qs(%.D)`N),q.&ZB4V*
+%g2>#]$sjg!>1Z%UcWa!4,klsX(V5D!7/k<QqY]g91B!PhTe4`CP6l97$1c^Jq*4m;jh^j:1f+ZSmD'lpnkB#`aaG[r'Xk$j(jT[5
+%p>KdX0$j.Wdc]nMefWEO6KL\4)[e7XotQYT[nHn.JR"da]er=uR87:7M*h#%F*V#"-q&H.!cjk<%Z$TSd8;13Ekb=,m6qIS"+r`o
+%[)@U";(ZiBOh2`1DgT4d>YB\f6D?3!`TZT2PaG\HD2Yj9kbZ@IY&kUTa&]@4-b8$']:q9nU`JPB6Tk=)V4>0H`u]3*Ks4p!@&*ol
+%D9)\sp!&@/_Bg-B?h?_Sgj1gkDsJd(K'T`33?)?m%/hJW^84XifgYb:Qf/W_rCWn!G8L,a*kSQc$/9=2*U>h?VSFd+qNsChkM4(t
+%Xp$Ni790#IY8<bt1Jl);Fl#tkT$_TJUekE/!g-GM=?BOHf2F[les:>HSHZi)X\Xf`*`;FE\m:g@AB>DF0Cuad`g%Rs0$IuH-nR#S
+%^p'7rXhFGMPC.^Vg?*MZJS/aq#6BVIU0'iDQ1Bh![Gl!'6J@Hgr$!!&pM,0gFC+GLm'quan]2(LAVG&XI3Kub6R/u71C5!<lu?Vg
+%KlUL&c#39P'2.>p:"1\HWEHHlVAS*.A2,(uOe^\?AhR6?pia0H6nk+(kGHTF_K*#C+PS)M>gG\l+Ioue&V03m(ebCQ+-df`Np=`8
+%U5k*U"fgK\"S[\H)TeA$CB%QAE:4Lu,cF=[D8nL+F0Z,h`r[oW__c_gAlWL.`9)e]fqe$n>cYt"q>,$OVb`d@o<b+e`hLe;ZdO4(
+%BApbo9oim+ha.SPO=E,R,cG2QPU/$OY``H84#cshj-gGtdZ8nD=;lEZa@5#X6\>*rn_J37.UN""7+UARC8,R`!)'>7I7XWi6CEFr
+%S_X^WBnoUAY:e$,@B7uP8g#.L,+$,+F?/7J`s@l!cu3bHNkDN,BsNT,_pX+#'ZU+>>VZ)mru]>BVuCDZKb!M_+ui#s`ab.a;&cNn
+%9t5,B-h$@Z/%rjh84'F];a*Z>'?;aH9D?$nkX/?HP@oE[njGr,Q/Y5`lp61dMV5eCLBC3:>X4%^)/u5/E=j]YfoeKFbcV`0m<Z]g
+%9B#t/)/#-t*0%'LIj_d=F^4.g9jR0X-\QQC^c-Y+D*?kWj=oLbZP5)(3,X#p@r%YF)bGmh+(E&'2Cu1mbo!f^fHJToNPnOR%`?l@
+%KNP4G)W&@\\:pp?QVKj?[U3Ir(F(@!;("BLVn7]>WN46r^@(#;/Kb@F3BqXDR\+>O45@kg"\QH!^:aU@^bt,LFCjSbd:n%N[oNCr
+%`%fU2SMgq2qmi=+.h1:></AlraYqV'X2o4-r8uh#e6EjDe,n(%QM>ITmXFeG.p/nEVCDUuP(6O##<70BA3Zt@fsh1TO&pZ-N$gK7
+%3bQJDbt(<13f3Mo2(U-fS'>PMggXGu_g\s5`\us$R_u>i^QgKc8O]mN8Dgc@IYOP$?10?/VEL??Gp-(3$7\Ho,#Y`kGl3lQC45Cj
+%B5=B64Z/'CXj]8p80+hPX=Jmh0-*/DIB.F$S[#KH,(_="lEDOU*k[XWhJEQ:X1gaHMhU7:3Nc9[.9G1d_Ue-,jr*T+4l4b4)HP!H
+%QBET,a?4ot>;WI3ZRW)#6D7O1[t7A4N&&/.>o(\kE3Gi$>h.%:iC<?L=ZFD>gW7BgJQ2%]/-b-XUuJ*XReNEnS0`AfF*nAq@-4U)
+%=(@$WY>!Bn"^SZE9HJN//(8*KQ`^fh.Y^@+ZO8m*^I2ZdKfjKb*e&;qp:S=Zmb=4?egVRPkfE;fDC%FP9qZf,rj&*n+(UEPHgI-k
+%\]a+<]X4"D]NK_4>dR!oh9-hQ[p$kYkF=j#Gb$NA-CI)PMq<3^AAhqnO0kd!&q\Z^E=q>SN\u.2D`$U!WZbd/QE3]^C/r6aSUQ)D
+%fb\PG8oD9;E;Kr@EgZ5=\0TK&Wn3"=06Lhq=HcuOE\i>IXNmJ-MsRce-=]Mm>Lq1^-U%.^L24E91BBu7kbl52rp[g&YO?Z144ZKV
+%4RcjFnnpfN'[Q'tR:qRpdjs+b0Ib`pe4Mt<Pkq<3%mIA/g?a.C1oFN#3]?Y*B2FaF]=;GPe=s.GO.B*ni9FE6O8-hi"E4U4h%.1&
+%^&u8PC0VONT8pK_'jMMBR!'!,37m(Nfjg*ajE\Gp6-=<42hE-sG"H13R,;gdr5)#KAb@:"He9/Hg[n9k$,m>"V_^-s_rNid,q,._
+%"suVZ3\5NdfnCCfJoe#Kjo>_u2eK"4?/aldN2j=@&atPi(-S%@a_e&^gQhTOj3GqX,!X<Gqo.S+"cVH^no>,qFomPS_]#cDH]Qt%
+%Id,])NPtFLq?K6T0rYC'`A.u=`7Ft&S?*P:m*'K7ZsQh8/"3Q\3K:-a=ui!qC+DO29CW8Hffjo_,!ORRNOrZBc(]Rsdm,Q1PJn,H
+%>V51B-ji&rEWRjj2[1S&L'3]U<hs0YK"Y58/2FBh8$`jJR?]%m[>SH/[W7WC*G6BA,m(DeIqd9SGP`k%+u(=:]&u`*D5P'ZjCV:M
+%T5!J![*`%/o1TbAqGbHm1dbj/S's&WR_ccP*]YVBjim-J+deHGM7C+]dLW!>+*74=CVqt"/irbVUum!@a?KiYAi=q0m/"m2cn^;*
+%m'rF;NL(D-/BG3fT=l7%TFdt=gmU4H!SfoM#aFl2Y-c'hN3Xcb=[n=(a(,;^:e_5QZA$l4WOEU"Pum%UTYQ^S2XXi(dbN^Ao)7"1
+%/hAi%KL76T=GI?qP/[3p!)MGo&"T[k0[j"sb'rWQIJiKY@6"<#Wh.A^<&]QFaiod^P#`?bh_u325]5mSS40]k!&![JMu<=2FtXXE
+%NnSF'+A;N*P7!JL"[.@i,/Y,)lYH.,/p7i,7*#^96*4LJ/b:%c;cTKHYkjM-=!tg3#$B=Y,8/e9o)GU/QY9.!XV4kOO'>f@`<*OX
+%g@jLZT`e!cjQ393L2IfD$F]=:B)_\[mX@2%QZQ!EYA6d^;l,T=]"qp*,[cXn^H"D3SB`XZI)iOq_?,)jW[\Ygl9FY0g=6/jG1N6g
+%;kp3KmIG!6"c1[tf,J#0G:M4[-C<.PkRa&^E;(D0[*#PFXscPtrK':(al8_SM<\ml%e"P:.?jJ/*s.2Y3Yb_lEko9_>EdmI%[Q(H
+%]m.D18'AOl(1'p>6?'U2a#kk&f&u`,D-NtO]5j;apio46[i5r)\Fsmgl'%B2OKhG0"4P\@Lp]&7<aTWY3U07jO8XmM+I?n7RbGAe
+%OZVsN$]J3(F9HLGpE2n/IT7r&@FVXN#ct$l['."d1C2P5&6IRnCl?Y/cu&RacK8O//7rc__t%s<b*6!Ag4$<2dL\^Y[pVb%@7$N/
+%gK^>@fa-;n.=u-EK"_Cnq\dZ\PY(sR%[keccs;?]HFopi*r?]77*N*h-sF^8'iR#<\:A#^1e"!.8g4[\&map5JO<]V%aGK[ZZK9[
+%`piJ5?ke$bbtP3GMm]_((7S)_"a2,abbGpL808n>eJr(2c^=Jd%/12%Rua5hp-rGP?QA<2#hfnNG5U()>-prU"MgTok/XSeWA<[L
+%]an`s?sPS4GCG6pN3>M#_Z:nmBLQmm(4!I2%UhYfOV4WGpXffg_8^ik>Urp2]8@!QdSBsu-ph["Rtd@UR-c:VS%7BXEq_b!mdj4,
+%,m\D%ne_*iR$F#%F*XRN:Xp=R#7fjo4`n/2#sH/thF/l(-j'W!NJ4,[bgEIDK%;)XG\!2*frSqKB'"["X/T=)TUj=ON*I*+2Lsdl
+%Mp#q>5baj948Rt8E9q/7mZ%0e*_VqKC*Y%M5bBgQMSjW\n@Yo,ej\Ve--W:CD#%L\bRO+a6sXjSLUj!HV=&F?Dk'VI=F"3;95A8V
+%nCCIuga2p(d][ta:s%Y%*4.M"KW@b*Eg;Jhdj6Ot\dXaF(XEIHYYP].cXE)#3HrJTb`fD%Rj6F+ER:_c#gWp[HtXiaIS+YnK!#eo
+%<RK4EQo<>'I#R!qRU:,_e:XM%fCT><`l/ts1pe"(dEmpOlZ)9j+#>jOCMIH8o@i%6oo!d5WGICTE71OG:c'b]qmOsAR&D@!%MIBQ
+%>2)&`0]J87Ofm4DEr/#8UD:<%He>bTY]sY'R/9s<&nJ5>JG$*+4-@`n7.Q+!Ht3S6-p/9YfGf0jFfA.Q\;4D+_5UD13eKb@46l[*
+%V&q''.6*O`_Yu)s5QLe2V-S"ZER/8[6+CRdo2[)H+?fY4;/`YA!jFMM_R#.,8Db26$,R/e!YCUBMe$0Z<6):1qmm<M=[VE>e=c1d
+%,onUb'Xd)AqZ'RoGh#f6!mPqsZ?R"e@M.K':V/mf#!Q`XZcR8u:l]o8CsIOa0gYh>]^/G2W(Ab$Qp@pq<1^l)kTcf0(O+7YM7O7q
+%9`T+/':W]sW:^X)\U!H--$P([K*:7_"Od>\q(NH;P0>6L_>[Q%bkfisMR1iO2[%"<"#sTRd@am8$JtkA^GE<7M&9Z<:7I_^n7&:r
+%lY6/seR&MK.02j0WBfaVq$j]j=%bFC^9*$4Pb7d]j>Var6s0<.?u\g]K&-=cR]7VFB'frT4/QA[g48sSd%fO)-:f*$>p=ZtB0jFK
+%J9<?Y>eQPF2+7lH,G1F1,tJQZ[V+!RUAhu^]25%:(aE\u3Ps>!A?Ip?dI!O6!YNp`KIV6GHYhR7B(-f\1/5`)[8ZDCioXNk]5eOh
+%BW7_M9(Ln09+ektp:e&d;XCUthO,1^5D=T%/T'4KQco7\7jh%IHW=.,8\;d;C"kO=1(ro23B22F)B\\iW1?0JLC$u[WOW0-9cIO_
+%,J3`Q,HXH`-X>b-dO%(M]RD;$ZuEkX]+^^+%2Y5c3/?lSl$R307SjAn]5^O#EY#uqQT6j*>BgWe*Xpb-I*c6:l16]9N6EhiB5K_n
+%S`OWHkoW'F+VL_A^Eo"?/VU6;DoH*UrO6qX/iXBIU@liJ=agYJJtd$cY6(#Xek4I]ABe6d*JqkrhYbmkbZ'M:/kuW&FP@pWHU="j
+%<K1'M:E40=G"K7Cd]rM/Z-rEU;(c>BN/^PP52i4`&Qk`WqfQnYkLJ3BX[.]GC=)8J>u/W,/djMqA48X`9Zk":S^%*I7XG.YAqpAK
+%Ou9Qg,6bsq4^@kNQA\(2RS%N_A"*mY;H5A'a3\DVD=).+2Gn%kOtYTOBc^EeRILL7.o5+WnqtX*/89>0;9Dl1RVDVgFoB*4jguJ9
+%pTfE<dD?&<Hrr\sie1[&fjfT0g>mP7ZQrR?hi!Pn]#p?;+n2R-;&;s20Ntn#pO.I;;kh?DI%n>i9F6H,^n9qWM%[4$8YfqrWO$g6
+%0QMaPlZU"BB;>akg3HSK8:cmef<-_C')_&pqR?B+W(nDG"JSW^;bp6G3+ot1"GtBWGeHd]@r;iV8F>WtSSO6K.II4OX/lD9ZAKhS
+%<m`1Rd:g-b\;LIt?C.Wr[pkDV4_EfPI+gV1B7@/7q)&c+?mViBMd&7GMiL1tAuq"q0f!^1<ku4"';66DXK"i]E2@&6</&94]1h(X
+%Zk^X887YjRDVAjEO3nrkRX)cabf!I3No6[LB]i^EpV:Fr%IPicM2A_<j]Y:7k0r4DnM2L.@<$8gkt5bm%Dd:M"HpuqC[R@j0Z'*'
+%ESr)g[T\r3+]uZAD.u3K@GSi.X2Gn".Z1OT(`.]id)fUIqr;P.(hYP7l2jY=?L9+kk``$mR'ahZ5'5?:T^GuCl,gYEKP#2Y':=)P
+%'"c_YI:cqa`''D7Q4,ZEZ%gTT1b;^62DAQ`gVj1Zo#[Ypn1d\GA72,#oDj=C+[O4'\]aVt>CL4sbFQZR-tEo'AQ&*HdJKp0iH`*=
+%f6B<m_K_qpH9d9FVWJp!H;*Ub?qg'^8m`@5lOc&)\.a:[l$O.1Sa(S_hb4nf0Pm+lCGcFV#+aV@[F>tBL/>Ve5m5sIGtbo>1U-r)
+%S.6lZ&]D9l%7#LuZ&C&-]d0f)a=r37OIR5#N>9n>#PVHHjl$0>6nk^XO6#qp5!NBOV$LS"B%X%)';G95-"MO6hqLGb-6QPuV=F7+
+%&6.?.Shsl:rde?S:o]hsMEQm^$+e6iXEcqsW?)^8Jt1aqjY9m%l1jgk^,?e_pB#[R</@3(@DE!ZXPB>TWZ-F4fFoYG9miE!Lrn/*
+%nEG?[JCUAW(HEgU1-,IY\#e-u9Up%%G)313V/Ye^Sp-crJm$Gm!s3:joO(.WV2q$eZ>NB<`+WORN\#ZE.Zo1_Y$R147NWD<7r[nm
+%HEE-J)XEs)@2OQD*M]MC;qdm5BDViXR^m@O9>jRdHXGcfi2R85?2Kl9++f?Z7p$G[aSKHio&%H$M+3:ZM+=0G)Q.ib?26.8C$j:D
+%OA?AC.re,W:pu+V(!k,,(_s.hWN%tFG5g-TIg/.b:`6=l"Y)kBaY+ssl9Bs-ppns\+6(mJ(O2=6.N'!+]:B>ELRX.i?D'pAGIl",
+%Ol]u/Pru>2>-D^H?Or':'f>5j#8HPU`GY?mK,UudE*_/<IQqRR_^(npS-X!K`^(OCd-Dl1q2dt@UCJ?r1^R%qk]*`Uo%[b@pgKSW
+%[rW5Q'm'Me/csfAr=X_Pna1&>`_$B_e;QR?=r9QI@%9sFSAA)0e/]\L4I3eXYbEq+f)8iI.ui*LqZI2(QAU4I[:bo<M[KrYHmi*$
+%RIM,5BD-c-,VX+0WIKMl+t0OoF+sG2RqQQ.U"u#/+e<\FJnO9GjuN5YM%g_=V:[5F^9A\q',\*DBHuI$O'YH<&amp)89_L!H/V.b
+%jqL<XG6Z8cd*VLJLBrr.(oZcVj%4CW`]&\E?G,Q'0IGRpoZjU-\jSuH2c^JpTq"NrHf"GdoRSMV3[aBm7sdP+=,/iRZpp([p-GIe
+%KNGiEM+Wr08G0QsTp7uQ@q-l(=(?Le_a6$X886$9QZXLh\OS76>J:)UpA#r3%9M^nec/sU/V3r$j([kU??^/tA)Vc._n9j$@qNiW
+%AfJ_Qg&L[!eS$5]n@We60p7@'H&>'Abr\O/k#g_<Z;)R0@'oL=0\T&dRPB_nLN@'!Yd1`PhWm4jP*C=)fo/gll?ClL_4Wf2o"$Ym
+%C%I%L\31J'DGBl57\Z2L&`&:uc^*'M=]r6je=$i?4Q8,BQ-6[DFJG-<p,.%>ka@S?>=krXK_J&RVJT?,9V`9O^*PgTR[*D/T)GLe
+%S]`KNRj(Z,BeWJAh./D6#BgTZ(ja/XrRT7]OSVtV_>lpBT'M1FJ=1E.Q*(Vu6B#]BC8a/$7!Zm^nbgmCe]KYN^$8AEqt]O/[WSfF
+%MToAse+-O?htD"'*kl1V1"TEGPh;9@Hdk19+ZOAo`kagoX^&?EHpMer?S0IKoShBo)3rH<;O8oL]dLib/pGr6bU%eiXNhJY4i%]S
+%C+I+sS6g-.B.C/VcYP,Vd0#K+'+[XEasG1<[94dlpe'.aSq#91S9SWss!HPh&`8p.rN:53S[GdK,8J]7K:'0*.Sq<1\$dL2I[HI+
+%D;F"m&aTpckMjK>6EKVsGhG[@]D@;ED]ah&_O/e.h07e2C#q8UkVBDIf6=&:@^s8qPWdX\D>FK1OiJT%9g\`8,52qa%OXN,m/uUV
+%[dl4J^J]t>Jf"3Om[?MQ)&dM70[`3G1b!)PEn#C-W<"8lMH"9!>2aMmY^S63Tk,1]A[EQ`WhPJ1$S+,f)"+!Qg_VZO>hrXBRoSVt
+%$.!uI/&BRY*XktMf=0@Z[3)q"HArV]&,ts>X?,aOp[RWPRun_2"$/'3@m4K!V&7`7;%P#Ho4'Q`!7'k.Fmm"kSJWop/.9E?r:no8
+%J?W]i^_)pAl/"D<VcLBX$+qn.>p^u.,j10B&m&,;'dSM<8OoO=lZ0KbF(1`kb`+LnFM0(hd5iWlT7HHeN\?TK=q.9kXJ)<&LJDD+
+%T)^0B&N8#qV#t0s.e$m";%CF1OQF^"f1^trjanRN[--tlB(G?#l;.aZ.-2pmjC^cgaW^'7('/1M53mo@?n1$l;\deO+Ge1'<*4f3
+%5Q(^gYD1V_l&B;s9IlGR3".#I9+<)8Ot?;k6?%h3jZ^kh9Hn/KB%^f,;:g`P$Q,(3,_A@,#N#.bjVXj9h'jbJDO)B1^W^CD1^Lso
+%J(!+*Cs_EUD!ZmbRH-G-p_:!DDt1baG3@ZOj&I*(qOmuje-q*T.RD@d\DA>jPK.>NZY(@u"GOBY2OJ,2Zu6*"j]Sh0_?cAY"0j`@
+%TlH&rW:k5ToP2k5k!&dM?K=SAYRi>i0I!%cV)%B?O&98#ZYg_6HJ9Co*dn*nileM(pT=Magl4`VVqdgKb.-Rm8elf&K0du*+u444
+%=B+_P%9Re%E:jAd*`9TYl.HD5&uhPgS_,_,+"O)0'_@oK5/T-(@fFB3f8SZV=Ob32GDR[t75_.3&JP=A;S9^I:X\(C<XU%V<o$k6
+%W'U]#j?lW9+ne7$XJM6+&+$pLWke[]NJ>[c)0F3h&D*(RAM.=/_Q(/RkN@\p92uco),l%t4s`pm_bV7nWO?*-,fOo?DW3(E\[0_H
+%$4FrMpsj%1kZQAkM]FG0"lDnX@Gj^:Ef&<KfN1(V?TAkolXSJC]Q^SLWDUFbe.F?bk(c-!go=]4e-LDd/IA]VT(Ro.26">WObPDk
+%I(pK'gdudVio(sd[j3NAXB.?\]&&m+hp)r->e+L%].t9>ocUl_^&LsO^@0hc*!fPmqU\A`8*aXkbmSY@mEEP)X&SFfQI/WaCOY^.
+%=2m=q*.Q]'LbDA%0X[Ve(9;7`G>(6hcO0_KbC6p4%WfR0?PF1FVYph\fI-KLN?/lAl4PH<F%/i]Zp87"48,5am?puS\;)?o7'P7-
+%2pmZQo25[7m`9#..,u>h[Nfmpq@_k;&RhM"I:Y'SPRs;@@%ho,eXtDo>%$0D<nsk<No+8omE)[I9']\(OQ>3P/(iA%"1[TmVk;l2
+%0;X6tZ2mY`C<)O\S1TR.j2k?/"piIeTl_S*WWpt'&D&gd,X%s%P%[eFfHK>ME9=DsA8G.0!sj2R6aIFF`<[,2Phoi\n*HMSo:e1t
+%BKUGi\&$`,@5VE0OI8t,@*</;5Sd/LcB[ZDGNAMGj9pT-T0tei;UbW)V>u'[c8WSIj_d:`A$+OQ2EOZO9?4*[2t"ubeN\#Y+b+%c
+%4bC"%GWX."PLia#,#Cu'L-%Q1\\+?-e6`ES@jO1idX3q;DoHC`$2&;;O*`gPSO*mZW<a-<-u5s@GH4<WEaHYe%e]%8B^&lm,^[BF
+%o5<4894oV)9iR[PV;XhfJ9[$2=$B4)`RLpG<=c%63<m=k0a#[-;Y60rpeConlGjb=PB<SDi91S0C:9N@6*ZS$;[t1`[k-N$Y&LG:
+%U5:WuICQK3V4QC>cb&W5C-'5S5A#DQl9gih4mciN5C>RXQ&?H8pmc`&"!=X,K@Zuho-IHhM_aq32bPb';R>GG>M[hQo`LZtGH)bQ
+%+j9p$rY04ph9r7&W(W:GcIH<l^'Op4;F!*j+M&#uRA;5[m9_o_9?V"l<[hLZZ;Np1H<me*P9Tn$ZmgbfdIPq:(][=?T_\/+^EaE0
+%W(C=7(e@o6$@d%uc/PmnJ\5!ibf98K.h)IqRW%WdN>7]qV"<B>=e\6>_@H]8[p7n:j%W_BX.^L07"]_iFd2+7>Ge]QP7q0Sr#fp,
+%%)T/Z<E7PD2_`cM;!hXeh=F-A[81YHYANHIlWn\9/!'P9,+)niI+KH0_B6,0MtWD$>$eY\]GibVLrh/qIKM.CYSWW#Z/0Q-XU-2p
+%9=-Kf0ijt1Wqh]'?oui/>EmZF%H0kI9Q+s+3H@"`DY)"n6+Le7<CqSA2W-k_B1ZX3)R;Tbf[]ET+'_22$JJ'lfGfEoT0<?q*d=%n
+%%\g0O(\tP0kDLKcFC^U+S>f)XKZcoA7&WK(pO5>[qiIG-YZ5!uHHbNDY*u;1BI/`+Z"dFKfLTXa4Z4+5i(:#OB%Ot1(H$iB.;r+G
+%oNE==S&!t\#29[_Up9YD6L]et:=!]bKh!g]_$DPI3iT*_DMip!jbsG8KMkdjI1+]f!E+RV!E$iJ_=5"md$#_JM<h\4@K&g)9'fd<
+%+BnH6flkS_!ZE,US=_g":XM5I57)qtbb.sS+#d=m0\c/b1KfBXs'B#gi44Q/f"@Eh`nC+UmP19&`@"L<(7-FYPlVLOhk^$93'dl2
+%<D1?9h_qGoiA8!e>mIr04L\P#TB$Bfqdj(lU1Ul1h1I35Ya/"2o-c0k@ncNQ.E:SDY`a8_XEnmXkrp-1Q9AOrQ?Zs5h2T(2Q?u&%
+%ii<gXqJ)1baj?deLLu+@&)gC'+aW78:PbZEWO/CI6Jt9Y17"<dYW,"U#tNDUYI_WY#ShsEMAtOB[fDVOK.$-=DusT.[`VCca]95G
+%>cHf,TLk.iQcKu4Z*7L/iG<B+7IEp-C(bc,.Y1)&WG^S`if$CM.ICQ#R5/,sKQ7n*#Uu,O!W<m*/_R,An90rN^rl7daY&`DITXM^
+%)))T?-gm5Yf(ug\UmNrV#F@kkK"STeRrWj`N;@LY4n$&>qK]@h1i1j`o6Ziur_Uj'k!Btf!h3/KmI5HpaAS7YP:@(68P-YJJ.d#q
+%E7WbR:?>Dr_J1M&YCpifF1ELX,tD6]4W>cl/C3^r4umHqY.tB&^Y'`<Htn0Y2#<NAJup4c]i[[_+]"s;Cur>nq5YFl[@[>!=X>KL
+%q[pY]V*[!HH%<rAY)p=OZqlE)U3]R)Vqa%[rOKQ7I5:/DqPr&#(gt3_Ou<!GShO2(aY:-TMY7rJ/IS@;QDaJ>"u+C[cg-`<c#?Z"
+%msmJ@+hPO$cT\=Zi#"pFG-tpH4HFmK2h+.;'<OB(T3\sY4B8i0EEA_Wp]97QA3"D=Xt-c^EV&?t4M/k#&U\T)bSZ7)=l/Ki<+FUV
+%PJ:Z%Eu'*IWip(^=(/Jkj\PJf6?MX_`Wt<r5AXJQ"QUu,jlWm*/"OMB'&oi(PNRG;I8LqUEgi\nOaUC=B)R//M_uC@)d+#<i,GZ$
+%Pf"2!7m<GNg!qL`dQN.gD>,ZZ(gfqmkMY4n@U5$ITO(aD9t0/3mO^/]_-Fk[fQ"X32bBbk^[ZGJ<*/PWQbC(3#-Dq8F^#S8X))l^
+%cpt>7P5#"UCNl`e>8%"JOW)Re&nVB@qU_MF8(_D4+E%VmD_UY1r))9UrhP?DKU9AA;C6_B.6I#lG6,=0KV52,eGobE#6QOR(t?/V
+%aq4'0VPtThgUT;MViN]-"erS.^p=P4D9$T"qhfS[eN6KT.i&K.9mp9Q1.7s2^ZSd'L^/BAXEE^(hNKjVmV;2=OWq<LFn_]_WsMV-
+%,gs2^<1<22f[Jd?MNpD\VjAo@^n64$^4J@1n`KFcXE@rhq&2EZ_ct)lZ9t^;h3+_^GXf:?6CiOO!:!/7)5dDTaX2L_0E*d2X61e`
+%%](M_<QD^_XO821J#gq`%GNlNgBE2?7>0hufsE"l:`5H!q4o?NZ_\ViNbT\"53(Na<Z6:QI?_q]KkRDh,Qt,Ar,!9"foP%cSeqL9
+%+&L.0hZsQ[D?Ku&/EMs!RQ%"<DF;*#,LO1gpD\s/g3->;Y9d&6VLr*C6(6h%55Fto1%%g^X4g4uj=UUh.P]kjReFDjIPo+.,1Y8X
+%XX0C67Y,>A0s`5V]F\_ioMTH/@cdEbI77)hBum&?K6/Acl=$FZ>K?G;QGYkF:A"'?"<!0Mao^rmDa)*7?895rO1Y#Hd])=,=DXmj
+%=VaA+L7PKV7YXK,2@@]k1M+,19B2k<pt?Vqoe*rN1$89&D:FPB!NWk8fX"dIrC(.b=&6-YK#/h"<@Y]D,tK/R-7Crg(-j@KX$7AV
+%0)co_.Ek`k3%`;qTl&0S/bG>kQ^(nef)JMTi(:&I4@O"8iF?WC"1Y<kZ4;eS7sKAl>`oO&P-GA,>#uR-_ZN0L`B/2-7,H?77Qn9`
+%poNoELY[JV^pT5pIC%=UW8$%nM2aekp0sh2>7>I%qf+0UH^DNsdDIDgVI@M!@g()$UPMrF^Fkqljh&'D"W526N"MT@AiB6n7_W%N
+%'hfjNU67>Hr>L!J)S*@E$ol^$kspGHL7H6>)..as`F*EJ0PC*^I/S=AhZEu+j/'L(iU)6n$SjU#/lq"n(E`cqoP0uB>XBcY/Hr&9
+%G4SYk+0gKoU0Gi#ESp?%'&;`#*ar,kfO6Oee%,_qDU.Zo6G"l1:A,hZfF5tfQ^DA#+8-k\G7:MU^EJ4k4"[n#j>=*r5?70BZW3u/
+%XB4[df`D^hVX!/SKU),0jCH2iV#XGs^Z2.7O)@+Q_9=G$Sn$VToWf\iJuLVMG<L1.LJI2@m:e*"?A<e0V[W^1$.J2`m-KOWNOi&-
+%@pXG;3-*j:^tgq2[k4ci(3U"UbU*''A:.Gek2c\`&o573>!"aqdjh'tg;4T*JOCIN]*.ElE+d@$LtZr0d/fA)W,DFJg<-uV$^*cS
+%ZKYmG7[7(iHek".+)sr:`P*"5bD6&a1AD3Gj<'6SD4RODp\PQZ/UC[d^1U9jih0Q2ZBAf*0&!tlRH$p2%-m.r\!94N>G_%q(>mR4
+%>PBef:EFk&\tX5dc<djCK6*iNi.UPMj+"0Q2cSD9[)dSjZQcBHm5'jp%*mGGV,pfFQ7?!b!gh\$D`qpO$iDo6>1oPTUiAA=XJ6[?
+%p9@$?j+Off,*K5T,nn'',9[$a`BWr7/oQU,EdUV[r]]$TIQ3N-.(Y4Fl(!nlQB1-QM9`Ni3Cd2jZV<-9_',q\SJ>#gAfcGk2^Nb1
+%&XN"rKB`aNdb=)0DtsZhqtUY8>&#BjI@V=#p-1rap`?:F>"#t3c!3)Mp$qG!fRC)6pJnd2;_*F7O5)G/cITr*VL6OX3eAZG5#_,&
+%KV*+g@LHuXEqPX#L0"*J&i1Rf=4L(D#B5fh*P,VXhEcc\Ds>ElP6eY$eQ/"j/0;u5$ijEiE&6N0!$hZ?5Sho;(N?-!YdWlr-P3*D
+%b2.qTG%$YRe0cZON)a13[]c=Q,;i:@YCll)B.[bL:gP6L0ZM8mc$.(N6rSQ?WfVP:,uCoF8?tjnSCQ4NDh7/8TI9$>h/cMf!l\)r
+%+cqi]5th>lO;Vo(muG_&WrV3o.lCHC_f64.?Z4Nq^H@H*Om(6mC1DXc`'M+M<5FX?Wh7dY>1,Qn?#]R*/&PWFT,@"S&!c,d*8IZN
+%Za2R\95PiX([#$(WLZ>4'TOcTXXdu__Co*k>"^ak**7LArCHhcTKr_H9uQ&i_Or%p_[/,`G"CqmRlsIp$:M:8QlWg?MV])#M!'os
+%+3o"4_(EN%<En'54j#_KrKP^SDr"]])"oPS6_4rigDV&^G$i4lAeb4jDA'(/%C:CPg4`G)NLuIeYC.F[?"].TOK*"cmr,e*<;)pB
+%h*1NjL5e\D[OadSERSo;$#;m->*1l%fKN9"KP69D[6LOARD$Ft2iN=UA3]^L@,4Cpf&Y]>7NO'AF14tmd'p$D3Elh2L=0A4F1HMC
+%+cXf+n*fCYZ5+f(X'0@H^D39>T!lM8T6Qs/VSl2,#OWaaA5Bc_\4i@'58BcNl+cK?.lF1uQ=_5l.JpJ_FP:_QV`/473AF#+>S;RR
+%lmfob5s1M-(/#X87D=)uVI:dTcYOO+9+ecj8\SbY#u[O$p1`,rfG0L'WsauRR8QQo(=O]uP'A6Ul&tFsLGTs?99'rJjQ_3Zb>^6V
+%0WG--(,Sg9X!8GYRD:Qt,SU)<.;!iE(XRlHjfUDC-f_RQ_QJ+<l1.;;(X"]lZ)JdH>@VD>2(>M0K^N;fpN/7r6j%Ad3Z,%+.p:7r
+%(8=<JF0pc68sEY:DC0Hf5.+.e7]9,!j:N/[+DY;h9%LIPkH6YtTNS"MAk@8]603tO)dNWb/D=rs/>dHQ."dIL)jAg_`;;HYLGSjM
+%jWcHGU-%Qg9_^Ng0I%BoC9:C@fO/l]*:nd$fW6].P5SAR/:!O`VB-VL<c9qe`Cq(9bJ5&4AA@cs)9$4!CS[EDE&1V?`%_4rST5kb
+%*aqe*=7R0EA"H.Z265LR"j/Y\E0%QY(FlMYfg?=<@o>W`[M9$(2S5f=fnY3QArGjt@SnlLT9M-m]>1ch:S^&M_$BfO*:+C;V$'c>
+%p3bP]7B-HG+%2GrdsbKnPLsXEja)L]C@Pj\BTLgW5F0NB#]&D,$#n.LW[t8BBU2_^6T*dE[-T<D7:%C2qc]:\.TIe"T6s<aOgN.+
+%p)(9rnQBmJ1U^0I.;Qr\H4'NHkE@r`pp$S:O;Ie^dDL<!SZ_2L=9`^'^W+E)&!;KaXf2EDV`I><bdL_gHmH)HM-!#:D32NCQ&4;&
+%p0/Y9HB54`oYXc?[kY2_X!rGGQP[[\kua"S2'Nl.[&7OT8hf&,pUaf_Nt#@`JN0haB5Jg1*''g-4HY#>K/qsLG2.NeI97Hb6/bh<
+%XtYMJ4(WSt/b+7nacC:SnG/#h=*t=f1$h76U-u*;gdUW1Lq+iRjt<Goi8'_nm-kWO6GS2C$BVlh*mYSF3@Xf`U@$UtIeI`U2I!nn
+%gF_K+%bUcS+rQ7RPU)g/CMP"Vpc8.Ig+$-77X4$WflHLLZkkG\E^+H9"'*cr)UoG#!X&D+6T1=47H=*e7SeOi7H5HTOdmd"SseU$
+%&X3ZF"Cp+s?JO>ajtLjiWSX"FkAd12J=fc0A#/Y@K6GqX#Sq8$Loq+*M<*YpqZ)%15jX`>a.<a.@XNCGCta\-oE[cC^4`-4SuDRC
+%NtddtCeo^hc#Keo&QXf!qO^'b4eY_F\ZMj^LL3)ckUMm,R]gPE%U2frZ)M,IHb_JW&0kA@EGDm:/^[aU2#(i)E\1eC%h>L<USs)d
+%NZA<c5#9GV/FooF(k:YWpo^>QJnoE1,rc&Po[&W"<qk"Dk-g5P4OSAoT`%Z_ihn?<n07HQg?Ac52mgaoJ*_(o>DW9^DDGmAeas0M
+%`_Z2mpT^76Jr*0&Y(*afrU63os*1c,Nq:tQs4@;I?Tp^Sj,a65s8INIO#U2;o7+1HEN?H2jp#*A0.Wd%R`<YK%u"$TM/V;-V4/ZT
+%Hjf\YWu5dZJnAR`R$NW.3ZkEo97\JAj"i@e"F5'iaA74=:"TS*PLT`M*B\W2.NJWZdb[G"BdI*cS?i*5D=aMKh\g!WOWpq09;f_e
+%bRpb-.`0m]iWQj,qR;&*pVN<pg.O\1;aI@1,j$`_3$ut:TTj7*V_"?DZZsV1%O[#H\1'mq/icq>a$?DT\QY+NFT5J38H]67$VRI!
+%)63(;'f0)i_Bktp?:UHUcldQgaL<Ieg@"_0OY:Z^]%'l1PX2l8Wg4hs#b!=Z@FFhc!5eVfkr/tqVs9EfFFp_R^-l5&L;Dq`80"QF
+%6]Q?0OW@POZQ_=)Ms(,ijm[G+LtlBJd$>[h=qqW+@1hm!lSs8CNDeFK3j82\JkS'EDAk^O&SKX)b#J-@2XN>k_N"5&D9g63VB"OJ
+%Gm6?5mbp,j(cbnS-!:N9qj)8Qhnk]<#epAr_g'9mMS"MV_'=jU]!*/nDCn[4S/%*/(L-53"SondMG-)t!\6Ura)6Gp`\>2%=$KC_
+%H4)jNf2npPSsuFQfGZQ9kT,eDFfpLP.gE1bQspQ,H)>F/$`K__/V?b.`=(^[W@fA:X$>YC%SAo`[)r;<c5\;t78R-!o>VcAWC'a6
+%V5ndJYKs7%LV?)=>NnjBD::NdhmL1p!-_O!7buH/ek,hU.HioEs-i^4D\7'!AN0:-PmRW3,G-iNVU)EUC=8+NBbZt-=>a/,LrMP$
+%4e'J@U012<>IS))BRKB$bPu7M<]e`\OKe=RJVFDe1#*F$k3pOI-<!GDn8O/)T$F^4ldt1@.,\Ha!0NgpB1BkW,6N$7<0/<fj@]9f
+%bVT[-WpccAP#O*PLT1&%*@jB%kX>2>,<99&;<2Pd%._c4X\iO;0qVQeH"Ph&&iNeg[1Z<d;0%E>#g_k)g`5o,$&"FF8Lu2"T1:iR
+%C]dKa/\pj[>R6\mCjt\P9(kYT'1eq0g,'u9'4UtnfOWqUWN0c7X1GtZ.5=mOoR@2VM6J=>jG-F$6]m-Hk=SM+GnRQE@!=h&W/,FF
+%Mfh@tBd`k;<mB&CJr_\$CIN6kF^bYJdM@A^pe'B,"3l#Odt9,3+*o$Z+rFb"F2`U'$Ku4-gL@?0$`OC=o8'kNU]sdsqU2'Rp'UGm
+%Xc*k3KERs64G:8qNprH(YHkYZ;+dO$HG#b_V@II`R,1%",5+D!m)Wumm^8ub0J1opI'sD;;oH?Os'&0j%eH9Jhh=D<;\`9fG<a^;
+%&.b)JAs?uM;T(sjH;R3pmZOme>HAF<IK7KBrI1h+EN%6'%>^%(dWAZZF9J_BWbR^N'S8Zl4?:p.e63*'HQTGaQO?(@ggHB=G?10C
+%RQ]ENA'[6U5#_^5%WJ8V>I5nCpfmkTp5D&<.DN)Do;V!3*^_*8Vt3[pYt,/M,_4goTTfC(U,$d!1gS?Zn3jUVO]tLHEJ%ij4g,#X
+%oOa:0*H6J@#2S'_`%nO9<s7oqIKa[8/0Cs3`sS":FN'Wi:6F5OI.gLsM1hu)9\7'CbQ3UTO#e:*aF0\5++J@!Fi'7nQ[uj^`ni4m
+%^LM-LXs7B0rMcS]]Ss)cHC@R>4!>(NH+@`,iJe8h@HMD>N'SVdQ40)Y$9H4k!5S>=Q)UC=m%AcRSI=U^Asp]\Efb6G"$.k^=g!n,
+%H#\'^6S-+>?nR:fKo4kJ\_+T,&F8Z1;$E3^WC5Dpj\OS^KJ$Z4o%Gd@/TUB"nDeEsQhdOhdqfA67eK1\QRLk@[&f(*k;)QMm1qNp
+%2\_m9eU)pIk`R?G4G1JRmJF05I+bHC<B&ZjK<[:hHF*.#Y.+D#'LEAGH<3!a4%LBNqJs-)0Y7DC`tm!UYkKU"(TlA`&KUa*GY9q0
+%*.he6-qtJ"M\eba-+]f.a57kcVSgl;8_OtK(%c)9VMFXP3)%W'=9Bq!a<6OG<(?W;'u;["/*JdfCb^8Y)lZUH^YmY4N`>HO>o<15
+%^67C_<e(hh@>G3[9m6"nn?kI"a9?p:h8ikY?:jO1UN4M*4+aGdg"\Am*EF5n<'W6d01(9-'`@`q_lSa/N_Q5hXE^1X_BS%lFkQRB
+%5_Cb>he'UD1lk7]WA@dqB"$P7G0W^p*=J#j.qO>ANZZpJ+3o7,3Hh]W[j`WZXLMtsXjHC<pW>>+f0OJLS[6%jm>32s@<VjpGQl@$
+%UhF/+QmGmi/T,P7/dDhA(gTZk;/>6pZ)C(_RM#FQ>GT!s#Z:gX.c0@BTD/O1cHZ8=_>bpD&+e,](0_g4SB$2E,i&<nna/<EBT8)D
+%RXS_T^ti_3lR"!:r2J>]kYho&;3@%6[m)$ts*[Acs(C9^!hPl6aU*3d*GK9c"mFtWKuLO=Y5)W\I^GB+l28387jtko:VBo$.)MGK
+%TYB*d>9&Bt;Q;o_c,3R6W<ruK<$'h.%EXg!:[us"EfgaUI"i$LjZlf>i<5gI!O)m1_IhPfPc3HK`/1%%$'ksO-N/A'iY6WLl*k.k
+%"P%c\"1A=:!-+6?.;;WA'RY`>8[Wt];;mjtF9"TdB`D1N(20_lT%c#a'Ro7R-+:ngCt*t4.5,=N;q;Nb*4;^fr:g\RklcRG:JW;`
+%_,8GISp2M4(0&nWi]89"6/aY#Vj_A_%u[uT33qn%n?L]^.uY#9@C=[L%5;=hi8mJGiLmT]PQE&J1f-U5Md4Z&#em3dF=&`TLK>B#
+%1:Z"9$O(a.&WFldkMO!*<TqUgFp2ggle3(DE,@gnR2SjuP<OG)4!!Ni7!g?G`1Z<1J=tY>6BlCu4<.jX8KX!h=P5*S$+@g#k'Zq=
+%<\*:W/nmjZ(^Fp%-0)dX':=;?R;bPg@h1qmEhPd+;_qs`h<pLDJg!e%11G2Q85<.fokm0ZCW]m8`%gsK!aT_Cr_>,>H)37)jS]Y&
+%He?u:grcZCDRR6Vi_u5-rn/(E:@?$?hu7?BR&<To4gX4j=2hP.8'*tP6s2qnF6a1Q\>3*Cih,!R;"qOu4A!8ZZsZ>+L\i^_8W]!'
+%o0bFm&I\pbEE`YXmC^URWQ=&GB/b!^9rfmjX7&.t9ANs2)Yh5^1j#bbg&'DffLp:1]sL>F%FTqX+OR,EMjBVc'NF)n%$u_mc;ZFt
+%D.=M\p!(n8pQr*cJJZD%%\Hr*U<#$61s\+4ifOA=mD??ggj/OPl2H/!n;_3Tal,5QJ\s8Z;2JtQdgR'\r\@AE]Bq$gk"h\H8qZ:M
+%&W&g*KHHerd8r?QY/gBGJU&-fH&*4TIFZ@YI(O:C9A5&]JOOJD@4Q\h4b3tl(AYDKWuODhp[s,3rZ#65[m?!-R+4j]!%K//_.Dg:
+%0,Ic#(W[sDO&ELq#!JhI<-#L7[e1_g+4[R+Y5d1;NQA[l5j3eMqWErpnNS\^B#[VHU&-a*"/C+$%-e-UQ8NpiWlnHomG-$OMQ`.I
+%;\P_K4OLR^XNIc>lu+,]ooZlf2Apcb8DYq'5umBl)ns"Tl$<qsa^2eg]Yt&^#JnbkLeYOQW!FLsOmVbq*KKIl'MRR'Fn!<i$-j[+
+%Fgl`"bH"\AH\i=>"%rMXn^#aZ[;KVH<+rf0JcMAN*9D)KqAISk0<\jhOKEeZ_mD9.nn47mTn2",,;.E'`FNc>dK32UH7[l<Q^me)
+%#.$ooJHTj\Z<NP.7PU:.N5i[Ec0V<IN'%lherOa.]"S9,gjFqTQ%fNr>drk<IR^q1aZa\@@0.62d5_pupduR=^a2[e%'5Dk@G%+-
+%;3BXi0CLg&PFLj9Vogr-Vu619;D0YS,a:=QWaO^gaG;h\Yro09]Oa`:46hUfOU?0#in\[C[IZfo#C.&dGP3s#=Eq*o`F?ZLH',p=
+%@ntpAKq92+,M?5dMa5H<,7CYZg\+X`O&Ut+]\S`2Ye)ta*H_-&bJ<kWp66#6ba(6#HEBN<C-(.\F`UYN&fUIDqi4n$m5%Y0j-jt]
+%W#`b,fB>f]:6P^2mWl<ZgHaiCpjVQjW?+-a&d#u6/QhlC6A,S=1Z%!LTF58*/VqfQ1)uh(Ej/nA<`23nF&ZoE7F8`dOg)0V[Y5iQ
+%$;hOA&HMKFm)#Sj/o[tV51$%m1M/mQrE"fHF;A=e=#?LN!B(mp%=72,KH4k0-?fE9Wh9CL'.sfWaIj\s)fmZs6Tb5+h<b1Mnm^Uk
+%g:?5M,lqXMqZpX%#%DHb(qDFYO.`@q"cWfR,slj&:G;DHr7>+10F4.O04m*h8!gohAB<@nfM9/e$EBPmT[2QEl1<R,.U79l?V7.0
+%/GC40`!EJ^\r/]mfB!J.bE&i;SGPZ%XBYoHEM]"kMdbKoLO<V./LE&Rj"d(,!@@d^c??I*P+PEp<O3mNIXlSRiCItA7Fj7RJn?\Q
+%RXU6!U->]GUSf^TP+8L&aOI(h$YePaTOE+)aM!Tc=Y%7Y+H`RBQB)]h*2&(.+O<<=T^-kT_'p<$Gk6u(ZB-+7p4#.^Ec<qN/r9Qg
+%ps`Bld#JA_EOI6CD!3^-HY=R_ka6X;=odC',nhGJ[0.PG;e%hUGAA%a^R)6LFSbJ8ZM?TQ>B/VZGqK]X]/bd^R+P.*=8082_g,L=
+%#=VFM^h28M_*TamGi#<L7<gD$e5_bCcM?u_4e#aVJl)Fs!R\)@hS0/eh66!@gA6TA:gW3(:3]Dg=0RoFY9in-$C\9Ur=Bf9Z`l_Y
+%G9&0>7'pYRQH+2"p:U8`d*(egC.NY-a&<E7b][r@;`J,)\a/4h(%i9$N(:WFn+W\;MYQGSmT7^n@*n%pT)^VlDRZb6FE7!,g$?bD
+%O.GqX%Zgj]a)/tMNh5n5<!NLJe#Z!<^PCdU>m>A28K\VaZIu62JoG%7),0Gh!4u!t/QGH:nM'>C"pA!nk<BOo;=u]KYj6J!bGi[:
+%5)14r?p]^d`?nr>o5Y4.c'u?pP^u-noL5ue/-5`a9B2Ik)pgGWZY&W]\#X-CBV!/_O0N7/)@+e#Xc_Y,]YOmAlCW)$(/^c:-+f4I
+%&Yjq"8?p.JHJ8>DkN0XP[WXX61ng03rbT'EnK^*JM!nqMS2E5RI40qH\V5;dYgA<p#6SB&;jBc;O2'N=..%?qD#"hhk^J>g(5Xg9
+%1]8MUTI=:"c<_"cnYHd[Ms8PQW2a?hE#C!PIO4^i6G[eD:etl3O!>>6l(/iI4htbAhX(>FIn3OMqTu),)dsQM5UgP^KW6^.RV:<+
+%FgK0F9c$(4>-^>fXtZmqZa"GKDEn6EbPSQBqk_?p)@4mY(UIRD3*=1s5]a!]9nJ%mHS@i.MB?&7`>5q#nAiQ=fkS.u,[#;0R`[8P
+%`tb@1LUZTj.>]0:WSk6DembifWRDgPR`h$Y7bf^^P%JV7OOIPjkXin3:i\P`I^4DoZm(^W&J1`kc!El0_SmU#3?sM?0h0Vg<Ns/-
+%=[MQ=87h7"lV!K@h"H)X`>`_^b`4oIc\VKZfrle`m;\*s,XF4gATSMW'kqd[COkQ/0')slO<\qTQu))=Tp!G4\^Rg06&6N4WfA)R
+%g4(#)e9c8l2&AQ$raJ/K!B$N:p?>(U[tsK6F10U7d<o"uUcX?2YdiU"UHjkj:cuB$b40',UV]nV11SWOhhO/=!$%#,=JX@mq[B`[
+%:(O!,,?V(JR0-+5-E*`+:!eX*7`T5"gCus):a9PS<lfi2g<si^hR7,&%PE<5W,^ng)2uKSTJkSJ$%`W%Hkq(7\d]C]A^]7`XqC8X
+%0gJ;s7[Q1jnA<l7oMgMsa8336Wm>DoZFZ<EA\A.ml=.gKSbm_%=a6"#=\&gBn"M'b"X/b;Oodb\))Qb>ifp']7Fb'K]3<>UKeeXr
+%.jKB^TOD?;me/bn4uo[]_e`QM"0F(`GERuj6r<WU%b`61>#"I1N(mN<V4BiPN6c_Po.a#7Z+l<aart/&<hk6s.H#];C&P$A8hs^\
+%`is3+)`<sc;&L'PhE`B[W^\R;LOQnJ$eA>OO'lu%giH&[,tZSa:3Y5'6l8nh<PH0/+gKX^KDEa3aFUcX@3D2d;Y*[.\1PFHTV5Ju
+%gomb8F<4'Y#>cVLooOT`nA.J`0[JZsm]`=JWsUq3Q3;h[l]lfYWH->nYAsP[a*t.#_IS\n(%t7AoV$PqJP[Y#OBL4RTiH(MjBcI$
+%a+9/"8ced/J9U8gmRm]8_b"#S*U3.s!pL9'lF/?C'M8GG!,?2.+?,u2[G8LU$Q8,]g/AiEmns[<o4GhT&*Ij$gX8:?61Yt`J`uBb
+%r%23?:M#UPQej<2+L^Va3'b_D]P502.`4n\i-jtP*^!ETVl=dO-O_!e*@JY"DcZ_PB`QtAidMC@M(^j`nMgJMc!uMp<0?tYjH\86
+%TWj$Lb=hd<..#HgcJb+l;t+MR*W2_?d=/WB7T]f$SYEepp*lsKA7T`6G:h[]eLrZ.UbhW4j&"u"`.'4/>g#;!%N:(%:&99Sa?MM0
+%ghHL>F!B6njtm(9*@C![!^)gO4(H]`'%GA[`L)-^R_=M8,ET<5Q-/6si=]-=<eEekdfsT91Er`ZpNnoXTVbcoNW3-dlJ&RY1'gFQ
+%q>*A_bF%bu_qFDu))$.hO)Kpc'7`!M71T/=E/jg$:2N[A`EH!U0:2V>&U_7l-4RE]#i]!!.lO!&Js'Yip"obihdcTKfP1B$Fg\qb
+%MGur0WgnG>#$.oqrYeoEY#<k<N1V%uG9_!mYI]8rS,9'oZhFU=V\Y&".Nu^nXl.P&,HgJ!MaZm1)=n<M04;2Ylg)X4.Sm*OCuD!=
+%i=-^L!G]hW4_/(,Ob4c"E"5f<SJLgP#c+iO7HthJ/'74\g4)j@RA`o/#fJfgXPN&_$b'3#S+=*QGGBrIZN`!'MPWVqaO7ciK:"=B
+%cfsP'^=gl"8/q2]X0J[#)GmB"L4@#_s.us_U8)eHT'LCL%J&=^&*ja[<<e;dOI-M/e!>06bMHnJE=luOcaqc\F3\lZHkL"\/6_Y\
+%aoXuXBtf_M+"QS<h>#W%gV$c4IL+89!\8e6)Y6#3n?Qq.b_Fh]MrEc#D&<58=^*E2rT6Z)E,5Z;@9Xsr?2is<Go-?6T]FYAN5De-
+%Wdk-K`TemWU;F7O8-mjTC]R,<h"4[/ISP)']a[i;hXVFQ0RG-Z">^V^If\'-4KV#\n8A(8+M,n'ZAr$U\0m]m=P#^'9*!eh?C7>1
+%YYi<*F/X)[Fr_W*,+la%4Pu#5&7O`1e!mHUI1^$E\%,fpnB/IjVu^O_@KKWCSIpX'9ap_sl.:loQ<Uj9?lHfb#KUUTo4cI>Ef]rZ
+%E=]u(N>.6f%^_Rg;a::]Iu2eGFI;RP_;O!PG;f'UYM_,TM2J[(:ZKb%k<&QhfO-L*E\e9.HBHUWi9XOiK`MuM95N1uSNZf?Ok^;'
+%Hke>cOr>nB`4*?o;ZZ/g=Wp#J9c#ePmukXW3#S5ubjKS3q_m`K!Mfo)^1fL^qtjXO=pVS$G+3L:K'dG$!(?GC-FbQ-il-"8B5S:(
+%3+fEj95WYrSSie85.X7\,r=)(Ag&A"KUDe5A(:bgg:R%to0o+ejS-hG.6Dhu#/@h.X%B#*/7tDOI;JMt=%1kO4u602Iqp\iR5j]]
+%PCOpi)7[&NTghhHBW*^k*(&t1qS[n^rq7,@\l8WOCf?PoA?d^dQVrpa*iEF?0g)UCZU0>MGZ9c:9l(H/n:I""@HH;s?b*:fX:\W(
+%pmIUWmK%(tg/]tmcCN_A<?p<X,3QP@UA'd*%\>DJ--Hab$G3Gt_'/m"#N)V8)%c(Tp\U^A48'ZU^qF%+NC`c_lti(h,GdJMc(jN-
+%n*_SCBPE%67OD*K1oU*R;>5rl_4ul6(O=FRjjJ!Yq^@3`4\,!=U4j<.R+G"l7T"O6RaLI^#1tk:Ht:JQ5<q">pTB/7&KutNAgagk
+%5&N#0Df+]Ea[HRL(W(#A$01nQf/1-;#C"nW?3tENL.8s#@-mBDDsieUH#:4=I);%q$?hosI`RJtBrjFKl&-99rc$L9,m[@ijl=.U
+%($oP#@'d^+R)r7-FubG(:%Wt)`a$?0V&TgBg3$1VWPE7<=Rj3QTqlJ7M!E&<rtTbF_aTc(@4N&nn.hp:mad=m.XT2gVk6?s`B,o7
+%6k_uVo"<;-Y>AHT\"bKj[S-YdZ&^hc<X+>SpTo7LG*7M)\<5qt;:Daa(P=ZsN^<7NTg_9-F[KBULW7Z/^BHVeDQQrsS\)X'Y.d2#
+%n'ik5BUh*-@$6kG:+L>A-au0W@S&.ps%iF!=8)bC=_VN0I=IHG:?)9uV)7-GInZ2L1:0tJCf7(u;tj\)dH1U<UXjXPR9[)P-qsjO
+%`I/#uCaoggIb[E)\`G3ESRf"@5[Yl9-t<u<FV9k7_d^YQpqTjML_W41N-\*il[@Pi2XN#XC",nt?D%t:n/1ef.HkNSUY?pkI/s,h
+%%`:+!rDuCTNS_d"He>OGm<UMFOW(@mf4.=6mF24TeAlDd$uiD?o(gRJo*nOsIgge:<8BMS.@@O2B"?C`WccpXmsT<[<LH1+d@=H'
+%:f/7)dt`r/TF].M7BejaT:)7%AI'qFod&l@)\DgD"RMP)a-Rtb5kQg4ciVZm&U8u#Gm9+5^8)#qkndbAiF]UNpg&+bB``Mlru1N\
+%n@$74n_k*+##MP%,57;!$5)\6pU[usg)J%<AiC1qdb'l@!&h;2J%qp.]I,]ASD2K,cQAKYl_$1Crhs/DDEI?iIM's*=rL_QbWA\_
+%p:c,Ohs3%^Zhh@erSl)]'f`;\;C//O>nhY+k2l.*HOj@6Xgo#1Ra7WPm:E3Zp6&";ha:A*QqW<S)+_K-a-p7e^q!ggfB1QLj7RG?
+%O#cIj)e_IffWUt:J`ut!@j>9$`rUkC)0@c5g%OD7\Cl`s!L%B#61jQCN>+A?(pDjf5/h17l.B]Q>6mA;O=elY3.\kWNVRnU\FVfP
+%q37.ilctVjm\"PBb@J>I9cZ%u+t0BIZZ(D%'LfZ\^oo1(T]@&l&s!25pW0re38:?m3&M"L[8AE1Rt\D35s/aN>HZJclYK>2h)uUZ
+%T4#ee8s&DJPWQWB#YupCmL)IKA2N]N']Q]%mPdnaBV,)%f<tK;XpE"l8=AIEdE$e`pc4cOU<Bc,oX^T`MeVl,/lkYEZ`JTZcMUMc
+%qn<=W!ss/nK=*YGp.f'uH:d)EG=tKTrL>DHA[uQc.rgEVLuliB:IA3AX+<1OitgFA`&6_K6!p(*epMl6p/*"-a)>it+9Un48Di1S
+%Wo(Ms=Z*]f1+RP$=".-U9WOZq^l.%%\KU,%+@>)hA-E@53WFHqK,NF)kB3VOi*Uag#*#aahob6BZ!s3IfX0G<dg*I,RDiL'e8_O)
+%@GP/3=0l+"-J+FgqC]D&P'^fm*>\D&QN-pDC9VDBK6kXBo=DkFK1q[i][8eU>8b'_6snE?";=9L,J1ZHBeAJ"cDT]<^&3fbG;I=9
+%!/?RPdGq6)`QlmJ!*I4.R!'\3Wk!WW^)-4s#L%Dnqjj.JDsL*A!q_poD.'ttIiE@3"*Q#+_V]aaEuG.QG?o&7a"L&m:LJ%+(QRIZ
+%bBCXmAd#["j3udB(REpHobVkS15:X.ci8Gg9sR$LSW#)^EEGLZm!fK`&H^m3#:P1GOs\P4_sdfYLDN5_n*cU#%\VArOO5/oc4XF,
+%Nrm=R+ZeE2?ggbRTuL"6j'M`7W+NYk)g+;MBJ@%8qii[6S?;>*ObKR'H4%n:\L=SlCE2cLK%Bg?;:;2qolY?:l!j"DI-khmHY)OQ
+%9#Rukpd)(;j.;Fsi6NVk'F/KREsmMDm**RB7"ZI\SH.qkiW)X#iCY:maDTgl80R+$hj^s#?<0g.04BCE;\jheWqXuXKO1p+3S0`[
+%/;''rr\h!N/KLg,]C#=ogqT;ZHe`9@kCE!/:j$DFH.a#7G)i<;p/@oLCKN*0CB=Q4=;PY;3P8^3Q6T1X3VPm8JV6KU8d>=?&aSiD
+%%K#MpF\6]4NY=HrIXf$T\:(R-.;-^nN4K;``2q6>gY%Jq:-G6$1dMKrbg*&F7,J'$l5irRfFa?Rc(t*oLEJ,%+meh4LQStlP_9K=
+%:>Yjo1jDo!1/^NnAB/W97;>G8O?k6`>)@Y3rk_DgLRh\`Q@S@@US:4@DnE7$W@*Vok>FC6Pl8E9*"?j+UJ>f)%LBKn=c(>/?)Wl8
+%38H1j;(S>jRLc&Job_h`H3WNgJNg#/>(oIC3i(@Wr&h/W7ChKqU2ELZIsbu2FiqQO-d+=Bimq,7M=5;OmbkZ^kMGkrWOit_a2U6m
+%'8ZdQe8u(@OUTrH>kI:q!i'!]K:rdkQsce02M)/#/G].((WE&0C2JYAP[CAA*oJMMpbdqc:\"l^lG9"cN1?X+QR=K#Za8^ffOcEZ
+%haVVCJbh27Ca01H>M&O9!.Rn.gpIKG\R1#ui2^Inb+rqs_O2E=_A1j1HF]TlGn:t)fP&0Y@^-4ZbOk:((YJ1.n$P5I&^re[[\jA<
+%dh3Se\;jt6cRE:RnDfDHlWBDKF^:'_7tsj/qKe>k"W[s%QLLg:7kqf`&<B+3"apRfHUi>V=J]j87]7=PK%Xtpl`4r1FuTs^fW?`7
+%m_\D6a0(r0SMdrAP?o<ORdtK)]Sp74#;`df5]JCQ0?:Ntp^G@dkUGFl\X`I(%#e21*$CYBn0VA=Y2Dfu)&5YdN^"W?gh"!1U(IBQ
+%'E-%]mi]FRY=f%49"2D&[5(^-L0i)VQ<aou4knbUL_i'[i'V37HscjCDQRnW;Des))M-(jWP/]o#^Z*;K_G;JZhh"td_Llk:@ZPP
+%Z(&P,o+N/)GlKUY_4TMte\"rj?7^D+UuiR0.(-kGFc7u3,7K^*Fg:.7B[!2FI=YQNX\moij/'b.:_F[o*NP-Hh<mMcQ)hQL4p0oa
+%#Zkq1DrXGbWAWA%c[/9DK%pqJlIIABl=3oPQ^Ou#lfq8JI-=.'Wfl)uO/_HaZLJ?Kqe[MOf5Y0(JJqao@'Y\r4ONPZ*HTgSk@$AA
+%_0p[<:Bn4G.VSb='OT5QfUg-XAAk,ajQFKCgfH$'E<e1.@\#_p+ll5?[":IBYOg*-eNJc(`nK6IJZc.\d'I0[A0p9H.+Ifo4-#SX
+%.<HGt<2$C^0UO-P:7AAf/:L)Lh\MDiIMAXUT'5?289-(t"q9T`5skXNr]Su*bj:[KTW7fX9n%32PY\\Ib<a@]ro^-6:,;4DVlXM*
+%g4SAD!e1@us/"qWLnBUHB7,<a>_oTN&'asN&"no0)7"7_ga3g3T?]EcgYh$8o^BpIXkn4R4\\h&$I7F/bCSXND7>0^%r[89(Z?3?
+%lhV'WMJ-f<*c&+G)guQd"-',@4+mT.:IF#)f<-$?;>d#Dpc5gss0)1_?gr%6#C9>K[srk0s4dSEofrKJIsh2j=BEQCIXb9?o!5Iu
+%TDnSg>>YJ-^uTj<@/>ZXE7.1!Va>NAk"CI$?1:dBn`X"AeX6q1Y&SF2l\F,D[k82OQMGb/it"d.]G<Z?Zl;6?`GNL\`_cAEfV3DB
+%mX9RAd7HtSJg_e_\E;j2/,phRSleZH`"5k4J)KY@K#\Zh2\*Z]=:8eblGl`jrl?8BeV[j2q/4T.f6%SeJrAQO)]\8K;[O#=KYlXX
+%8oB!bBM8u1#!ad\h1P=40Qs->C]oY9MWQ-.T7:NjpieCj_/`=gC9<KR;)6q$STj$DRd!ln@]E3dra=FGB(.:%QGRP'@o8=-WdBMU
+%ii\o_cKu<thGbWmi&Pp85!SX9;u^i(K9;Fb2H;)kd7bL9nuqq"D#WA"h'!luK;Z:/g@@<YO:$R/#;]hY`)&-Gm)!`13@*%Mc[6eh
+%io7GSNG5Xj0,X8IYgDLnn[7rsac4oe-dWT:F3&].(Jt=?M#$:>BOlinN0;^4Hq:p+i@%X_ouWuH2$$K;rii2`h3ajDD"l8ll#q3?
+%0`;Y=`,I1IIi-W2)Xp44%,(\5Jt$-I+dpA<FCdW,g#RPYe/p"d%_O$rn?DY(I<ah:dma08^r_8mM_6=46G=0r(P]/=mB\U)BB\qh
+%nk$eB$K$^QjN^pHFQ6a3@HeIl<@p@%HY2B?@L[_[cgq%F@b,%gAI%Z3P&H?l!uAR&l4+/lA'hu1@VQ#Q6WcmUi2u?"iku,OB%V@e
+%9"._?%9qtip.2kN0[A^`L@O2Z\+Ff.k`\Nf*9+8_6Ns2YIg/CmeJ@&^G8JU',DVr(#la=ls.p>>_PtWq*@'(QQt-iu#^,nQb=;XZ
+%@8JpaBQVb(WT'FG?UK2e*]aUcS&]u>YLOaVU]WL!%oPk\mg-NFs5E%dkBI9[5G71&pZonI&lcO'@m7U?C_GkuZYtqH<<U]fEhCB3
+%Y<V5%C@T\7jkRDOO5SXanNI>dp@*JuhP2`BR[P=*'BXE:+kk\jjrY]H`*e4<DLA@Rlm[Xk.7uQk%KWE-pqt9aT^8GKf9BNdF?ieG
+%M1tEYSfSfm-]Gp&gUf^.r<cl7Wq\;FhBLU_8+dFqEE\?+[Op`2a=5,ODdSU)JLTX"..bY+2KqnYqFQNf<!4$hW>P@%+o99+=$BHc
+%nJW*u_#9pX&1WSO^0iar)CTGj&2af#88L0<g%rUdVH'jr']T7FeE7mdp0)#'Q"4gmWZi;+:S7R5>5IoI(B^bfAd3I^;9XY_+0",B
+%1.aB$^5b??K"HBnfN1H&,N9#V((gT-6i^_4BN/C81>UP#n/S(Oi[XB$LDPgB_fXjq-u$UB7cL,N(pWT9p\P3P%5j#&]1J2D*dr\C
+%j)V`C10C<>n/C0XXN0YO=iK8p5g`h"_Fa)nfC6jei6-4Sro+W4K&sLS5C?<L,dkg&3Au/)nU6!pb=a+9%-tsV2)B@V-<-4`/dA#=
+%CZ`26e.c5Dgk^u-H$6f8)*?qA^D?-@BtjT]>JNjp.mi%TkL!a]CjmB)W)qA]c&<h\!]/suq#Q/[`:D!HHpqnLoW#mq1^CQGO4dWI
+%V];Ff2229&q`j]\Ch9Hq.-M]o.6:lSnD&MD7o-?,$XnR`]#j+^-K?\qi`+rR5s$IO`q[G^lJ8SgLb=b+oBn0oF)212De6UImAOOS
+%/PELf-\@hsZs'M^6PQrPi=@egRVD)Di"achC5ZK,R,&of&B5fnPquBA5u)@a]h,@LJuI@NC5Ajp>7;[`4QN@ek1?Mu64@;fJXd;'
+%3I@@:;#=c#Ti3oR56r.!$0gZo6)pMc#g0XO/D.EEIm=O5L=fcN</FH1a'/)CE.bmG+dST,@kSb2cHdL-O@p?nkQ76rr"fb)g53]"
+%Z-q!#&u#go1A2.Qa>3MU7oaHD+&[#_S<L;-\hME]jL$f"0pcPC!:Yh0fDluMHL]BY#&,oN,KIm;[j$m`&<@QeK(&b.2*,-roLZ7e
+%Eb$nN:SK`]2NI&j;KuYlq+:H."PFKH@%XVG,]e=V5>o_?8*q%O!-mco`8l%JF6Jd<,C[DBe$a];'_UNX+P-9qgG/n4#EhD7DH6>q
+%nOlB-"@)YNb>#GX'Fp(G+rB>0UI7ZhYEq;N+RMAoR7<5IjeoaJo9A!X6/b_PFKi0M_F+"C=tV)6LPK:2"b`R^`dpA$co,(5A/SaK
+%;[>h13&<_r8?G@QmVCB&mJWH;6H@Vg:W#FoW&fR(k)kE=o?SC#5A_B"Zlb0T%C3,(E3\(M7]?.A7Jt[#Onkq#3LKfM0g:4sgF0lq
+%aC[VV#^3-KCZ4(J2.Z&ZW\tp04]S%=%+\j;l"`Tbb%HI;.5GNuFhN;\ls"TaJ[Z**.YW4q#/.lEW(h2'HW4LlH#j=qLMn'f2j-;_
+%5d?T7G,V#n!\+]TK??*M8PMS$%8W^pdnWH_72=NDUlJUU+LbB+KH,'\!Oo_M`mKCfUH)4aaUt>'Bf',8NrA]8\cPil/i"&di_2bW
+%%,j<\2.(E2@)r\(I@bn>^a^E8%=of00sMmXQc_VD#",5J`Ub'Yo?(R>j74!FXq?k6Cm^$*+"$NVY!g.Ch?Q9r;$g4Q[(3;)%&L\L
+%)B4*cWkFcq8Q4<ngr+6ODt#ms@pmY<:<@W$mL_n]T]U`I5!i5Wcgu![DL`.UrZDm.5homTq4u&"PM%!Dc[*>.IJMMjPE-!4YT,]+
+%Kl_AZF-RF96Vbfp%P_u0B`jl[<"^"@0#Q/(PuNc'pHFB"b!Xqh/oZA>Z8RXG\4!>mIo70`\FJqXiqnbU[Ut%DrZH&XOPooQ\&$<@
+%FRVS#qNWGFM$mM\gbp?IQ?"Z!Jqrpo*fWI3>&1LHIW%e.hiC:X5D]>X58#\UU>-[5s1T=W8bV9g`%Cbq)t?DnBJNZKob;0rppkP1
+%;HMoU0<(1c1j@J+XBkMG9Y2W5IS1U=,=d8uS<V#gp$>qAH*C0ANJDl\Y[m!G;N.n$X0(#h^^K;PoSPlGNd`a^FlmYSTjAH;^cd;%
+%cVSH9K!;A$%Y9&BcXHQBQ<96QlcD)h"E9aVrTl+l2+@2R\3:ZB,:M`j?#<-J+XBj656uVR=p8.C6(>(('Lf'@S07e2r.BLOoB>BB
+%n,VnW8TYRB8g7i0$=NicGG6YWjLE.>];LqEf'ur1]ABK]j-'ajD<g42>K^g?F+.sPXVO2/Bg>j=h3/+T^p^=ib2$TO.'>T(p!\6M
+%2Ap#M*);NeB$1H4g7k5YWOsYO!,O4`m5g[>*e6q'#qW)u0W<MMJsnOmp\-.LnZ!a%G:"]7,4ohs-Q_I;+[ON0]oI'Sn=8J04G'@@
+%"k2]MRl=I[DNMEuR6qOrM]\1+%aJN?fnE*aU_N&#%H5rGh6W1XGl48]9M%_YbP&GMVV.O(g.`tI2qZAMa8HlCO7,Wn+B$PN+Gtbp
+%#YYkY>m>KZOZV,T4mPd+;gF8>S40Q`bQl8HJ:+^NY"57@/9L1*=WFd4UY@QpUH?Cd;,$0_s314Dg$uXV5)V/$fmoR15P"3IVps>Z
+%PG[s6j2inDf6nC'HXFbdO5&W2a@2EZn,'oNcb.JtLc9-\UG4T:IV98O?IqVaOPGJiAW]j'\3\_Peg%#%6&[MGmA\op.1.oNG#,D3
+%N*VW!+Q`hk!d[!j&n\CmS$oBpBRpuTh6]S3U-Fr3&*W_Y$l4VAnKSHmn*XXd[>:k%T!6g.mY%_@DP\FtL9$;u,BSh__)uc"ap!aD
+%`Y3sY68\CO)#(-^H]3hpZR6U"YWf[2AW>5V0GHfo`Z"18$o[7:BTp.$:@&RiV%Jfjr4ILjHRYAafY946K*TIIq2VU7SEa]^A!mtU
+%XAKu;G91U!EEm)2\ZN.MYaQa)'b8D\]PhT=0:dkai^W:BWh-;_=!M<@XKlYT.occH(I^,Dn<ur]&8^o<X5uiKlrk8m)jh@ls1_oN
+%G>\!#PJgPK9t:'VJ*")J/RWW/qg%Yq2Qcu3gZs_"O!i]Js,hBZC2U1&^8WD?W73uTn&R(1gZ3'E#<$j$*tGBVAC.#3mrS^beLqKq
+%/qpW**A-*$Qk,:kD]1QH?6.\eET8*fI=C=K+>,bB*2ZMY:q7Dm?S+4Fi=@>bIro\oKa2Tb,7JquFf#pO1($I;Mcj6&XcpWm6We#e
+%g)>rG&SjnBn@6SaKL6[rLm@4GM3K8KGFQ8?WY]UZrA=iR98ZZ]'-VH"-A+("Jtu2Of%9kfU#.(*e!<$R?S>Kk*ZE)Y3UT-GU":OU
+%Zuq\2.u4'q/EL=1P)NK%*L8JH(;8%:2N?.b3\bq=+3?(M#WFk:I5e7Z!kDI5W?E2r56VDndgsf2*eClUh)'KF5jXZb*d!T`M#g<m
+%pk)3JZ%K)p9.coAgLM@L?U?Nk6gRkZk+&D&@eYjJSe6Tr=NhAb3tIJIOjS:JD_.I#9F?r>O)%>\eQo$U]?p+2_]<I_\C5;2#H_jN
+%e*A"@DjOY3F"X*Ph(^-km]j<ZrfsreOsEE+Q9Xt7k!5q([N."ED5L@u+R6O/[CO,4HTWt?,Q:N:Aq?9!(10Xe@W%94@eC0cDsoo_
+%_k!jN$pgNC2Dh?Ff`#O/(*6pa/%iR*ngG)(kf/l_Hu`/(1A;rrdV)[oh#,[<f:Q+BI)\\is.<<R4@C];'%BsMat6-^DDmGCd*8GI
+%!jNf`k">5C-X/Jo:*qS%ReSj5[.=jrFm#YN-f9t;is*7+rcnW+b4'\Z,]u^Z)+I)p3U"dVg:$`$VS&\DD>A!C^>mC"ff\bhn(L9W
+%gpo-<nCWT:L%)3.]q0nKIqI>rs*j[3,.#NR2&=g2BP;2H5Y0ei1\a"Pcb.jPk3FUbH=V=^rtG9G&(*J\a7VJ>`g2;o9_EO?;C2DT
+%Uq^gM1l^u0CS!q5=05-poOA1#-/b8@hKQgTYJlt[%Uli@2N(/<?Yd'07.JE4EEb%'S!+ko%R/Q7T['$G2Hkrro.87:1Cd7adL!i\
+%O/&JaD=YNKU"!3%(b:`RCY=U)ak*HW5D8MM5528NkNGr)rL+N:XL;8j]d@'R+\=5+0-\rb*"[2P/88t?`,X!O&H,]Z'#C,sB66a$
+%lQ.k6?YFg\r?1$$ZaCE>+'6-1?M?2i7/sJ/>MVkNE8GCE2r(,?<3tdOe_"BBd<8c`@g(J7)ZOq?On&HKW$%B8Xnabol1hG1Rbj`L
+%F:^Pk;<m3)o.@kTo[oj@3:r!_`!D80B^!:1IS''!Gnpe@o#dSpOeN[DmH>)al#MIZ\AY%E$]5rU4iBBc?\b+2VX+[-Ch]b*Ra%^9
+%F*!;U?ASC?b4IjnqKDd^MHpN]/UNUW=,nMim&=kT7)4aTEuNbir+Z@K_@j!8&XRo-;\&-naE.7$la2D0P7Y3O'MXP;B8MBhZ'%lH
+%LsLH>%t,GX%qO),9@4iX@&P)$\@HgT.c-QW3:1?44(Xj)3%1Q%'V)5h(q+SoF2"29681n]im9,]aeOE!F-ScmO-@Ir*JksXN3Alj
+%]#cT%hg+kLDT=@R--(5:/\l+h]3q&(N9>Mhmr='Hq:OBq2<mgidR)]`>#!WZGb96sp*_AhCH\,e'2+9@?f?,?*E9An&>KTt!"s7S
+%0IXa:7W_(0ebNaNf$%\ehHq&:@Q(@O'(M^$N,;,GqEW'%B^]rMTET?,TprnAg3:)T&t*$);RmK0\3IZh.`fB&.k=d+J*4c&'<Mml
+%#D^98]f/#K:)iFdqp0=b/0s2nIi/%=B>R6('l+"^+,;Y,7(kh:jdpX?h*.\H,'h_pd$0N<S!;1Ib+$QTpH*@^`V,<8erW+Lm@@^G
+%G\feYRt;G":h!GrmBEUZrDNUIlXoDa7-@QEL%2(okT0"g'*?Y'&:[M,=A-W6R;MtCT@adVK;7Er0"X93,2F:G6i1ca,>DJuefAJ+
+%46LC88[8)X:XZf`\:\Y1?K8ZS!)14QLd<4Rr8H_rn#![a[*l^VCYTNW,X+$KNSq(%A$5cEd'o7"H\e+=k$k(o+3;qJ^JY%O_,F^W
+%O8J^NT^r%pfl]ZCX]i77CO+C=aS%ggIBe%VI^'SS'S6.'q"Up`!C#28Hq4J@+YN,Il]8Op#Z<J`4btc^/Y(PV0@WOkJ^*@/$9AWZ
+%-165`;WiO:j[];(+k)d+Lu4OU#);JE=/A[3_#E-dZ'UFf`"Ft<5u#M^E>!Dnkk--Li$+K1<r%*cJC?)]Cm[AqM@8^f7nsnDG#_]s
+%q[!;/V.p8O6Nme*7W:TT28lhu8lR]jL3'KaIk2ueMk8/0X'AgjFcuVs$_ci2nJ#'B7,a*HG9*7Af`*UOn,B@jEa=GL5lq/jqNh<c
+%@_iOl!Y?6l\hj#.a@P6Weg"-H-%V"&1E[N\Gc*ujfQWctp'a)<!lofn,7am:U*,O1a%kPW1hZ9jeuh'kpGGCWi4qRq1<GraF6flJ
+%:7\E`=F70pg6.UK-DXe0V'e#EgM9E7Gupb#P^(3bD4,S:5a%%ZVbP,j3=CG`S[V4?/?[5VOlor'`WD*jC2\:>o:R((YBg%52f?EX
+%/[MZ:RAt?Ffo)Z%"!UCepd_HK.IH@A=e1dO')7&H0:r%Pc(:I=KEPW;Mu\?R[;PYH>N'65SnF5sWM$O,R^CT[lmHUF42S<A<e;[O
+%4CiG^MLk\g&Y3D;TZ<5M,L,=qL$3-ED1l`_kfgst8E4,s.5V,._DWr%@>(:VVSi;0AE+;+'B!;7Aop^u4*fdnCG9uhQI^0HX\>Dd
+%jjfOf>=sid`eta3];Ta4l4tgmS^ugto?;)!H0pJmGSO$p/U=WkD!Sqb0.n!a1C^rblVN!1=M3=+Cod8($u'+,Z7uA36Q-5d.3XGk
+%Mh1NE(3HrRnARrYAi#5JVH$BK9EILc*PUI_7T>pF?!4L<fd6_&Mfd<D*=O/AO=G6u6;:9f8UK?-dJ/>tE.5P`I^3;Dpc1M56l9IJ
+%OG`_!/PTr=`O%:o&W`[6L6f9pg1G=T>1O6cW%+a*>GO([6[.-S8I]CX/'t<^1Lb/Cr5A]A5h&K1aB([tLQtd'2Su_Y(9B%;E/DhK
+%:H3Xt[MDaPad9TrLZTM\FWcSeX*YbcVDK3);Ap&n'8os[g71SYMo(EgcB?\_mojIG3C5HtE[<JJ^j7Hs"&r7J-l;tV$%T0t+,Q[I
+%]s@"TJ_8ORQI0S;XHSCr$OL$GUh$&H,s$9?3eH#rJeA0tFU]`-eD1fL6FNs&OP4S`*?E1b)ER'r$)rM8(>Hp+d5^Ee;*qIR6lF3f
+%$p\7'd;Yq.D\@&%%;$lhWtr]:eGIm[A38_dkhB^8`/;J/WZVg8L-bT"<fE<VPX%k&C&GQ0?krfrLhhRBd=PCDC6KB_,>fSI`jm8Y
+%AT!dYc>+Y?&Vk3M*7hR(<KNChl.RNWX3kVFhhg@K0A"a!?^8D`q*D5g$.Mo%i>=Wco(L;q;G>[gkVDk(GdL=R3Q;!_B92n2/P0E"
+%qBjdj*54JJ$@8+cS5#YtT&]ac@pt7EEta:ck3*b5<W&a*h4u^/!SC#mI2->"`?no%VmOp?Ol6'f4/1$G6jJWj`SG9FACdh4GoiXR
+%AJIcD'eDVPC?=;T>945E?H@/E]l1RNWYeUB^F.mena8F<$kn^>=sIL$'08p26J!qQS;LL\0jE_hD:N#_#JgqJTp>/elt]0_NkAAP
+%9k+6gQQ;aD%cfVZMX)#IHn?/j8L@gP)F\oANo#S!cp5L^A]Pd4'\&:SDUN/Lo]4,0N3"9pq9`W&n=rt?'ZBS_Jt@BF1qGP6qj<^`
+%nVoPI2`+W"WCEXFJgZ%K'h;+X]j<&UZGXVXd1JV<:fdLp>:\BE$Y;pUoieeE3(`WLi+/+rkIqnS<l"])obPeE)@gYT.Ug<QcNAME
+%,OS1_Bh&)@&Z`p?%k2NLA'\p[;[O?\j6<45TTE9=#AB2kE1dJl\V<[F/="^*<9m)M2Z@*[J;-Oc[B].bE0El<Z$$lP!bu0hQkT\=
+%Cb!\5PdihJGt4a6+[=%'1ajF"S3_\,ng&Cs$mQM>1=[uJ]f,%I1ZXMm1?j:lQH]>ZLmr#G`b$JE:YsJlKL:GMY6`o&&43B"O_pVO
+%`A;/>)%-uD;'Kua%;eki+JgJBi9JI)nM74deXNOm3S_J@V/MR32THbJ"s<^Q%^Y=&-oc'ia-ubqV+kDP[E\re_Y@TN[_cfWUH;a&
+%6^@b3R-Vf$J"nKcLE/s#`1HlGi\!?akX;*&.!_3@Y[*k/4(sL"0XRJS7!H6Rf@\(?d3X&eJV'2m@4jV%MqMrG(M</%)EYq2XQ0!C
+%Gt@]7.mP"Y[kf0bE(dHd6NFuB^7'AFahMM#mW!Qa[KWmgTY$CeYYccXES8_Y;:;Mb8bBIbTYU2uAG!1.=+G6F3A[H22=7K-K>,:0
+%c/C@$fE#>NSqI3k8-e!OOD=?qlJ.+R/2LTQ>^MR4h8r8IDSD21AIU]?'#d"/U*jkL]L!?m>hT4XJa?J@YmME"=LId=R0AA66Cf@r
+%+7aK*HF+e4<`>\*mC+C_`E_V+E,*MJRfY>Ifr5N.E1&Ja"MGW]$_pk/fhMHR15eoqXlBRk5)ASL8[&J*,h^&L:YoM>.IDZNOu0&U
+%7Y^CGQkd#KK0r5[.WXl0R/K#<Lh?=^Y%=XDgLT,VgmK2T,M"=tHHhVE*(Fr\<fenZ=]ljf-8UF4p!DBC+,h<de4)3<JCMpaNF$fT
+%+-#P/\9*SO,*8UV2G\CK?J/o\66&Q`eB%Z$VZ@aMJ.3FkYE`J;1uTQ"lq\f`eEE$^9A`U`9m=TpPLm)F4'/j612ja*BA,VYI/n\I
+%2:doT<_'WR+R)GhU3^N)Cb1NiCP6D*@p]BZg4@i/q.g.]+jmi7jKb-dhgF1V?m/)&BnDVG!'2kg3Dfo..(/T`S5Ng6Cc>_VZ>unl
+%0#Jd-L>[g62!qcF\PFe8YKbOB[@l07?aN"cJLc)LVn5d3:-'/CN#;c@o+[aIk2Q8C+0VED>8Zuqn`adWn#Rr-@l]LPTT"UB()"(,
+%3$oU=io0$BIpPn-=UcN,Yf0-*[k-Vk%XU4dIoh^0Ycq+H,@#"abJOl\pT:UrWqDL73m`H@]N7CO$l"\`NN.92h+1s:#':^iNAk'I
+%Ji"6odRN8%SahYJ(Ie["2[YK3V.chOS>.'B*&fZ?,Mk#-:t*+`_b*dZ0PN6'm9oTqBl(+P9AG:&^0=hu,G:CC*#Lu]Q_TOZ:P5@D
+%++4DU^0qaple.BQ3&iPMs4XtTNl(:aiX$JU.=<`KW+:(F$po&)Vm[Wo4l"8@9OAHLn;R.W%Em]"=?n$V;iI0jOSnCsd0RuGSO<g=
+%=4Y(+s4EP)KiE(UF;!B0k[NS#0IA3:-$?t`;HT[^OC_RM!TU1(c&JoKqg\jsDFTV]s.oW"T5[J_5m`OQZ$E)a$+4'?'@h\u`/:F_
+%!+6F\5Hsla,8?7Sc3Xs]Z-F!1=_Y%moY<dj0oCsp9rh^(/7E(XWB0BVd8=Rk09H:1p&O+f0_%We/D8!nC*_=V6>bX_?AEX`C__G^
+%BIn!oOX\Qn3,Y6,H.,nY6`iRd=c3l.ojNYgQ*#UR`mRtR&kc0,gX?jg)O#[j@9%SD>^R`t$[gNbGIlP)b524L6VZ*Z+&uL'PoZ'n
+%/lZ(J@j+ohnlSOjjF\r0e2T]:>:aK>=5H7nS,C.*p0'P.js\6n?reUR&,IKiPK#VVSYskf2$DoMWh)`JW+\i,(Lf:fKsp'm[Vc/h
+%,j/qd^/s*jeg`)jltL?L`=*RR,a7k$l-t50!Qh"/,W^&t2`"%@.<uP\_at+V\0Gmf;2C\pPAg:Vha0=Amb[ilkATeFH2h)'gc`At
+%qWY%656(9CB0pH]p[mb"S^R-L5PXG\*ri(g`]sI`c'oNQ5Q@K3hRrdQo,#19lLf@NqYHDZ?G,-tT--5oL5c(`hu3K%msas%_cJM]
+%miT4;d:])HjdlGBZQK/@kF[.pc"H#'rSp*arVY=bc\)?WJF)nUa$4uB)-)CioY5]qU-T64IrP>'T,p]k^FONc^AHd]_qh4Gb'1oJ
+%&#TQ#8P^J@7Hdk=N.Ipll>n1L=17;M@O.7b5Tr"]D.,@/]UmNeikU91;>loq\6&Ag=/HGf6Cu<l>?'[p,(h8Dodd%N,dRulQ&*/M
+%^4HMsk*#IE[lXV=qj>f/SI>fWn0ZOAb=l=!0?MXY-m24C,mD'm7C(1IG:HD[hS'+e1EXng%U5^h3>a&tT`+k+`QQ7")N5'HU**ih
+%hHnk-bC0BVLVJpVQYYe4m]r#-,Zt'9aZGM)VSSD*aUF@k;q[>m12r&pUj&$o.S+okd$r[b.?TlVc@P^/+U5%&8Y]u]2].`XYR[IG
+%eJEJ_3kBMp%6!^O'(lnGJM=AqS>*68Lf<m&*OR`pK$4BC&nsBPgU`Y@ZX^9\Ho>&&QhQ&B<*^0l:c^:"VP$d(cHQi+BS<a+feSa%
+%K^1%J-'10#gC@5dWo8EF!bHVh;N"6J5bL6?",cZt!M3,ik"1^,W%8NAY0Jt<4W)5nmW%[E/:$L@!:.L7[j&me.%d-?VKQaiIQq9c
+%=r@_*-p'hCUAFa_F8LlH9GpURXWtc3??h>a)=>()2;;EbeTr!d#Lk>@nLKDAd^%20Lm(pA4t-M%4o272=-oug<LB!n)E%&D)(D#I
+%JPnd8igN8XjpC.Z\*')]#<`2&frF1/X%?g.lU;^RY82:K%_+O9GFCc8(/<$V!,eI^iKOWEi@\*2E<XSR031F&0R<`7;l#7u25=\]
+%Qod%7#<N/-[ibR,KOD4Cj2;bk*W$P1+pAaJ<AMb(Mi4Z=9b'g5<)?F$2'&(7!4CI=4n0+R`4rSN_mc4dqYJ1WIWis$Z_'Bd=:p>E
+%TW:EGki40,kiB!?kad]_2,ch)q$sh_c$qq9,Y+]KKVTt2TS_XKp<j>,,Cp+H9SfPGYK`l`dqb(laH!]9-'tW&2Q@9!;^X8VdYuXW
+%KC)hYRqfGe)e>LC;,Gu1PW=i*6Yf[6+JcT',bu!6N)m"@RUqYrZ"C1G>\sma9ics]A#;5`Z9K]84TH5.c_P[5fR*b>'j;p@gDTNS
+%OF`Y96Fq;h#?NSKnb0SCq<Vb@b=1[o7%&dddO%I[[2#:Z*areVe%-B/W&?86F>;.if":2/og4Z]`;rAFKbBc9g!("RXAZK/:-jDr
+%`5_mrA$1')"mq7Gqt$Yb/[G/o-7@32O;';tRdk4U$#fr82Q5S'K]AmM^JBrR.Z*,t6%Xk\_Q+,[;T?]J=Y(8tR"@n=*1ZY-)@,X3
+%a??&_S'O>Lq2@7)Nc:fERd9]>bX?Kb2Lt,ckc*3Bl8IjPBlds?JTOEb/&tb%]UXPiCsZo92u$7BD9_:S;M4"2PFK-alK-=8\>sYW
+%-Nl_nlY?d?$aHkoDmtnV>E&c]Z)'_*$6(gk3nN8uMFW:cI`#_,Z8+>YU?+],:%#t!^)E<[@S)J/4o(lZ>FS=UbOI1qOH1>gJ;LZ-
+%".g883@=#a+)l?,"LQnRi605eB6=CEhq!T2M_Fi#`S57<SF;S^)#/.Keqa?%b:]JF=LT$0k"%M6,mUHN^f$S(M/Eq"Zu<nLAYK#J
+%4B>nn+O=t!hRrrNX/RPK,I%>s0rO;,p@=q<X<!uRj1])'P5?f=dHF*_DHCm<F4s!/H/77=%^[.&fMc8h:p!VI+589cJh/e:e[dCq
+%fr;.Ja^\&0M!]83UU'dlrX0WL2/t`8WZ3D;aBbO'5gf:?@d9tE7:':Z(N/QV=4b\T(JX7,^=6b4^kqoBgNTP>H\C%jokorqm&C4=
+%Z)a=<[PX_c9lP!!?]'9klJa-ff,:sHI!#J%l][;1>VtId<(aeoY>FppMA/>Z6hl35X&JbRm.E!\eA2m!4PI@@C<!*taal<'?tog2
+%Y/KU2<AN.&C#pNUZl3(mncZ0Vjk7R.+HUH"<9m*;Io%"Yf?[99MW.kOi"?hp'au35-\-UAB"XY&dh6qZfTs%S0]/+30^Xja=G3"!
+%IdR-AIFP<!n9FiTd!.iNKJ>WJkOCqd0\sf]ZXJ*U6^:Pl1P5'f,i9Y43CqnYXJWlL/0F@U>5<q3O-\UP0s%qr,#F2aBK#67C$neN
+%ln"c.NcYO1#b&O6d,H6u_7Y\C`Zd4_gE6TQI"3>M=62>hBdPs?^J@:E?9.tpA<[Yknd&4C;uWKq9p<"4C@O[MKD-5uf<2rTI"k[i
+%f9Bl,qa4La.87Qr%rf,8:1q,62B#oIRb%Q):VT:gD3<7Fk[#6)W#@PF@MS*Wd?\Ed<[d>M+<)LE&!_+%l)SU;cu`fWF7DsE_DKi&
+%@]DWj[;KrGWtkMVHQdH/C'Nn.1H*/dhDLX+8augU+,p(IG<PFh"3BG0;B9J"P5)`)=`C-6NBs";pCYQ`Dn3755/94%V#I@IAqT4@
+%&e::Xi[PYYf02Lr@9O>#/ePmqi^1Mg,f;*1=WD[MTfYCM$DQ_U>`2(*l(Vi.e_HeZ0rX@YUj+'&Uo99:"+Z\6mH`_\%tS]q-g6c:
+%59c39*!7@6D`!Ye[(A7`gHm7qC.*VOoF?1r&.U4EdR[m&Y3k[Ll)Hg/@B$QL<"0rg2:K6npe1]_G6@@gq-l1QW:-cemTn8r>3--Q
+%h4)#sBW3gTKhJ;E6+.R+Jk@u^l*?RV"uR@pj`U/gW=$tTX;QR$)?XOjO>YQc)hf#+V4;bWYlhJ38_XfCd`1DSgr4L/Gl)QFn*IKe
+%?;bLYR!pL36[Nm3s3fLJ+jqaF67tnVIfNcBh,;JZ>=,u+OJl@YX<<j'-Vh5*'6Yq/aaAs-"S`Fk\L&eOD%deLpf:<cogUQI:=cXj
+%2J@7KK&l#u![R2UKLnS,`@ll0.2P_poe3a*n=pJXit5At*!.]RjJ`m&0LYu?Cj<`j!hcN%:^T-r;%M5pTEhCRS!rSuB;1bf,$OZ;
+%q""[C;oLX74qu1DqNVS)euB.2%Trf/r4&d>C\#HG(TruqBFIk4!Wl88)(>EY/)rWsX=kgE]QJ_ZK$GraUjc@c2"tNp@C[M.CPu#I
+%[d59`f`$WO^Y/'?EZ*1]Bftq6N:g@KEUVJ)J%YRlfKgkFMRr<[-Q1--RjqVu6.CaT5qi>TL5Mq7SXc^,@FD#^hI47Fi5E*6'5pip
+%T'V2tXW/.u#)El@@@ld6im!AAI//_#PmL8i(SuZ-]/GBPYXr5&RP[Wb+uanL3GTE%-$Jh4ZogW2Ek@ZTO9T.B9-79X8sQqTSt47s
+%ROJNu)*IA%Q[B%KLmW4jj>?pX!Vp$P'hI`f"Lsb\KOYS^d6T2BOj"lZ9EcMO0eF'0!4@GZJR\*YN4I[a(RqbiWuo\^HpY7nhuRa$
+%*+L#)^R*Qs8K!l]5TP^B\A[mX.BCd,d'0!JTbF:@niAYEVq;=qRB1YU&8fCT]rqUn8ZTiYAcm,k(O*SF^".G]aC&uu[aO;oBNX*5
+%_.g:llfflNWT!=@-?"?.O12kZfT?fZRcLTtiqOlZ"63[X+\\.2aP%9oS'hae3fAb8,@5no:m&P9^,L7R\GW14b5m6!MI/PH`mJ<W
+%FY]14)dg`^#3fm7dGnuXc`"p/_5/$pBHp[S<#DMNPjogF%1VjlH:.?aUbl*?4s7hO\O=R'UpX@?reG,f=3LJP1Je9R@:jH;?DA$g
+%_US8BSjHsJVfJUf?=kY5e#oEm+'/%G$&VXD#CO%$H()W!I;RMV=.#;/5_e"'#,ld&`O@-2'a%DJ(uBH=_3:ohpWEf#>9Ge0D'+5B
+%eH<9X\+LoS$;gUXDPX/Ph9%X]h=18$4bNML('@96Rb4K_V@5V8%dV8T42#EX@it'/g[<m9\XQR#2<)$eQ-I:<YF=i-+AgI::AGIX
+%?"g&)J]so0@TK'H1GiMl1f']uRj39d&Z&aN?+D>@8%ZLA9j9d8`lK7^@Rtt=#S71B`)DpgV2B\B>@Dlg@4fMlY4Wi\`:W=f2!g-7
+%&b6(6.sg,t.UN9U,W\m-;iCo%)9gRX>-en['99`[&cFhVS!hbKnDd'.6,p6Q"glZLO+j_^:;VIS<KrG:T].P_K!KLlGDR=7j0Bk?
+%EM$0;e8R`i"[J&#q*B.4Xk^hg.d+'f3jK(Bl&QS*pdnmp+$a$Gb+0(C*X0*==l2ei@ABX"*VJ>XP@-4V]i3_rm-GF]QRn/Hr;,Mq
+%+2;Kt`WWmV-cUqfDDn,J&KFueQD[4FGGYO_/T-PTngm?X>MlShNSBMZ'!V<;&#0G#9J(I,`XI1-DHo]u$79)O]JgeE6:>naHl0)D
+%T$WE,:$@Pe((^76H,JBCU#(er/G9&W"V?3tIEC:hP0M)8ahVbT6Wdjh)6>JnV_^oB<$IJTWgdB,F,@5a[5$`d'?d[YY19Cd9H9>B
+%W,]jTSW'5SfH+T#!quQC[W>?)Sr<\npa.>e4H!>q\H4);YirORX$!+(A:TDg+4[ht@Ip_G55BXfC,6bWCSW\ae1WEE;[(XSMF))(
+%>b2,m`nE>5%5h""!"j*C,gF3\<O#rl3hC5hX"Qcijn8GKSMia9Mo+&Q\I7R?*j"'IG.[r6![!R".#gZ3%YdW**\W*Jjk[4:i=l?b
+%HoD/dieR,'PeUGMp$%5bRMjetc,h(^7cg.oKfF:/V;mN'AqJChBjkCie^%s$44E)i(hBkQk&M%+k_!"nrU:kG@0R7<?[]JG[m0)A
+%DPH7GD%CoDPmcVRJ62r5"l?GENcDt:KR1`pk7R:<.:Yhoo\KWLK/@!6c920#p!=bs)>(%A?@s!<\h:)$RIT#tO$Lm[rV*3cX0:FT
+%>1*Gq3u['r[;FS&*%0)YDfe4pO/:quGLl0f_ch-JEci1>jV%bB<5QU8R_af\%<gm%(Fe+JY@K26<^Mt'ChK9h..kP+$Fun5`><Aq
+%gM5]p3SLLt0331.&&rO=A7k^3O96Mh7ec8modY:#]t!82-FX>^%J"VQfc!`J2*b@AiNo#uejq"g3ubB:BXUBrP(;4`O(n]6g&91R
+%Lr"qMIMd9oC>8#o\?cl+UcUmu2M9s<Ju8;C`jZ7@3-Xs+Thd#JAE?$T,FYcY-9=E:b%?B.ak?`OmZP5)MCh8(bgce)&R<f=(e4'&
+%YgfU*)5/dgigNO]:ii2o#gdOb.%sm-abEkFi"`[rI)X/&]0-?XXh@OQ=)fC0V)m%3,'m-W^c..W6/u_r.a]YC@XKbsoeMVsA1VUU
+%;hT9";^!mi,qc<em''jq"c_!`RE!lg2%hjOHs`+]'H,(^_PZ_@RdXq=CYaATN9NZ6$=aAZeA(-eZWD?/L*Oas-DR?-mskLj5#%K*
+%'2dTfJl#sY+=2u+osef<M$=(oEEJIbFrPTOI9WYm]\/7!AK50,M'"pnfkcWr+lmh;jg1H$BJeIG73@P&r#os/S;!42lmd9b86Is3
+%=U@NX3B8B-K"Aj"l\^t.=W&2Jj=6!(ls$EFL)M`b<a<]?O5_`U`3g';<AbOfCZJ2T@H:(1q,fLpjS>.CZ@][Ql?YG=fNa/.+en>/
+%dArb>p+7@-Qu*"%-=.]'@^<gM$ZatXfq!uGF,&O"S!QK4[cT/+R2I]Bh4']qAd!A.h3?Q]4bnO;C-OR,!^,DTIJN7-A(:Z2Ec!6b
+%CO@l$Ccche2ggeK_Ma$`'\>S(FqXCiZd6H./]m#.(a)0'%mS#6DB=BGN?;@k,:q8TGf!6iAkent(>u<YlXD;/L8C0@\NUY[`aVaG
+%BMV6)&l5nu9Rob,#%gZ<YsnFeIQg'Uan&;j.Um6k_+H49bkb1CpU'qVSo/V+AW6lGOko.,q^4"LUN,mm/MehSobb>[JEKD_eG0*T
+%=gH_I]afR-_R,!G9CsS1.CS.43khH>BG[l?nb*oMH0(8d)oS9;m'3>EI^8OKe+Cg;e]$2Ca(X*@S8dS%08RR`hS=Pgo'4c9D=H#T
+%j)F<"'qe,Jbk%dhARn-H<@.cVb>N7b#Y,!RDMk-gl&8?7#N22j$8J=KjFj*(Ho2\SrDPNB"K+QGEm64C^nkt'B"Y@6h^/"Xk`5(j
+%8iP-^jHh/l\oD+6ULthHB"7*`ag^FJ*T!(u/UX7hSJT_t)AqU.$Ga52rr$5$@MZ^9r>o,'8?5f1c#XZ$QNib=YucfBP>m!5gsaCg
+%\6K5DKpfAGPcP[2Nm_c!OT^;iVMTW:$6mKAh-RTfo7F!DY,*!9!9)A5k>.edmWPe^lJ%q(n.Ed>;^3<pmI,8F:rI?'.JSbJC/-[5
+%DEKM$a'5TrNk"TDg.#=`G;_rRRS]aCmh"k!!0#TBFsL=#\9!qXi8%#Prm&GT+uLi>p4*Rh7gX](bH%InKnoS\lruHH(#[BQ-_Gl_
+%:)6j=^p_T.6X7u6l0>[5dK\5*+`$aX;Q_g1T/bNl:://@QulV!"Aa%bL4sPkgKPrb@?n/NYGAVM4LW*,i"F$X>Ia7r:>CEG`[5LO
+%92":NpjA4pnE6]K#oO'lN`Fd<E"Dg1oj?$1S%2cL@T:JCQ3$U)K"M(UmS4tA:9-q.Da4U[5%F5b7#r.aNilAbXYP3fA83M>V)EmX
+%.`*I<I)WXn'->9I*uGZDba0Md!>bo2T[ibS`^!T]iH.FfPInV;Y=.TrOk*6]&VV99+e<b9g)N8qXPlfY*M@9#(X[!kEb@m^g0Q\G
+%Es;f^E7e<uSP\a:h?ErSE35nG.,>*t8+p..,7.=1Q0G$/B=J/&gtG$?1H8<-[eIiDH7)WOCFt1*8/4@=7sLB.l-oB^NhaR^9gW0M
+%HGp804D((2T#sULVfM.,4Cf]]_F1K`Pk]#SYP]qJmg(SZoOb;6#'s&`1CLY)r-C=1OGbgQS_&O@K'k&n`-8T@,k9,%a=OR=`9=3-
+%l=&@m]!D32G.JgXaik(*Q^5EMikrZ',>k_adQe@G85P;qK@=@nbqJ``JU%#\.^&2SUdS]CUrd.5_UXGAG]Ps.D;l@3kl9c]a+&N2
+%V58Yes8DZNc(B7ZF99Ea2GhbaGJl1;(>/qN[\:11%,d\1R>djde&>_B[W5L1C6i[M\Ri^7V8;Bm;o**%XRb@(AX.Bn+=8.QV"<>6
+%O8`;q<d]_FCTj"DF;:HF&/.[\>(P.I+3KtJPsLkof]Ysq7ZiGH<j14uiXqATj0/0>6h5Ce$8'E&NNnUtf4Z2+ED:aW(IdMmpiC;M
+%:_GVuOt($(Y#K6fc5Is4g-P.DfspUg4jno.7MJ7-3d&n*W[N]RM/J_9!,;+)!eN'l+%mO&Lg+p+R;@;/[!hG?d=X$1iV^8#<-X.M
+%Na@Ku@s-e4?Z.6nh/)_r4oWsAV=cZ*`P_9nUBJr[f8H9?g,>GIK,5<D^6'k"iBoo3:<W;Z+Mi`@1hN=^C-J^P,@Y0*[WS=leDdm`
+%5;$NT^_#7q%0kb1%='E.ZpU<LK/SmeX7R\sU`G(P87t'+d=u;.PY&MCiKe9$k=OS9[?,1;?g(feLR^44r]ulC4.nm3BWJ3U$UG]H
+%b1S0U]Ej@(:Uo-/7Al9^RtW(!TUW-HmoT3Z09Q9#]_e7:]hT8)Wtk34F[UU&^?jt1,L[fsU0mOU)BGc!0]6Q#$:^]P<SCAsrO&nI
+%n*=_3&%J/`m"26oBq1O$iBF@Rds@1T%O@JK[TR?InGb2Z`=&V<JBU_j[Us8,b/]?`7*T'8h@,$HNO99E#Or$qX0_Y&j.sFk\##&)
+%o"NIUMkdUPU:*d@DG!_RZD17qcr`ul8r2mpp/H%nVT5\lE2<8+n+gDX?p1lcjQq]Jp=JZ3[79F`8FX]9B&OJ]l"ai\:0Qqi/I_h,
+%;EnGXX?m>UW\9N8-D*aEJ]4]_=)a4@mg(WB.'DoK.1NDS(hM<rRQ7*g#&M-h0q=A+@*et>csk-G6dL\j<@b%Npr9XBQ-m[#WCTpn
+%gJTnr2RI'3YKq4@U'-##_IE#tM/Q#p#FG's?_t?gl#H,&j8->3M!,VfN#ilEG*U@k)NT@OfBOtC+;C7^(Mc>))Oap1_&O;81ob"U
+%V3&J/<_#)k/:hS(2,Y?.^qht'G!sS>D*0P>1b&A)NR)FdK1$fbRr\D>iSl>&Lm6n<nK?(MWZFl./0:V@=k9Uu_FBWOZ@=(goG=C,
+%.Gki_"09NdfE]'f'P??+Xgj/LCCPQO1%fcPN3aXSUO;gh9:UpfniU0"J@]T?:`5rXn;($SdpniOY^2\J6>%3<6,U:GK(Z7</k./<
+%W&rOt;G/X:HN=A'k@Z;G(/g-FI<OUT(M$mKCkWXNXZ7A=.SIET@HIj8:YM*gT^iS$Y6\$Ap?59RO_X.EJR<OqFR1HIQd)hF[_Cs^
+%"hkp&8Y>9Wj,o@i8@Oi8>7o,ULln4c9U!V`2BhV"9:*g,d'h3\Gf!i\DNLe1OD,p_Ej!C)C6cEWa@>`Wktg?&hLXcKH0VCNPr0Jn
+%Qs.=O(Je#.<pQ&B!\Fp375/RT&Qk>q2C<3-clRT=cr[.m3cqRQ\rfO&^`"GSXd6b#*#^4!)RMV3+;>/[dop6b)$(RU1NTNbGoLVf
+%)d>gBoqN.KYTT(_TS1i6%ocO5j>iVWF/_f[&0M1=gdJAgC%Q9e?rTU$[IAG^f$OaAL8Pk)V036Ro@6cCkATaO+g!f7"2!.(G]bH1
+%n0NZlPN#N""BS;0_Sb`CO?4?t_GoBOL.WY+7QNp>iP@T(QW9@0Q6]i?67$O#G\0bs,)^hRKVLj93siIEWmIR=>9K!KPqbcib!:#J
+%+j:gn^6\[]D&mG1`P6o3Dq\)K9e!>eA##BhFI?><^BB^LOP3.tO?U,q>=/hGTV1=kY7TH&]hqd`W?`:JBkrK3]!TAjPF]btj^eN?
+%kJu*TfuR?4-6&qS"e.k,*J8WYc#Ppk#A?[D/A07H;*m'E%p_4=PEBdf;\KXuZQ^q[(^&6JkL#W7XsELKXaQ,1R9*Xo8uYp;'WOa1
+%5+.R*HX%>-IVBg$.s&*-Dk$V(K:Fb`4"3gK+CII&9Kr/%+d`UmR((_nO2eTV0MJi2p9Ppd-Z*9$kdI8-dE''[]p'j9"H2g=fH7HB
+%R<?EUh5XMFQ/&7T6iVBkA8'%'WGV_=T'k<Cndq597/ls]m9tlab3tRb-e^P))t#u/gWS;,JQ*);bhYCWC-o/"HWa9(e:Ro82u>+h
+%LMF7kHnr)5-[0ZH1BKTDU0*N^7lYZgO4IrE:6:d?]/Hc(.I`nr]`))<`G\N%MV#lSF`Z7aCYHfF#89@*+1@3op1e:<'0%Nu107(G
+%@5B`gW/ZYWf_b'5-A`]b`[[$W'0_S>*bg"cY7Hn2]87\1!sMPVE#`uSMZsAncEhetLhkWb\rgn(IL3XbZ$01FL'i."YrWI05SMjR
+%Z0Xg5glc93%X"<,3pYk#'\40)#HjS0(<<MW`$JP8\:%A"3Ha?TZIBd24\aJ/:_N/9)VqH9S&$8WD`SAQJ5h%6-ojgVLB5cL\5>RE
+%PtpRWN9Mk3[5I)46[0:;R$EG9gVl_o#8r,<e[TeM)!P>U<*[qjJ,s,Sf9j#&:n7XQ&5nBsJZ(=ES<Q.F%Z3=L%_osk+J/uPj;)<?
+%F?O_`4Aht3)BjgONg3Bj47CjBQK(s'<\1.K@!kD2JQM'tGX:[MB``/<b`,HC9H+'SS)%o&0Y4A20]U@*WY0SfNN)GVc*7dfo^gKC
+%X'_Fr#E]JD7[dJK@<oSA!1d+E-4We1C9BDjYKqM5!cNqnM*L,tYJuj"[LSW[/C)bs,&%?4a80tG/lL1m=)r9#&ckYA,Sdc\_-o9<
+%r-EN&OhZkqW>X5-7CXh'HG%-6JH?H^!b<+U7dqN`pE;;6)mKW!c;mSj.kqLDM^=*65S9`>msR,a.ZLGrE.b=oa)NGWW_1GOEQ1aJ
+%PmG<R#t6aXCslEagI^O-H-k3H(<'H5&Yk^U\>B9E,m+aJ'A3K=&2SP"T9MeD(@@oYaiX"`=X;S,j[pege0[4)@jANuFjTMja"W(\
+%61LNs4tQI0Y^;74=s?s<02C=*VbQ`BMb:$d7*DW@H`t[S%_!0l[9a[f?d?W0_D&B=2W_nW8FmO#8+COu&;eWl:k`,c/>#?4I!Ak7
+%LK/-4`\hG!d7:a#enGVD`CE%hm]FDRlPkrJ%fRc0:BX<)>9i&Ug6f[kUl71W[iq7S"mUOpKO<PRN%<PBkI2g_q#t.(oJZS4h4kAl
+%<taA"+SA95QPQCD85Kh_X)fI_U`rHAnEQ)^K,qk7E&7gjY'FMr\d26J1N&Zp=dl:N-:VADnOi5]N^G5M'f7&CR?MK<E_O[I@!m^E
+%7\DEQGd!'+kM=i,qGG"rMA!__T[A2<_rN-rN4c"3=)I(SJELgh]@r2d+O[a03Z(0rb+n7k`^YQK`aG!T,9=^*]$NG*`#VS:CiJ^_
+%8\uq-5Rt`MG!kIWa"<mS?pQ:P)jiR<C1JT+,Y8UOpbBjGc.rQQ!,4_\\#9GL7-2N7DBiA.Ji7A4@uE7BJA"+`"4S\=&f^?u(Z]ma
+%LbLbp_q\'-3q!*#>'Ok^*oQ=fd#AOmglr=L"*OI0FHJ-EV'CpNe0bD0H?R93TL[-r6`rDbk:@?uedA$*(rQSD>6B,O+Kfs9"1\io
+%1_?-O/+d%3Rq!gX`sU3pT2L8lhXPGtUXh<*Ffb/gG'1["+S>>%_D`[*l:aA2a%g%^c#6bj=(QP66g!1Ph9?nL]fgkMDp`#\"P+SM
+%amhTtN_8SF&TrBgp,H<^Bcu0ep,#)`N1K7cJoOG4.S9uRO=ZWVYO\AfVC`-1n<3>nYXX1eZluFqZ%lmZ)m;.K6;s:A/`NM"Ca[t;
+%=csC\,"#9W1!T%fKp\8PNML/;"KKQTg6"p*kN*T1A)sAC@$lf0A7&6dZ9frHR2Yig>(cru#,k$D/$Qi>cp,CIdNfK]#]MrVPfq')
+%V3OQ-Rfc)'3epP>ZfML,8&s5G&L1A-;oW]7'4=r`/rabIU7D)8LG4+,FnB7/MM5*H8>u7KlJMu_aL.iVMLYbZm/58Kj,2Cnia<iI
+%4*bn[KZo*U0rTK-Wm\Ua+iG;2IF\UHN'K3uK7&t?AJ#O%>XGc"bj)_LU!/5AO]UghE:"PK12]O73,l8DP1HQW?Zsn8BhV(:NNEZs
+%Y`XjYdZP*<_U.!T;T/DUQEO+Pj5ZJ5fjmK_`$nfsE/K4[q'J&VLC+r=?.XUj94RL53k.`MEG'tUB>s-?,i5V4o33^8;VH"fX$6F;
+%3phshSP'3n_Saff>K=slCD=,Hi:!Y(KX4ETY'hXoqPOf/NXSq4c=#3,R@ntB)U&Bd@tdI=Wgn1B%m@2KfpH4/a#$uA*CIf,YRsQ$
+%,78\'iq<J=,6?KL4_LkkOEADVJN6#0`\sQJ,^+.@\;Q@FlJtn56QeSPn>1R%D`G0F1]4J"ODpCF`FK8*)C(Y)$2&r_p[dcB8V)k)
+%c5SS8pt6:e<ZVElOBNCsZoZbc"rN,Cm+>CXD9^l4XE[=O]+fHCi\:W'/H`>A/L2[%]5N*_hb!Y(^&]Y%dOl#&V+*O%6fA.a2q0>2
+%\*f_Y"Y-_/bC9H!4+C@n7H2VTqoWnCqpHi$DRU%cF'<:D8<4/89PrQ[2F!P8,6W`[M3nthmtj"`/2X3.m#36OV;\MWlPUL+:#;8m
+%m-=cSMDNF`CfF9PD%`-/QH&e-DPRdF,2R\][rGtlb9n5':4H@<`"nrKKL'gL'Vdtr?h+'DR^'lCGVSMhYldi1k8(#\`W`h-3Xjas
+%iVH;BMjf]h-c),XirXkB*Vd=1rAY7!h$g`pjQLMM#o\AV2D,5/@$W*KBP1t9:ts@S>L5<dNW@2-^n,X4qguQP0;_qZmF2_n&i$[;
+%d(30o"\0hE.qnaWJ`+!\P!MRWSt=@sXGXB5LsENZ6&/aI*e?Zm_Z2;nc>5o6Xjg?ig"a*9mr!t!1"d0?"cB?bHXe]0Io+nB3(Y;(
+%jJUNDOaT1i-^YUL7rl1E-FU2=O[%QN>?<>--=KCU;SNa.Be$GBN/=tD+V_01YtsU'1W)%QA5>/-8cFc5.^#jo@7%nkD6\*sO^&oD
+%%U*,f.7c<E@s>E.6I<[hO'4?LBT.p%U2+L,"al"8kMZu,Lm/COW-h^rS#"Qi`[8R)=H3L0!c78W_B%r&cWo/^]H\FeEAkV`a6TQ9
+%C0K(NS?R$hl+5cFjjhBDHSN&.[$\:;c'W13#D9IF@Bhk,SLbX9di$Z&;J;:O4-!=$mhkeWIIAZ8-lYZN0IPTjI)"lY:@;=Zq1Xf$
+%0O?i@HO>&n:;pL+-/NoY?t0]0+\pM@O2Yk@ja)9rKDW#unC-!mHp'Kjc&md'*$4F.<ql'Y7$0ZF*0Es-)I3='0B%.+Ns!@22)"R^
+%*@A4t*AnF(D/hi&oS^9V,"r&e"E+r1Ep\lXT#kZX`hihu@WrFQJ>*&*2_>O*<!M,35hN's`9`<0$LF[4RaUUB,-a5p>8e#bS;_OO
+%jJmbMabZn4JBPa9*P,/6d<Isa#Y;"AMc3EM>@jY[_=neGm*;II.'`:DTkQp`[#pU>1t,1qfF<n/&a%M6CNE4(D"TcU5sh!!PZ]D>
+%Od0"J`Nf&o4"5ThetH9rQt/720V:1&"&O2tSZMp%D]mOUMb%Z?"W>L$7GD6*U2@(*WHMB!<'!E/j^E;-N1oG$rq<&hlnZ`HK2niu
+%$V%@X;bC9s0.>ptno4BVLP_=#`H<%tN_aNM`M)M7MZ*_A*OXOQ6V%utJhQdV*q>]B%&aY:W^uWt1mYDH3#"jo&6n@'ZCT8T0]k\j
+%2[XD/i1qWe3ul3a*@TH:>\YnGiWd%cKu*?2IN68Cg9IF;-^#fY+I$=9+&k))k@jX^oa-4i5s'%M9QGLQBS+Y0joqVN@VOD=9#ZbJ
+%o`R\NZ?m-=V2u2CSk1)J<T?Y]U#tXgMMI!W9->W?G'*'*b4Z1.(THgKIUbt!%PB/F/0KmEX?$!IOTDaFlFm*H4ADet%Wpt9fp+Ku
+%dQWSZ'4.f)GBG;[.&Ub;,S5s"06PRGNGtuh`dO69BRgObgMDhJ?#80&cHX7'_8B1'--mVAerr`H\XhtI)*L%-8I3kJ_GHh3gd6_D
+%3O=opD05I5jJ+;[CMQEeUH#87XYGmk<u^X!4.;5dHu)]!8Y&uFPt#rT6Wgm+7iE-A*Z?j!<0i$U02eR5qmSDeTdjO0_2ec5%e"=t
+%9*b7<mM;F2!=Bmu%0Ip5g`)@K=+02O;hS*!N7o<)M],.i>H?Mp6<;dT4S[Fq)3sORXJ@M$gtR?O+[>VeB9Q85.c3g#I%Qc-A2n/X
+%lmZjWA=,5on#X$/n4<3cD-+pb1r="*D?juQTNnGu]6^bFQ9NF.Qfl1jo-?8um$hdK"LMN"7gV+,Mntna-`:;lh7r5=e(/sfh>C_K
+%h#@?s9Bk(Z't_pr-OT2lF1ce=M?umFkkGq/+&Be8-ZZNK)W%CNkqr("l(M>(7dj!#<6N[e-'V(_B</(+"-hX`k`Hthc^^$>ch41*
+%9*?oT\0Af0)&pp^+n-WAMBcM`%V;]PDMSa!P4Rh5jrd"JEX2F@l41rB-D2S&&0Vc$9VV3b30(h&@O14X-3Na.fcj%.6KC`hL%p&#
+%r%+QjeKo?,r+5;mOP6/r7)H</Br7'2>/Cn_'@ug>F.Ym:AC=LFa]2/Jkqf_Qa+jU.c'&@<W2+V5$Z*-#*?gNUA!mmtaDlDb6PY$e
+%ii9&r7*mQ0%TFpgE/:`34](Co<L3sJoZ1@lA5H08-lsn6W-YN^=rB&s0jATmV,T6*Ol-]`o]:h1;:lT:H#RP/"'OspTL8fsL[a%&
+%TJS,!=V`E$Q'p1V:E,_YRkZn&AGlQjp<IDN=[]gt_lUDSZ*=nBrAqk(hTBaU(8kNt%#,^PSU.Tu!Q",?F^=at8/qJ;.?d.SlaR6O
+%`ZPC>`i%3-J\1R<_=t(@]G:$3fmR9148a8"0i8l]\H2c(I`-Aab9Z@:7']c3V_jE/kA8/+Un?8o&-7*7Fa$'j9#RBSc]3f5%QJu%
+%YcTNDZr"Ef$FY4]kZ3_LACdj%W#*AUor1(k%!'%6XAKGoW:O!IVu!(';<B0;P&iG)(^\eH=:FHHoFk?RLKVht$TfU<eE?rf5%.3n
+%l:sEseHf,0ehbbt?i%YX7YVt`KX`'DTtoW$$bNP.e_<r-.R@WeHA30'&e-"=7g%e<66I>^UDpn:Z3-:X)gH@&c2_r/88as9poEsT
+%>_uuJI;i!6E>"/?+OWQk8*!S`iooA=8g>_q_YP;"/u<j5eHaal)B,WN".G%H,A4D]U]XkGDegVFDmgCcIMAS8da:#CJ#)GR!'5`Q
+%EeG=j7p36HRaKZ4OuP&fR+W[^i7,8CB,:-#[DOn=eLE7::t1rj/)h*il1.V]Te[ppM;ZAC7b`%AP;o7YiOLqM@Y+'M"99t7J#lX*
+%jqk<j`\blI?!&>=YiO^Ss.3)sb_;gtN0.4rj"mVn2Th[Z:`(J8;D\r?-t4cKG%&q8T'5r&3fZQfDB7:fa(^of$eCT'-rVT'=X5#I
+%nfsT&?/`IW(kT?_d,I4C0C+3M.:.^EKdne!7\8*DN`=F/aslOU[UrHCjZq_W_c94[:$6SQ-4b)pM/eQoOElC`\I'X:FlHW-/M&/^
+%Z;.7HJos:(,5gtW)3_<pL%T8#.9#bMDJ"mVf1q]E&]?q$_&6MnJ:PonA^fF2g+oIhRu!$GMFPS1CIWnH#>f<ude(4BF@khXKQ8!I
+%I.E:sC!X:]lB6>m)@)7Sg+K9a*'N5*8@N1"o-:W&526kG6i$pndk]d=N`l'RH5%j/Ak1TKku4BBLH(Zhg8!M<N/X-X%@AStDDebq
+%3p2i=?u.0,=eFd>;l[0@LuqdfdZJ:<_<7BfedZu*NN&P*TV\W"%UWA610drAT&1c"[4RbUXlF$c"*n&j#Ttd"Q5lZPO4C3W&`[R@
+%o2mLTE!G]K6ED*8E[o6,qB1Pf7fmQ;Oc=rXYAUu61(5NXhNZ[mRop&oW+t:jm4TC0RrU-S0f;'1`1h04OSrl^91eD=PN)(JKBho!
+%I&1thSeA<!!Ie#JNT+82F;!*"W[39(Ku1]KP1VKKN^>rcgUr//)<Hfn"!LWdlBeaqN"eR<DO.A"(9GYb&A+FdKmFuASRiEL-sIu<
+%VC?>[&3/.3Qo1VX=uMsh'(U&Ep?]$Ze<?t6>!hPNDRiV:caT+[HL-)-_pT[Q5\r7Z&"r5<,F!P&(&SoK59_cf]$UnWaQRBH>$De^
+%2&0Y-AQbePXm\^L`<50IAQlB?/KlVhJRV.9Um;U"d-YNV5n/J1<d%p\>SYa-/+l9-gk)CF(\7CSf$TWOp6`P_=p,a%mNUmLg.1D[
+%b\':JZU<)cX2FM%C5gU,bbX#5MZlondDV;u_a[:M^(HQAF6t^KTU)7JEFCk2TpSs">Nqe'\-?h@@90o66H+l:UFX<+?<Q<gIQ2Pe
+%!9t,Y7q5_>e@+$0]OeSVAZN#cNl6t#\gYH=Bq&M05@,-2C16MZ'+kOW<R(uJgpkmXYpGrbG7\d5JoPTs\,lNW:0;lq#lP(O36Nqj
+%CT3W3!gV@LY,<IgapWd[aLV^g4XdMpTk4'QD(K]1-$E$9(rT-/<-$jIi9Z=;p[Pb2;L%d[:E&'0<XSW+eTpY,,0+pF%OW&j70q]U
+%7l^=LJgkP1R(Aqm\+<EZL?R9bM`KS<?,t4"RYbam]&g%U@)D-#:R!4tQo/Z87Upe-`kCT2>Q3&3U=5HHNMI%aph7(T,'n"Mh_r$'
+%Wh-A(cPd4j2C$FPC.^cd4.HFOA=[+nF?b2,\\dc5<f/"snDgpfQqqiaZ<j*+!#Y:/'dZ8JM3=%B2ll^c&HX\gJe6<Zj*2/S'C!6b
+%8FrT+f4,9;>gbp"b,>a9<iW0ZZm(b"X5d.,p_[p[\npJ[oJAf59T4kj*.bahXe2AQQ#T#s32]>-6)5]+CQ6KMGm&\-J]b&fVcS+/
+%GRE^^pZ`q-KWVP,@'Yh'H=/,#a^iasR%"#,>(Wq";G#/Cg4Q5QV?%?rp!@0bMFsb6mUh/MOfI*=SP$q.p4Vn-R,SiB5ZE')"(=.)
+%8p2+50bpe[S>k(QEpl&W\_/@A+_\2\Dht,)'t0LI>f<lEc"2Ya+ZGb$+CJZ9@?E2@(Oa"%m8?A)%O!\@Ct+>Y>`%rD0HT<:)U(J/
+%I#h"t/<"J5p3;2;NKiJbm85:S5hl$ZDR&09nfEdC@Qf+>;UUR7:o0u=VIh(oe_`us%%"!gIdC-gfj!'0fH[36Qo2:h7JBE`N*gZn
+%A;R-dMK;lZE=9KmhQ*J$X_f6s8Lm`W[oC'+Bq[EG*#nll##9e[jjUfO\N68=,7+D([hUJUB'+din$+,WUK(FN-e_;WV9M0nW5QhM
+%%<7LY#a*f;(3F<.]UbMWJ"ClKX&St86C\OMert;Wj!rO\XZCBFWGqQu1`;b)6ai]TdI'\\;jei.]3/acOh?Nj.KgiW-u8:7=<Y$$
+%fqP5[M@9W;J@]'q/e`Gl:j1TN&Z7WZ\q./i5Qa]+Wjc^_U@tf$K='9r>3_%iKWF"C:t`)SmZ^Fq;?N)f\[BhsQ'3`%Ki8qiS&UVh
+%Qc;XgX1^5h^N-S=84P-dfO/PfUT61LX@=+fj@j>`2OXY<h[Gl9#tb8U@Pblr3:3c.'>ukq)CE1YULNlKXkIEG0@OH]j:Tj1P/t%"
+%hBeSQf.5++^l(r6-PcB@M==c?V#Fh;rXoNC"nVS.Z^144Cb/<pHETZ''tFRMFMn'3MUXSs&P\-nQ-#k"S/SgY'#iO+BCA^ZA-R+E
+%itQqp$+@*jr2l)&M^p6uo/Kbs`83>&o\;ZePWRCpW!t#3L<5QELKaLE@3fM4=$BW`gUX>oTiG`&*0gPD`TiORAK?aFAei9Cg;rY`
+%*cf(.41il/;FOIQ1VZ8]8--1dp(!@HUKb$:X<kJs_)U+6#T,^0^mX\t'm4G5HKA<e'_(<ZKCXK5-($_hG:eM`KTETG0XJJ>>G]6a
+%,k?ba]I_-;'@p/QmR`\b@<a9@GE%kPODI;%e)tEg#W9NH%BC5M2K/gKmVAja:uMgFGn"(aUW.%b#t.fj*ig*8W,8UTWrQ_<4kZcF
+%S&d<!QX15pTeYaAk<T[Gq(oY&E/?;,YUJi2+\Fh=%$`U:@I)i'BGJt5NKHbQTF\R'*nk?3.]DSNIe445&kB#tOs]3d)Ok3cn4/DV
+%kA,T504>uZ2dKNTIZ9dnd[7Of2?R&XorsJm08$"SCZ:YcEY=ceQ3M;Q)\+ZdSLIT+^/85g+b;r7*T.M3<4WHL"%-DgkN!j-p,"!c
+%W2l9=Q4u&0.9g,"3;s#=PtQa$jK`7<V!+r1#obnZLrK_1h?I&.2ET\p=Vt+W<K4duCZr3&]cR6K*XQ1PX=>[bH!25F!g4LE9%p')
+%8JSBRBghAYe^>cX%]WXa)`iKmO@Be1NP^*0)C`?rlsq633:LSqe$1OTQUkAiN(?THTHb3&b6)`=9eer:Y;3&.]""_U!.f';G_TH\
+%s,>?/Zbb>AC/W@/Z$%&TDM>7.ge/%`[3p4.$26GFX##Q:_SgU5.6<h%<#8Bpb\8!t]WAEbRr!a96@j$*Q'3`:%Z@_Y?R'ecQiKW(
+%l@S=-J@2#Pm%/\i?QBFn9W0O@?-!"Sb*=+h`eD5P,Qhu0>1WB)bq[q/2Kkui@J9t+&NS.$-k^j4;3M7&'KVf!5d?/+;n@#r\n3(g
+%J]i^`*LSrq?ilG!Rt;$5c&pA?c%)/O\%LZ52&rg-YAkqoQr_@0m4X^uBQZ->b"DJJJA>c<#/+D7)6+)06t9QXK*oai,P_^?o27%t
+%#H!;,G?MWuVq7Ec047;*:-:'2!'K'%aFhCkZ[h;\lY6h,/%bi:7rd3dkW)b?iBbJD83KX]1iCEW'gadJW30V`^/EKK6R1euNcFBX
+%7V^So:b=4HN<CV1f<4LRQ3C^@Z=W?lgXAd0TOp^@X[KEBR62;I[c2SW)j?9r3.eCBW24!l(R8.JDU9A]D]=9hIGKPcf"t9s!9[se
+%jBue\U#6O]6+_5dhQ%\%,J,H%%)l?uX/drD1)4FJOqV88C7O>3G=f#99&LL)H#W"jg%[TrM?>RT@\K^2D=5I1K<Z"Yn6NSJfK:)M
+%i`848\!'m^9VkUGKmNfs[Z1C2mPT&#[Z3bf#9Kn:-?6g6+jrGuRSk`i<A#PpQ,t/Ir`8"j6htZ.T^6+2DYaHs_H;jOV[;$/!$??O
+%2_s6$8m"^"C/S&gZ$`kY\9SeO3`H`98o_5+Ll@1SdQBT[\1fZWkZ1,g@%h3K#cKl/34CL4=,t'+OH<W*EPD%d,;L[^'kfq&G-oSh
+%E4*JdQ=*>#.\+S'l!+HoGMfbI[%kHg='tUY<X7/9Z5]+[CApEjX,D8W'G"Nf'L8`b235bmF+99G-JLIh[S^@1BC_:5a42(6>%9pa
+%7<'iU\b!<]-fS.nYZ,;@)C./Vi!*7D)_L1r!a(?r>Q@k13>SBkB"jju"0AKW)?oM`YrSc>GM#nhW(9pIq=)3^9_:k;UlK>8*,]BK
+%:kbo5qPi//!ZnKjiA=,k8qB2F4UEKmo(AK7psB,Rb,o//jegL>,?#hU!;t3I*kkQ&U1k&=,c3%S8(OX-NF@.nnA[;nWEZL%m?Cg\
+%6"I6q/G1pp_K@&dRUQ6@+]5N]rEb$T'R3S&rGu5/EU"d98FLB\Ls<k&8p,+:XGlK'&Zs4TqWJm[Lt!$j.e?-2YXCfFQ!kl1WE>"8
+%1.d?AobtH%3d<MQYOsW<)&sk9.Q$ADp:Zbip6A/NBnVMLpast=Sni!$&u;?=/g]KS<W:]"mg,+X\ADo;j)+?(pJ"f3;EGDDm)&#g
+%q6ds$$/G=#<B.'\=eUVHf^q$E@p1ZY/(37p`LZ3rWNr,OO4TW?qI)E9h$S#-Hck-O2pd0q]^U0XQDL^,c,=;->(YKN6n5HWA_u];
+%Ks93MA*cEW98+7ln\2%S2(+?k&L*i]9XO_Bd"^i"gb?:1A[E<mJp%Qe8l]?`V/.LS;4EO;?Q(6?\P,`;)!3TEV7,"<4P`]Y`W:EF
+%M6-Ij!glf(5/Nsm+3VG2H-'!Sn<9<b!oVpQ`0:\,_o`Sa[c>;cd$`J(`GmgO'7$*iga8FBoW8s@;Tg]KLGc@=BiG_q2$BtH#?_JB
+%#e%@-NW=SdL;r\3cEoT@b>X@Bcr3'P)d)Lq&`hb"SZA\l4!m\og&,Sq^&,FZ9CS%)PXSd!?Co=WFZ6$1qMl4.Cbp6VIDdEFdP3Z^
+%U^f"L_h@.Vl])=l`V^;"^K*=g-[2(b9Yo@-on*aDRmk1hlUW#887"u(5-0j'kftJtTH$epkfg:4):6AY0p?TkF]Udu6Zf@j:Mucd
+%;M]=`>fFF&Z:[.p>cSR*0Z,qlVm^os(eC/ZO?D5d(l[NG&(1IBXH1+LG@5%^PT,)*OkkXmN:Q[uW`s;]rK9PNB.VZSoUj?:bI`0D
+%"2eIG#&AX`.:3K+SSrE($YuM5\p%=#@OOICGFf)p3L)-j:EP,%nDS4OmIV%um)Sso_uWttFf9c<XQ]cr91S+(+Ed&Cb19FG!"r3`
+%FKQf2=*X_Qh`O]5S,/j3hc[Dpkqk"e<IKAl!j^RafO'Q9G&PBu5B56$=n`&!)4BbJs5`dT\U($k:PH#k)nRD`W>Z@Zii@$E2,UaL
+%iXR&+\"Be`?JM8u;@lMR@fm2lIRrlp%<<<PN>F5!W<5st(%7(e"$%H#@c;qrjpMd<MK;9JifP;QUGd_IpA.7MDl_WH6f^Lq&u?=*
+%*X6E.Qldogj)jJ`DE'.`$k0(Jotthm!I7HimN4:S-BLTcBPhTSgjIa?^<FTb):;uN)5W11f4tR,p[D6Sc.+cqXSC4a]Hro&=rK[M
+%5]]GfFsJo<(Hu[Q#r9Gr?T"#TL`8eO.`d,XgkL*-Z<Kj\.AF'O58kbl)E.Eq$UZ9%P#;1QiN&E099(=H^g_#%YnZF<'hbSA`=L5H
+%=i-'6eR^P<Ba$#B(TlW<DU.s$`79)rG/C7*W!4q\5t9r>:dfA71ol1K\LLd6P=9$t?QJ=l^uGXVc($</Y%Y,to3N#&G7$R(24kjf
+%NHDUH=JY'&+\jU0Z0Yegl4[k:'9OJ(Cr6deoooiL_,#UeH0kC:`on`C6[an""\!8RK^*m2?=kABi?5ZR5l9fr%;H]ICSQT+rn_.G
+%^sIB"^?k-Mjc_""c'[j+eQ"Nu+M]ar.a.m!aT??;D9RF;MN:I?-jfW]-&1hdUP3u9,MTXA*(J\;4WT!be$`e6)n$M>0kW@i8)jRQ
+%hpfsR6gX@Z6H;!+J![3Gp[km/2+SrTS#]]i&pOjS@jG1RR_F$Xl530!AiSjr1%#>bY;)0f(*SlnfMZ,VAn*TX1;+MZ9Le9*9R8PV
+%\"Fr&3p8pG#.H<Z8k67Z4.HY'V#u:LY[n]K*F(ab^,)RRBUVD2?>*?J2)Z*d&QIYb;^r&L-c634YA9,)M`+aeE-"Gj)'Z1Dm09Ep
+%lMt=e<L.q]GT/?e$5._2f[qJE>kLX\df+SiNYVm]28AD\cIg+H.LV[j]fkp!`2hX,W8,Gf<YCL^44:>:hKUU\6EeJ2/rq\fqrIl(
+%IH^@(]>?3X+l"Rr`)&8iBlt*p,-E?,Fs)GT:Q-4?@CRiP5hY)+&LB\'7)KS)*a.qq,5i<0,062IeJ>[C``<A%>dQ*2OfXR>3fHTs
+%gTF_aI][JeCY#=uf33lqrY1%7)?h.4%!h7CN'YLB5cHY#j:^iV.<Mae].,m+LQH^KKG(#'qRL-s43SGRna_,8)bB%`^jDY)FT(8@
+%0tXGGlE=/\b+aWY3]D)B-+cu/h+Jea^a=5AZIrDk[F/t"0gj6k8HbbTj&*uPeqVY+aX&6o2RdQj?.p,UDK?QFA2t[U6F&0FYu]L]
+%Wf#C[Yo90R61cki*XHS/@?3h=W>)q6E'6Trb%bT[TYVj;7aeDfP)+$S-Y>f`h#aWnlp-8&b=..VX@1>QJ[?P)@mC4*Mf=NQHh,1p
+%7cWCVdc@Z!+X`'YCNfjEA,_eUf8rPB?;mcfB*YJo=jI0BO\.HK<_W\:k+;(*f*']M,!E3E<+s\rKD7Y*JjCuq'Q3Y5@F`7SRb"Er
+%.lS:3ohO(@jeR4!Mr[>gMTI,U@jG?8eZlIP06YV0ik!CffELX?.moi/DXagM9$%O9]s3e7j`.HY'<:gHR=b*&Lur73,-7SS3(og3
+%(52gJTV<W>kqsU1dPp.U_Ed?FMlLpK:BNhkh&E@*ocrk<S)N=@Jpm$@M"f$3O,CU$XZX`I%]DE,"Bi*O=,_%7^YS76dF)_'>%rX<
+%=rTT`-YbNi[R,8ilkE)jG2nan/tP(j$]mhL0'kq.C>!34H\qu/1$<;5ZKjr$HUhARWDKu+Z3!^tE7=MCfRCjff#]1j.,Ogb2U<13
+%#;d<od0qmHKT;0OB(@<cOh0kh>uWa_fb?M?TCqkoMQ2YY`u3YA<H-*%Cd0/(L#Fq0%-Ksl<I)PuAr:mi1=Tde73/+>[2FrmLE^^h
+%1$<-1-n86%r_NpK8dKiMnr85S="?WW4@&ktL]^=?Ipj@=PF2uK\Y(0u5ZW%q,M-bN[G?Tf#Yf*i));>>Ai5H,]8hf#7;Bdljt\B(
+%>..;[!2'cYBkP^7G;^)&.^QNL%GC],8_a4.RA1c0F5[!WZ"dLM_IBKK.(gjmhiknXdnFJ;R,fVNH/-s<-)S'hD1LJNn+P"*.J38l
+%kcOV[3`*Os'R0<0mDu>"0EB'!U6f,0g,0S`?E_`;%]WprLkmMH2'(C:l4M2&BOaYNXK-=Md6*e+*I[7`*b''CYC,,[\9[blEDJN6
+%RJt]/HGFa%$[0/6*k`dF%bMF5266?-2Q)Q_+#i!jl*.gcb-9K'^TuN6+tatO6F#c+qB9>([?9#)E18X!j$r&Qri,!kFAGP9PA*4S
+%kRs(&6(mOKN#K!.hAB.La2+du*]>lTVhsMm"'P(HqZAHhH_\QP]Z#IU)VZCr>?op>?CaY##=uEao'r&kGOoDE&n\\A"E!D`/qSu>
+%*48,T$it]H-&dH"5JLcPkU-isq04gG;UdDG<E5]43!kS#^C1;.=.%\[?fquQV4/Bu6G*]7YBZBZ,Sa*;+[`B4RdmPo6PUX`<_"D&
+%N1_=KA:W*A/j?JL<eAV4>b@HYY-SVhmnZ@\2O$>X:nc_4d!Y7+!)OufW[pIGeK$D`,-YZFo*,Y%<V0u_dQdu"h11eh^Zb6^Uc"NE
+%8eYnaqbZE#S3mmWlQdH>(,N!me*6B^ckrd(6(j$,,+ru<F.\.XR]$\0'eSQ>794R,[W5C>4g`+:%*6M'UU+@D`R)WD5cYWi&QXC<
+%P=:D'EuN#67gTN*cr8XVl8o<o9^b5_9ZnUn)Hl[5'a+sr?R]QXYHOtQG2*tWUr0]"B/[)CFaspGY$/IdbUmdM?(3-*,>Sd5dW_NY
+%`![ns7dQ/?iG,M5j\SPDg32(D6[G1f@iiZ/Oo,fh=^7*.%b-%d9U6$j7_Yrl#deSd-Jli'%p,W"_cfT$hC*'Kd3_sclXp9o#$Y;G
+%g)$e2.ekp@A$I6d("bY4eU90.41nW2,<R7J6n%u!ccBJuF0&!8X%i3./Q?B=VUI-5[ZjTcJ34VujiB&thOJU_$dWXGj7@Wc>B@s:
+%2^4TGOI+/m#rr0AfT.201I65rm1-R]c;f#<23(<E\e:MR_,sdKO0%q1oSMs+YC>,qUWMj[&"<4NB0dd4\!D)6P"C!Z'ASJZ7$WFo
+%L/[AlVbK1gCVP>B>?4`O1@_WKec)pu%.?a4B+l/<;SGj^@^jNnH4E4i<CX*ZX7R_`2c=a2@XWP4K77@!qt@UE%qgQ\SWn3HrFqO7
+%=1G#^YSQ']N!OGV0#J8<UJr5t7^iuNi2j*L7KY3+Q414#&%jq[aCuZW47BQ::tqj''4_;/0",7!>+iblmpc30g?@:=NpC\<SQuQa
+%R<GC>p)V)T'=t2Z"h#1#m61(c)k?B&]&2pdSU:Kr_V$u/b?$XhZk!l[_P@FRgptfDB\/9M1\>F)O`_)!_^4<S\-B7E1fEd*D^K<K
+%<L$m\:VYS-A8)Lmerb6Nk+/cX'/-//H-p>"N'(Dbqr0Mj!M\fC4g3Oh]kK+&Cf)YJk!:BC8p7KL5+u$og*7j0gr+sm3GIf$DFLG[
+%WmK;hfj9'e\#nNEP^e,MrRYt:kHi2fT=t+!PLj0trO2.HmsXNn2g=`'s/d.+*a_)/o[ObMIsUjq++Nk1(O&ZY5(2tG]AGZPqHM!i
+%NrT.,h`Um2YDn&0adY4B?@VrE?bC[[g#k#;n($amrq,k2?bL]t?11!1A,kJ25QCAf?TnAWeP#i;#;:Pug#m$ok79fSd?!2?IJ:u6
+%YJ9lagqA48kG+Y6qr7CC5<AdRs7_^ikq3r6Pl9?,?QC/:E;[VGhSm+!hj(flhgOtjiU0Y?bO7PL;a!C'ZPj4je$FB4%hp;P8ler\
+%H`_&O-=*@gF:ldPe^aZ`iA@u&@et<"goN(&I'm@.PLn#pA$;s-R9\)8iRshC[iX.\A$\_]%J>)0h*FcroMb'j3Or-'j)c)8ae.'5
+%29,\8!N1hp#ocVaYDYE%bFs^Q"<VO->41e?Z@(hAb2[9/j-t8]IJ;"PcT_BVh)c^+nG_J.(Jiq6p#ZpuG$A_Omerb!YPpW0Nq75H
+%rVl=Oi@s!RIP/AbN4^b0ci<7bgrE0"Xi8+GB*3"MFZ4,ae9fNM@I;[89M^_I;7B$?5R,l0F^%D<Pd""bg_MZnCJh<5BAg,PY?gn1
+%NI(O3*hRlM6iXSYq!mkWht]@+J,[R=Mbiejo_ObI5C7Bd$8HoA(IY>hqsP&EoLr4t%MN4Loq)2X1W=8<VoK$<c[L*ih%)\op6Ntd
+%U]4SBVD!$13aUb75P"Z"V#S.\Gk'C8NaTZQLUtoIW^EL$43+aP6pRnX)LZK+=0FM/2U99u+s""qClZs#_*Ck`jq!_V9<;g,>B[@Y
+%L\20Z@$SabiQ+r5:V\$>hYgItWu[`WR]9k7N@]FE/lX6Y7\qUqV7P*f7gJ*",_>>Ne%$9Z<3lL0"`#S+'f3Hk?ns&iD2Y&im,g,o
+%;4[/$%sVT2:-_*G@F@k#*'un=ei8)2d67Ffk5HWVFdpL4Z:LPpHA0q+_Au@<DOg@H"GXrtW*p[r%-(1T<*2PIJPn9@D'&ht;IUH)
+%j<YFC,>#M-/L;&)W2K>9P7S&3;;9$3n!0/F)^uT%;AfRr)V*aWcE/MG#!a-E;)p)Rc0/>T@&ksrV`_C2)Q`$-d$G=u<^]>To#M_^
+%nOSS^OX"C;I#(f5.A]uE#h:b\F4k3W$m;s4W5dgR_22T[h)LhP*?15==$C!_K$sM4$<\o-KGppH,*L?5-cm:7?HZTgZ8)MKgh]t3
+%F((2aG9;+BmK\=TNuC<ppqLBeV1Q4c<;]idTi+QQh-]<g"MJHr"l`VPlrpCkN"0JbY$P6f#W>b`&#1Zl+BI5t73h(nfJN`<-aFJg
+%X'jIs,mV(C.@\Ci)kib`P>k8r:8s+24,2rO$j)6=d!fe9V%VlH93q6d?JCXEpD/>_<Lf+D)Ds@]]L*nXP7Hm(X#jK=6tsq%<cm)^
+%`Y2eG5gbd;0[D>u5)>U2K1VP@&g>jICjg/fTBiP#gs0p"2N)j%('_@[R'Z=Ng"j3-Lq*ic/ERuaBOfsD*=`Y6C9<q,1o:T5&boG5
+%VS(`>.M`1ml\]%i3m<E"39Z(eI7.SEgDsGs3=$[`6.ZJk2L04ZI@+r`H6:bLKD/NMgq(_?Z%H1u]fT/#5AiQ9ZZLp[Y1KB&qu_/f
+%$=)\:is6p<Pjfo.Fed%\EsNsW<Sa-9a=)X7"cX4lO![l+NG<fZ#XJXt]I?=lKo215"4`s*99&kOd<FG9e(0_+e_;tQIuQL7Dj&1t
+%D![XkG)"Y"G"g58RUN!=-'P;3S2&`bf##q;8%uJON63!(U'\h4Bp2)c8I/Q/(R*_$\4q(p5f0L1=(b`2M`'sX^VgUleZlm1]9)u7
+%M\s1=MY3EmW.;?tA'PO?_u0eo5%d'9CAFOgkLN<mqKt.Gf['#]iFKTIHa6*;K.F+k(MXp+X$R<7E+92OMX.Y+`:E"8<r+/-)f'[@
+%"aaGC!t_<X[imbqRpXT3D#O"^9q_U#r'KLq])J'cV'jTI07SSuA)ALVh:5$,hGI6B]_1mq,AsW`,jd[Y!6n`XZ*1k.l@%H0CDL]0
+%<TVloHh!o%CknDV[VJYMWEnr^nq3p$o6DI_4,&4R-\n!]bfOp<RJ1<@=.W$H9#MG(?K[XtoM`GCg;sk[hTfc/KC8J4o^.]<XtH&B
+%T?#c"d;GKP(N[m7qSq>s4UWT3P6KX+@D^$QfiV9bmqb*$?E%J7)*H<)UFK.^PFI?u"t0iXCdfd*ClFRs2*nHg1<hWg9f$TEj<Q&h
+%j#ENVQBR4SqbYdMXL.]<QrGgL79"-$V`66),.e_l&g"Ffd0l.=_P8IAYo1?WIba8B<0gp)/2muQnRNs[3AeXmPA*1P%<h8NXJkO'
+%]N>&EVL7S99Wc9jB=C140ptUuc,UCiAsR^c848"MB^t2q87KgNoI_+(\YbC,G)Kn<5gP;tPiQo$20*lLVUkAJ3bO:CK87,sl,?L4
+%]c^Kb:OJ"Fs1pc>1Xoh[\:_lBjGaOW,gR5b\?J/k_2]e^nj[7>jmIik3qk`;4^E@#VN8@b`6*X5ijB"C/&tq=qV/<qN;.Mdb`s9R
+%p1lmAm\uA^1\G_nZ8,'Q8p-*4OqH+8<nNH/UN9r#)OUfd"mlP<s2nNiH`O:uaho)D@RLgD78-*5jEM$(.'_cjk;^Xafo'hjQ'#q$
+%Lgdb0NfZZG_-GA/AWA<#@RIFA+aq!I8^`FiY_Sb2Upe?5HqHF.]!Xu5A4JHkPqDF#KTq1<AQtC8C2tr!@qsGZ)6%-<9c@1%\4,\Y
+%Gq`-OW1F3.6Qm21`W*;"OtC.$(0Urqn;&Z"j5AH'KtOp96(Vtk$nfS<`g*cPON\7afDS4/j`/W<hMHs[S#iYcG!1k#)K#AHX-Q-.
+%*ZZ;C?&.Hd+iV[noBRph26A%sZATCCDTeb6(2b]JnNgd@=#/5@fkMkCPpuO!;!*$DMq><jg94L0W.a4r8)iUjW6t8q$$U*Cqa/<3
+%-R>tX"N;b"Lc!`8XAJN$Y@;nUWXm9IOCW9LB8=Ga,P[cMFr&<>!X/*S1m`'_Me(F5^0P2\eC(V-%m^9]i9At'j/OKpgElQ+n_<AD
+%J#:rq1nqG-^97\:l/IqhV"P#UZnhk+!EuSjoF\SuXFAsX!N)[hbK8,;Yp%N4im(;V07uF[o9$)*+PYJuXdfi%-h@$^q7R6\l:6sU
+%2%&q`3n*s;&X-$:$4_Lj]Q]#,_01W64&sl!c#tet&J`+c(%>pnlkI?U\Il;-oP.PO0M-B=FCDt`JEknoJ@/m[;9f2c;$ZLFabWjB
+%ZP5>[$mq<u9K=UTN&+I%FQ-AhEZ2V"D&WP2T5"GeCig=f'u_sJ@8Nt5f4N4:q'cSqP&n7/g8i]50=+]%=m+RpJ.X=E?BPH'\L`PC
+%^^c]N/bRd[n$>hG]?@79EV%_jd,DO,"U-k\F1uX<eGs+2cU+4.]RFl[T.rd#nOB,I&/Q?[NK@:DToNrrrDT`76dt\NY$5"%&nUZC
+%Cmu,$3uIP=LM;"/>fgo4bjOumZG&,=NF^]#FE_]"3f9of&9,6L74^K\*;m.W&1u(nPOq4842LLH:nWGU5O'Io8>SS69-$WF$n.?W
+%o?S@%ePteS)LKRC_&!)7@oZp!qW6NtVcnJ&,cl=I]G_3Ak+<G\Uaa:"MH->==cuD+MY`PAf+pVlOLBasW<0grQ(pA&66`>1"g9=[
+%cMW3uaA\+(iR4(?/+"Ic4el(>$S^3VI&0PYqstb.^1BtGT@jX=R$n97Zifa0LZRmJRR[u`pZE+^kE(',/c`lKTJg,2'"(Rd]_>5H
+%7IM\3V`%rI=6"lAn&?p&h9i82U$cud_T'O6mLpQ,.L*ND@B?5cOB#<C_Tr!">\0L1@&p_KT1:4;_r[u+SK?s@P^mip(Jf\Bl`4[=
+%@/&nWB@l')ND&<kC).S*5J:t>k>*U\Oo28&`45h]eYR+f?_:">>cd&J1:,`CD]*\i_tGr6ise"uHVTd8J#.b`XF*/-2]YKQ.^NLg
+%;ZHn[EN^2nJYW9lhY7a9fuAH$gQ3c:![V]^@Ek%ojn@gC_L45q'U%%U\HsFM2d&pTDEID]B5UrJb'dT4oIEeM*=FBo\fDnD!IJhA
+%XE<iQ33Bj]G)WOSnAV*!8u/6Y$-=:5IGfpWTY-^u1\9[e]4`M@m'\(;<B-Lb(/8Gf9(QTLLLLTmPJb=fV3&PX_HZKHF5Q0<6^E,+
+%O]G6U_F@]Hpru93\baQ?>+,<s)en722B-?R"u[E7i<q9>eqHTGCts_KfW=$8Ek&?E(F3IrZkmsrZcO$5ibZC`>fLCC0*K=9$PqOX
+%_M;7OONhoO.$E\%/]c%f6actES,9Xe/=WEDJ1h^ViI]0f:?2K+D!pG;hcr.=$`p\FZ4#6i3P>e'FQ"DsaO''G06#>$H7p\pKqlA4
+%9:K/#&5LFK?Z;s%@)9]TXiS?\=`"1q"j+=]="F@'(>N"gY:U0gJ706[P6E2c67`L_k+S/r9tL\cCe1uLjOl5*.ibo>jNbT:%8XH"
+%9cNY@"f338G7J"tLqXVjg9?&W/@H]*:ZU:MXO%&eBE[A,(SL4uk-/[$>=`;.kcir5>Ynpj:KKc.JS0qSqBkcQ/$m_E*?L0pMUIac
+%LQ)1qY81ZjRK\`)+"J4kP[80UYf'?";#5LB,e,@jh7UJ<a*%+mj)9hF<up&F6,c'jOol*531Vq$S@^GuL-W/8htt9,J65]IklQg3
+%\hD9^nFZs,1JD$F-_MiIT*n3Rq*psJDBCaVas8"mG5I@XQ,n=B06K`<YA?bSAtP*:s#8b!h#T;#Q`N]>&R+3#Z24a@+TDU#1j;8U
+%CPi&h>=($2(O,I'pkBT#=!1"u\?TI>jiFkg#X=kJd`H)mPc*-n5j8iZQCLbJXk2a$fR/L/..u8S^2bgc]\t2h<=*.BXt'Prd*3Ng
+%]m?6>::)f),V84Vcdpe/$m'CMT#`VB$ZW5?Bp<:/4.U<02^?F!Q\gHLHhr(EqHQ<kZY=-q%$IYs6hFJP841#$Gn^'VHd'g#-m\.(
+%fhL=3ZA!!!5iMg.0u$g#0tD=K9a04p''mZ$LoA:8"Ik@cS0a^e2'aN+GV0Q7aIC6r@WatS;nLS#=]ak%\<$S87D,^1->JUCRiJ-[
+%Ib\P]cAU+%d6igDUZeoT&Pj`XF=;"?0\LWrD=V_WFr%;`7J4Z''Pb9>A'UTedG8*aaF9K/kb+'hG1ICJX1S_m9qL??[QAf3/*AQ(
+%Q)eXUNm1dr+ASbQ>is!:C)eIZ^E\7b#npk_PZH*?dp>@Y=1>HlU'+g:ErX:kqrAd9Xii.1k_=Tg;*bW<TtSIN+M!atG#.8iK`I5(
+%o#U)2iklp5lA!pn]`8lc3q/S-R=*H\Wkej]o1&Gc'^8AE03Tu$*kYB28FfJ8YUB^/2O;7dV@"fHBdeVYE?,qLj'3RON;UefUoh:_
+%0;fgY%;D4j>Xkkt5IuTG")m&9IZNcc")&nkUnrS_6H3P^V=UZ;i7\D1KG<$kM><Fm<:(W(VUn9I%3q9URR_K(oT9Cf;n;`V`h4MH
+%L(%h=LZgu(H%kSG?#4^5hFJf9:*=DS`*2DMJ>sPVZP#OTVu\HiQQuAc]WkjI'@E7J^=30'i!Pa<$]JoX0sYC6Sre@$^6g)@L-q8&
+%GHp&a)?%/-K-e#r>j[&\q&lTA5o3CZ,Z)Y9M-b![!nYdR3^cOj+u_P@_b[Qr]bFd4[oeh#&G'?dBI!hN7H\O"\rHY();r6A`K#B*
+%1f+:RL&Ih=O(co&H@jteX4,mp5bG]+dYM0l,cNaTrSir_(a5f4IsE"1/Y:pna!,g"NePmS,pc"@KR!CR)cfXZ]i55'0W0UVYgR^j
+%!Q[al..I`N43cYF0?OS2lI5=;\rZ5*2/+lE>@0cRQM0Ru)9U)AQ&@dn=kQ:'NjGF#nlB>L]M@s2)nWltXpj#%F4aRVC%r`+SCIIa
+%(],dVZ$O=EXt%1^hEe:Z*Y=4YRZj69k\,X:e/YC8?W*IYHI9p[4p6*(8XS3LVmoK]o,J%1bN,dt)mT"bD=%#\8Q).m:HlbXKCdN_
+%aOri,<DW80><eVa>cG^B>L"+Pp8StZjD,mDd?Jo5SSFDBqr)B4"alHuW0\Y3)eg!khoL85NVXHqTpC`3m$'T+_'LF<U_QAJ9P3L)
+%'W5$sH)#eD#5%n4+=bC(>aSso^_i.t_o6g7@o1J%h:6B/[s5ngDN"07g/<BV(--5JS_tWJF0ir)Ledj'nK>p7/+n9V>B*knma+JT
+%6!%QGj57mK)ng6AMn:t+iW,DX:<euHW%KB$TL+GDTtlp3XZAbP8ld`U2V_#8=WeAl[_,_4(pfue,)IH%m(4lj%%.e;Tk5C@'Fk`.
+%G]=u*>n3kNd6Co?cc8'IFL,&h-P_ec9[JqN5)EN9$L3)q7];Fo1g[kQ3&AAP+uI]h]t6X/#'6*q%m,ZVe_W<>$T_YMa*s4b@-8kM
+%/PrY[f:&k@@_jOpm^(dsoR1;.2=,k%i8-Jh)nJlo`%1aO9db[TQeI;W4c9]S,Pu;\=$p6JaS@GAYbUM:Q*jkP$=RtROu^6Li!JO`
+%Ks8];[Pn2'e_G[4[R;!87)n;t9Z$s/Bh-u:bB=32)L(sJ?"Y0$h;,`'o0$![#Z8B[O-Hl:cEF"q`f-9n?dRW#Zg3]h@--Xan#%=@
+%(b?o8$f+u8%d&>\RiN$?_r*Hi+P@=BAA5lo0CEf851$,3?Z-Nk^e4^0A[lqF%H\EC^6i@k@rj`=9,Md%`W6f)Mb`#FGp0qUZCc'A
+%3rs6&iNj?i>fZ4!5i0s!hS+?[$Tq](s#)"f/]d@G(U/7\*iRX_CbKZ7aM/?FYs#*U=FA!QSq,RC$.WkXoBWEB!4d6!kB5+[<_\0_
+%Xa@&tPZ><"<q:5g/?j-?<;4muo9s)0'Tu)&#k9beo?PZ4o*SQHXQ+mmYkDS<i_;:7pZ?=_mh*3;"8)la*a>B&r&,MM6]j\+O!eFp
+%P(]>%i^RHa]L>?5Dbsu,)a3RPf>(tYg3"%BIJ!U][Vb'=\;g)CjuSV5<7^P]O!tjg4:L(U-j.<e$mFn%'TphV.+ai0ge'+@34_0g
+%+7DD300i!*5[^2efMsf^=o::PDrYY3OQJ;:'PEgJa4V"!M,(r`XFuO#EU"M*\N8kuQL-#!i6p&r+Rm([;S,Xh=iMuQFfQa,(7iKm
+%2nDIi5jXO252XFUo8q)cAKK.E*.a)9\7+M-P38h?>oJfLT&2nJ<`Fin$aUcq\tni%gNLUE!V!YeKpQ80(-o)oNmWW<pd#/B?erdt
+%=,'h6A`m8;6*V&4ck.^\!9f(uWS7.KT]Su/aG-XI6dW"<DmfX(dekVXas.H+ZJh8FX#j`RY4(E;H06m_#HDA,]5]/'cj1%jlKh<^
+%OpJ0gA#ob!UoAkZ)T]oU05)`!pBf;tj:Ek_gek2!4elgm9)q%bU3"Ge^(Mi\2mM6^b=N/h23u1B7XH-1)@9K9Q#e8k\JB2u[^D=n
+%-pBNj5irtpOedYn$imX(>7n'JnZc^PD-=C'duE]+Bi7?(hPFZ93eqa7gC6!pgS&\gKSfS?jJb\i_le2i8Kp)#Vqk,g'*3tunk_]g
+%*he>uI.t'roQW7FaU5XI!F44jKA.uTHsV1U5n!_Y;I(ZGNmKNtG%&`[G[p#04Z09)[?\0Jo,AQqAR1%9@gK0olhe1e;gX[^=L",Z
+%$*?1m%-[o2TJ_8K.e=.8o&'CtQ)@f'gkNTsUQE0HXXB4(;rM?cf(7[pGL>s=*U8)[U=OXLP@H\gmG\VZo@KRn]@_T06MPH6[^SN[
+%h?oVX7KU8?[@65n^9)%T'm!;+2K2g,Q"W*opH$1(3#Jgej.+po?BnX&Q1tKrA?3G,cS\KT[Mfo&cd.u\W^hd\e$4+ZM;2Mj^P]9`
+%'2nl/**)?udPL)-Ca'm-q>cqoh2C#Ih]jo;(Y43#e(9`;R$$Q<5!2rDBmQC\hEYt8<7?9`8c92&XUmmV29DG(E0O?eV:`KdgOd'N
+%L>&L>OrT@(E?f*M!l,;Q\JEtp(8CNN,joU(@:W>64CQ/rPaV>e)hC=gKR#-``u-&1PdOuTmkItt:6C0s$tQo%Ho8d[D;53?!5:c5
+%H@]aQE$<8+G.cr[3)(#OC-g#&2F<ED_%DH'T:gpa,_W&JX&($gmNZ,K;3S[,/^pg1klbP0\;TYna<=.ILXqIA6nhZrRhb6Kf/sL&
+%R*IC%Ks,\/&KR[D;EH7=:LQt>eTUcA*Xk+4&'S[KHZN8J#bm7Sf[oN-QGKn52];.tjYRi_eqtTBfk.NBi`q8f]-&*]1d[Q^A3J@m
+%9iA1KI:IB+jrhj$]S)O,o!tsmA%Thlr3o0lG,1eO,'HYR7kN$%c4`/h`!dPc7RMK@Nm\Y$d@XV8eOu=k)R$^#90*dZK^Rollo<Aj
+%p3>p'AlJ=#n`s7P0AcX%`>:a#;=fs@2u\tn]HU:31>I8i*<FLm%I::U.-4IAW+!\U-!&L=.9?'0jYIPl<m^^T`mrJ:aW.?)>clD\
+%bG.V]n?>^n)<G(^K)oc40c-$ipI6I=Y,9E<l6f<b'fCB?=dbR4`gj.P6KU=deZ<snd':,.3lAkk0Mt5n@YS&CK1bGl9-Ze1O?Bus
+%>_G3Kr-UUa,JR(je7#Tl;(r3r[/b'<R_-q9SI+e$0RB+<Zm@Jfm5Bak%%KB"#&'/fQ6`u=5,Z]iX9u]aNJVWV#n.`aI7q\>@Z;NI
+%Rbc#lc%:I)#LMW[a`jl"Ca'f__Sg8-@r=#?Dpj>="+YD][;Jo..@n-,3Z0aT5"h]>:oYq[R*M]@I0lG15ZIklK8g69R)f?'"Nnkg
+%p!!c_=LZ$e0IBf*8**LInM!EN)Q-60,98G60#EWfITgb!Tn60/"Wi[t?D<n!?qlXB?@CES77Ck_VZ;PT"\1i58c3!NXpm_epL3/h
+%WU.X<"sq%h(56A5Su1"825A@o*lU.[6;8*4/a!E[hgFmNI]=nM;?>ATT-%b"Ec;%GrQZ+[P%9b?*pT)^/EW%"#Z7n-7DUH.>@dIL
+%A7A/f(R#<t8:p,@f1&C7h&CO8(rE8e]2@Gh&p*lH+b*i;eInhdBek3l_30d/DgFA]@5I32cA\3ZY(ZNPQh3=d7&7Z-7butgpUtQ`
+%%Os7I.*8#G3[;?moU[4f@_WF_f3qZZ/qD=WX7auK^UK:lC\pTp#VL$f#ul`s/V$o5b*N<XV%Ap1!`R-k&N-q)Uk6QWDo<mLEXd;L
+%WMYT^C#B#T?e\Z7i_hCmH/#"IZ?3d9"FRPZ_r%Q\B%k:&ge2Q9Ml7i6po3K8<'MU^9!)0j_>(>6pWj@CNrClnH*L\KXg5RadmPKc
+%X]/$eBItEI)PBP!0u&?ERtkfk4d_[81WCI4qdql@-AMiX6?U-(q(P[ZAsD%Y<]34PG_p<+fH%F-L_Nege[Q-omn`8tFma(4WdrUh
+%gqUeMkVLQ67T_#QQ?59aQ6dC:TWW,8J(\as%%iB6YOYm0p+n#P3g[j+,k4c,^`M46cuCSdj,6p%g[pCSh6R(jg.OqG0ZVbqbJ<OD
+%dptl2LAg_o013Q>^Nh1o+$6fB0HQ9R`GgjpPf#:U(I/I+=Z+7>IAbV'+8k?U^$*<Ts!l`WLS7rf9fMJc"@gPVXr^eb-?&^re$D8!
+%k4?Co\'<=pp4'i(mgid=q9Fo==0FhOVYaT_H/>(4Hf',=aieUPo&fUXInpO'kO3odpMk9Soq/mCrFB1f9b7-odoSb]nUpSN21KR=
+%i4EpAHMQP*lXr-Y<Xd<85.u2kl!NHOP1X+0^VN$]MdcVA[m0]A:\::=h0U6VHM-jsSVPNTs2g0pD1]oF0;S;s2-k_$H_8!!n_<sX
+%[B..7aj1Ior+J-?jLC-*5Q9no,&JK"-bU<F),PB-:*^"'R9Hl6p[@,3p>XJCf[W4c=8PY(:]**MGAR"\NrKJBdr4G,J*3"STD\Cg
+%4I0`3p<g?urR_&Ks!Rj8htfB`lg+JRJ,=$ZXag*&q>,R+f>#%bqs2#efD`IelaQkgGJ<ShHqciun%UsT?iQRDlPk?N>CZMh?dDOH
+%NV>[8hB.gYnE]kK^\2#^r7OkpnGE7-fC<)6IJE*rJ+`Anht\1>l>QU:bCB:OrXWrHS)=&\I]NJ(J+-86r."Nh++4U5ocO4mRt(!q
+%J,)lirce@J?i=o.a+*^ts5K[LPLk<R)o(s9qWeZ1rmuYi0E:Sb^Z`H'TDGs>^]+iEia;[LJ,]2WNhnK1oRH^Ms6p!\O8nkJYPo.5
+%`j`_XZ[_u#s6Ronr(hh(5P8g\I.Z=pq>^C0s60?pq5aOpj)t=ps82ilB4(Z+fC2_Rp>1;r&,s'<j+%(+DuE:X"GYD(p\mDNhE+9/
+%.U<kjlHVP*k1k$jF(V9h`u+u>MB!Ad3M;'kP;>Fr,mPAAZ,th;-0Isa,_J?R&1"8X+AjCf8<tAh+d-mp1>T_DVR?.7)B."EkMA8s
+%%rKn,pY'Ddpoa9Rn+6/g2/Z76?amrQju<(Mf4nk+);23morGgmTDf/spMAO6I0TF^@fECrqAn<G<l6P<\i+lU]7'c2or11T(B7a?
+%>3df3)VVsg]Dgoqci$Z;j"J@jA@?>SigDptr65nE`6Z*m$6*]5.Pu%j\D58QhYH'$e0=ma"nahM;kE\t1hp.'E1XQ<k-n.]Z59X;
+%qQp+oF77\]=6&,Oja$;Zs2u(hlkuQd#tn"ZYE_hc;q]=BAGbiqqBY4t1O<7#;MOHHJ+fnmX]%.Hg%T^jp<Pu'<CZ5qPtSdcH^.F3
+%Cq[i2dU(/`rdXeC++EXErP^<lX[Y`DP4^VLV`/I!Y@N3sT(od-rqrramo<E!)X5f#$ND94p3N!9mFsKNQe-QZgHWIJi\UW.F'_k\
+%B'gLJoXM'nQ]gfMp[6V4EksjZqUZP@GdH=<Djl8ZeZ)QKS=)',B_AqH*BC&sXh6^9ZYpS,]?$UocE#)lIn<1\Th<o"kqg?RWqTQZ
+%kC3G3aU4m3a"i/DCmM,il;b)kZ1d3A?G:O4d$DXL2qi%Ydd'm*+6-p^eB6kBWgM1Cr3D;d2CtDdSc2*Y7pdk*W(#1(IYoNE\6^dj
+%*FADTMP"3i4RS,uLC`iW4fdIeWHuYC.l?R^eZsM8%G#0M<iqQl_+n:EWh[9jGkU.]6XS+&=Zsa,mk:MAp$CSL=fHdtf[Elt3jgJ"
+%WP0jl.Z@JVm+U:M(D!^=db[diHa,I27h*S?REl=NTlP8pep8^Iq7QXH%6r[jc+SIAc]UROT25GLXlIJoj8(UTT+U^3nN%PI/*/e/
+%<Z&77o_mS#h!7I2O)'p6/2,N<20%cC+g"B70gG+V;R9qHj&10P?n>>ubbh]WJp6&IEW*h7jHWZe)"QXuR3OI[k3$$rQ#"bnX,32+
+%n!1q3]o[m8=uWlrJY\q:[U\JQS3<TXhAJ^6ZXNTZ]cXPRX#=\4V;P@a2i`8?\6SUNV7TH)\7jI?N;ONUcW06eI/L4W7J"0ccE+_2
+%i*D]DIF9_CY#cMMq.Rn0)?&m_B7L_73+1J,8R5!Op&"'GQQ3ON]^"@A/Q4H38c&8=%MKU1><&l\V%c'Ll*=NS?*J_5O=GPS??5Ph
+%PP:^W^L,AQH%T(p_4]ISQd$Dq,0r0'>-(.S:]FnAaq*5EH/)V>au:,hY&XL>NgVJ_`^PHYh'OfOFRdje2%&F7pj`08j<*i6T=8h'
+%2_2m+:48!s\C9G)2hKAeH#2#mnk$U1SN2#qVk;6ReLJmOa?(!F9(ZH&j2d?'9*Q[)"BVF^?U5Fh>hV'5:!u0(7cV<,/RPb.poHT=
+%a*nu8ZqC%!^@1^ij4i^>9%@_7CccS(Q/K":Sldp&WA'$@p\f(,WmBikA8qLr;c,n4D8>=i0&=0dm-?+&;S9+/n22S2#Of7th1E(l
+%F%4"?HHfR+B(`GY?*!%#ec!Z5UNT\[rgt:Hp>Gr#,ASVOcTlDZcJ<mtkSZAs[XCt0iO>/RGG"TnL5i7s%t2N%_,J\XHfSPQH7_2q
+%N7Ifl%t$++6/oaX@G%%/n6,K]YNqr2r:Y$Kae*GLB(LnZ*T%/:'DH%PJ,ZX68p!,?hfB[TlM3S9qNjqSX?!mF_Rt6aVp@.45<35t
+%nu[95Cg&rsDKm<%h\*D/IsgLWaG7IaABL4EY\)ZS]mXdRpa.LUD"Ve81NMrT>1G_6]3_R!@,[E(8+pkgebS#T2/2s^oW&.j#$mY5
+%X+%hmD]\pn@[$"(HbIZo4"nB^jZYZ5Gte.Kla3.qiS_fkqcAc8%*[TSm?.BQkfr<0*-CL0d/LR9<t9X:0\WeT8L\\$YO;@f62W)@
+%=MFP%`RB1#ogoN)is%,Bcb*u)p-0f%Xu:I@aZEU'kB>'`)qpec>C?4jq>9fegHVk/)`9N[IXfecj&^/h%7YSQK)b#0/^i*d\jgd,
+%]\R)^!F.L&D]N%DWh,[&MtR)An9'%W0Q6<KgEA>e#!H_qq)`fHn!I-'P1./km?!ocj.51A`5HtufsE?/mp`V.gp<ZC3e=:lG2oR6
+%r3"g:V`)k7'D@r?qg<_R>#*A^*E-]B53ia,lJ`.q[mF4Z@UGAf]DTGZqQM'nNN'psYI0sSj-[$>a#6\,X6--SK2s!##2YX$e'l3^
+%rl8CGp/L%`ra)<gH6k4$_$`/m\FCq_Ym6Whb]!BiWl"4CW)r*C>l.siXR$;Ll,jE=qc!"/f+6)@*9R.1k6q8P3_dE_6AbH*1oftt
+%*T-)QnX`AaW5Veq;,MW"q@e(jGND#uIXKnj!uk.q.6D"VWI*!'^5-s#k;<'qK`0<I7;KAGP>O?gJLUi3/b\T;kBD=+!mUGR^X$CP
+%r3DfiFtO`!JM/N4nuL6U],k500roRZ)a<_fPqWi0m34DlGOF+Z>e&u3DY)89F0O*U?9c*82bjKFgK?V`5KJhrDP,Uk@U)ikhZX1o
+%ou!5,Q,<rUVb2r+DZ'LteLI]4p$CJ0Gh>7'%LcrraR8K<YK!7&iO#5JoWHt2kP'H\k5A[J-pQuIW5G9ZpFY[mW:,&A<o\qbrOAuo
+%?dbBc+5!c<mEijtmJTU`j+,FcZu]8h(h-[ll!)Hg96aP+h=LM.)c?Xc=G;n'dGi9]F(X1.9X3^ZjO\;&[TW8IE?AdMlonrJs)sOr
+%E%>__hTO9`Y9-l:%>4AnqIA+u^QnSsgcK.m0'l^ffI3jbEJK=k=-Hk2]_kfVgTK5SbJu3*YLi&%FR5s?/P:_>>B.SBI/;EVc[-I`
+%KT\J7mCelhM8AZ$2braBXiUj:.W]!_D9=ZhCXq/4manj<aln-Lf<T5tN12N,>?srL^!U9)ri=EFa&WYbl*Oj<`:_/g,eY^q>F#\3
+%<3=d3n#g]Jjb#'R2(ZiE[dH4n:f\iGBT;jOa%W'Y\4ueGa]`u6f?fNGr4%%afpp$ncN!&!mA-(Ss8Ipb<FW?`D3Y]Qn%uf8rHOTM
+%1AZqJ4Wq(9ZnFUEZ,?(Q;oeO/(Rc1ZAM*l[-G4-=@!^GJFbVO+Hi@pB]5AWr4hQ0DjFEN$hW3NR]mY&NeRIK`4i^55h4m`8F`0/*
+%4+?J55qO=nJb3[6?Gc0jGK#Fr*jt">Mhs+!I:DU5ZEZ@B"Qk9ZQ8al-)-%b1J`j%DO.JCPE:^S6`XA%n%A,ao<*&+b&k`bm&<+r.
+%]`se^PTiiBY<$VWU#Y#jZ"@[;=KK[/FYnjXfDQ)h(Nd\-'e@jYjL"/]ZDti'^s0lI5F=LG:]7L1$[5`nr(c[^UFZ2,O<gUS\5`be
+%`P:d5nPo[D>tr^!MkkR4,-Z5q".Y,4(.5"GRa`^6MtDC^c6F]4*8D_nF_30gH7S0uTk3&s1p-S,eV>ct9oHK@IbHTVU;&XWYj&NZ
+%ir6K,5&,it\k&TI;eJlHoR=G!A7tQ7@+(uK<Pj_oo-HWVH>n$,a)*")NnO>_eVC=r?ZtJf_G%JUb$&gV%>cV4(Ni)$nV%lE-dJ/=
+%Ufk>rp0uS=;3T&pBrELYn+Gd<G9:)CrF'eN&*Bl`l],3Xf?E$NHY1dI?`HiUVL$;U6d'gRK9bX_G/i#Tbn?$ZSE<2:9HD\f=V912
+%CqK0ZkOQote`1PR>#*djlt6$qbMQ'p`arA&;EjlqiD4f!.i3%aEpBHO)%#'.Qg,$Mrm=-AHe#Hh*khYX9hqqJNA_kr3tp3)V&^4o
+%'A@j0O*B,u/aGtdWRlIK`:86pC%6Je.eK4DGi!Bo:23S]"uF)\SPp/F$#[ce#HgS3Mf38H^?b(`KiqA@DTflV7s0;7ET^G4cmNVC
+%SC[kte>tH@%5,n,G>G92E*qu!&XtGP(;%.jH7_fJqlW*,T*m.]/a"jljhT82gK-oKR+*%`lJ(-a4s&.RDOi,&Vm!!>E+Aq7pCc?u
+%CV/l=Rdk;9?I4WPTDIqd:4$qtbCgdUCU#c"8+^_kGW>5*qmkIBSN=JtrSfgZ/R6!\`-!X-mA#RqP2Gro)>1.ZV`"r6%NjGDjY<0k
+%n"*cCS7^[AX)o78]Q]RXPHaVq^-$H3f$2C9NugE&jQ'mDE:0@tC/D0g44D2fQS6.'n6,5.Yg;0U=Xs-r&"iTj:FT2Va7/%Nl6g\5
+%?uraI4:M/b[r:-9*R7%(%P5b_mXO+FdpUh.A!+1\rhT]I-hR>po6hG)6e;jmDaWZOhdXCbiEanGG+'/#Y!//a`l"Zla1Ntg^TSG(
+%>GY*GnCbWcNo"dUlLE\7Fre17QLDu!Bf*PrYEh=lr:!IHik#DB<f/1e(RCh7(CeK2Y=?dJmJ@;2s5DB8H[`Pt'6cslSSORph2\::
+%qIUq4mj>lh2_=Qkps0:N.u!5>fBr/72Ct:[IJW;!?``.rkK'VQG>d<7?5L)#5i]IEa"]BI%W,W%Ib(Y0.6e3?n_34PqtKI1GPKgi
+%o2fiV)/dPtn6J#f?`?8/qV2s@S&@Au.L\o)>(#/@FoCUUlSn:fbK9XQa;)&u:-U&1-8/UdZ[_fZd9"$<HM4gnIb*Od_1&3mjI.h"
+%PEhcbl4JLe=(]h%+)X8'O8N=n:TWn!N0B,$(9HE#H?Rp"d8q'!2IlWpqiB#I^K8^W4`d(q_u&IgHhM:N-n>cInP7DALTWj&Mu6q+
+%c[7g`hk\SArp\C!c*KLMFi-hH2OmGrr1<,`F7.sF]8iJtG4jq)&"?(OIBU#Fq<c0!orrgNpMX<MG5Ha6h/h>K`iTnlQUM.^4o4]@
+%F6-['G&!$#]8H@[r9,fd$feCj]4]WN^8obV097K!$@\E/`clLi8)I<maQaih3QM*Blh8`fSYHG-V$I$Hn%*^`h4U]V+`6/[A%u%b
+%k$7[n@cT'F:6WEl[JEA\on//`7h1RHc3sCH8pqcIS.25CL$s>uq1h$ar5)rH>re8GIbZj04"?:pJ)])F*4`P.>W]<%AFAiioYB!a
+%lbacKgblQ.\Gn%G0kJhU?gYaK*a:e)IV@*+oj4rmi\.fl`Ei5`IP\H;7<P3mC;Y%,NrE3fn\KpmbD%n\:Sm],ZaQBOLiN#3fA1M[
+%Q]9)U_Sb8/]g(1qk#Zi]K58Lccg+Y6&)[%P^#@.Yru*Q&J*k17AReoA7Et0CNCPPWH0WC&h",T)?Tbo:adC9T3)JQ\,8P4tn_,YM
+%)t.)n\SqGZ+\dk@3YdS&lT8b>pD8=iEH_*1W<8WU:?YTR81a"O[="mO?g^!ur>5::#C!>B5.G2"Zp*rF9H>9b2'9MBlhBR[4R(U@
+%mbPBtik*I-:@6NC<1Y/M[i4o;E93*%0&1i;\(qQQ_FJcd=>H^kdkVHO3PSap`PC0-^--N1lKt58\t&YAD?N&hh&ASN1TGdkg7o50
+%L!$e@3r=hP#C\dZou?C2p[18eh_<,sE;0'cWu'*RpjVt7cf^>Sf=FSZ]T?gSl](J;qG1>$B'\<k5Fa]YqX"#N=)Qg)Hgee'S<Rs:
+%aa%jocHY9!592hupR=lmQHpH']61O@q2SE&<2OC(@?]h+rF5H2Y;U7r2V:mD4"jjKR!`2LE:3(l+2?_-c),V6Qd)!\G"Bq[<Sr5;
+%Y``)F/mGY^f=lllNYjp.b1pR/ens3LH-=d@gCg]l>ISG*\:3!!3KqGk)pk^0HDOMXkGRU.hrg7Q<OQ.d.d<?a#7Vb4B'd%t.B[Z#
+%a,CopYZo:SQ-,s=r<5MM$5H8c;ndX5MQ*`c(!;jn?./[I#UK5$]c`oRFPEZ(9a\/1jWkNu85k)D<DpljWp&.Ljo#6lZMsUumT'<3
+%DrZ(\+@K;9fdIW+Nh,D]9l_Z4Z;Zt]gIR"#8ks0NZ@2V9D4;muQZ&ALXCGnRqe[lLUP)]IbUg[C5FhQSa`3cLOQ)MK3JEm$%bX'?
+%Ls*5TUrS%rG>]dhH5mZCDAR:5,S5O2Gi21+Q33=[j;j#s*%CHNH"2K)ChC7t/<P2Z_La0^!u"c:FW/"fV#c&\CGu8EO/oNZ,EhcK
+%o4AT\nsD/U[>5R8!NHPOJ43LtCaK;34:qTpKE@%>)ZFb/iD"?KJ-%r.$RlZa?](TU7D?ti)F!4B&Af7Ep-[+Ei)K1SM:+<siJV![
+%KH$jlY2M.p(_]`!"TYD)ch/#'K]lLITh^k'XB0jAM#]XoTZcX])TCJ>9)tsC3LZZ:+-N8B(:k"#Af3VY/;^DZ+5,sH2.2X$]H*\Q
+%#d\ZAEB[P+AD6[DJ\s"43S63b#p]VM#*DBJmii2ek_IqPJO%L+)B>=?=Ga9#!F]Dp>"_t"JUr?-*eHd-e4F:Im%?StUt-So=AUpI
+%6scC:IXoS]1RTpc(R?Bj;UZ*6QO1CRZe\/&'"s3?)GGp^H(jXd&NBjDNMB&L\fr]QM49T?:e]He16p:j.TZ$i.JF*^MaK$e\fJF7
+%T`gDD&m$M<d=@Hk0`$<n68qji&of%uUZdHR;iu/L]ZU<VP&)QuE^BfeM/CmGI(#.jn:90.&QLl$^*G`\bOh1E72XsUOpk4VYX7%_
+%i@Tos&"ram*+l&]((L1?=O)=1l\*;PMb0=R`E<8:5T\<:"/Vb;XLg[@-B>"bGU&&-a&*%LE]?DdH';![=t$]i9H2WA5kF'Zj0nHd
+%"+:SSC_H?$Ja>r^%TqoD#7<9)M+hLQ4S3?]UI5%!_T8[og?6jOQg'IY5Sc[7?*b1k(f2#X771Dg7]Sr<ZLO:_$os`'l*6--3%7qf
+%hdT%3Y\>9.Z$hp$Z&-jI33c.T-P)YJf4?uF,'W#[M(B@VC<]\T(@l=C&k)$neHKXK&pd1t4<nHdi(#&T&L\DnW<b"U63]?H4#gRE
+%-eKcl;37bKZRMh)"'64#D^[L\TZp!4/mqP?rh<F-?sF?L0.p6/f-(J@0R&PS`tokgH6X:qkGZJ8CA!Ft$^m,/DQf^WR[tQZ+8QmH
+%;Y\HN`?au88E=S@3]%t!(3VX63jLn\f`@*O<`$8B();K!F:W`-XV%Hp4miZ8RUq?P$h1Q,UpFGhWr//:?!/'X3"+U\gEi^<E\\sZ
+%6,*[q:14Um4$4jgd=M;<0RNsJ!eQK`2'(BiphEG[IgVuFN<2Ct%dIe_9j$%i[f?t3dU36M2kn;K?/coP1>\OK([f&*FRmJJ,K534
+%W%f0U@p$Ziet@Pq(%CmX4m*E$_iOEmrV)G%3E@i[qub=-r9J8CpPEEOl_CW'%]+OOYt6Cg[)^u`Q`+-N0qYDsZ1VT2Lt<V+\B^l<
+%MI(GG:@FT#2Cn6shSbIFf6m4-OfRWS"V^2dqR4IF[+DC9N?@JC=G&?gRm,[B`HmR0nsK+)BQ1-h_+G6MCA#k)'oW%6@m!Vj;_p6'
+%oV98?UR:U%/ZZm#00Op_iK"S8EKQ"#dpfS6O6FF+7F'^^2J\u)@W1BD*lQ\%&_M3Ek2:u8b!'oXr@Lo\ZWR\*I_J`Bceth]HI7`e
+%\p=Sa\/!2#oT6S1X([=>/`!6^HJdUpgobXgO_$sRLX;u?rMBuH$sEB9SLWgmJ6f4eqT.+&Q7a+KYTgc#f2ek\de(Or_k=/-/,-.6
+%_1*8<dkq`C7otC^IFO@*Ds=M74626#V2h*FQKu5X_dt/C1\oDRqqq'EDpRXu4>D-dXsP6<d#e9D]';n*m\)i0VmkEf9/1W*BK'G4
+%%(UPNn)WV[h`(Hf]gIe?-XnZ>c"kXT[b>sf2tokXn@+kBg8,XGc0'L5MLhgnQX%\X4k`-uXnIhW.>$S8k,k'-M#SNB1cP1(i:+3&
+%+,iiI&_3MeDJ:Kt]CX>F\S&p;^NH&*$c.#V,Ik\5eZ1'!TYIN[^RBN@F+nA10Q$d:2Xnaoj'r?u0AcV@48sTfM;4V>3m'*YlOU/9
+%J,HuFg_8eII(ae\,Gr*>$`\CRs%mjcnVc:HJ\PM#r@KuPFBu6=1O_pl\i[H(53;Y*\a/t&4l,&"f>?S65=%8Ve"tr=T>k;$o<.95
+%gX-'%XL@b1DXJQn8"jn?r;l&BZ6()H\uI(U]Cs6k6*^:5/+u0J]se_dV;@1+0lSQ_]_;j/fHK/8k2r6R"+O?XH6G6AaqAgIRir4,
+%00!56m^mXa,lH'Z9CU86?OiX>droul&4h8`I+VNaFo;e5\Ft3UTQ91d6jM#g[R&oW+*)GkCrXUL;m3\n:oG(gn3P*8F*;.#n(L.=
+%[Cn_r0nZ'IDBZBae[1<&EL!Vb+NOkeF)t,NMm_?]&F%)"A$Pa^n)rj"_QU#sXb4i'`qq@HiUec(<:T"H]*2,]Eb;RYmt80](RG2.
+%`m5Qj.8s=@/fas$hZ"/D(IF[AReBKmb_b8iLV[9hLQ.D0m<0HPJEco;-9ABGlPHV7luMO-mEhcgmPTDd4as-Fi"8\8HCoO.iIT`j
+%[u7ZjqKD;gAMD`d*^<H&mnH"`f,tjp^*D#SH$2K==GO#&EfZ95]39YCIfP*hhs!(H6G6L?"m6L>\@3^HIEgAM]tLU^E*';1$YHg/
+%=4A-IIseA#k,(3HhgOeM?ihdln>Gkb6UR_Hpgg[X7fA0bqS+':\ef;^@DuRPr``U3&VfZKrY+Ko%4BID-o#f9a%m%'Cp*q[gURi)
+%R=".S+(sW4mJcdf38b`ORbU4J]^D^Q5s=tY`],#u];=`J^:ocIfXcIDD],3\RSFc">FnA-3kV%Hn\^GjqH)=K%M#.=HYbp[#A1-!
+%1P[FsI\hK\lGg%e"MJP<X="ePhM/W6CVKsqY-)ORCV9.p6)pipSHf9rFSC3&j+Wo+BirQf52fkhSBB*i](;,fa,V\V&MO[kB,?Q8
+%qZ_V3Vq+bhkBt_oJ#g6mH=tO*#=70g:f#R]*\;Te<tMT3&=qF^NpRala2f?%qp7<ul5_r0kZ8GC-M4=1p8scIpL&d`^$r")&fOH3
+%P8+f,F@%Y&c+/8aC?2#]GB]?#C/8%i[qT[@jhrMZY9.>=N0TpAlc@Xg5<e@`ghTR5!]oE#h0\te^YdqM6:(p)s6/4rg>,alE?p$0
+%m-cB!$pL8t-P#d7-RL*=C`ZCEi<Q0hoDaiP?29.]Hm_^KaQI3smc,t(nTd<l3B915n0m%\cWAou$CBsYfm3CpWSB<$WL#GEE@HAJ
+%gtU'h=+d?+P@5Na\O@Ks=n746nca0L\OH1kpLYGe#6<r4^58PgQp,TcPt*uVpV71p_*L$E^#BV([lXh,e;_FQ%Hm)loFP]SSaSbD
+%(JD9<oNqH4Eg.AG3EPrKX./lLE)l;=B\VL08PktiQ]LT>4YA`O"0]l7qi"jqH2%:?#7f1)i5#?JS!K*$g&,9J]ZQXJHhHeO=7;_d
+%1D;!:r\L_WEaHdHYA5Ek^8,jfo+A`OZQohs"D>#u5keO7MY(0D-Kr1`g5:nM6pQ?'B1Wf%:_OXtKd%=Pm-_-b%>7SMceAIt@9[j@
+%g"GO:PqMU@pu5Xmmjs9"kTl(`(X\V?*ul(j/[(A5.ZH5l7:,I\Y\XDtI+$3nLd8$nK_LKKqA:?C`TP%KaZ_t/1Qn%*d-QZQ0aM)&
+%lu>Hsp,'mA`CCnGF<^aGk+`-?A!+Nf:=st6CYJki-I#S/.9jJZH'JdM8;<REmje+DHkE\q0fDWnN@],-Yfm8#ISqs_Tbooe=[XR]
+%EG\MIj]mu(5uh'R,lnH-PP&c]R*,`F-s\ZbJ^Y_,^k9W_=oQWT^!,EkTVM=IaNbU3PA:P:"$fC*K/5asIO^^TDCJ,`4Ea(!H3*Y*
+%I$^Z5K5P(q%!:p1%S=EUZ,hpfJjtVJ*`HfB!#[3:@SfD^!kP7,)?GNpV6HuK7sV94c[a$m%/msOX+2,Jk^l3$-a?hqB]-k?)`iW\
+%mR$-01IU)bjnMX`h.5l-`aAiY7#.a:_'LK*##Nj1`d6FgKg6'<JKhOS1O.j)<N>Mr^_&j"_%=k;8!T_>1dL]PUE0Pi?R2!AOt*+7
+%Q,_.>#0Maq\uXWO=bn#Ig1:^Tc^$9c%B7>I."7;?'\9i?>!82?Z"mB.3`+?s]\"Xo+;q\l_qI_aZ&8bsT:X,!JBXEu0mj2q!VAL%
+%NAsQOmJm7+0t79Jp?[A4L8T^h`AJ^4Z:b]h\4-8*SjBrL<%0^aJ0@O35'XO&0E[mP_9:*WGk`nU)Y@/EJq*tTY6EY(\k"oV$6p$t
+%cuTie(<\QIc_?,F/2!\X!$?dWOD-9&iYj-o:5Nm2SYh]I)(8?R:F8c*kRCV,T*=;(ODcunG$tr*#:+#Z!Am]M_[<W4g^tmfU'T)t
+%)k17sk_A7$%%no8gjP*p.ZNC8.%Q7KHBp2A+."a:6kS>Xd2Tr(!0kV9omaKQL8o$f!#m406&M%V5id2bjOC#8WOIGS%!<_\jBRbR
+%a;CHJ3l6O__@A'%37P!%P)gf"6XjC^ebVmCemTSB!!P?@.r^b9)^&$P6\0eZ7Mc8aXpH/m,*+^^Ee0$d)J?k716g6$/R0%tL"Sb6
+%#_O'JdD,7:^'\Q+=KJggnq)cLaYYI"8k:!K:K9su^`^uWd?jSokZ1M\JoLof@dtZ-U9(^SmHcq4!MJ.]EV%;0NRFI<2kLS#1kf'J
+%e7Do@a0qcH+?S\+X&pS(Uate40Pj2K3U!o_Jl%!E]sN?h#C4IAmV-FH5hE(oN8ZdupoFQ/7kub-PfJGqe9pKaP,k]a]O7#O/7&F2
+%cfQ_(A\eSgc1e'J%,I3AL0#^a0LhNZnc^]Pi",ql-WIbh=paXTe]\5,_))IN@#lYs+S6M>Y8iOJ-US/Q`IUG)YR8+[Tj/2T(j9DR
+%S-,h6Z?/`^H(V>fW#\Es3eV\[+XMhd"9bELd"]?#'(?\_R\Bms0np;:$hXRO/O=GN*K#^9dJ?Il]'aUA4LIJ!E=%(!;Y+W=#2N>V
+%/h;VJ"j<eoM'aZ$&m3Oi!@WW+W.A@85]Ch!a+A3M&3uU[23E^f$1D;TiMu.!);)*TpqqRCEM@>4C4)2p@6:h/aB1>s%M0a1C^P_U
+%.S2)kAk*N=,9(+#'sT$9.UlPX+PCmB6B$4GD:u(*8jW`\i/6_>PkJ'1;Gn0M5jOKL;B;Ad^Tgs]dGkkd4oqJ&'J'e'VK6lA\q5kr
+%PR.,oc>m"#!2n37(?IY,/HKZqYJRsYAA$"%"nX7)/c_e1#4GMXTGdABlGkS[n6?#eB!0,8Ub%7VW3f[g)i'q_,0Gbk>[ilgDU;0]
+%1+Y*[1ha)0.#l28.]a8oan'dS+XRX$cm.,P'u5d)/V0h\,@OQX^p?aXON*Gf2O?[Z7mUHjd".2DdNf829#tSJns)?Q,g50JK#.XD
+%Kg]Z0=M9rX(Y0pIaXZ[H4#GD+AU;uUM2C7B-/_T2$Ia)T*RRR"&$Tp(l?M7t%!o9.$Hb,ng.F:6n6E^(!YAb;-7%B4#D-6Q&iO=k
+%6lR7RW8$LF&SS02W_K%\@"jWD3Yno)gk'(56N)Lq+e!$P-O[6.GSgPc`RZodaiU-id9)D>7N=&[P(?%J#\jVS:$NOLK0&-QCmSig
+%K1$*4HS+*Y$i$6CG*YY6@ER+C'ibWpn]7GUnOjOc(#@@ChrEp6("aYr9:aF1;J^O/MkOY-Xscj5FP.D]N`]KS$#ICDL%D[F`3+`Q
+%iG0jV*Mg6=Q'oWdkib"?D+uV>[NgF]%[AAL#,M4/`C!r=^nQc'bd!IU=<$./"i!+0oE#Q"/lA=f#g:PPY@T3\,H(T+aKQ(a-U?=7
+%js#%G-hBd\OO#I/9t"V!-fXsT$tToWYooOa$js#(&P5Kup.UekVD.$0[1Le73f@C*iR/_l7KNiX7T2[[jXZm6RMnjiD6$p%00h6T
+%!u)Va0d24XD-Ab@Ymnf^!*_.cWZ?p&O@7b<EGJ)4L!ahs?Gf_dX9PeBp`_!q%&Y6'"bU>?55_Vd9UbMZdm9.Vo0mUG)TDjS"iWAl
+%Fp5%K#nYdsE!O3]<B@@81?kAQ:b>^VKk*XX6R!H[VOU9ZI$C`le"N4&!/6l%LtG$<j-tZhO/7+Z=1Vedep%Ni)0c5:%XJ=0Z\#nF
+%RpV7*d^lZfU,sT(F%GH2$'8-Y8<2@;"4Aqr!L+3;"?3)p[#?/%[]s7nTtu(0e7b_=RH;S##`68KF,S`jK6XckBfn;%3oU8'BAINP
+%Fq\OD->GT0.;1h@#,(SQ.>pYOpg0Gf&R/!O;5]j=nAn4p$nRh=@%<?b$fFFEoO)^6m1&>Pqq/3jgnS=)+B^'TH^Hr5#OSM-\t\X$
+%%3sM3O5S\j!0+r"_,TFM3FI2V$b&77]kh81au,fD_.j%ZXm2!S#-3I?HMk1%[EaPlJlpT4DkZ[mO[_2'<`_T'+m+=ogeeEK:]M(s
+%%2r(WF>?B[P6D5Lo;#->M67iTZDe)$AWs(+CX@WK)J?kK4t-DFgBF<le-PrK76Vnf%MkqfMQPN;I/^2/6:c4NXoss3F#X7c$\Gl@
+%>m.:'cOrbh<^p;JN)'I\+SY6li8er@^qs<eRKmY4p)I.'OTm_C`>^uu#QRIM@9D/6U]E$)Cc=T2el-dHf=SD*2@90)?&/u>4dV8s
+%BekVRp$F2N?CW!Kb6`r4ZouAlba\F$,((/GKm`!<5a1T7O"0($3kumbSXuTQ3mF)?,?dY#i1sb`k>P-#R97$M,QoJX=,\f?)C!%)
+%[lEA<>$H'5"F]bpMea*?/llF8aun-MPGtCBoWf9&:Y;uFK2jH[CQ&-"a%^"U5qBNo!:Qt.CeFa8KEtC!6CJP27<)T.!,c!H[NW&)
+%Hp+$J=u9RHH*i@fkZ5BgNo%Q"f(iMn$;0=l*LRl)]M=Y%+AL-@+@(XH#WONhfIHuo)3^,,H#JJp,&A"`/V'Ocp/HE[0H)r`%"_OD
+%6mm4ce!/.i9/@o.E6E!NDBt[-iJ^H2ZX>oE"s4Q":#G)$3W0<=P!:$L3Q8NoP_k4J4/Q\uo8s.:B_)O)V"o.992R4oianTlAf+T[
+%$U>o>mh-cmi@(G?m=f>d&_T=gnnQ<M-MUos3i#&<T?BT+7BS$XeV1-5cZr\V0a,s[BUiRsNJeMd4KiJc=S%fI^`gO=9%6gr$8)cs
+%bcmBjS3bRS%Z)O?5Fa::IOO#ILRA>P#dZPT]4q]lbZK6fkW@c,KJ5LEWB_Y%+qS8ela-B`Ggus^%kYbf.ij<HV3ShQhj(u6Qd'=q
+%JZ#L`*Kf+\4\:lj_Bb1T7Qr"t%.-8%3(7n@/e=j[(jlm:otV1?)^&7NFg0^K3!?(C*@L(G#2C[pcer:>VRN4"UPD*iTL0*=]n0GN
+%brdt+9S3di%AF9';!e!T`VMe>XHJX5rPsgsnKe):@]h-Y,Zp-OhBl708rC7>7s]ddqoEFc44l4c"%93fS1BH9ro[NN:Zs;-qY+>`
+%6MB+1CE2G]4^I!f'nQDYg63?6,q#OVe)TOeZLj>RL[(/I4Ln:d;rsRjmq[ajpsn8Yr=6[2NtI]n%6jSnOCPQL-)el`qd\iI7=.!"
+%$'`T2(5i2=rOG%58Wp5@6tMFN$T_GPY.Ya<!j9'Mho]1!0E1h>$P?OO^V(Ap4FP`';(*ga=!Lkb-e7nFX04uW]EfpW2>V:2r%:#5
+%%_VUn3#emB=,S!E'#.T_JDi'qD-kp[(452?R%6q1o_YRLh:!L-:o$_Z\,sF7%^>:pCVF#B'oTb+Z.aP]nL2_u*#0p=Ln?Wl[]C7X
+%jfKkH!DP[epY"@i@^/6oZ9'=F%DCiWEBLb7]G._ap40(o7]^FPTp`/fo@4X!S6sl1(2G_+GK'>NSFTGIT78X(`a[JQ9H>0#Q)luh
+%g#B7M2ZT<;i`G/qc(-Z#6<kQ8X/<p+ZG#B)RFE:e@!W&0(6c=%T>(8Zj/7^unG84C[k6tbpYo<&L@sRPGi#fZO/k3Rna*Et@Xfst
+%1'n+6:YZ\9.::pn]:lh9:S8M-Wd2;A7.W>>H9fBi$R[d_@YK3r%^-_S%Vm7bd^*`c(?aFZ0(KoSQaJlm0l"G(6S6&;H$[eEXD&uR
+%Nu+s%^J'8_7hlU0qR4cQn$Hkp!Ih:_h1mkEB(@GD,,aVRd=Ad79#<ts3@h.NXT#-\3KMq,5@B`L>ID%ca$3eRra]u4I^nn%_&0.4
+%Hq(lDEtp6+X?_kWf!o/QYuiXhUrY^qTl<ZU*P5]kd,;/io60Jf'*W^IATWTVG7Hg6E`iZ?WBTI.)*q]3/LON_oe.9(rdZ6"fSF\I
+%[g\;Im'YioPr#IF7l.+a'VWdG<<Ha->%D%62>V"(1'"eE4\<%B3U!(pS^^kgoZ!^jo2kCqR$2lD>B[AKWi!NO)t_D&9p93bm"Ebf
+%/O&""*J0#8&:",ioN9>U3PXh$$b<hBY22R[S*qP@7Bos_[QOh3]QEV^WUEka?r,q=dq?E:Ql__hkhj"!L1e5]m(#hk7[j;Jr.sjh
+%o0ll3YSmPaf67jP\F!ALEj$Nf]C73^'jo_'TI5J]Parls'jk)a7Qs$7>cd#%%2UbtVt%Uo*K)dZG9)e<Tch;,<P<'bN]n=mEarUX
+%Es/b$<Ta3I*Fd(QcAer.`MEmNkHi@$e'/P%Ko+F4LWra#\nJRDe0T!]^NNN%SYmf"ToVsDc`b#;!qea`>XD\)YEgUTZsNE:r9jH[
+%^2+I`RK*`1\ZnNg:Vg\0S8^H@UgO.FPS-Y>RZ>6:,6`RGB2?iUVf1UX_EZ>K*.-Lg1%tV0(W23HS#0f7Ji2hY!KGn6$L`Ib@Vg(4
+%+O-JE?%XT8WYK<Y8R\lB*gdhbb'J2Fi@H#S%GX&Aq2opMm*!SP`JW/`>!/+Y6V;Uhi62I,C[jk.gbIrhaID4*2>>T*5nE4M>p7cf
+%;#5AHc]69tjk:i3qYg*/.O"(<2^oTX6O2-I1H@0C$3lRA(c\[Ff3T]:3hLU;\[OK(MKS`.@_Gn;:?o^J=2c[U241ZFX"A[Y5<Sl%
+%o!Z(J[OcYfeo<dF_N0\6b9PSInZJX"*_B^ckOR^V5AqHUc6%J-DgWm7.sC>Ar('5'E1L@`3*'H2IJ(;qEHtNT[-lDjj47Oa6k7%U
+%G&E^MD"oa_HZ/Xl*q/b$@f<gpRl3L"qtK=DYY4DD.nQ:mp)Nk%E@a$H@?&0m5TnCGU\OT_!RXT0I=Cb`:Q$.3Aj8'9-MLKd=^mT@
+%i87$O7$mlgX+R<GD>j+Z,P0!iI;o%]&,4Ot3&it1/iQo>7C\sCL>r*n:S+CFDK"eOrL>WacK+0aK^7W,=AqQsK#.8ApkcUXN"2G,
+%eU$<p[[attqAF+356e6,f.:9"9[/kB*\r'5]$=*0<QrSm/\DG^:HeQJ`9Y6jO-VDf&fNp<^AEB!pH5s5pA<1i7XE4GT1?kIH1QP?
+%BY)FS`9>5=>urrXMaW5BhO'pl+Rsbs@WA_FIk*Htn'>[?F'fH=B]92Rhi.J$p;C=9erH^DMn@DM++?m5nP^sL--9,`cT^o%oX#Fc
+%F\Bq&\E\N`4TA+S&'f#4QVtH%c&s1>q*fK[+'LZc[>M!Ap>c+<*`\R42pNH"\,D6,WFFfMWqjIIhk%K,-Z:l!];PCP[:![/Nf>,M
+%!E-4;hmmO3n(PBlhnK&:I<XoMKc>7(5Bq/IcF#I?((SEeoT87t.bhU'G1UVPFmn1^c`iI3DuO@h\)2"-[q'_)Yu(8<[qY`bg"BLK
+%1E/N:U#@*RqQKCeK^bq)T3A2CIh[..7d#dt=UGkCd@s50AgQ1gCYQ4"PKkc&Q_Lr)WgMs$27p87Q;k4]"^lnRLSI./X,(\_%RsiW
+%s3kE3MFW[^ET3bjdPAoDPKcjMQY6p^8)UYdmL!h70Lu>K6ru8)Q>E09YMt4JG"+t*7">B)*DcaAKS+OC!BWXHAf-OAqTq6Oa:o=7
+%]So!MSu,b+_5g7ji-.)uj%'J%=^r6hABO[)QOt_#b\-'A]"ssZEJupkjT$ninj%f9<+d&!6%DaN\%.sH!FLjsak'-qQW_6L3&BW1
+%\-CtT&=9;Bp&k[gj>$c"_-KN1$^"_R-M@J-U,0C1o-3gJ*1Z/9MWtZO+M,q<ft,P^ED^"#lL<Ai(KCjC5WQh$HOXst/eL\O+m#Ij
+%EEV9QA#`ULjbNAOm$\%S3eX>?9.V/R]7=\B2oRpp\\=W]#eH[+3,29;].Up;!H$%8#S>-K_&a.T71=X-0*#f;["3HL`F\6;h2L?i
+%_@H`f-3M?+2NXY*#*Ks_g'`a<*Q2,mF3ksQ-dZXD9$eW3N5<7YN_E[8kOMbRZ]ZmNOLT0./A@'MLDW[Yo)oabE'>Ur/R\(E)-(fJ
+%6NMfP1'autHD;Y:+N,;98dUL#4jKci*J,6o<AjqI!B+>>FIN,=[Lm!/%#La`+V7C8#oO*ZJ4rK/EpX-]gQfQE>;0<4He"MB;DAYB
+%J?'6?0*FHoFOj;_X5LAG!(!.Udr_M*_4TL<'"=eQiNE[f\3u+)$FAd]N<D1JMsG]+?oA/8*)$rJPe>M?aL>j5.QFM>KTUVQ5QR]j
+%#g+!+HQ+]2!"NV6"NE%)>i.%#d8b.65SlKp,%XF.PdEedMB-diD?U(%H3un^I7&T3RBed*3+9dZI4kF#=VOi"SOR%VRc5t(-iadI
+%0_WhEfL,AR]?r#iNOl$c/+.1<F1M^3`'IQ<:e4CtJ;*<\HCfCK+X`*PFB"bB`!G\GA8G)0*BYQ&6s,(<n%(+pSYiQ29U3j^B>E=7
+%Fgl":#TTd[P9:i[rPF(Im[T;pq#JuW-M4_PX$P(t$H<fU)dume'c79c\M!VX"[^,r7AbJCl,OrB:e(qO@k!qTVh03q8fi."<SD+6
+%EWkqJNr&6>Q6.3IaRD;BN(Lt,(r+Y-'W_C5?I[j5(%.M'+p0[8LnT_"GYJO'+F(lZbU>(LO\q70L`Z'G-VhV5&<>(8_%dO08)["A
+%6'9h5W977a_]dAJ`9B"W4.u!e_T!DYY00,1M9d\?/JN`1&6t5JcVD"%Ko(q1%B>s24,>^/7WF1c[OjoZ%6ukmjd7Y,S:P?8l5HtP
+%#hI`#I#a;T_1B-84HLkP,V1JH2cUDA/>eB*%<4A1$3UBc,L]CX_OT89P3=8?mfngJ0`Hu5Qc1j4N)<1Oc!&P%PQ@F*Khjtr(Pq5t
+%e/OX+:jY_6:Y8U>!t`,V)htupp^6JL>7lJB*/[^I0HOFb[5_V8!luWn:Eu'\fW5f.[c7[1$"@Qba<*P,5u7X1Wj<-8e-$[e*da"T
+%'A&CT1YW[[qljdbn<`s=!?&m#=hIX*F`VMq$o%N[%OAKaBV6$ZLB=bbd5M%h<eZ>8G;nZ!E`e^Eqk5nbm*'5]AIsenf@T&<Xf[Q-
+%a>sQG,8Au!TS]D7(T;6(@3?nSTX$=q;?=Xra"ZE^*XcI43Q0Xf\.B^S.eq-D!9\S7)$4e;mb:a+rIF@5qM$+oWC,TPE&j.!_35L@
+%_*Qq.ab4&1.Y1B;#!aXJL'^F&kUIc@=@WY+&"t't#F'"UV+6dW?g`U38-3Ng9f?"q]o=a41_q7/+5!CR:*QCP0RL5,g0dW"N#SL@
+%R8F!YmQSYtgR@I6_?_Jj$+MA"R_aiCLn$.$rW3C4d4%lrAlesV(WI:KhGXGP5L0O/aF=cW&3snW73/rD!P,0>3DLhT)q`<QNgnD4
+%dKXXZfuf'b:-n5(aWO\M0N:6mic6/XLr,uB5e-l;3L8C'J\f0f0An/3$K_ss.+f\DLSE]NK+X&]gY`g2f:T:Qj4;AWAg(F&<"X14
+%m=?F$NB'ph5:qnGK'8Xo%<.t0A?iPmk!sI:k(l#lGG=C\eJ9SJ7$md)<sp@!2safi/T'_dM\nC=,d*stBqUR0"sHC^q1u-Q"@[@l
+%-:Akh*!%9-8<sDURq<pX%QF_B9#1W\LTPQXR?53*h%94T"RAIJ&%<E'"Loj22")ng,:&sY3mGb_]%"qO#*KOfSe2Yu`0:HAN);jL
+%JDD@c2F1u-g'BkI%V=:U%2Lu,[kh-dT\5nJ<1:BTs2Uh/q5qYd6msKLk64KC('l7ULI+QWG9`=dT:l3JReU-sh>^-AU^>ZA*du3V
+%Y!5(5cPuHW(B4;oYN6G.pq&X\qj6JUYJhY5o>WKH6(@h3rd)d>&_0\$)_IOLX8hi5034r>8G!o!pUi$=hss;k?GB8$V@d4cF)_rd
+%mnmKKds9kYbI$`kX$m/up9OLAjOXH1_=Bf*N)uL8X'DR:g$_AVB$^9V,X45JIf"7PV*8D"eno0Bd:'XuV1B!LA^^uVIk"?i']<A.
+%Iu]!*lU@l+8rEp&^/M3fT`D1dqN^D,@DeE^eGp`A92:;$/5iWGXg\t3_V](`UGZ#SnUBXJHL/U`UV@PI?bKk6Dsp_'/QefWG#g@/
+%?]c*Ka7Lo)Mq&e$XDofbXS-8%%c)I(^"DpfC+2?tdbVqRWKi]:XOcT24rIKJep6[g5SFh`)u7e2dMiAo/6X]4lG(K'RH%3W9Y]D5
+%fs\)N:]L"?/^nISbhD;VA11NX)cT;#pYIRBs/n=lme#Y`=i?cQhgP(>nWP>]Cms'9ZW1k#+eQUDHEB5YQ)N30&\#F-IJ2HF.B(;E
+%*P1@fm2J8134*J_Uoo]7#6X0ML7B$[>889*'g&k-`l"h%\<"Zh9[4h_j5]S]rig"SBBqc$<?!Ig7I$[eV:S1Y>G\FHl-M_F)q7O\
+%q=FJ"99Da%YP50c*c!KM3`BE&-ib-LD:GKsG(CQ7D#n,BB>AjQS$?N#q^Ji7qY?Qd'k9Zo%e!$Iq=gQ7:.A:]pTP!`k1NI\5@/RB
+%19NWTfofd?PB&'3lEc2[7K.1[*_ip2(OS6?[2:Zn!tE;n=WPWg3>D.ZLAWYGXdIl/h8Ck5cM:orU7&$(mgad7"oHhPq0k,e7JQ81
+%I9Qk4<&fjSSkBN"^2diFVj&7;HHk[5n<]=r]TX.ifl'(sX#BO4q,fFrLG:$H%18H\=XIY0l4kNW]]&6Bhn=cXm-U[/DA;\W"Sl%9
+%Z0[ATi%(rjB#3QJ_>dlB=H/&WnKFO,?ed"9kDZ7`5BLoZ0rS+i[q+G&=hVBM?fPbE>Q=MdlEOI7"mZu_(R8`3Kr0oce(:aj(&aA;
+%PP/@u[2Xs//!!fHk-MV)k"Gn'7-QFAG&3Q<?>SQ^"(1%(Q#>0'?p-r*0A>pkO@\QUhK1>.pXnP/XD6pZeneYVU!KNG9?0Dr[TL':
+%kfspL[[k%9B/mVu<?m57PoIAPmE?.;ptcX6pY7harI\\9%NSk7Wd:c.]FCo2<=G=BpnjZ9S2l$Y2ttJKT\08@X_Pp^;ec+)Q,BF8
+%<G-`@0)YV0:LChaqnslHcp/QEXrU_,B]>'_?FY7VjR(aXF'nQXhl1,AE0fnkeQ.70VN'CH"`+$l7-@_=NZJ.G=O8N\efWPNihLq<
+%*G7:T);6Vc=tj^c_9\Nr]%Il9U<%ma859'^B;][<>TT+mF2?"5oj`XKhp&i[?r:!C`pt^eqMa0SiTrT0e+DE9LFKn0.F_klq587O
+%D\&;Ip%1gAgXK>Qo$4*!UO_R8B`7Z'kHEW[i2>>?=#L\<I-J0hUH.DlhhbaOiQ$"\J!_(R3bh9jip`Pa-P"E*Lp5cHr`A!J+Yhr^
+%N6ogOPlRMgZjNJI6[o5>fi\[u9u>S[ab"A:,&j[@h!_BWIcA1tDs('^C9oW,n9+G_Idb6>";'h21P[mt_\)_4i$IuVc*t+=WNREB
+%Ce3I;(bUu^0aWGQjl#u2NmOgZI*%c-7MD]Y?_+VK^*Vt7Q>(JO'kkBA=a;kZMqhQkVEMDMOmL'`:E'L*ZcauBqn\E6h9*cE@@$c<
+%+.l9Q6<ttZ8iLEHqr9k+BC(X8`lI8YggX8l3;S_liQf_BPUouigA#Ya)nit<H<Au?P28ss%c1d[6VprFf*F(:rL32!c`.s(!0BGG
+%:r<ONc]#@ceu#ASFWFi-aPEFLY?p'C0K'#&jLH_,<4d2b=s_A:IMaGVcH-g7&Y8V]E7^'OT,r\1hu3s>(b51rhMt[F:1$4"$@$"J
+%ZI&aZ:#,o2RDUGHZQ$pq(d)[7Up`C)bKi9GYUjh`>s<8hLXYd4VjfmkhQp_B"GMHPqDg77S?%E/l_SF3T*H"@]PVb$)5oat]6kbH
+%UXu%=e)JTJoN?qj'5$srVhK,0i4r6ZH18*0G]78;LKMFdhX&93a6aP@LEo6eC<\l&chb_nI=C(om8JSAhOAX1+74+7gl["h=,]d\
+%28W@7g<T<a*r>g%oD?:+34)22pIh=-+_]VMX7i*uG3AjWS5cfKpTFM*rR%RJZke)PI(AL2Dg1WdCNjabh1,4T[6&SN?i+ipR[IIP
+%;RVFob%.mJSDC"l?er;9mkoLO\uj_rXIRtA<D%pN^92M$gNRJcpb>4&rj/g.6Bh@!Z>Dj&0i+4Z";mQNiPD>:Q=>`uPn^M-KRp;O
+%:bPIt9n6i62(F_Fa5`@r:NI5*MJ)HnYic;e8_8jP#5VP?jjf,SA9T@J$kj0PZO#S0Cgq,m[LS;la3_fGntVeL6f;KZB:Wi!i#qS=
+%)fT;Yn7"()"?;&c;kR=<?OZili0k7RPu#mPQ4["[KY1p*d]V*MiO]co&g2X\gpc2J#['Q#<e_&IOfJI11mD7Hnd-NK#?;SsCXTn8
+%A?IZGMt5jM22*KT08aZ%'D>McpC\5F_"aS_&Y+-('FSRkI$5*&)=W0`lbo"kZt-nF?"\$Z$QO+/-P_hK_=>.TR^\SZTNR"YXp!eq
+%6$+ZI#Wq+;RfQd0^;O=Y+;[OD*`HKG'(b^FJ'^$+<6J0U7)7"43IIXJ/07\lF<Jj#@;t3Jl7RDj&#:!ReRNP@q?!)t"a*Wc-D(E_
+%@tEQPi^4'1,r?t<.\a5RJOru-h*"1c#6TfK9&L=i%udX#!C=2_\b3<81G/CZLdMrV0:>0;#]WT2MJuu31G^r#OH=TZ3&cB!RUgdj
+%o^KX'6_8I?XG/\QQ9Rm5DrH3KiFj:)0&\e"<9,cT)"j<Ak`DJ!);q:>ZN85.=n.1T3hD>FC[&"m/s@Uf4(QqCj8occoNsA1ZEO%%
+%:#b:NE!A,%!-OH$[Y+&#@4qG=RFu4\")t[U,V8N!8)-Ib9@1eQlS+l%2?QO(dg@)Z[a'+&iM<cDmh\5#/33(GA=*t$JK5n)f2^'`
+%3]F9-S)!$j2A:V8R)2PZ\K]YNMS3&h5OL"IFj#Y5H397]4QVl'T%CgbNF8Bi`Fus%bbHP]Kb;UE9DGV6Ka#^'a5\maC5d^_"]'h9
+%?th:Pfd4F&A1drq"euXH/did/R\'R=+b8FjbCDP&p&tTX1ZB$=I^5T'cTi"L!M2D+I@fkLKSg8<<-`uqUTPd2#q#D+OOFm`r'HbT
+%r`J<Z!\ZB,o98@'d3V&\`i`rYLs>8lE?i?!4<F,5d($?YT+gn%>''d*!BI+l;[-;O6!PX?b>EL25ZV!QSWH-:CE4a!_KLG?g?/,c
+%NEron1uX4U78=iS%"UYDT]5BM$8k)&")]Mk:^'7G#5k1E?%BJKqiF0mP3b,>Q#86A;@-]$>mk&g!aos^hl[]qG(cmr&$nQX)4n7S
+%8M(4dE6LXi==/*cJh'lLeBA(%2uk:9%r#IG1)VhSrbbGB3:'!(/lOmY+^?(YkCR4J$:7+i@U8+T#5"<K?>ST=LT*Nm*.VNRXm#7b
+%p]Ai#=YPD\PakFB-;-*O!CI\K'*2Q%#g)*r:d<%ek;$"%#bQXu=_WKB+fKs+Li)KG;LXDsTf$CoJ;$Jl7a!$BbA?jRNZT\N2`Dm!
+%/Vi!KktZj2lrHZ'LN!pV)?>C+5mc=VBmqj*W#dL,9M"D9&S]'R8dZ\++"GHbX4T??Po*98VAVZ*L[,q)oYCO$eQXC-HU%_$T$drh
+%:n8K_NW^$:,I8T<!)`8k/5q)Y.?+9(5QY22AQp'fG^I7le%nG+aT:=6^`Jag,bQi7>H<8T6Th;gh1e5]'sK-SJF+$U%Ci((,cL_B
+%+s8#cQ2$CC#]R`$n+mA&i"QIn;G'2>MRsH3J5=OA*si3,%J0U'5eui[QsD0pGBU^(a!(7MIJl%2/,R`Gs,aF6+o`NJEE?99!\Z_'
+%^:^YRm!g\`Yl""$IN'm9/+1TAS\adp'\3&/iS@t(r>gB72ARe[3q_;9hEu0U@"lJoJ+f/*@kjac!ZbCNWY^[A?ID`.,\-o*GkMRp
+%ZsU#&`,37mX`5'Z9b>qO;pUYOqJX^#AIs4N%mf"f!J0le>'=X'8;27,f+Zkh5:S3S_0:c'.17E:*aT-+n23TUBW_/S(=2jsl1Nrr
+%0.rpOje_5[[>P.kFQ-.NYIkkPRn9Q5VSi81o@()@JfK4M?X1ZMrM3VXmPTW@^@Q6,#O2K%;!dWl(B3]m'3Sj.\4T!rfZ+?4UK"hj
+%N1SV0==e&b.Mi+`kf)G8rRJ`AY;^@M#c4Y,^0WP^@kX&r/Z!>?Hf_o+Z.R62C0+G6bHI36NhA>i/SP;NRPRbMESkW\m%*(PZ*`t#
+%'jsS%ch;7G=?<CWWf:dc(<H@fH`N)@/)BO/Ki:#fAOD/hK3N+Wjgt\JJ!@)\8;-?SB2>W62m?>t<B<-J[3i#+!2e\$/R+:']l8:9
+%qM<SeV_"7l$9k+Nco&M69oF'&K+HeMGN;-\j]CirJt-"E]620JY;p:9U8?=cVPA@5b.-"!&$8:ffMYH/2=/hf21*-qqr1Lkm\MSQ
+%2dJGE".oBoS];2YoD=uOQ`QS1SbQkJ:Yp*McHQGYZ2&\T+#U?B6gF&MV]Nq\VAK#dWnk#Ngq)d,3>7KLV=M\r$\o9@<J_=B_,5C;
+%$ZHM5(bomuYa4'+4+@]E-TV'So:nUdD!ZOlV_"In)#eK$baQZ_3fTF;>K%*\)obKm)*>9V/+sjGrpUd(n9t>0H$YG7J.:"Ap?Dh"
+%4co3M3-N0HA`)\L+.)Zb25#0*)WG_]=@IlaV^KJnR3,0KZq9;'?[k]Ij+cU6Z7E0N%X)47qgRM^p=2K5%q2uYHXOk3<L]>^_Sj$,
+%[suq`?8-MB#2RpS[s0Kbc-$B=p:pS_kC?amR.^:((JfNL8<C3X]+-I5dW]!.LcLoMlka<T@IX:]XbKiRD^)o\4+!@oAFTSVa&_i6
+%(2LQnhlbY^(4?^o*!QWIHqfSD'WkHgZ/Lp.l<)>aMn<':gN`#GV6)#I3_jZe*<./Vk<#MOH>'l:l41M?'NkX?I0S5kF6bT+*m]3B
+%h6V)lD/jW,ZWN(HNFgBe4"%$nHgb22ZhN2fER`k@G#2#1M^(&!(Y=_=0WJ&kq2Bd[76O#)<X2X^FB';bdu@Y^VlW*'^$Ft"%3K^j
+%R'/Ceig;YWCm[>%@fgYoh=KeBr,NUgN<leTT,k-'HgCU?8%[^)XQgflJ@&\XBUY?Blgg>R;'*9r'DFY]+#N0?eo>\?GHk?#+3P[O
+%j7o&TnJT8SeN_j`0HYSqFmGqW+13a@9>#"fYl7%>^?!-'P?[0kWL3<?e4%s$D*M=<qbWF;S/\C#J+ZZ>T&.ABfsAEJZMW"jCT3^R
+%mb^"9Do;L%D3E'a/P"9Mh$8A@If&QHMUV]@/Uf[+n\WC84#bCLf-Y)!PD[ei@m$YXn"Ffg0:P*Y]B'^9%SJZmn1[%dIt6k"*060>
+%Gg'[tMAt'sZ`o6cn\<>$s3fk@W7@k_)DG%0&$-*>9^j$)$0V(1kuBJh3M2a<aK/0XWG,cN2TAAa@/t]GqpL,/rtfUGo`CuRfjl*N
+%/ll`;Vj.$S.C>m!Mc@PlGplW<WEE(.E4Y(K9Gr.?k^:QqF;DgcaQ3WH[>LUs]j+GoR`(m"3rpiH6R]KZ0[i-#b[G'a$BY\\3Kf#/
+%\u\(<C^t^0-K/GOK2agQ6l(2?b4r*'O^:UV@?O&#0k:U\Ap)VZ.AP?i`j$hE]L`UTnSp!&l&qh03"$G11,tZV1Wb:2E(h-<LhjSZ
+%/gD/o8G^3^A=CYmj\7mU<]]p`q?5]XFP]mu)G1e3[e3JeR;Z\P#)qM!`6hss2FkkVaC/0Tf,+5g#s<s;BA6ep"?`oc7+38U$'Rm\
+%,R\Q(pai+hEMA]]l5nQ1$DOoGdiOH/Pdcc+J3#r1JsCL&br<0<+eMK?\f"XSYi`pd@Kk#TU+>=]e;SulQ?_%6;[QF+?j@$N'V2-9
+%gEt&CT=h<Uk8>_R.o'X=K;Kk@cE*5nfqFiU_@q1Xl/6Lg-T6-r5g6])j:;e[Ch_*fJt^fWd:22?n:!Y.P:Si\a"Al"O]0K0I$U!.
+%NE=K.n:b?P*57R<a<ZWkKBQ?eT@EMDnPm^P&DfB/*)T(YCD69id0U&8\iL4fJp5"@Q!>$D/ke"CjI>eDi/>HY#^<nT<6TAV'I$9:
+%__,Xp;CP^d_tR;b6/$r2:(EfBM?''b;=T\/.bRCGnIpqcP@1)3L;P8[Nc%@PN<q6NN*D`!GRfW/&.DZ63il%*aL2FCKlCPm9L-go
+%'=L+"O"J-oTTHJ$9"GLdfEI+dP.:f%#ZN?u&:G2Rhu`?R^J@rm>g_O8.;!\OVQ7=GLifF74QS<,*>2id/KdE.o1<]BP!o`Fk@BS9
+%<,0jK6#,fO4B/>E'Wi[>Pkru\Q*M&l[3Z(,&t;-UY(ucfRBB4H,U"<U_'\V+=+nVOlD-fm!cjU:Kg=8C;j[j.<#qIh6n&L?fYMG2
+%clXEY&82H[OffNOLg\C,aUc8#:_js2^S/QN:(ieCkRnlk<W"d0Zn^Jsp_q#HaG2b9aMqPfF*j:em)&X]#UrtXS7WWsN@'EjH#\D>
+%I-RsHe%^,e"F]PK84=1m*4hoEZWL+7EqMc&1-J+p=H#\"lJ^B0.>/611chF@Z:-kc$u&RG"IfF<6BGm-*6(#6Jm*\CQ2kfa%7cE_
+%a"Z%!#SQgoWcSXs/dp#?nc6lFN*GD""oskqGROh=GgJ6lWphm;!eOSb7P]+*he!o@a#'#q..e*(Kh\X];J(\AU&rNB8-l"X:Ml3U
+%Lt8&NK>POOifVhQ,I%fKY/[Ute/53OU\Tcf/ieI7+q8Wg/Q_EZ7!8]8/`G]pBgQ>#*7L)5#M(>n\As,.NohJA'hM6[cOl0jQeMVo
+%'J!G"6%MP4H#?Jq<Yj"ud&gD<.87Yp_$eL??f4'9eH1t-cBii?@-Ci#V\(#V@=9e7p#BHREZDq.C;S0RENFLjQj#2ai>8d@P9smm
+%LQ!)S;CcQT#!kKDW0Tk&:t'Y7@%q$PF]$la=@Q'.!/r7<6%U9?3V5Lg(pL`fOrLbr.iB[J2.M?OGRb(f)1nD)3.QXMOID>n_XMpi
+%HE<SbNCUp&ct-?M3WplmL-a"[N16VZ#_5Jb?>B9_>U_B--Hm6%k$Y-o\/6t6'!db24<_0IJ2MVC#.PL`4A!NF1o69rS&O0/[Sf9^
+%M'jtfI5f7lKc42gh7+.;F-M@\MI8b<VjVQaYHqV1Ga;;?U\Kr6`t!Hi/$rcg,<SsSeu-&p5dHfDJilo1'.+<D3V'D<8><"TU*gk.
+%bQ<F*X_CBV:j(2rVmFY(hPVObOg)4OEljIY"6ho<ckfBL7$p<KOKnkOE/h?pLo6r0"V&>7Yf!JT3hWclA#dod3_f8u>=/ZD$>6\K
+%BumETPF3TtR>0/WF&WXrgC^:L!G%8f:bp"$*Ha;nYAbRuMCtc!*0[V23j-GYJSDps-4O]g?3lW;S]r%g,D-E(/)*d/F^e0,OefcT
+%9uoTB_I9La`jLrY#!qpH&6JoVL2e\Sp0c4k.g_jH6kWq/n$>3UXb>AZ61:8.H6HBo7-eNCa?4jDmJ)Y3Zo+O9FU`r@ZJK\*c*.AL
+%*tZN9F_"Y!:T>;@<*YU/W)R"/:"#9kV9)'%nekhO'gRkL9XJ38q*"mrZ'Wk/^+JDq/=eDYWEC:+Z1t3YEn+C.c:DIm(I93Mf%<HO
+%fgniqX&3sTjV^u@N9Z)FKkE-2MAb]@C-!N)'U'4[8338S5e)@R1J8L'dh]PH"j9Ish6S+%!%<R,K$iQ9=dB@fA@+W/ljm0AKi/'Y
+%J=)[bKuJ8JAGRd]1c)uW#=@T7-b>$KAe=;HLkNc)M(Z%eU2O<HS&EgUP8-j;(.4Q:39)\0*@AC:e55<0q[BZ\SKZ8NO9f%mfk),O
+%&6M<04l]6p5n?9Q=X]to(sE`;S$3qFq52o0mKqX5_4T[74"D%[N]Q#hU=`%/`fl:iLCW"eBb)?Gq'6=L8hB?$^`$h]$C>K'U8dR9
+%)_D&6Rb5"jJAERWC64-@]&nO2jn#TRC@+n+S(9-PG,GY,i2$X9_"6n%+2S/&2Ts*4(<BXu8F=1o<.mcUODNprNtR(ZNU`R\dM[K>
+%dL,!t'i%Po'fRkpO>Bd-Nc\+b3DpZZn0-M5*`b6878k4L2]dS!%t$>:=]cHSct+OcaGhDt/D=j^$__(r$tYd-*IJZ_4TP"5.PV5G
+%RrHRm7FA!NgEo7._o(T#38Oe^D]NsZJuJ2EHjM)'4br"n&k.C3<a4]h-tCo^@>'^%-mU@707]uY8Xn`H[qfuBP6N=kjIf^^3Y[b=
+%mU@$W95F$Z.e82UZEQa*p<ZeG((QR]]OcaSA,Tk&kZSRh=QTUJm`*UZ@-lt1-$4Gs+h(F(9!X3tN?'Gd4&J?1)@?T$+EjL+&%H#a
+%%k`^;a5?:;Tn,s>T2$OiTd@\lDX`:anR4dqE$CGb(/E*q0(ts=W#Rgt%2dH[&6i(&#2Da23BYI6N+aAVK4@J@7i[bi?'VOpe?osi
+%,(j[3E!gU;b])1o\]i<TCEFp-)I)6B*!]\Dhr#LDPZ"rk_%3]g]]GI#'F0J\BO@6VX8n_kLO!CSaNb`"/1gK;l)lW.AU(5+M$R.C
+%gB\%R$MB70-,PTY[[E:!UX>GNe1ST<@B]gdR'TW93_a0N-_;S@lq/-83]qRo:(@B`BJTi3)oms!^nF:q2Fit"1d$O(a3fg0W\'t4
+%ABJS/%5OBJTtk^"3?6!nGVb6_>S^Ir\u!Mg&M)1[G7n@FdT#'5Xo8kK@VHH0LTdE9atn_OgNCF[7(UGn$f<Y+^Ck8\a:;Z<.`OaL
+%SAqY]O;:TZ5rrq1@K$j!A!l@@6RF*REaTeJLUX3r.LXhr7XJ-U#Za`bdk"iP3pL!gGbP^:hS.*1)m\Mq2k*.5W4;#SRNjD#.i1lF
+%Rh)&H,8`,&b"2(CO3^de24YAJnfCQ$,h,L_-ug%/95A3REGQUk(&PEnbMldPq]Qkl^s_YlSS!,H!^E%dBo@-]ZeGZlQtNWZ'E'=.
+%5:#fbi&2orFpPt8_lpFIU`nATliOFlW$Xo:aHG`pR48b"7LmXZ`SVIK>]O3V+`"I.YW+890Y)dXK+jCC4S04A\M3*hX")++iPGV8
+%C>sOHG(mY`N&[s]RS^^2O3eW:.7B!UfN`Sj[13R.D;)h/MKl.0)+W!W#*.,b$+-&+;74:A<EQ@\16clA(e[fXXLgO63[7]Nf=gEi
+%'mhPX!Kn?H14RpneUb^5.8hBheIrk?'J[i%\r^SE*%*/T[)l0D)(LPP3Q>J0Nd1qKOa&om;0bO'8+bS_SB6_6],[Z$%&f[J\Ml35
+%gWYR>=2*"VT`oZ(MG_sQ1_0:Kl%#!U&KSGt?1pG82J&m1kb&njCMf8o_SC\A*ChJ1!1kPQk,98XI:RN>CC,c(L26;7RO?B3;o>%.
+%fa7'TY0p;=]f>ckTIX9K<M*+pP\?7j#<Z(B/i;@.>_\+!VNt,1_[G(8R-cju$52U9_%1t0/eeRqbO[1*/^/g!'#Bdm]0]b?OH-p`
+%@G=HsY6iH9*7.2Np>H5`@>&]GTdf^>=ob90bak?T+CV2AdJ$!!WCO,NbfC=S/([5[6j"*e%rlhk`'d+,&V3RLU$('g;P74-ai@aJ
+%T95O.Vn6?G>$f-rnO1e*=P\D11N5J8Tom[(E\p>*gQ'XG0F(f<q/2m[L.!4%a(A7B+M?+m\1:%S0Pp_S2r2g^dO!:b<@Qqh:dX>D
+%$Ls?+Tp7\(KcDoWkRR=(K>loPo0b<(@&9!CF!JC/?VZ6IQKd$D&j;cq^]BoI/a?1!2)r(8aB>K3U'_<NnE"Q2FnA4'VsH`*)oQ7H
+%'KR`^(mCqJY_a>?`$+oo"kXuCEJL5<93)+DG+-PS-&TdclP]io8U-kX`a6snn"phEX*i[I!5$^f!ZCA\gUG@@gU'3nODZP0frf%q
+%3!>m^rlXPQ[3hG+2s],)C0'LU/_`06e#m2?p)TWECXt4\^T%gc)aK3:\n/V5XptCM,HNl$:pmBbmFsHJ:npV&VEo,"nW[(I"@2gp
+%+?;tA,RBN?[ap;6^-(A)6%bR:4mfPKinDU)@`"N_c%0gT5UY<`7N<E/'\)>oh$Ab+k-/nG6$11p@<a%)J9-c[Ogdq&RY9E<3JbJp
+%<Hib2B:;Yf+IEDhi1bX.Y`8^6+HS#r8-Gdre)K'0;%2'R7?%0>]E+qPPp"cLq:#qf6oYb%^^Ql'&tI+d;DV=Hi,fjN$4>l\]Ih$`
+%*!-[N@`!RXfQ#UCa$Z)j(bFbu1Vd#Qn[8`!8FU,_@VeuMRk/Sn)87Rf0EATiTads3K/"FuQ>%d<,+Q*gE&M,Hkd!FkU2tVoOFJm4
+%!Ue1rGu+2Q!%5Sm:(rS$QcCk:i$\8c1l2#;IYJ,"S,49bMeeeEQXK<+-5/\<$3p@u==")GrbZ\qJhu,40e&\'4D"X6)I-+(;Wh<L
+%WW2Y06W`:Za4B$kaN'"*#AP+aDee&O:epH.crCKl-<lofYPr&,_XQP&8gXa4&?Z\\)<RqjXtkG]\-+]+9FpUB<G;mGS4`b`BIN/`
+%S23"0qDMQk&ATr\>`":[d#iqC,soM")HA,j-nq"h)Nfj[5\@s!SuGr114UE'oHWYNi#qK=(a*eT=Wq.6Y/N%7PftM\Off!C10==Q
+%.I)(;UHM.&5naSH=!cV^:Z]QRa,qT]Ba@Fh:S^g(9l1rhHN=FEk?bCX(mZ$"[]RY;RYV'^JL&,U?$95aOdiO\-+tY9C!rBU,##G!
+%I)V?qD(jD5!%BAB(!^/S?-0QU%<ti,jS).ZXRKQe;MTIr%++ScT.bOU\HKVZS--6j8dmKU?Q43:?hoYrV.McIFPnQrFK#i[!?_fe
+%2($!:).LZV2B?/mFn"b?=8R^H6rQLq0UZN4hZsr$9u?KFbQ25Fg$rbh*_mr%5oLDDTg&O4*ll)aI5)?X(j\ercVT8D#YA1GLp@.0
+%-/9`Z_/1,3]:Q"a)4_[.K8"]3V!5p#WrsE[E!DUEkm(=B1nH]Rfr)6H-<*Jm\f^W7e[f]8-2D:*0s]GY_3uLg:,jbTAZkXm6e&G9
+%=3f%JgsM2q@QG]8"#_^*EPT2")RAlX.iI,rRM2eUr%QT"P?g."!q.#Y9]QS/26UbWM&DU*gLnSA)^`B!"Xe5E1?8'pWD$L1?s5E-
+%l(6lmJn1$SJi#S_8*gh/kWkk!/L-+NGC$:4fRcO^Z@;dTMpT-'!`nnR-;jkr[GJ:$!:15K`"89uO];FfT!mpSXs(J_4S"SMR*&-a
+%<(g>q!]e\WeI-Nb/K&BABV*IQC%QFrZ![XoRQIF`A&a2pcLql3-^pRJ](@QE9H0:T#>nDA!Y>d,bt*MI8fR9nd$LMHBJ.;cM3&mY
+%5YkIGG+98PaTX+!d@m+qYiP>J\L6[,A@aM#$b9X.#Q_Yn,qIB29S@_;R9kV]P5pot0uQu@/5`^KfGK9DBYnRSB>p,#d(r,kIY>Cn
+%%\!Ju/Z8`+N$qB\o4lQO="7=Z97fQTU:Z;G#\q=+o,V@_/?/^*c-iEI0V"9L#+)d[!-%+R'h_77J5h@DeWO`=B;KPnd6bH;XcT\)
+%c87:*J6+:lm7a"\&Oj)]'\ef@LX@K^QDRi0TA60j$^><HfotrN<%h=M=#?<U=eQ)9:;X?sbY%)8$+;1?4dR.]EVCqm24A;+d>;BF
+%-MrP_`*og_S"^%K80q*/NSGJ%=!ZDY3ljSG(faYKWiOJf`CA+2Rj_8l:L8dr&1DNWl4==K5n.KhcsZSS01Mipj;!C.9+Q'[h5V@G
+%Ii74C=oqZ]hTK;Vg8cq4a)L5BR.,E^n#FVRRMm0Ljm_m*Uqnn:jXq*TlM.q9aqk2-8Fb>$[apnq/$fpAVkF_!S'F(9fh!&8E)i'H
+%B56aK,pQ<R&eTqRFul5I;[EkDOrGBg"1?)j3C#sSiB[/AS4Lsf$:5T?f-0Q:"pNFSDa:[\_m7R$[A@kukG)j,7%U"[=6;&0$gYbH
+%@%nphC5%dqnb7X.PK+82*/"ktZt]P,)2-,'_PDmrqO0*O77n\ZE^8WG'R01ULbI-nc79G\fF$&h/OiV-WhGPHiK<%H*PTAMe-XJR
+%)"p:VbcsLJ:M<+JRML&OI&ksb^m<#5lpD3J9B-'!gH+hIR]6mC"Ouu_V=Y2@6A*arl"EE.=W0?BA9UA*_LY6kbW;8K)Mjc8N,d8L
+%4?AW0^cY!Q%#BkZPB8qWG/]2TPIJso&W"j"MKoJkL=C_p-AGG2S'>Y^L-f73mg*kR7h!/V<uDii""-TDM6j?gMng;<%9+oQeC5*K
+%mO5rI.gTG.2<b8A?*9peN6Z!N$YP:G84O2`";sthRTcR7KB2:lQWPFR(1Ea(&0t3Qn-$cSP_I4`%er=0C&m:H9cPL;9*rma,T7&6
+%OHBq_)hRgQaqQ!e+QgfY(<K(/Op+*iBJX(Y]i6HY+XmO&&e,0V1'D<TE^N5t4OKINS4ZS_.2&TKcefKEiq3U97[1lUClRF/bWfla
+%KNZ*bm<Ta1a'n'`.N'4_@1KGD7*,=\hD'`>"VZIF9S.e'>Ctcti4u]/40Rn'Z=&AbT(3l+nd*)<0i?o"b>Hk>*,d@+(9C]8i<hA'
+%0oaTimE7V(dh/52OhlR)<Z"G;l@b`Sc[nlB(FC-4d)$(iA7Q80=b3Z9Gd\f!^hGXM`ba3nP-7O2%AGQaV`^uVkC)GH:r!<0UhC6/
+%,_n<("s$[o@mD;-ZLE![LpFBH,^SO\LI=iW\0pZe,n$&:rZ96Y@^Zup!BH6`0G_NkCnm(L31nfF3AC,?(mpmM"C32S/Y%.Q.9S@8
+%2OK*!,F'\f=GPsc.?OZud0e89U<<d19b-_Q.?^bdD>X^9Kc=]GI[J9kLn<j%fCgM*&fpOt=Di]C,3p(aCf@HGP_DEn+o$]1"589e
+%:n7[n:_/qq?OFc&fU*6B$"FdF+..a,@0W=eY6&8`7k:FgM9C#8"FG.1iofdMQ$<&en&I/@<',-siJI9hC2#K&qFq;7iC&],&#u5W
+%foSc&jC"M1Q607T':^RX]I.d(O;I[6ecG^K[ENO>Ys=_#D-Ai3T'63V$6H^m=paoK_<_tX!?:iR!@'$N@5:PB06lO[L+%D/o<EFl
+%:'LP?iO/d]UPH51!i5NVVIklI]m)$ChHn,>R6h2m18Y.dL8N.o?n)M#"2u)'h5_.?&-5L]&V<7u9dH9lD&reT_,;Rq#RE2\%Qagh
+%MJ(NBFG]<^^iW*Q$p>QiU*(p_pj=6LL"HB5hP$VNAgR[iW5OXmipYFYr"G#Cad#J`c,\p0:6'>U!e@Q#1!LP#6`3q?8ONpp$$V)=
+%RQh4TZ['&GHVdPG%RKQt@(nb@2!@\^WQ7SN-#0,D8[SSj[keY!AH:I9#/S^132-U+0oV4^`F3#07,S-.N9gNE,Psr4!aQTr\Dga(
+%]+KSKoRoW%,?ck^]3M^eRY!#Ac%)_XnQcVu:B2ak-?knb$ofjTp4e6_OH&+6a2an8Jh1m12iKA>P_T?7Cj*^ipj*_rJskEH)R1gV
+%iR!+_+,()q\)EVj4,0RDWXep'acljm+d'q*$"a#F:jcI]$Z;nqD!]n?]h:B;TiF2\eAb19'LcNb!$"D8l;mtinsRfji,B78JhTa:
+%e:RrN$?(Ql3hl'Eibf1J`#sFoJjVd7MBPe)^<\tf$U"Br*WK9>bO#'ZL]kDX>d50r.+BSenoRqM!HAf4*8&3G"Rf9!^]oRo9lh$!
+%JOB86peK_U7.J.Tcs-k/LI0uU.`SNA6"c(BKb-[Jd&\4k:U:iAKa3l].km_MZ',Zj:T;fH&Bfr@'_/j\joXL,/e1D(TEuVOUY@M%
+%'[I=SFcT'#/;'=i.+,7Q?dk]<VEo)59nLIhQO<%6+$,PpYiGsi"ULScL',GGL5B<'Qr;Wl)7E)1An!PO(H5;374TODO3@N*4J<KV
+%Fc1B(Hkk!3Ip.X[2(TJL'da,#S#.W(p;@_bPOG1Qd:,Yni;a2dhOVcrC(T?UjXFdE@+7]L,]!KHn7;-DB],F.liCXrUC^,>A2#dh
+%5<@_T7$]/4>mR&l^1dl3(E?Z.^bp6ph8.g_&1L_0/>\j=HlZnM6Mp:b'U_?o*28!9m>B<m/B/GTRg57Abcq07'eTk_+_F@P1_%kh
+%;):.O]tbIm@$]%HJO9D\hc,$J9ju_lH;g1u"`^5heW':-YbIOVH2sM,er?I`+[86uE=5C-391AJ$QjqY1Y@QrDGS^dK%_&umg+g\
+%`-=<ukQ/5GRQC4\*2TF)/tpB,M4*uAE/fLnf0)!MGlBIdVM,Y*L[$&$C4bRR'$!!L0I`_]5W**lI'9M(TKZ'!kVO\Lra&OjGp=su
+%>rC[cPaPVm+M^nh>YEk-\Vs,c+p'VfLu:X@eRfA[#U5d]1hC3XalKuC_^=B$(4NPaR%8&"LL'2+Q76JB0ZkBt;#qIdgD:&GMV'6E
+%FBm`]\>@/Qb$tZIk%q]\EbWp`;9J$_AZIg+KM9`,M&$([?gpTZ)GQ.p?ULCl=MK6W*A`-/9<O/q9!4P?`9A\hWWec4MWHW&12\o$
+%`Ca_bQo.Q2KPFp`R:PkV9HmrSaD_+]%A,(`.VoJ\\<rig%e,:%_Vrli=<CQp_l0R0a5J;`Ps$RkVL>T\nW(/UC'FK2M6mN3O2Grj
+%N;5i%Qd3;X-:OZh+e+(3I9e8]I#P5Zfe"=C8iW[:kpX]I3*+.O<kW/I%$0Y:&;pUlR@R/V8,/FlM';'a('0%T"'4^fs/,-$U)sS^
+%7K*MI(%irMHO9sM\#6/;)<Hoq2KUnY9I:Gd"&Nt+/l<hp?)#/^HUS^F)?r5=6/KK0L:A!D<5%>4!@oVA,!&B/Bd$?4-BrPJ)c;Xt
+%Lq@;?:qA#_M;\>!Ya26pm73'5RafOP>'-H1*K&-pC4_j'PPnCqIc$eJ`>Bq:'Bt$$Z`q4V[%F4R%uF*:Z"%JdG8B:FFG]I@4Cb&m
+%c?3^IM-CYYCL#$os2G;O&H6Q]I"m1;)tc(PQVtKJVdT`lR!;%FOie$OI@;%'DbpL=p7ipam0IEXa]F>>O_'0<^0G,AM:;MF]pds#
+%9;pN6/=l9Y3e\J>N$1GJ1\po-%*K/!/&2uFq*f7L!ME/8+.ipFb[Y+8XDg:)n5(D+8"[]_`$NV4L,b>U"&"mIi#%oZ,%5lQ!]<7"
+%/b*Hd3u0)gVC):XNo("iTZMXlfJGSSV8P>AJM>IAKZSW4#.Om*2\)h7E?YQ:b'1s<_!uNnF2]FEXBC;&duhH`8&GlI.tAXtKG8eO
+%8%c^t3a#=%_XI"!SDgdY*"0ibggL5^B[,8j1r?"f8"b,/IKaeaV_.+)Of;8,<CS'd4^>SMVC5Ob:)s+oggA,DJ0*`i=I2U.@gONe
+%%#;)nXS7D9:L`%3#or)9ksu^IeG)Ms<csY9>S$?:l@9G9[;rbXe]?/)^_Q4:?6b;m(fiVsP73`&F=JaBf3l$?JV4'nKa:Fm$?09'
+%Xj)6<n?Rkbf5ug&e5.DP&P%`k8liglZG%#`i)'`qqQdW<!`DUm>FK@;_nt(b)!@l7$J1Kp!,-hsB$"R^QRlND#1JjST0l4i(mZ&2
+%mKLU^6)T((&*JY%=F>d!(t#E3muLc.LXLc`EU,V%bK@)+3^`caTUar5$!3X%%SB@9koN+1Bo?h`FrS@kOeiD"S^=!Cj6j55$2;]Y
+%-'WZ(Mo"nH\97;Qd&,E:8G8AC;SaA+S`G&OA3Ah,U8&U`PINrF@1?C.c".IKbM50V3aGA_U&tGJT%\CNgBtANNZ?ARn1_![+E,8h
+%Bo4;sBWX^'gm!dkIDV_r&RQ^-Ci[`'`O?,lOi]+:Yr75Y<B:/fQ6T4Ah!\eFfnmcIe#"<&J`0D*29\W9UM<]Z?;N&2_K;^m3&1eB
+%QFKi.XC*q(kQP?PANpo2#,jI]du,a/s3KPK0.)i4IDaqOE"BrH(i4ih-A)uZ3+IS^,TE4`_X<iTO8%?mQ))^jDDgA.flQinZSSto
+%8sNAjP+;4VY.d:2M3L@giV&OIk"3^6RmQ*=A/S>F7Pg+blu9m*KUdi$1E@T`TST=<m_5NBF+K]9Jj<R0jG&KOC4W5#c5A(FKn0**
+%lShF/'!rn1:fL%HA_7lL'ac-_Yq$!*BFu'lM33^X]ElG98=u1Ma9@=f60:?N;"Fp_V\m=l)"^`U/7,,jY_(b%;P?EKaiqW;:WZdr
+%91c+&Aqub:_D"Yb5;)+$6lV:cW@n]qn\hD=(RHi7TWHS.!&7k[Pa,^8gk19S"P=7`94gRib%?9iI#t.T+c;g:A#4HSM*$UK+ZPqr
+%?@U%%.V6Ok;QN(`T1,U.TG*KT/>V@4&jeFI3=]>Ndf<irC*tH.9bC+X.O@)B6ZU$Fr$44@l+ieE;6nme3C,b>!kf1]\;Cn\a&u\W
+%i(*mu)8T=0,],$nVNUfbS4-s,;,LXim-qs'e/1rf'W1ej!1(H-Q;c\`/3X,MOQ8;"#\\fDq1tPC9'H]B0PL/t#T=s>*rO,XYWkB_
+%W*:_u^GC^4/D/e`%hqUK8VTL=(]';XFCXYnp+h818]it0UAPb=!9&0)mYdm,!T,A%5tE73;:Ik"7$9B>Z=.&+P\+kN'@$W=o`S%B
+%5g;N0J&$W$R7*:R'7cJR,_@2;0.b4&?nDZl+,S280F:;G)4$9s^7<1g/\NM>-\^363*@q,8d#BQHK3qWnZ\gh5ebBo'X0uQcX9\7
+%"ElcLZfDiDSk-(;UBsdEII^i+g_`VNE.E.qKbPZaZ^c\%659S'dR5Blr!gs26a!=4bZKP2r'6R%J=%2>8tAZf*'eBX^qGqj74IIo
+%W=eXFd9AXcVm-sIH]7!>,d0Cg1k;3t@1>UoKLJS"?jqBC,#jP`_EJV>R0c=d)OHL,*QLt%_^WJ[,TS[emf>GUkX,tBI55sb7KGk(
+%8Bsc^]VlC^&qGDFJUP/_)?eh9*"epqM3>]-+]VC]@8<s5Ymh>0>h7i(-g)%#.s5"t,9XOa5[9'n71+'m8_PZI;F,c\,"up%E4cr@
+%80S"I<"A:)73mRXP[8?`h3X:L`X%rl&/r5>L2^-q:1<99A]9t&%aG_`fQ<>h3oNJ+8->:#,1;t9d`UJU$CW)'P[<g/_,;ie-We19
+%*S_lio$q,$GgDC77#4ToB8o>iTDC^H<>24AdD.T7A=F0OeLg:r1`i)B6,KONFJOpBjXKgIcB:KP2c30-JO1EqnNFZGUjJYCLmmur
+%;D'#Q'O:2K4Vj(K/Jb.^Le+S'iHU"V'>G.9%$6m,:cG3fOd7sR8pj:)Hm9oMnW"3L<+uV23Y,4fBTc>Vl4LlWP#ClC"FVGa\[2kE
+%:*:XR1h[Zfk3,b0Sba1C8p0-'Kie?O]F0/;6eW;rN<k25;_m9qZm:G6!i2dP0LU%(*28/IHjDY?90Oh5..eg.0OdI"@6/hb!c/Ic
+%9LBuFPs^FdEKOSX9BeWZ)K%!N2-/k9?'25AW+8S0\NuBP@q\gs:'V`4^e;Wq!IGQJ6K"Z,EZeH3-@R#(3`un"$_(W&LerU:PG,Y9
+%@uT>RKmKtt6:_RlAdeu%g4U'+,3<0h;S5Ft$Hg8q]AY$[#aV9Z?FWG#H!<YsRSV'o!=:O@1bij'2M#AV@Phs0qh(hM:/Gp)\H+!r
+%)I2$Z<35#5OWS9C-)4?NS[`]A'9Z+aTYrBjfoluH?:"0j'7i\2O9fi1#O!ZB,Rtq_U?n-lE&K%jG8R19.n2*AI.s"acmRcipWRZH
+%/&SJGqu5;gf<+*J2;X92DpahlOG590k1r/c*hP!s5^=k.Ti0<caS8FMa9Y9BgEO\',\Vq/#cZZo!O*HOm.%qaKUe-1I#$HGM6L)W
+%#nkk1FCDDD*Ce)*1_H#m`TV?)?8m_'%+nZ6OWFK(;C.GM;(3h3?cXUO;AI6"?g9781Ut6hdBJ!I*KLeDLO)b;O3&YEe)M]YW$/>`
+%I0'JuA4D_[VLN@S7^7)Jk'<,UN@K-krC^'D!S8W;raJi%URK!m705>T&k_FjS9H(i->*HO*n$;a'88P?W0@.8rO,h)_Tt\"q>@%q
+%,Ke1d=<!/r"\d(N%Z3G1O<NoO;,Xk:T.:cJ!\q'Ac3#BY[aEX@G"EO@(Sh)/X+TXN@5q(S'-R\/"^/;;aYHX!nuFIo`>jb,YH*5@
+%4rTH^VMl68E`WgL=(^A\Q*/`7jREGN;9B7rV_LieWX_ep*f<c!Yp`<j8i-(d$q!oT0(>;4ou'Hu%2a$YUh+2p#9*%@l)PH`RmuP2
+%UuD<Y+\1!#D``q;UNCbIHW8RU/*h@Z5==N^Q[.c;\0%#;P_M@L'q6#@_f/RqqM2"I%)LIL0LZ/bOHS-`Uk?^l0^+`%^.'1k8<OdR
+%kcou_kW<H[C.P-EctI+ZSlAQ1akIk48CsR1ig*it6"X5FF2tjhQdX><mbaEkonH\!-#&_i#(U^n.O>O6hUXIMFd[HhAB`7:A&cd!
+%nHt`7B3eT.ghZ6D^`*X$'4NdERWJoM_G=9*60f4q&V;r1@a^/@#uQG75d'ro9M,U)Qe`m\5]q+t\f4=J.J4R$])sCC>i=R7CC*R\
+%N[n7P,gZt5cVbCT`oP@;nOQbSk"9].a67XHdi0q,51=^nn?Y@#*AY:u-N8@_YJ24o:e5p&N]o<7,oQ=DoV0a#PVG[SfeZ<dAnfPb
+%)ZE++)2r6&W#pj=16YmiaWu]O<-0I%q8'HQNOpr6q+8_d+XlhRs$7Ada:'t;"X]C`7&`Ze?cYkM:I*/o.9FR^92!8mR_TQJ(8SK3
+%):Pi.9Jbpc2GN#gb'c`',ah]TKZ8asN.pmqVMK7AP`RZN!d2qAZa_P^J_lVRJ2il/G%&0j'D-u8UL-B6gl>u#([6iGdY_LG"p9FG
+%^K<hF/#g.:P+#fc>Hofj=I3I7HBN<W6%W/FPJ[EG,RYH"UK;o?aEIK?X-cj(?q<eEe+4df3#\O)l'Rm4iJ&b$V(a.VS/ImCLh%l-
+%0]V"m&b<#:HHE6t`nhZ0oN;e)A/*8_IjS'DJLZbfiYjKV9XFj/fg'oc/0"d+0jt&`ckb8)$j18)_,+=OGVIMf/EDVWkgns?m)pIp
+%E<?-!&.]?J&aO#h8*RS%#`\,b5K6+aK6\__!4t6)U?&LFH;0p2;^<e_dD8?]Lm+[T;)/LY8LC65`Fk,,-q6XOq^Wua:>d6tHD?!B
+%#Gh_63<0Jl.)-FOr[D-;O[kY'*`s^5YWfujalONL-`,9fYGE?\,0<"b&Z"/Q0N]"L3S(F5I`42dOn2>#RmLR@Yo(b&$DG$$6S)-d
+%rIbCK(<86uF59^c!^)G\Qh)iYbcZ[\8Fu_l;Ma=Fc/1..KCZN6R!&_*5_/ckEFnDGY)<m>8WYUeh@0@.=oW:qVCl5Q3NT\jZK'X!
+%A*(?]W-);(Q-4.\%Dqtr$Mg'iom5H>\2O3I2JC4tE7ioJ$*T;b/(_!:3u19`.fktIQ]FH.@]q[qYptfmU.&\$NLM]&&;:IXJ(/eQ
+%D2Zb!D@-oo[X:'1D]4bYjT+]7#;1e$Op^A9C;$g98n6YYf6])m"fZ;ZdFRjG92u6V`@-QYU@SD&NuLHm@7Xt1B`)3fA_^7#d-00t
+%^T/OSC^b[.nOd@R*e#i`N13_s.F+Ba*WJ`n:`LZV%D=?]DGBg.dAMjmi*S`+q#AG8P>"C>^K*^mY@j9W8B4U&^K=&&5Nl;GJW;JP
+%@^<rnUOS/3VFY".\Qab0R;Z3:cmqt=R1ndK,.X9?Oe+q/Pt(c^j#P.IFOc'eR^0f3E5tLK;#1O7F9A%S?KOO]SR433/]Y\[h-%9+
+%$u5`AF!\K*,5j1A`m+ot04Eh7@58V@d<(!P@d6g@j:-b)lDFjh>Y6r<fO)61>.1P?Q+qQ^W*I+^5rTKUNiFRYmALHQ7lRf.Q?4=l
+%JjYiYZV`_HKLt_<%Cn7meS@la4/[_iT*,!%U^d1k_c\!8\P$RQA`j+((27kP)5K+gd?4k)jJ\eTm.Sd_Tdh7@mU1__+M[dC"EnI@
+%D-!LU["c$7Z;S+hkr.$K?nEt2M"pGPb:tT,)H#h5BMQJ0FfR5bb$YlHP%&NJ/%k]BEJZ#W]%(+YYIIV\Wb+L$:9WS^=447:ST8R0
+%A]uGZ*&M<aWQ@!H($Ab<?#QqoeeK`;$*#LkKX3_@i;[/(P1:YsBi[rG(=inR-AtXFMXP0*.f@[4>W/(A91b.QF^,kZg;@pfO,'K(
+%bpS!D.F]7XLp"is63UPW_L8H,44Wc+B1k5TBW"a&b%N+UkWiTgkIOY\TDQMj>,A_!'`Y91oiCoh1;X7%IVq.1[d]=iqVqkOSKU&6
+%RMA.p2M_8!s%2NG)BB?dM!_k:>Ffc72.:pEXu3gK1.";'1hkHcBS=?.@lhR%)lQ!TDe6l1>.Pm8:M7cDA$gDpdFp1Y[;i8'6Yu.]
+%p#CZL.Zh.VOEo/;#qFeDU]K"9/eWt4'<@(,%E)lKFMmZk1P6/\Cb_lQ`,+G9gRN_+p8?:(ZnDAlNI/&Fr]M)rWfU)o8l+Y062.L(
+%>8qd%0MYM25;;J;7\?+NN2?O@\PX%BX2<hFq2lOZ$8_KTpg8LB00f;go:mC>/Ls`akJ*Ib=NiMSCCQ^?9G5s$Wq%VQ;Q?2rh6g2V
+%:TH4&+lEm@Y//s3%n@j$U<5uA>]3><WkV$<UX<LYkin-a.\uma37Ms\eZ!_*Z\01YggJ0-]-L>GPYJ`./.J("f[r'-gOBD'7712I
+%jh$^RYP*nP'9D>_RB"l;S^`OjQK=S'W"!#h$6NP+bgis,b(4!WrBH];W;'/j-S[gLAu#/^RnW\dK;U<F#%4/!L5iB$]9AQWgWaE[
+%D79"k;De]fN2UkY`gbER/PS?u]Km`eV>=i*p172faKI.sK7;bl2hJCl?*Xbl=age"s+c)dq**g';[oq6eL/8kCtb&*Ltl$Jd.kuc
+%0V%*jE`9@V,0/`$<2og^/tP%GAEhOYO\EjId8BX05+p1<Bg7t;,p=M3]_g@lWg1g]?TB]>1<nMYrSqaJp]'WZhRb\maAHe4R3:=%
+%-/4oKRC&\AiJ_A06`c,8>%P#uX];>!\<H;PPr"]\nSobA7h%;KD3#Y7cYE=OoAf0:15X#qC:'G3qqt!=s4^&-a6diK_if^%_*]eW
+%N;a>:"/T1F]TTCJNr7XG!<8O+a.Kfn,N0n-&S$qW)".bj61Et5Dl%1JjYgA2U"b92"qsaNCqs3+Du*75o1cGEhLp0U2teGJ21SAO
+%>''J:@>Ql!(osb:cF)#n?<\$7b)2u\epE%HVEc.04J\1^PAf$l?XtbKnmW*VEbR@u&`RbY.iX]#Hu8ib0PU1!lCg-`j2Tt$%f\.9
+%Enk@,2Kn0PP^7.1[0DA,+ofhI'?W7?c&?tfoPQe)Xq%E3_D7`u:5M!,Ep]PLb@Td):pZ27_*?9&VRUklM`X%V]o?t-3N[*qp4(#h
+%rXF;BZC'5<fJUGClXO;)O+$7^>V&L$nP<8,^Oq%"[h9ur82!F8VAKp-&0jiW=(3[P8r\>h(U^o:c2%MAo"KS\mh:0&Jb@pYiKd2"
+%ftf7Yoaa$lQ,`hns)p*d[kYSr.IZGFmFQ%HH\>WVj.QAT%TD?q[CG+)m$jQR`@ZBbmR`<'e[(mkG'hZ+6KBk*q!+pOE?jWi-\""+
+%N#4OMBXe*XbW'.SN^H8E/5i#$$?5h85/4edr2Yif0H#R4BCKY6f_f-sr]QWuot_?[#1Y$)]S!2j0'b-Hhr.t_Ie$bCXeu#'F.d54
+%D(ojIR/`GWruU=;j=nW(<6G39))^U-ro.P=J#TPld6_2iQTMprLG=Q,QQt]s63R8i:Hf^W[".j<pb<9WQVA1>I8G`-J4E.$`loe[
+%rhCiu<G'=?LF7tWD)Td%mLarDM%\5G_t-i>Q@^s@a?P!FA4Ikd7kH)L7jReH2pn!L;2FKmS*82NI_Xi0j8\>"'!<1OB,&\DCncc9
+%oL-f]6Gc1G*DQO.-]04J[=:YH(d^GBe))D>oX@];AJ5mYo;FT<bbMa!GK?O+TMbES8capQn3t?f&CEE[1H^-:JEEn77bm#':7NLX
+%h=r+T;h)Ooo8eb]&VCDC+^l<t,03'^ec@,_7NI76rdC@\gDK)Kn"W=hA]sO]*?>3$/V*\_<'Ml.GDG/t%gMX2EHP8V,)GOZ34r;1
+%@-'ri<ZVpKEA195O+&JoKl".Vc"VQfV=!K@co]]`UVFuh(^Vjf_>g(Kh!^"3qX9d$LqhQ=NK<q?2K&L(iqd#^>E[:;D"4n'HNf6)
+%L8d\eE,/([/7[fS=gg%?O!Jl**+^0gPf*Nq<(R&;TE[IAJ-9$)^d3SB77]-1hb&HL8&cN,"VtbNpOBqYc>+)g<JE^Qg?hpNb+ug^
+%X#BoiE@3],G8e?DB9Ri*>1"3/r>H2\,3%KGF]tB7UHBKC@=pf!)qLkjdONQ]?g)F.!Y"q"KtMF</i&("'gn[Nm+?PubM\$1`Smnk
+%$'q!,kT>Y?OTggN)5I"-#0$oV,%D<G!!=,QN5D'+s$QRKIl8l08.#t-<bk5,Sgs\W-AA&m*rX:Q(QB4/R1Pp=p-J_FkqD@us-=JH
+%J#>m;heuk$]9C>FETYs\NB&raokL&tdBLuI?*p+Mr^8:gLVO%V1p@[c^\dmK(5C=t\_ai,&8*sib=\bbCJT]f[d2.6KM/0g(<FL_
+%lgBIH,"@&um;06^s*HU(s8H!s4b/#4j]B.bn"*GW_Jpbij/S(d7dV`cr\^+\ZUk+/Z=KEmF!\.$c*Mf&LZ.j014A-McXSCVT9oT7
+%4Mf^MB.%\)&Yji"*nPn0`P9XVYE,m^?Xjkf:c+?RM5"t?;AorBYQ"#E9DC)@6L+#P#sSa.r[[/o=T1GXCg-<VonT)X\)##iO8jj`
+%m'RPn)5aC,6\:D-!>_KDRaKLADT.)61*8`('akTT2-H1=Or!.$STO5-oEbG.&<u(oDpD*&aS))n(A4.e''>5G=>1F"a3>XfLag;;
+%IHQ>\*3Sn+EkB6YT'O/i,>nmJI9tk[oP8<pS%bhSB;O?)ojm$\pWHpe@7sAdS.I9dN+Bk+2&Q8>DILo9aRAKL51Wq-]8B>a*^mP6
+%?Z$KWHr&AXlNA4CR-tFL`Vm_dppJmRc,Fo$d@I^F5=-V2>$3-3l&UEqo"<O>6r]A"(<FhRXX<im.)rNM<;Jt8`u0u5g[.cZ30!PA
+%N(WaqdIHMKSr)qP@i.pj0r.X?gqnGl<YR6TQG>J-\J`hea%^j7[*=A,%jN<<S*CANo^/a7Q[0$,8'k$WNm[If3BurKgL<$c8-u-G
+%,BV5q%"_'NA\`d!^chIM_f6&8!;%/4(&f21i[&@tdHZb>9NsBRJV]I+es@D$4!.CG&uVSU-_JPfEGHlpMcNbE+8U)QXb8b]eo_fn
+%=*c`<7kpSY-mn"E>N>.Dh8*/gqApq=TjN/Q55eae-&R]seuja\7MCe@h$d.%9X\"%[8KJ28imp2GmRjrPf:mj-f=K.Tl)Oc:uOrs
+%^iNmNCMbn6F@sk_NK9B?#D3V%.ggb38OA0FWHr_bOm7>Q"TCN"I+6Y6*lNt7mWMb@'b\A+_k/,-2#6?qn2K@/_e3G*Kq8>r2k@+M
+%gd5T+CA#sIot"\e/DJMfQ<UmhXJ-3sCft$rV=`U_9P0+\j.g>E[CW/=s1I*&epa`#^4+a7<u7*:k?F,c@_X51$P,mJfn-plBgq#W
+%fan%)XC/$]F0I08%9CpoXZmE:e_2qK.E,DKgpT7$H5nM@;3bWK;]`E0*BkIH'Rn`CUb.HBo4>qDg<0)ij4@6Ts8/U,j(2et/dta$
+%[F)JlBs5)mcn7<ClY>?I5!V%ml64UL3#g8rJ4<:KSQTgR<Egp[eIY77E`F:eTuuJ1g-rU#9'%#"_Du!k*GDB,lAd02[&G\nKkf/k
+%GhQqQ<Ki<?,dd$=2lrd:W#4#ILagTP.OcrtOnjR.Zn/q&fdqQ6"LP=`>&Mf?8tRC!X/fYYQ)+OM2!\nUjE3f@&!b2H$>M"A$X%%<
+%B#ZIQEgMYbknBAfL'mQSK4pOaX6$CbWeKZ%MdZ@]Y9s]h7I81SYh7K-:h4QJN(0)&1)-l?,\%/b&Rh\T5p]sW,Qe2>*['hXhgu5m
+%"L+rN7J65GY`aeM.lh;'5;)nQFOWlUKg@Gp<"]g76.4AJI\[nq_35%&6nT&])>g/C8Qm=[(.9u5\P+!BVYYW22d.jKV3P&GU7msZ
+%(B"hF.q`Ef>uJ`Y'j[rR].QQ@bK!s84oYrTjD*Ge,W`p&i);!*cpc//M4mp&)jrgYX%nVN_^qN#_\muDA4V^V]fh"aJgY#CZS3._
+%#a%oJ?iBi*#L30r+Id-=(=j8;$pi'V4rfVIL454FrD<g;nGT#CUK(L>ooL2Ef*!2pQ-<op7sfoITf)bCKjVP[j$tKkce:$SR/RA2
+%mg6:R\s'j8d\\P9S:IFV&,WKn7r($Q@hj@oX+8b(M(8/8FVhHp;B5DAG\>)3d%o2*0OG*ss7p)5#+Ls_9kuB-gQ(oEA7i]n<;&*F
+%qu6N[!rVf^&)UQSQ;p*<o:LJMJ-lG;&%H*R;qU]]rr,Cs1H[(IUlGuYk:'/h#@D[1aC\k?!%gs*>S\kO!+ESBquLIY7$<fN\97fM
+%62^+[pa]DhXd!OIFF28PCI$),aAu:PfiNudbbi<u"eW5_F%K)@i,4)jnJ?*ppQW$0L-#%GoQ^\*[g$;=_g^=8Y\MDA?b6cq*/rX'
+%5G\;:Ri\<AamV8NR):fm3R12"B^U[]0CXSGX]6AZpZT6Yq^n(Z(.Mb`BA('gYaaO#h#.1aF-B)nP>pIj(];R6Kl`B`F.]i>r7`LT
+%Ut9J]=,9('OihW$DR?^B\,M\7dLQ)>m1@10J1T!EN&LK+8Gs?'i7ZCFLrY+hGV],bc/q6lg&+E>'\LW#N(/DU=T!BtT0K1M$MmnR
+%[#"1iDPJD4@/RL/3be*'C"7u;U`H&7g=+5b[f^p0lm=.:ec$mo1JZjeOgR_:rPM(ko&S&Y#-[S^^b8SR7HR\`<b+,ndNrP$Q*]2;
+%1TPY%/*5`'2U[^?Y#$1We^#>>Q"oVLe!38+40@&F^$_,*kZANj&%R>R8o6]0hPlbE%Q5&&`faY@>I$U9_d$d=11`kmLmTkL.OkP)
+%/ZBY=D:uKdL)Z%b8Jf,$n<d&^m;(_ulE8lHO`FaeD3C2J\MD%I`C[O'lcD_.OK_acQVcmd2BC&>/(ZXtY0k:\=0>ae-)=d9Lhc4F
+%[jE1T2+!c1QY:*0Mb;Ns/N!&72N]NuIgqK/5=C,+:EZJah\4eOchaXO?W8DF7@qI>KFpL"78/Hb'p\Ti3t`1:TTuD_+.$$B3U-fk
+%UTO4#'AZH4S4a&>ZQ-2+W\kNl,]gV]R8&J-lHt1$'g`X%.rBRM@pCSS7gfBI<pI)!D9stS[AM*.^25Yp8'Q8o=X>FTe8Jf%\C'W&
+%&4M3:k!/&hFO7&@e/1c4*^$bRE0&ES&J[%Lc%4-ORalp7XIQ]tB_?&f$E\bgNm"gbg,ZM]PKKte2R5;19jRr#S[Nu]fp&@UTjM^q
+%bN!$CgM9rY]_gnN54g/_q.Y_Po0iol7D5`^)7qF6Ujctj_5EDYPub(fRj'=G)`DFoT[jGKcB;+Hfjf8/rA^u5WW$-+ruq"aIG.O%
+%BB]VrO57,?XIR$G7?["rS)[)%Gf96?N1j?j0Gl:h8p8ud80Y1X7(\/mK!Rb\V?kTmd"4*bR#8KGImu^mpL(Ch$4KGLR8&6h>mlXc
+%<\W_E^hL/.0H<?Ph[+_hb+^Om;T18_-7+dfdkZ2"8m!C[qN<U`dhUAO2!3)EaM(mI3\#gXJ[V(@cKU79e=*LZbIYBYd(m]VZ4L2$
+%JqC6YUHAB#jT_h^%>+B"[hTXXA&nnGTZOtap;uU!4dZF$Lj`H#%#QlgUN(W/ZY\338?kA,+/uun>jbAe/(h%b^F$jA4%Kbcmc%`q
+%P2[lQ*KIYQp5f_.07ZW&`#i/WrMV`6X%(?2=roOk=j<n)HOj\mc<.90Xb[q=NE'tm2FU,,[I4UZ6bAr1WgU)Li/,f9603f$6b-g0
+%%>p"b5JUmN\FA[c54)*l#&foLJ63M:BX\lA6jb`Y.&2nHXAY$t1H7glJY_>3:(WYX1`?Is_aqq/H4<H`@'_^gXO_.js55I&@6o'5
+%C,kWPD-<0umB@Ei'H%?-?#(X:;J<g8;Pnd3;St6IWGQ=Wd2N=%NO)C>UTDU1P&`CL=r\G/WN\EAPp&c,;%B6e]fYW57X>)L<Z9;Y
+%2Be>FM@QcQ>:s!Tc=a20c.8]F);$P8BJ^3.PLPIjT[:^j^WL7llqb?)C,_VNA%!ok'iO`V*_iS>HdJ,Fp(8\%8:tS2@U3(^$_f*j
+%#J72k$3ZhA-upH%'[;N8(FUVt(/q=H;s-D7RNu^kJg7!Vp58i[g7tK6US`<t:lP)rQSWOk'nKlJA)3Igao^P2`Z"lWAbW"5A0\%7
+%,HMrJj97XT3\6/<+YET+!!e[L$Ekk4R#PZgFu5mK*;OMQBT+danY?>jNQigZ,q!'U&Rq#X00Ak3\c@]r29tZ$=?f9$JnfId>72/q
+%PUe8N3`gjO)+D^KnnBC+Sru$2^gUp@NhWqAUhguHM`@ZZC_4,eEPh(t'(8HDbe$2s:;%rRVI)brVIJ[b+iSK[9?C%<b-fri_W0L)
+%(+ai:K%^Af(b4C/Q0nW6E'PPPr*MqYo0",g+R3j'j3Qn]IhlV4*6S*:S)b7.+N:TlS"A/Z[3VkS[&Cuf]%H_NRL$EqdHGYZ&TL-]
+%>8B\geBSXW2EGj.O'04]W-*G&Z;[cEgMQnGr`caoaAUt@U;a`F*U;:<"t*j#&-!W2=K9j<TW'si][cWZ6kicrS4VgPO@5N5n.3M7
+%Z`^<KJgo`fhJ$gYl5uf:UUD0EfUsF8==lIU>l3W1279i^/Z,tZPI6(4NgEXFah^S9:&]i/*tF$b%u@8t/LT:YA5u^GW"I2^JJQHG
+%28[m&F(qb;,,pYA>:<$?iTdr-56i9`I8M7*3(m^icWZe81,hToEboI4.sr#r4tqYiHpqd^[-OW6f<TDO8/3b^WaA.%O-]7\iV;_4
+%engo-bM"tB9P[t\44L:,j$p&7"dd8t[C8_+p=dNfd1gaX#5&=+d5)YZG@4i:91ABab&K%(02*W?C3dseRi?`p@m;#;A)n2p6n,.9
+%mROgp.Z:a^GG8Io3fSu'frX1Ym6;BO.p!,7JZ1-B;kL"t=e2I]]/h@@<*(BGWq.R9>$S>CN3K:a.,N&35iq5!A@7UoV.K*V@'q?1
+%+Snkn#`^%h!XV[I%E.*LUn)@FN<@83am,V.hR(ZL7i[d(4";gC.P7$+NOj(Qdcg`-Op&(-e'd8;LqhZ(UHNLCc]iK$"QOY_R]XCo
+%<b:VeNqE@6'(Ee:#kXrn[PR6\78mG'P;X_da-!R0MYGd9T4g^+&h)5;4u`"hNegbY7(f6=iYA!qYNUde746#(lA7G6'UT5]\r$UT
+%'m8#A9obs>H<JgMVDosrMGC*OF@*Zm)>2._88K7'-==S$q$N/'=)^RAJeR\i*0IG_KR<qJq8R9m=)^L?JrY5\ku#fk02('H'^$`K
+%_$ToE:<5A)7_U.OMf!<Kg'p':h2il8%6:0=O;$=W3MP>k'A<m5BfF%j,uI``5eA0[m910585Hk+NH<Nca9h6ge?k]!0A78gGUYai
+%TPuJ4hmU+R`.RD,/p1kU<$'ReH-hScU09mmTpDVj6B=/OoV`EiNuA^C]CHH14K>/sQ<-mi>".Q(g2rRKb+i,i[m"S)-QG0V7__hR
+%$JYDl!Z&])CELq:Yg#p3oE:]FXMDlU,>JM(ieW+0:'`i=OFSQN#WSP'@$ZjA?^dI7,MWDAEC.I'T[pS`[2:Xc-JFStb`(=k1)/L.
+%C2+:4:dIdqXs#A)<s>#M"jS/WSiqli,2nn&&rnstiKt8kNp0(oc;C%"KO`d_*-4H`0df(CDFTjIMi_duXU^J$L:*u'lc9]O2<(V[
+%'.2"[`)T6jX$A!XXt!Zb3UV]lj%cO5mZ<mt:8g1UULjlk<%cEic#IW9N]Wrs\=/k_n<W+Nf*Z'd=j[3toWDaO]rO'Y%l?T#!J(J[
+%qW>Z_DY5[,7/gEfZ,$4p`.,Oj5<W_fMuG4]F82;SogK?ChtQ/TiD;>d8pLX9TBYCXY[)W@Rr&kq>>HEuDd*IUopq2sRmo3ceRJ2*
+%20qj6*b5.=QY/8H?6%tE:k._$VD>dRAHqhQK\"iVmUo;`$>\\lJU:G-bFY?e]H<3fr5%N0ZuD@9^#(8M2UhKB@c]Wq,jm.l]rh7H
+%OXDmjY?u,eHq_F1&+=c<8$fs3cYSXp:(C'`PPmm`pFb\#'Sha3gVWa]0ndR<:bD*Hp):%&/2A-NWU00)#"QA]c[,<`r$mo`*XFF`
+%"5u/#?Ydpoq-<1[Kf+tjOahS.g+EPLiqhMY4ubX:ai'h/*aG;h_al0l]iXqkg/TBXc*p2l+]COlcLelBhYX4LSWd2?GknU+*_5eW
+%O;M1B*St[5ek'9n<3?u7;fAeBrGo0,NGXTSLrMtIn&*'53'F78V;"0D$%^EeC7VZ^\^i$'SDK.,__5rpWjTAPFm&[hOkm';F_gG,
+%p+_"&9m20JZ_Y+=J)p;m-K=)+NTN,2gmKFJd-`9qe">h/^H^6?530,B5*''rT<Hn<*lVK]WT2SQZd[P!M_h2.e;Lci=SMI/_sVWu
+%m2Jh(c^<O&=a5t.MQ'<NV_6;+A,AAr1=t`FYI<st@!<OZ5B#qH*VN0.Mm&8NRo/V_GO"b_\d]C\VhZUi`n&]GA,i,lV[ou)@f)n:
+%l4hKSouOi4'i*VcXLX(G8n-=m=2i5Yl9"E5fZ_hQg-*+g5L9&LT[PaER!r+b&)jFXi('=B[LK$S(<Y'#b8VD3:8?59gPFCZb6-S7
+%NF+jR<SX^]e&,???<e;6S\?/X?^l1A=qCMYcaZo?a"Z+NpWI+7UNOiLoIB%]s'G/dYr^]5pJUmi:0eo78t-'HLR7?2N]]FWMTO3K
+%Zd[H6-bb&c(GAp^L5IW;7GK?5(]@TKCS%`GH-WM?>3KYsrKc:(;(/cuo#2\mSYBH[!`.FV&*R7?!^>EA+'_5-a8ua'kHCVWe&U:k
+%=ZdflVn7[Y9<DXh\e[PP6/@7sqRN1\4k<:fNNL17R`/@7:@k1Nc'P6/;jW8_Hi0Eqr#B'K1HV_72o;G_T!g--O@c?GJPbIQO*EF,
+%Y,A,I`RCU>a6`GAA'cst[.850?Is=WHBGd%$Jh;6G1iFXKfqB6_qdJ!Vk]GUdnXi=N`N&1O4dbk6[&d5H$6+Kqh;N2X-XW7V_=BD
+%a1>#c0=9K[LM4#-dckfsoJ5Y7fUZ>rNr#*a7$uZlgMpVO:8QWKa.CG>gSE;RRo#g55@J`(\-T1I%poAAe7gmu4%3%@iC^Gcp`&V-
+%*qnn0NW8OM[Y['\2thYGm7bhmn!g9bFLn[A'K,a_mIEeA5IR>"Kp/3SO*3QIf[A$orEO^?P>8Fp_QfC=DN?/(qekWi:o!\\Y&kYF
+%k.3&[=CGo$7QN[D:'3PF\ikpU&4mOA:ZY?ZSZW(XYLNm)D,rmQEMbUXkVjI3FZPA.VPp:N86lCAbI]fO]iU%aD:RKP3pe+p](*KE
+%;p'=?f7tlMIr"cN,?0!`bZJ4$k=;U4mkq)(p;";*UO#Z#ZPD)?N?s6:C#"oUK`:;qA+e^?1&W.H+/b])^F$nDlZ_s(+19]0jf<:<
+%@VZk/qq*U)IC;!m&C%u@0AC3l=1i"I[EI)i]jt#&;=^#rD^OO\HfI2eC\q_E.k.B5@5Xn]>!JtpU_RBe^Wg\FND71EH0RJ/o<6L9
+%e=Q6]Y[['mfD)pkmE]Kl<&4FKFXq(-=C:<MotQC]Y@b2iFKa+ie#t-.AH1NYCL^2ES=-RJfBk_MhDG17aILjdVI*-;K2oa8`A2=N
+%h4HI%*A)sPH^iHR;nfX,lW3[nE^7D%K"LkX=fT1XD._;T,MUhc;Qbg9QO@Wl@ai`j9<Rk`Ki#q9hL;c;%[;,!UUL%c,@t?X:!fk%
+%]PZP*1=`Df%Pt(Xot2.keAb:UXmC"IU&"(q"*;#;ODnQ7B'.r49agCVr:QV-qt@GWhL96@h7b9:%/s9s,l!XG#>X0N+SYP@iBnu6
+%'s8h/\8tlq4ro*kf&OmGDI?Cb96TDiUA-WpXrXB0_J9'\CFq#1c.gPQo<3s@f932o`a3pThqBW+n;8Ma@*h#-lc:]8bCR'dj=%L0
+%auqm9jcCe6/r@fVqYKlOD2Us*p?]AGf&c+@iL:4\`T#MK(S5Z"E;GQ(/k@;'m%2fg=p0uEi0qj/EBVs:9!7iF\b8U(kPV+j8,q@L
+%bJYKL@1]Pi,TPRNKM"QEZ'VG%#0"q\1pT]/#5fO`>)nJtfT!!s7$'T5G\hc:GIi-DJ*\n5<[-OH,OQSq+uko,Ic'p'>N5At4SA%F
+%(\,7JIEZkZX2S7=2a#[L6H.F012Ch]O+'#3(\r:0iB=hn%IRmmVUh!ULNdjJp1V']M3<Tm%"go(-4TF4CMPRuDgBp::q.ssK?L#r
+%.be=rW/7R1SaKZr>LUF>Y*R(*WdtEpdFWcXRLd;t,;?N2AZ!?<N=\oI79\S"S-pe%nootuA)9tC]s$gH.lEh4T[OKZR#j9hr5a:S
+%hXDADU:EM2(E2CM9_'TTAqe5ll^n#$EUhNUEH;Y)9#XpdT"_ce_hu]V7/?^;r!aP&?cce7md72emN>NG)_\8+8=S9cCnT0V2IV8)
+%4Ql[*Y;r;Z)QeXS>'rZWe'$OJm=ART>0U#mmW#Ln\DEq(?8TC*p<2;9'kKSfLb@)$1JcM41p62j7k=$OIipe^6VWhUeEk#9/8kid
+%7NS'.7I;r&g1be2ImD>Zp[<,p-!3$Wqo2'd]g(ED%"kU99;[>_H*kKDZle.XBC.C$@]C\p5qSZRbZ^NVmfrXKRS9&mDD]gbH,tZ$
+%H$-R&h:Pi[%1[&fOkhuHpOS,^E0/WVf86&+2>/r5T00\6,Kn2eU_s)l\8`'@L7oU1NEo,gY8fpKTCQA4h9J#dQ\Vgb6X_eJ=UYVY
+%kiZCLn.Bb%YE'TlePHqHWlH@_&_Wrb&j$LY<tD;)nYD2R.33AQ(--6O"ap;]/Kj_J-qhXpJ4NIbjBTJp(WZ=lMV6&2aW_,VngHUp
+%k%N?^*:70]UgN0/kV["d`ea5UXE"?]F(EC[V):7oog7!VbhXp7?VY#^Rb`j]G*6Fm?<K(/9oHJu<dX2h&!^o(H!$f(amQnZ_X$I8
+%1X07.D(t^a<=X?:I:95060d`_)(V$117f;G^%;qdBJq_e'ASuc8^$qs"r3YL8;d'i%1:di%ng''O>8*GN__m<iRXTp7*)If`-fOc
+%dJII\@U=ahe`R`109$m,I!R:YVme:-gWtSG7i(LB.M%r*U0Tq@(?s?fUW!=BiKS-0<'o_08Mh_<O$jX.]4#^IHjR7HVcd\ZB0g4*
+%[X'R[Of='ZP_l0Hdj'.t,Gjcqe[ogM<.4a^K&"[9GOiT9Rr'JL!;DEj],>YqFUg#okCQmMT3/S$+[`8B=_LrFM5cWWlnp`F(2`\%
+%QcEfu8N2uR\Q@Zf9//6&4Tb*OM5=bG0e[YGo!,XYI7^RpHXDpoqNg`$8W8KO[8UeT#fV^Zc8Kq+/fI5,]XE+(WOLTc-utY"D>2HF
+%E&ks8g?dQ*T.T29.>?LP7Z"O;E;++QQo7UZVnnOm,ker0^PAYeg[H<NV5+\8$pf,J+UG"C>fNTk#-l`l/dP)Y2:c$?2cVb@*\i$A
+%TiX<YbFt:Cm+n9TkcIEfI`-PT8l*ogFm]tHbtM:qLA=MDb^o;#]j_MQhIWe@rkt&okg#*&:U)d!6juSNJb($>Ch,@NLGlI6O<-l9
+%81r6*lX\.>PTdRs#PH*3c"QM1'2tI:;du]UejKZU?V,#dT!"nZGC>nSX#l,Nlt')@k!%e$;?$4[4"FUgi(cLt6d:To_4_I$@tg:j
+%s(*s)`W3*AcHg"V?K"gCcg[aH9l6+-l;Q].HnSEZhJ>-AY0P+SFahSgNFqkce"(An(q^36lioj#gp$"+6kGb`k]r>:((YfgW?_+%
+%k$km9*sTW;_hFuLnL@8tf[Pa9mfLW=Ls+i:Lg)F'[0o^f@hocrcopg@FcQX`6uUAD?KO2`:O$/Y/fRk^GWk.m?eC'%Dr7?+K6l4p
+%C6?hrej!$W2NhPC:,FcCF2I60ZX9uuGKA&A@-^-HV\1=hm6p"-=2C!8X<C0?E;Y/J1aL*o1m]7"+:fseghj.cQ)OBemu,"u0Vp>/
+%5E5r<>cKCg%oVL<^-on@Lb9uQ"F#2"P[<;?:"`fj+UVI1>(#qO?Uq$&*\OIRn_/8e`Ksa$PfHi7IjckqAG6UP;Ehh.np<)-0O$:3
+%Z;uo-LY7,L]@1qBj'eN;hB>`HM%$DtnU8/3"$f6%T/C]c@^f*%Hf(@QPoD657]k?0[o(qL;AS$Ic+L:_!a86dB^#1*k6Dg\,F_uO
+%*L6LgiFR&JH^S@jLN<1X258]`(:gjT_VT:*?!(ESj"[:rpSJoTFP33l=LR_8D=r:=AKs;T#3GS2j6d9'L;B43/.:Y=$0LF7#a=ks
+%4N+I`I\W;o2i[V8bEKYbnb'A5HlB*Bh8eijL!/li,)80HSHD0%?Y*M%WGm7I(JZ;&:`8c.9UE1V':)3n[(7bE)'NimP/n'@#3_P*
+%7GH2n9HekHdN8iq"j:I!rG[7mn4c.?OMJC!/<3;LgoaAi!#1.-f!<Z&4RCNYq6IOQFEokAe'0)grG#OF#.8%7E6c@!+P(.oq]=F.
+%I^3U,@JOq*>klTO7:TOk?DDSDBJ5B_q'IX3a"7fl-iq5-JQ:3*)f'U=$)[)MA:TN_+br6$Nt)*L\YSB*B\E+&rU#cC#gaD/7IQV9
+%SAOmh)HWFAa0Jhe1&Om-Qo9nP7'?@M,?/`BK^e1a;>)"_J]9Ze/mSnOh,GpmMf[]3BP<>NQ4XMZ1)J-AeMA7nJN'V#rb`=QXQ;.Q
+%Wj#a5r;;Pn1;q'iogH%K>ZcuQN_jdIC.k(@F,FNdIU=-q?qFh<[X'!"Ne[bY_H&5"4FDqQq0N^YXJ`>=d`!t0F4j%ncRY==`emlA
+%H$&R]^m0/T-').tK6snbK5F>$Fr95g/6_TCSe9XoY`cXGiCKgcoPM6_\UVA1\c4SMQMY:n.WqfoCj0]PQ8lelkq.6d9AFoYNK+QK
+%b&MEY8OWNcBAYhseR_;>U\4J?g&$P`RFgnYfB]?(MlG=35-aeW=bMsDIH-tg/16Z]iu^Vro<l/'[iu`&PhY3XE@[aq:2Tcj,%&Qs
+%E7FOW^b:hpoeGiWF5.CIKIF[jm6Ifn)[4uifKou@VPbERg#j/UMGB:.F^MWH1R7A)@HMl45KsBF_b4R+ABo+^02%gWgk!;l)ka):
+%mQ`,sl40=0$PYRKP'h4eIsb;UO!+@$"K6GQj/jJW`,;ICeSi&^KuVq7"6NJ]9]e^V<nT\fqSsn$Yc_mYo3[&K^emVk.M@8S\Pt-s
+%[O,Fd,%kD4TCq524`JJ-A0,!VoeDAfjdcra\Z8\t<R0^RPoS-,K)puJ;7Vq,e+7>E28D/;eRETTYM:M3B>[tNa\eG+`?TSkY?W3L
+%R>Vq`G!&?5:#oem%ciW)J"4XV$.M4HI/Bf!B30L$5[LfD!Y5Q_CH((a<lMtD%55/up)TVcgOl/kX9[qZ8A!:$6cdptm:!D;]6:G:
+%moetOW=092DV2jBnU[@:mPtK,BWQ1CFMtGl)W8C+g0Ls;at=201jV:=gf(NT2ulG:]$n/f3RZab*ZO8]En%(?7e`7k>cDMtm/A\=
+%o[N(A5l/D'UWVP5GBsd:h\<LWS&*=FE,^S]S#tri/DYH-bk\Ms/C)6nRYtV`R-X31UC$*]oCgFV+F/]Ja)\h/>&/6`21T,"#"0[@
+%.bG^uWc=quZTlM"jM;_bQn^Re*i`[(49JuL)[erWZG&c&a^pM?2S21(Dn,Ts]Y)]Nl@eMK9A\JAo"e69e'l6>>(DpJ(+)4F]OdZN
+%RA*[dXWYg8Ksj^g-2.IE#EPqG`]6oRL:]\l,aT82RgY9dZ%*HW,PrZFJf_?*AfRqgBrNl>R"60#fX>;6S@DnE6"><nb3P]d/Qr@E
+%l(W%^*4fes+*aklSVNB9@Y(pu+e^3G;0?4-KH9[&Cq-tZ[:is9KR6.?ijsEu)3Q^H_V1buk?W_Vg"nq9CKQQdk',k:`M(uL/[A,)
+%1PURD8(L*2g=>O.7IlJm>bole"u)DXc].paYK4TJ/EgTHJR)t/kJH=jB&'A:[XEu1KJ&>5;qO4l6h'T_,[&tF?&N`5>d3uJ(;>l%
+%@h)\Lb1<>pkOS,OaJE*U:B@:p##G4jRR7qfbmW@A)!0(qqnbTQ0"<QH.dI05_NtRbjU>aJXl8-QE,Du_=rDQ?i0CjW9MWsW)S'Ku
+%M`EaR[W!SY[<;WMk(6huaE*'$OtSPOSRJ\\r/r1mmXL]4_U=s/\X<\O]$HYE92Y*0FO2IFP=$-T?t$HGi)OV3*76CIM0ADA^:mh"
+%;e]"eflY1C*#d.8.u*)kQa1)/X@J:MOn:@a@[QXVC%dWf2KHpMNGLX$h1_LN\s?is\6tIVYCcG?C]bq"p9eV;)n9K8"O1n1AF)Xr
+%7r94]Jb1ZtR[]X87uo[72o<g:UL<QVDf4so`#L'"Xg^@EH/X"'a1#KA=fZ#6bp4BGd8%rk1U>P.2r`$1a-0q_GIe+e7.D`XZ5XlD
+%*[$f)8YIIie&V'jcq5eVW"HCQYeTSe,25Nn]`@?P4p-G$"k4W5PK]6g$cqErF'2?K$_8`:9[%U>'2o_$>b58teao6R?7FV8Hh[Cb
+%98'BCV!so<9G>XZYd"W/'3[,'J1QTnj,^gV6UETgqW@<L!>=,/KuP3M%>-Es6+%bs0&$[@aoOQP%\"o;bcoL1)f<chO77UVJa&>8
+%hZ+;3jmD'=ml=t9^<HnW'tCT,\i^sU*bmF45A6'T+m=*!FLi/S_Pti:YfM]I\AH"3Y[&;3GkNmj+h0WgW-M1.!=<TU`lQ6V@^f*R
+%KRb6Ueg(gnFGZt.Zo;$9B/N=MM#jVt*aIhj18%6lS:Esg'X!Z8E+q#RMJ6<M1N/=;9XNS^;Dqob[_pd=Q4;)M.>!n:Qd*AfNOdOi
+%5n,Mc_\K`\&SC-Z_H:`/R6<LW)p)E&nL[-)Oqpcp5HJong"h'Ap.M#,Sg`+\md]92pbNJ/[`igPkYX6C)$l[;OWPjBc95iu?q2g>
+%?=^'+W-)jR@h`JWqj=5IVuWh%*u=1pWsq"TMb3OCLe1o\^C:MdHf49h3BM5G"5<EAc^7BX$]aRLJ:oi9[EOoD$'oG%Ub.HUL>g;[
+%&*I1K"jmNAlS6RO?oPhP7gVd=j9nB./-jLXC!>PTYs$tIbdW=F12hI#9Vl&bqTAe$$Xc;Es)sO?*>YN:j\MH]B7.gb["[Cd!<^si
+%W8]([+?*s*%MPAWn0lSmCj@(5K-TXcdtTHGb&VrOKIR0F0-`Ci6$b=BK$Lu1]ZKVUKW6%*P81sPOa^2GO3e^oZ-:]i/3eVG'$GGq
+%SR<p"*[X<8bh^^dEc(JDFm>otIfZg%a!$bZEiHm\nKnRLaeaaNbKCL@Lc2VLH#=-!"u#S*AJYU&HV'VQnR=(S/-G$='$KF"_t/as
+%-([aAbGsC5?`mL[)_8O4.UVrm&WqY%k3b"X8ofI[PQ8OBk,UoYaSh?af7h3lpX'hmGgafVi]ch9#BP`fptOHN%:X43S"08<0BaDM
+%BkP+Ga:M.CX*'p_plh*P$gJCHY9-#4*I7U"hG!taCX^RWAKOOEo8NkEgR,3QN_iV2=k"flcT_*-m-Jfd$*RR\`KRM+[QD2o\cUpF
+%cecDsb]dL,G-ZF2jgfC[[LhhIq"aa)QGOO5@oqX5p$f2OmDVlu]3D!,/)sGKc>W\1[I8E)%[cJf@&D9*JOJFUq,$`r2&"G%<3:ME
+%)LUR0n5-O\R;*?D[If6SFlcl"+*jegpIr!f>ipL6g2nr?IAg?D9Js*MQMs^g%`jQSq2'm,Fb>><ncKD&ldjACq2pH4Fb:nso$SV[
+%eicq`kO)I?6e+5V11[-SJVU7JcVuuO*S\CteV;\\J)m;<h/s.Ngp6:%WccWe_hp&8:c0We(*g>Us%p+@E5i\'\3\JHckg.4o";k%
+%a$\Cgn9lmoIVB<m;\6=sTNMbZfC2To?bGKp%oqp,\#/\*M`k%a5c/Kb<6YkTB&r;^"Q[iG4KaaS>kk"-?9C";6e0s"-ofHa?l`Bb
+%#0nPXGp.Dj#<7(Uf,<*-C^tNN,Au9HT'\4LHs%7J7WA(V/*87q`?IN200G_68:Z%m`ncY4387;R;`6b-_fZ@BE^=rY[F<8,Q0&dP
+%c#J'S?^0]-B6,7=(PHF:V#_7"D2c)G%+"&9B<,D<RhMC<!R<UB=RkE<3Pa=n?7fg,ZT2pf/74Y(K4f7aOIZ9'i7T+.CnhL#(nStQ
+%c??cPI#lK4fb[D.[Zc--+.g^Xc<ep,lo*d<-$.8bn8+,]UpgYg^p>&q?oTMrRff2*JZa-_2iS!df&9r%O>i.&cF0N'5'Su@D'7_=
+%bR`$S5A\-gRMB%=DDM_]Ha+;A5,1"(ME*Q-c#f<ViRsYCZ-emRkZTbLA`RX8)\NgRi!c4%!R>k?XLGd6ZNb&Xhg)\]B5;/6Ee_68
+%Hd?.=DeH+!f`oUAoldbmlr81iCj8+4CThR3cF/(NI5u4Yj4GDCTj56KBBu>AX^9=[%W!-2`T$Q,k;[5-gY);R)j^#;[P:j]"ch:[
+%f23<FrAOLWIQ`SmFF!$=lWGd3!?#P5kI4KJS05hrj8,'u)!?\p?34TkJ/%tp`;"qf13"MX\Q3NTi#9j`Jhc:MLDZWgc/BWsDM>0!
+%*b$+8OYGf[LDY5\oN.;BJJdR/*aB72mP$HLS;;16h-VX@HoW]hLD]3&-$(fZ\D#g>3Q1\ZaEhaB3"O;DEQ#A$m-%=Zj*%]&b<_(s
+%<#W`7ru>M'EqboT(jBtiho-2f$8)X%pQ$K;kJef.6B#,]U0&1?SC6%Fo<g7`j#/a&,fD\9NUPQ:72A=N0DK-B-XtkBB^mG]j!oo0
+%Ju1++0s:22r"NUFKsJ8b3Q*n4A[)BV\:YT<(I3rFYmEXI(geiK4>1069>2s9(t[3'nMXV?".9ZSY1I'2"u-UZ/+oZj5D'g9bLs9O
+%@bd[U1+-NNEi5D2od(g%+ZGYb%V>HlEG'1sc\iWQ7,7_@@XL0mAjhTa@n4cT7>r#F5`G$8C&JHLggtSUrW$D4040/41!]Z.rF1S&
+%LUkps7#WpC6S0<5^'"rQ#@^s0@a:#X`YgVAFKtcAc$TP&l%j?1$R!V_N3b970-;odpYP4V&EAf4r`k8!$b=#?`&Pk`E'NMi_5>th
+%F+`saieo&$j`jG$GJ`MP^=E(DIgRpUrIWupLiHANpeh^aMLV_QaMknF`43M"[g^3bmR=Q+6B%CH2dIb>*.-Z>T=F&GqZatuoB\+<
+%1!W,:=3V?;o:a&:Cq.[[F6IS>*:1jETu.UqZ-2`[k]#ju/.3K$_'Ass3daST&<ljNIg-pr@)H!/]QA8*1,p`C_,$`A'l:B+Z@5)]
+%\,fb4,Ns)XE$i[&V4b_kfh3t8rWG8el',d@q@RhZJdnX3`K-\0'l:C>?+CM-h!Cm+jeBX-Cq'oqGp.:>dAQUMk\tm]fJ:h4g7-$Q
+%6AO=.@(7J(\?Zp>=G8&r_bGOq91=UdfPnkCh%%fjHkG1mU;PLnh*6Z)B37_iJ.B'-=\*>;&3=(4L@b3:k!b'ONT$GWoJEt<Q[fQI
+%[L'^ar^5o=q,,K0"gb0!^b6WIY2&"frgl*I+6LVjiJP=l>d5TK_j/^:o)'Ig>bOTgVR0TM\:P06H%$5DY+.NZ1\)4CE.oKXYEggV
+%*Nk2.h)ciS7>EC(8:7X+K+:u:e)sS5-9>DJL>,*a/;+Kll7bGR%X5K;o:a((p18O5E!71u\9hL*3aC>X#0LOlk]#Vpb4toW5_gj_
+%a[C,$#p$2"@=A\,^=7NHU%VXMflAOlYK9F9=5P5Y![RUodn:c;HiM69!7^.b>VhS=;fW$%21NlHjOgnR.T:#0?cIm-VG["=^4pjC
+%ja4i+<+bU6of&E-(#t4Wk`d&Q3NZ>@O/(C3fNW<GS6_S_=W?k1W(r@=fn:T<%S>h`5_F+R`inWg6sJuBGF^_\F;Ngl2h9NCYgZ<h
+%I[I/ZH=mgOrP4aA]0'\orpa7X0.^F</f7u0$b_sEA5!tL3)aX2_-dtHM'\]NDBbHEMd313bRDm79#mI5([lH)N)nA903DF<*S&5W
+%hD`aupb\K)![?/-]Y9UHm4%H<Yh+U0pVdnED.Z\!h'.p"gP:N/>YZ[o5IImHkh>:lQ'f9?2!LAW7,dh"L^.t>l\"Ss3-sH+9Xp]G
+%rRJZHjh>DYGf7UBOBhaJV8R_Q:aFZPIS7IO0BnJG'--JSN4<ji-pu.@H.GPq!*iVI>8Ir<f<&:O=tG^:YZpmq3mF.=QU[mSgk0b\
+%G+)`3KF_t/ei:+[AP5+a/$<OPq(kd@(3pE/LR7OqR;mO:kjtBq8LrpM7ahEl9fuLT$bu#*%#MsBWN:1Ga`i\A27]iD61NbMEJ4LX
+%(YBOM6H0G*1"rqS&V7d'NaLMJ5Y]hd[Z&f'>d'f$X<k$,O)Y7Yd&s7UiV[fl/HHb)hNrDf:G6uhh"Fp,GM,[.0$?UkqfoU1C_<tS
+%1_>Ck.B44SX`#kR`cuBH*'CN-ELnq;d$XXrS.n(l)-E\nph\X%rlVK/]FIulTCZi7M_&Kp`_?[h;na)-Z:o"kOV[cAlEFK'@T,3A
+%d63i:7,,OcgLYqDBWUlIc3>22O\'qTZd57a@.M:[Qolu2Pm><2k';67,HJiOE(S^3btNGI40O7\j5#a&*ganO\%WPm.``FAXY7S"
+%_2Dk1O>,OLEPs!`Qd*<)=[5!6EhgOEVZX'\VJ395:jC:MNC%+rGlC>QJ0u;=Z'i5dikQ7L+V>a-R"Gh*,t98u#fGG;(Nu`pH`S+J
+%qoB`6gPZn'Wm&JnV1g=+e@OB2@/Zh,*A67Aq8G@-CtgA(=Y<S[91GHiN3pZK!TGZb>oBE0NXj:Oo%e?)Z6EYI^R$43CTI2UY9oaV
+%n3]^"<Lu<'`k4I3@_&pNkOH*e85mQ;T"gU;Q><PagVu=h\IRL;Y?87+OH:j%(DP&U#)dKeb7Vp2Yo'EPrRHQgZ$aS8Q9i-eLB96M
+%Eltk..[JHfDi?V"$]*nkHa1fj15hS<hT!#$B>C^_bY9#ogru#p`eiK#)_Y4ZVgM>HnWmG$l[a?HN&`HZHO'9UZ6aD"anC`+*os?p
+%liVjq)=;BirSH>^i\O<P;J/*Y0TXg]SkC^"/1R&8iBm8;_sQgHCAS9A^os6;(%jRe\D<%DQm>TsF)g8hH/NlsR]p#Pfrn2],r-Qa
+%I7NjgEjo^+[[<aW7aI>eZ1YomkLU%mjn2MuZ#pfgRZ";78]NqV)!,7L)N6U/R/Pj:G"hdCh3].'9=t2%^CaN:XBMRk2#<V+,;@>0
+%Ha@da%)?.[H`^BU:?C*hF)fZU.5@/Y`g^n-r'KQ<mdX!-Bbg'-SfrO@pBt#1N7=$J()5(IZb;#raBdS,[>MSMk9-5NSZh7l&i5=#
+%fiOeV%*61(1lBXhq(Q*fRK5I\PR+e4Zbg#AcE0678;G;G;RL,1nQmW)a5SB)hX$3)Fon8"2gffjbsZ&GPE4apiN0IbC*f%4#>aZH
+%X7##Ihjl3&n#S^c`_u,f]=#<7CJ[%GBRPg@Z-(bo>PtOIeiEYS^\Bd*<K]q?kMj&EI9R:QVsVXI<O[0nZu\FCI67#shVN9Wrm-A`
+%k@ME@Q#;Yk*Y5/Y:W9dt*f&A'X2EM-`tMYV8GaLT)RiqmX`ND!pNlij-,*aTAO=#@X5i_9WpJSi3BDA0gg]u_\!:i!%R\4^_1&=b
+%]dnhteqP!7UW\RVn[NoW(sbD>2^TKu(\M22/=FX[eiF`e5`Y"$>R89o]Ut&U61-SaMdL=0n2?_L[>MuNC2Q>S"d_`GEe2%J/J9]2
+%]=k"eWu&<um_]CrVSq3.e_tD='VW&Cr#=>XC\B7PKLk4bB)R((3/CkMmk.AECmJc.*aIUpHLAuBM0(E:.9DO)2Vot)HUtV>HI$)7
+%?<MKL\l1fnLjX>\D^TK/_i#V6?XA*T';#e!4C!RI\+-rtUiWgW'!InY1@^^K<rTUYE.=5n^$P%^pkV;/Ii#O,PG$*_/>$0ijn#N:
+%(8^bGc?LmHc5#jj&pr*`gdg`%!U\Fu21tV^:=I?!^3$4?=BVK3GU^qngE3'^OQrRuhEJ]dGP_HL<QK3#!e7$%JP<T?%d\FI@@QuH
+%J\fmCH`I`P_I>nhf@B$nQ`!XjV;o)Qpg#l/"E\)ps"3&Q/UnoBHfmc&>2)3q/[\sVXmpWtdiY/Ud&cZLiO<DRQZ]JQI]d7.\Sc7S
+%#_aVohL,:mm37bH*Y#Rc\+_1:A#FPFX/O(@G?FiSnZC<r%LK=SSo"Gt,uMltB!oP(7&UbdCHpD&/i4J^Rtp6l06HPV:T)iY$Al+R
+%g>R:Y3R.gA]o.uViU:;,NK%*'C,9jfH5R3FB:u3+`u[t\Vh_7pgh5S/d$YsC*^i-dm+H4Xjq9>]^KljTebl1uLjaV'h[Ve7;NIW(
+%B+"Zd5MV7/a)EI)no+J4s5@,"jiR3#)ZaX=#50g@rVB97Z<*Ie=>hqjH7JcGmm=`/Ge-;lG`NuAC/1InLOB!\/tVGNp;50#^(#,G
+%5+W\!eG3/?$0^:]%il6`humqBcYjIcp\&a7pu[&eND2pHA[GMDgLr!QhpM(5<(F:+O(>7<Z`V.;R2`HsDQ`(s:J5\,G:eX*O]q9l
+%8=Peb_o*qA>V#;sjq<L\r0RV_?+p!n4p&dLdTY!2=*D/OHTth*KC91Pq/+HZkURYqV_59]Vu6)TTi_%Ah%:aCZDF&,2sF,.4Ts^B
+%jf,ej'T,&n5+aU^mER]KhH>=Y1tKANjR2uc_Y8,O\EVo-MQN`C.tu":DEp#"$P@NM*FQpM1.!gaYOh'#6j_1La@23.gb%F/hBe'T
+%kbEr)l/A^G&H/)ujUg&#^(/'6SPSfPTbANBZ0'V:'0:P()CkbT<mk=E]7fnfD9:8WiHSDY5fE/2)[a2Y'D^SJ7ilSY]%p/cB<L##
+%*AicN8cIe!i^M:5mj05s[sH`[iS?GYXs%6KcpNcVI[[e]!Yr@.&4=kc?'5(3KsLC&iGJJS%^FNCZg?5[;+OlN2VPq3I\lgE3br:Z
+%F4l?Hl*:-:n=^LV_-(XKI"C\ZfYcCe+mS0s[Jl7PmVQ7jgV`PF@9hc5`LH6W?JVL5ZZ6OHpR*'scquM*PDef'B&`^8m`8H[^ACiS
+%\8JpS,CJ5C.Vs5LVeF'#EgL^!6,f9kZnD[MW9rUGS/:tsr3H';>1gr@!krt-&W6mPq1n5n>.43)8=ZP5ag.gcT0C@TmYV75UN5o'
+%p*#'QWG2Q_He,Kj8mqT[GJ6#W;1?nPRq/_*/oS%T_<_p*94H7n%N"D3pRmqF#%InCqkIET3\mNWE;Ir)2=J!Bo'NL")mJ7i@R1j7
+%kI56a\(DIC%-2VI]A?M"Y]5:b(A6cnPCj-H4*Ms,eY#`@4I[,D[Vo*;`a5X>&Qlb+na$aJAi]ti#<E9gmq)6pjFfWGk!%e&e40ld
+%%Ir[l'kC]-G-dOXAT#0FG?b8+M;1CVPAJQDXl_[8M&VHO49:(-'H5ACJ,Ha!G,.;Tn_:+B.f,oI/++HA*FWQ7InO'hdbRms2:4l8
+%"<TdgW;CtC4+'*[*'JcelIA4#Baf!glqQi\2S-ks%A[.K\*j3'])2!7HhL+fF%]u<ZiS9URb;$:H4/Cl07NOt_2B^*;CMBF#;;M(
+%a5nYU^m#ASc_j+3(/=3EO2W8Fg%3YZ(XeMf7t%0tpg:5q_<Zi3^M@u]*:W3Z>j%mYL32b**^c8gWSHKh7BIcbHF&'f*qg\]QdZj6
+%qrq/(1E[IcnRU9)^7WY.PW/^*2nEGphgM#n"t>T&NKeW87Z_*WI=&I[h99d`UQJjS\)!7cS]U'qI5jI5cYDQ77*3R7hE`m,Ibi5]
+%S?/![MA<l8XI^6ccb4>`YTIG.g-Z369q2q:O*atg?6^o-4,3@[KcN-B\j/66I2?kZX2Jee*`"`_"1jYLXj's0[eEoh0%9uYa-:/$
+%G,gtRd-)GTNVjQ]ottpZkMK:0.0etr6<rG4LD=!7as0*SpU@mV=P_U=]GH>qp9$f(\C8`&VP@;Vo[0;H`2EJ!HLUT4W-^J\8penC
+%4"N'@Qf%d3p2[V#"(kTV[pN4O8o*$K8F&WJrqR$:"+:u6-_ET00Z+H=Cj(MdH5Xiem2Z4Eq*&OE.3\uK=[QGAirnc<[hgJK&&-81
+%DmWY\I!mB)rf[XR='[AMcr&GEKH*DU_c9AX35Nt5s)+lq(C!YP>Cl9/;@oI2iTN-)J=",fZ&n_#Fli8b.A>JgTco,O2NCb3eW4Mh
+%Q!Ynt;Z6cdKe55uid*J'Fj^'06oqZ/Q38=;5[p*FfmHsn%CASSXfmjU;B$B9)0pS?G'S8?+7mgtr,umL-2\:VGOLDQmn:,dYFNlF
+%>A$7kj^p[Oe*MFkptT-Ci8'1G"N1;g;ksJ%\s'g:j#Pr,nTV=!n's/S(@/"D/,eRIC26%_>KXX/AN04_pXs'HD>MXA9GK]Jq84[k
+%.51ROLHNR;cU]-><G=81p5-bHq;+"AK5douZ0CLpYP?]'EPmYKdcF.XI2\4@GC,.QO3Xhol)1tdlpmU>;mX<[BTQ]+`3Xeu\4smW
+%g1+cs5hLmQZX;tQ!&55"3H'Or$q5Y>HolKnM>m9^eE%!`2\2"UfhNOn7q\m]:cgVXM>@.eZ1p*I`PqSr^gT3$fIc;:E`Z3%;Go&4
+%j_3X:86t;"SrjMl]-HX[]6MWCcZ,VDmAK5ub/LcT0`,Vhs%^&[3C0R9'o%Z.d9L#1md.UeRh_"XY)m)n)8D!V$6@`,nSP_g6ot?P
+%Wpn[5FDt=7hK(HKdcJt>)YQ^Tf0BD7Yn1os[R1q5Q)hn%f#EF)FYN0m/6GR@Q@#tJ$;0@J[X)1G]5cAQh(Qnm&@(,p#B;LbH8C^T
+%Lc7c@T2mIumhD7!H0ga\)FY[\ls.4>[Q\">J^)&_Cko=0r[:%AWabk<<MqL(X\%.qe(k,SPKWdfeY<);N&8gb?luHCE9&e40KB9j
+%0U1mP`cdH0I5b(^p=O&4`oFae=7IO'q0M9XU?%@3n2mt"GdtBACsl"'fM;U+ii^ek2Y;3o8jX:gJ#oF!(QlVb`E+gA=WV^JHCaU>
+%He1FR:"8l0ZZ?;A/#c%o?g.914".Yq9\'>B@ob74gWjoNWP0$)SLa,RF`m`BaE".:eh[Ks6CM\gY^9O"buI!WenT;^B;X_U%ShY3
+%>%sT9Y[U-Cl.=Kjns7cXM?BZk"bX'MYf1)9<qZE[lJV<P*K9+_c#9tdrn:^Jk%ObC"($]HBq0J\OP(3=VOrN`a6i[R1`kMmD!tot
+%;e6K37"]2u7cLNEg+KVq,$X."E84!0Mj^XF"In?A<$E44#pI:X'q'KVj5YakjqoYda%(B0pDSnRA./<3Xl?s[M(/^P]"L7U04pdY
+%2_p)nYNi/'NI;#b7HniY04sbaYe[D\4!YEpY1U9O*2YhLqMo@cB^e*iFQfCb-MlB]I89ue21uH\nJMYW`^KDU(dMI,1UIW>*UkP/
+%bUrQ>SRSaASHI3gK8O-fK6fPe(fGf\0ccG#K=X2S>7F11.YDaq,\2,?6UEW,*E8u)NEqt_C9h%0KG9`8]Y*W:(13\h6_&l\FV3oP
+%`Fd`\]A,pC(idH:3D))Z6B9HOfYcq;204%DH8K`Dc=M9P/F5=6d3jJgKUs=Zo3tfj7dn<nG(-X1'Z=7#0=up""lG$6>@"8YquebB
+%c*_BK:<_*SSI?u;3l"B`(A49Hkqh=blt,QicahN'e!-M0<3Z+*=TLBrZE.Scn"u#S[@?U5+WX;;X_]g9\5drO2_NErhGG->8[?>]
+%0@in9ZaJp_H5\"A5W^5J(Yq]N&#shp1!bqZjf-G`BM`a[$1Tb,6/bYgq:H9CqtplE#s3H7BHLp3+nak?[gr_L@F?SfO@UX5^Z')1
+%%uIY*RRF]d"*n:"cC]7B>edn+GFLJ$qb"??G=\h59QpGN1]>PO?P_tDJMK9L;U8q5_e2U)GkXphW]liCc)AU<#pmnd<%V%'W^njc
+%U3\PX;t%AH)YSkV2U#cKF0^9P(TYqA9UeIKZajSR":n:#UY%r.C::g+Y^/#eY%00/")EBk%fquB@<,TpqF[M8%ndiAG5TTu2?Us*
+%_5pd\0&Y/']#JpkNG"WX4M%FnnbrA!b@^)cf\O,1O&K];)s9baDT!iV?R_(n^KdrTb86$I7GHE&"f6"F%A[:FF^3V5RMft[m9G9k
+%g:i!K6ba)FiHh]m%O;)d;#J;G/J`9Of9[\?q`q!1T0@^dY2F4YD4]i=aNBM-NI4<Hbu3Eg>`r[eAu1mh2t%GM!A,'epUZn]p*q$Q
+%'N_UWhT?;A[\?e8Gi;-F=M,X]YGZE=dP^6tTSa!eYC'9e$?&,D&+pDkTNdRZ?%A19)h&2t11$<=[IW!lY7H!<mh5Gj2uS38gRYIP
+%HVn.TDWrcKV6q7:Lt*]>T"iWfZHW_I^p"V]bW0iJn_`r9-g`SV%p"CdYP<kOH;ipqQCO,Ds3HHORI2^&3&]3eNE@(Ng(P$.!oGV>
+%ScA="RH)"=aToMn;9XNuh[>E<V>FAk&9%kl2)-k!&47*&AkUZ37EMZHp\>"tDr=D<RuH/A-Sr9,g-sM`n)E0=f-f2sJhMcdf>2gO
+%0D0I,\JpX6:qrh7>sI$ZkrPiKHC2;<FgHY;X@"UF'&AJTdXLdJVn^L,?Jhb8Dm>KbnfE$QDPOHE(rsFm"0&h%c7(KhGHVW>r!5%8
+%4)m,<r!5$Ud-*D,@t(Dq!$"Hq%R38g,SR\F*))2TI$pj,js1/t;mP<jb97)V+gKr7b97)_RjfoFYT.*P%V*HsQ9u)Q0$0>:QkMj\
+%5re!Q#,LiP&JPX_W/18be!;jG@*[(C-r,kg/e.#E=7'ilEEK!<leT\7BrZt)\@1,3&M:e^+f7[Ac_\_XZDie\TaR?HCH4FIM7rd5
+%Q^7;@5enWF2nZ_+_pbfgZsr6;RGM<dPg6.@s5Xh:LOCSe5pp1D[D>.B0'_pKDn"pl%=.Nb^"QEY.piVqB0TPkikm:[We9^M6ROg+
+%_h9Df7BK28^bLu$B:j<l0P+Cf;jr?g\^Y:FXf:!)]0&d%L<$jUao2tI>Fmd4H4S@Ud9o8X3?2(rJD?o6rj8-e;6jOjf[>nl-5r)2
+%3/np/meN^DSgQb;8$D+n<_e1_>XGgi/r-#aU=</+K;g`INI>/jB57.hOR8Cu=24P,idW4^>NdcZ37T/=i#^ULSO+tj"u1%o>-cN&
+%R,K*a)sC_lQ:&(1*FY]8W*dndKJM(dr/p>=$"'Vc0+@UL7NQ$kLlI?4U=B%-8EfY5+usuj45cSP*C^Aq]$]hR#<-:.VA7@V1"80C
+%#2Z@(j:I+tX,L/JB:(dX^'[F9fjgaQhg$3*&6JDEmmd#oaTFr)Pm`S=+)uc&bt2t.Nn3W>)kN,EVVRSV^"K>KVR]p/+["H1rjTM*
+%8a^t#p%c>_UgLB^1Z9=U=S+RY5Q&g@H0'D!,SKak!Fi%_,'1-.l1?bR]Xi#+0sS=pil7&4Yp:J$_aO'L%^c6](,fYKd=3/rJ_Sti
+%:d7%eL>'AbD(,NtA$u+"HP[P[O(>bos#]!,m+rKrd?;-*T6Xq6^LBuW^6SR$?;:%EMr9mH4?Qu+l,pAl"T@Lq^9_t4b-gu%j6YBA
+%&gFX<,-f0j1IAEV+:5?c4[Vot=$7,d)o?h%8,-Z1c3%!>^'bemLm3PW.]V;?%7(IrU]VZ>i:&>UEZ_G"ID[RdKTEniA<Qr%>NY)o
+%`!Z$F)Is"QaFR<]'%#PpP<N9UQh%8`qi+#6Rk6Z+D<Q%al)@$?)^*;P2RJ#G`RX,B(Kk'@S.LZgeHtZZ85u*cZt?=BREACu'1qH+
+%&J<4D\c,&V1<YE*D;SZ'I)"tJ0(RD^qhT19?o6E.0@=m:)Ssb(VpQ"T\*OiB1lO4MWCYpMa.^thqZ?[UQ,V%qg-JQCqn\haG!$l?
+%N]1/h,l)Cp:QT8LdEaK(+I2$Nf_pK2&1LhY_>mmqlYS'B6:pV;@9hUCBY;HrYVf+hM5o``2]Fmj;hYJ9POk^*6Ej:YNF%.JY0`RG
+%Xl7[;1oNP1iEI&*8,\(BrJ-`ad)j[9FR((:%>MRbm5n5rJIpt.67%.U@IXmIqpUaRa@dMp`P=%^Y!/b?*H[FuH-Q&WSuJ#40k@$b
+%!MVk28ODL7n"'':e1T&*ZdV&u4q)eq-3ot[MQK8$e1Q3'J`cpKA,*PrabBJhq_\<^;5FSR@k>U(q!W7DGAD,I:$<&84!2B82K9%3
+%_/pC%I7-cD'-qLL8RoD%@X5WpW0\0/ZsiFcmPu3EFTGr>&tub\4:IeC54`I@NeFVq]U<bb&@k$&:s&&Ql7,4m)\uXD&H5ak)IkZO
+%FM*(L`_Z%b1_Lgk_n:tc]utjOd<PT--="rF*15,b91D-C0B#TQU;7C)]r=tO3.YJic#ClE%G!j\-&p34<#$s4WLgBn[L8e)3H[ef
+%j2pR]F._,g<8j=4Cd!R7cr3C^`HRNCkCK.OF<XW'LQH_/#B?qZ<nMlUN/MVNrfL#<$q109oSIq74,!7W;-;J"rBu,sl_D5NDT(dX
+%pn-aP"\_Oqkjn4@,GE*E>4+pm;X2#7kDgrIT0^R1P9csJC@CS4bL\$IUGRA;nP&ghr[PB)^M_^f*3YZ(Nh1[p+FK0\4MjrCZ:ho)
+%+Kl[29RAXuMN[ScoEk]^%noqjB0)Wsh]behTWd@n87tI!>@2`5XDXMA9VdK*8Rr_LSYi!!BSS4HUu[Z"6RC&chlnS6g_>JDlc)Vf
+%K"7fug[uS4f#$a@Gk-0JD[2jser9u+\RGo.MYk=OY/fqIe9uWP>Ib;`Gug-ZDsbP;kpeNe4qM^;nB$KLRuk/R29D24K/F8H+lp*1
+%LoZPgLUZ[9$lc_7lam[i"P$n(>n@+tl6s>8&>BL5GX&VpbF_Jr2Tbcjd6aH];"lX$4G8^h6H\Lt*`J=h;@"0m$8KqTUiu/>n]'6R
+%p8WLb7D)biiZO/>lde++$?mFUj1%npY:%)f5eEtUg3@kIp%?L<=I:Tg[aYZ%?)Dpsd)SIPQ4%\J>n7/&_`E[u<^MC[E\&2QU/>7%
+%??(W9!4K9CgFj@)fg'T0NV*]_j?HM'KQ%j&1%5`@W!]sHJrc=hok#f38ld%<pC&Q<0$hCL&7-3L&.!8S9aLFO:`"/lZ.4+j9GI$+
+%YnsHqU%V3%*t@]#9XdCZEOaLEAAA.%QmfU/[T\'j.W1u5MGZO"5),%d8Q!g/<VC"1rOq\MH1]X:\8c&qjUdcfA8<nFpXPt>fb5@Z
+%MC_RI&b]Pt*XdtcAdOaX(;lQbojTm:mN"Q;oQmst.W"79(Z%)bp3JM&(fU>D!5F>NL"a$%3UqOhi!`qBMhKffT8,tC2fA/S+=[9[
+%Pl#\TFNB;o>f+(n>0mE__O88T&r)6bL@S&FbWd-rKPdEN$+8)<0-K^3!5gCRK8!;-Q\Rpg=BIFGF$Wc)J5G6]S[(pgK>Bb"UPcUd
+%pUgSPpc')8jR6H`3[e1:fi(ko+2j9_;;)C$q9h5^%ZC<a;1r;/.LJ<HK^obakXK)7?u3$6foP#sDa%\u];9jNcZ1MmKi*J>qtA8[
+%]=HK8BcMmg$]SY5mf64jr7tUR7L&@4rW1?m'*!gTr!?0:G7$?c]nKQ#d;2BCc9TL-TS;e%5[Gjag]cQ@_.q3$.CAuZZ">Y=qGQls
+%^P)J-B')"2*T^W%;;F^,0eR\DZ<Z`;m<<JlOFVXn^l=V'[t\CtYnL*"$kcTJ_M.EA!.oN>dp(%-PFE0j-L39@[QZhS?N@#k-s5-)
+%2YIF95]ZSUS">tmA*(A=9UkjAcYT-:'LW[M$Q*]1%fdiDW#h4Y_+V1rADP?;o$?b\,0shV$o0GjfSbkeIO)KJ@e:bu>c0je\X*-p
+%Hi9LQo^"Q-h$M#^4DWa3puLF(^?FCf`j/;o!8!62$GlA9GX`rcB%)aJl(WT6D%u%+M/Rh:^'Z`j[l1(cY`C.FV#COf#fEX:7tp!p
+%987dm4A:fh<Uc)XO)[GlO,cBC2s[D5Wpd_8OIBSS)D&Vu/So.H45^AUU8ATJGoTOa@Z&-C^qttJos2]5T"$`oPRZ$l\OW`F>`C8G
+%YIDhMl\@.a(uA4/:OknGYI4'hWf8!CS30C\,tjNC=lV'd)OAg->>dJ@\-.sO7Edq^m5K59S@L^E".>WD7GK@A]j$!!SK=Y(&uW#@
+%dRi[+d<_aU/t;tuV>cA'\8e,F$^A_H\p5="hqB$",^Tui1WR;mP3<0YkCc;e%(a4TnHOf'FMC*i=_5t4RkpB@bScTA@jFM!0HDf=
+%N[5-VPXs5\NR\&Pr*"(@Zp7FafFQH@YWWc9(d'Ph5qB]Q68Wk@ZqT@r-g][&3\tH;j`Ue+#fGcr%fRi9,&#$ULCjA8#_*NGDk`J>
+%OA28=UmWA"?;ed$^%K*`+OinJRUs1uC)cL8p43knF`gt2anFWG;fj[PDK>E#1u/k,9)tN`e.DR11=Wi;0IBZ#4_mVEXQ[qYdGGJ0
+%Zf/M\JeJne9]7=6UE=#!_T1;Q1!uUciTN@"5\D<h"DoN/Vin/DCX03]<:4(_@(]Sk'@(n_%eQ[IU$hjTDQ5c#NTmf_#aX-12S+T3
+%rS=%ALqKpTYR!V9Y?Hoe-(!V"\=.9cq)*TF=9/G2hJB+[s7^]5CMb<4p'LX,+peAbA#/OYe7/*rAk31=Q9^6\#+WU9Cq):mk<Ac+
+%<@rK[4@&8DhgCj1AZ8[8?#-M;p^`-#)DjMP((U65l4nH`91@4/P>tA0gOWf%YD3=Y*KorJV&re82dXC.Ki\b25'?`Paekq*%f:jk
+%`PE#'n3F)2fkM8*Y=ge:oO6>\!D1f4)uEFo+bWVbM#77WeU?cl;;!VIVls_FS)&5:O=P60r=&QqU.mSl]X[9>m9rjs/i9NcW(ImS
+%kK1D3Ih%&4HPm!>1I2Qlb/Qrei(O[bLO.oK^u.lt"GcMUP$r;V#_I\dD\NW*"@7"rPYj+o'*Q/1Hn6->B7_6cGfhEOS-af*E$&mO
+%%*euAE3Lsi?uRFuJj[-W,@GI;#_GG=@j>B#-4#2*WuM:qo5SeI1kWQ40E?_]_'c.XPFar4jRGNT9J)P9K/5e)*(HPnL;B9##S-[8
+%&MQ2>5]H;Qp-rDF^"i%-gJipeXM.Jg%UjMqhr",BT4WRaG-1iu$:fmk-f#!j;bb<BcNeH#QAV0>Q*5hlnY(9"gJ@iqa#u*\*@O=G
+%H#o^'\gS,J=K>I[lB4m-J]?g)NJ5BAcSOC$AJZa%=-gFkZcT."N#^3^\3'!JW&[YF20/,M\-W]:m[_$#iF:MJ$1_WQ/q8-'IU\BU
+%c8[3tr'3gJ24&61S2i;kD6Mdaj5R[>g<68)Mm,9$JrV9bh/&??G"OQEgG>8CfrIpJ&BkT;gKFn6E_#T69OEm+^[h1nnbOA0-aETF
+%l*a06o;je2[g'_,GnTB8'IhD4_(19[R)40!k1<2uiVKFj3s8hKpR.tD%+\'!"<#`:29e`ITE;U[D!-3/Q?JnSIGopLL6peAl@QsH
+%,EU)e`HpeD4[^E>WE?M)UN.`gMk)f9q8RTddlkJGmS/I&@OP>#dH[?S[[oe514N5o^"2'I1ZgI-2gt_"Y>a1]#VM&.T3KLIHb$i0
+%B=\H0h9(dfk,EFG06a0Elnm86V3qN*?_r#GIRBE6[r]6)i^7moZiFI%^K`#NhdLI8BP=hSBJb`%ZNjho2g"JAWuL,K+K[2*9`3[0
+%SpLmH,ic&qrc^6]C[G<Ze\8H\jlq!&rMeV_Bsas`C+6QPgN8t'f%"':?*>@"s*cNUeXi6&et]Wd/`cU5S!t>qV07&_\'jWMk20`3
+%F2r3VgKV)O*Y)s=++>L[eY)Y!opRR#/h+Zug0<jhMj;t#lggnd6a9gs[aoqXrHXh2Z*Te?V-D7@d[Kc-(Z/O^Q&:9TZYmm+5Ptn#
+%WTb5'nd7ie/p$:Sh6$$ecrnm<b=@ukh5R+bXmNGn]6ILC3@M)l<bb5(7'E[e2<Boa);4=U;C&[KG@W@L\WAJ$N@]^.AZlUTG&nVZ
+%O51W2H:8QV<"OgJqWAY!YNt\)\a$<RJ(s@K?prHKBDJ>#Y8R9Uj^!6`V,7[4Ft>3sZL@&D01b!UXKmkG53,O+ZI_cKHM)QVr&ON9
+%NGk@McMHarJ&a15F(.lk=SPqc]qpRV(F_TImQW?;SR:V-ZT[%%[^31l:rQ8S^qhdhic6c%mZoM,F4JZoSrH),[T?B\YQ%ol.:(eI
+%bi_0^hX+\hl_a!)=uDc)![\1M_1J3_.dq*iDIIc@>qN3;j!Dh[njWF4Z[R?]]3)$#Im/f-66YJ!+hm=+IoUs+N=,<S&rSj%]f"[7
+%l<EMJSbl,n^;!.ipc?Bf]q<lGI:&SJSRnPYSKh)3I(I[[$:\E;.4eVCL$GPm./se&K>+@;gfsc%4mupNTC2HjV#P`gkga*@q955X
+%Yl36SjVS$Crl#$Z$,=^O%sOHLAe3jEm4`bR[?JnE)n!54]j/1Z=[%6II9b(E(Ar=TKPD%HlhBk^c\K_gbN_k<Di[OK3YXdXN>dCF
+%Y?sD`WGi`eB2m&1F*i3,leZ-9lM$i<VEUL"#=Qt7L[sfonX&\'m"DpsI$S+c^*BkenoQ`=;%>4jig>e,MQ%!9Jb(0oDX\Gm)l7cM
+%[mpa)bZ8`BGgGOt?Yl!)-#tV2^H&KV9Tr?WF,6T<a\d"_]_T'C2.[CH/DVLb\PucrIuE!XO,$h(MRReUhk3j_nTOV!MsZ4kH1nnG
+%Agub'I0o3;m2tJu"DXU9h82cE=1bG/mBYJ^dL.5::]Yi[*W'MYBE+;T0.>9@/p"5"no=(=2P>)_=[e4elIONpG%p?Clb14M5mA>E
+%)CqkH8\Mu3R;Y:M51cqfgb>7eVU"j5,S420.<N9B^&>&VEUPG?h4/,VKmr5%D>8(e;k\7+lVl5q+gH]5:ZfdUlClqVfum0^W*&<M
+%&70V9iKNQh,6.RUQL>,q(TM,B9rtn09)H>.l8Nm@:2Qn)#t]SuSJfHa;!W>*<k>fUqMDbqE?k"/[8M#S`.pMHc#O=L:>]oRc?gYN
+%/]34MhbA]0+:P>.^03UQIM\I/C1o!,m!Uk=[5L32FR+\<(L,_U?$DEAX3KYd[t=nm?mjX(K.e8EQB%[:3OBkQndchTci(")LX<me
+%MJYL?`A#4Z"me=G.3<-!k*C3+i<"BQYj^T$]:rX"@XkT/(L'i&L\jm>`>Sab>YV&=N]3h!4M5P&\dY-A>dK3E["jiX`8?:A%(CD/
+%YMYSN2q^!no3d/irphrOru&\"#+[X(@SoTIoB%M!ODQZFA+^"bWRC[pbT<D.)r<kL<\XEUGD]Atb]Elsba%Ed1G"Atqhr>tRt^];
+%Q0Xugo@']io#E,CdUhR@hQ+@=BQjXf1tkLEkGM/DX_-grP<fDDSREODS_7@dFF,H;HZ^EA(L+No]Wq&+Wu^0Zp<Z'%kcCCe06=8'
+%WB2MspX]7+Md2iRF?Jc%rNKKljVJiUNu;HLNV)4#g2k"R`4un[+5VFJn%./>Sa\4\J'l8M<O]W11%3IVN/hgXV9A,(b@*UE3>Edg
+%r8("Ob5-R`f2n!8$X%d_HsN3<?G/YC4m8,*l]3i<_Yac5H9/\)rbPCZ3:GGE\`ic08hG3B9LE\A:qK^XXo.RIS[3\gGP7eR\TcKH
+%/g>tqUE?NAq;6*oAVL=^9aBPO>`I)l.;U"@q($sjaLe,4i<F-Fm?Q*)f*aaeD"3b'L&O8XN:*1\Ni;*7TpEP)P]1a]l'78Xed``]
+%k6S,u.,BrQY0s7):YNH9h't(EYFL`qmZK7J#rq<TPfU*a,*=<;NtOH27V(^7?\"Y+%Rq^Qjmsm_@q.pT/"L<M,0.]Z,l!mB;'O'#
+%LlANd!_VP+(m2n'T1=_X)^DWr4Rd8;O^hlhU>gM@-$!g\8FeGJ"_C?FLkJdB)V"*GOBs0j%/WmGa2Wpoi!fW#-$!g\a@$lL@?ej<
+%0d9s+Bf6<Fm,](H8`4tNPfU*a,,&LV!7eas,;KbQ3B9@E*_X/Fru=YlfGKatYmCJ5Nl$V=gA]#UCL:ZMk:]<]HN?S]f&_1AaK[HD
+%GqRF:7#m6=BprA#6&?R#,;NI$5;^(j@RSX[_uCjP%&jrH^?8?;a2Wq2M#9bV^9>D0m!4s_jn9u;OVGd+7>W!',Efj^SjeJU)^CM$
+%fOn&*a2Wr%c/i;/,%$3>)1OF`2P8CeTGQOfNVON0Yl+m;T-Z@e@4i425>,`T92/3nr@FrDN12@Fg4#@;Hq$.Tg%MbJjth=I38+#3
+%UujJ^r\2IfZ_Z`iYeBHhrXCc'Gb8[H=]4i/!=hi4r@FrDN4e7_gWu%OcV2OR,hpY.Ra6:&4oaV^YSg9<8[b8)V"*ieq$jdZ?N0!B
+%@&"r[PANNWC-KPH9Xt$PWVHr8RrJ7-;Y-<%@l;C%Z_Z_>I[`%=p9URW1\*5`D*L[.4u<)%PAEHVC-JD:(6`T"956ZNQF)LWT-Z@e
+%@J)#'Ib&9u>Jf<fNcS'4?1mrYV5C.VfrmV(h9uPq7D=6"BN;)4eCuFm1B6&&O8eSQQ6Wa_>SeJeU/imFZ[An:bZU33CAMB_f7#8/
+%C6+@d<jhme[7I+RS]]o'd9<p$[26>radNAlp'%V==*)m@Fo`(+;RVk.TB![a:O%9T*rl4m5Bb&d1G]M(GkQ2rpYaM<amr`lZO1ar
+%rLL5]2KA%IpooI%qul7;93F@-[r^<8U/A\$KQJt1^]^Hp)-a\hC8MtXB9XM1d4.;JnoVn'^&qR5hBZ:^^";3@_\:;U*ciahO.B.d
+%3@:DGlq?)i\9Bb6PY,(NGaZAA?/eH])'OD7RZm7CWJIT?Apch=.:EHT;jkGp,i@qI6DjPrWI1=Pg(CLL"@:%/[K+:m\?><Q@=rVB
+%9&gOT[ZD-1$PII<Aft;Po<Z8e+.15VJ]il3AX'PV\eLRJ'*6R0ge&i2K<'[-q/7SXN$FQUj/=*9BDelrUo-5_<"TA."eOd`*&f)F
+%%BU=H#`$FOJHY;]c$7BR6Q5"c<gCt_5*gdK[VoY4Q_]V/1.q[!U0Nh#nK`R\PB!CRnQdg.g!CfZ97o[R_6QDPCtCc_Ju2\_4r1t7
+%9S0on7CPTk!fnUp]#qpd>];)SOtpY8.5R3HKFa,c!^+S[0U2n:IAqL?"PD'bdfSX!201NrG\]RmXfu!=6/XKBo>%)q]aTf(:P?5d
+%O'6+25sb]UY&Bo1m;O=ilq&(pF(!K8UC3B'O64"k-a6aiHn:=!ON\hskX.lSXpg[EH/bKY;A$`r>cbZ5,_h(\(A`c@juA_K:C-Pm
+%O?1krs59`L)'FG$pc8qc6?ABKB$I@@qGuB6$8=6)9FEfV6(iL_Fb!>JiFjf"0:iT*a33JQ4=f2?'O7"77QfZH,#ZdCRaGm*$^L9k
+%aT8B*#ERm_"a'sTQZRaWMmQ`)QYrS[27I!ddT=YoE.,t6g^1+0:aSV4^oR['[Us'-otePMZAp/4VEXEZNL%ZEXn^[dR.Z5%nh&p'
+%n2QdsS;QrTNP@U?8p2pmoUH>8WR/c*QuAjbAf-k$9N6"W-HJ<#qh-uLjcCUd\3u++T!0oBK&B8GSl#5P=.p`;'TFs[%`OS*Oskl+
+%M%*-Z4!$W&'>cG8/&?t!)*)lU50`h<\dc[?&7<e'588aPrIF>Laq;i\*XomTfMYAR$8U%%)i&%L)P0?1a]uCur+:reJ`f*O(2VE?
+%E?BIP7:K>L&P.:mK.?G>jFJh3ET0XUM2WHg1*@auecUR2-l*eY+9s)=#WY)r,kMSd0,uO?$_rC8K:.$,-pCZ8WWED5rij]/E7lgQ
+%Hlqm@KN2I$03n8fl+7htR$clpf7U`4NtiC%KT=aZL]l&&"0u*60.7-(">'d+-[_c$bnnggFUFcT=@3ujcru/i;?l(9='`QSJ8Ga&
+%,SA:TmmZcsYot.PO^M1r`/:]Ac&u[unQ:huVC;;'a+[=kkTaBpfUBk/%]qh4K!,sD1]@pYk/552\D4k-N0AJEEj<nD?V$"/*J0r-
+%nH=M#`tJq]^nItDe4j=0?61SWYn/CMmE3ejiZkV$0J!&LLd9sA*LW;:DD2;`;I$(n3+QU,8c7!o6('!QHj39[U]g=U,tf0C@<f:s
+%-)DET)K>J9!$O1]ERVd%o^h<RXHU$I0VX<'fuC8<eJL.dZW>L"#rWb2;Z`\T!^SIs,Ut5l;4M\ncWDh'fo[<:%Bq8??U>Te<Ru_b
+%;2C#b"-$<iOBGrs\-oMND8E68We6Xg"_RXJk<b9aOV5ITQ/I1P8O,dRE=t_Lm:>km6On-)cmUR;h2mBd6o8`^.8^Ldn=RQd*^CF,
+%5PRS?Zmj6LnG%S#5XF?n@?+st@FM<2:5rj$BP!dZ/u?Z&n9c.>es'DVaZ%!BnGM5s9b&Rs>/'LY+_*fD8WQl9Hq7:UWM)tH#ojP2
+%1L,O-&mW6(Ze$uf%uHHYB+WFa#b07r5dT^]!DoZT6bIdU#D*lcm8EKu3M.Hl34PTF#=65#F=]V`TqH%\4]8SHFmF<0(k^RcBsB$a
+%TH!#H5)7(E-H]gpA21('"J;nV$.DQ``h9sWKGpin3C;ea(_?m:\Yt@+dNM'!6UX2m+sr:Cc?L+,<PX_-AV"H)FJN\-+UFFJNN5e;
+%,0+JoC1(Ba+N\+lFkC-\)KsC`2HA!+#6D\o$D+aPD8fG*J"rqc6[,5OXu/mJ*cTaSenM_81O,'o$q<?05.scE%T@p94(fQUU#lsh
+%MsS@2^]St,?t*80P?9.kEi:J#L:/NT;2>a]2M%4c.0+H=QjZM*8!%`b?_thT'?(3'9[Pc/3MQ;+-POlAAn=&o`cpl^R]G\uE-.r[
+%<)Z:LF=F!s+fE#SH8EK@Seb@ScF$WP`s&HSVF7J!>Sq/pO^)7I*l\jGLJsQ!6,br"`=gY0C_?1&#eHHR@)D)>63eq&@T?7nYgX:_
+%80/h@NC&aJ0L\TEAJCZNN<j5^.2(&0?e^^8AsZ$(=\6%3W$qcR7rYIT8<7Qs=?`+WPoBo37G/4]("U6tQ'BVBI;ZjZ:U&&'!R\Si
+%Q1@aE;Oq?57i27eD1l^b$-f<AFN?HbTR)VI=!:s^7=oI,Sh%[HcrWo)7a;`l23O70Oj`<2-MVT?.M7VVWXDCl=nIsSdJD6eE'Bp;
+%'I3CAGcOP^/<PXrSuK^@DoqCf5adSeKNg>n4<_l!a=D657FhR)#E)"?>[O]]#Zh2,I\ijn-<9_5mR6T'$=?E(WV/*(P0Y'Zn,c/.
+%U>Zj_!MZhd0Jo-Y7*6C5a4c9V/#rP^p;A@KPH<-DjJG&j<8:tDr?r'FTgCAR)L;D>EC*6<WiRVs)^a2dE#hQ-V^_G<EGLH[:7;g!
+%Rc`%\dNpj1Pmius_&Y9f\k4J`W`<`"fkhlkUre*:1,;@HiB@M.BXC4&4ko$K.!9s@<frPCj?ksA&Gnd55o2MGosrA!A\*?KKUV.P
+%j=67tn:lNdNB%`Jl\$:I&Oc!4eCeV6O[es8\.V*)::hr%c)//aN9*V`^r`aDEYR+U&h\sa)l\Lm:!)DC^&cW[ihHAQl#r\Ukp\6@
+%5kE%te*J@1/<h8<j9.<^3_c@oOSTHVLnKIq>qRN'+PIlHG6j'A4R_+oT&+O>4SFSC.Y3WtVo-t4,YpKn4>ARZCi`_2nHBe:[R0QU
+%-E=nd\ekZ0Uf;?I)ck8$#UN5Hp-GH-ZshF?S(FkV((uTa_5?7iD]HciK1L#+K5RP?_Asr5XWd.F89#G*kU,?8[#j?iP?`1aKc;*k
+%jQGQs?oVO.7Kf$Q!&P[oN04W=Z_;=S$]0SuaI*TI@tC"\Z"P-gkX/4^OIR:9,n[CmK4se>,bDFQjYhh2$n.Dip!ZH>g4UR%MPS4S
+%5&GDh,R*Q\po[a/nn_923g/b5X;T/A:*["ZT$(nBRlJ,?Q'.jN/m;"OF1?br$T9L0/=//,QaSb62Hg,?_hG*#Cu-K*-(a0=4PKKX
+%,^S/IIiNO/>Z8@[-S`V]=CDZ_.mEVO!@<OV-L068oM)faHhZXTI2R?/(*C`mitXjHeI^'5PHs^\`h&FH-YECr'uFo1dD*WIZ5]"l
+%ks\io&sV^nY@n8MZ$h01"Jc%Fru>f9-*=r]?XB(AqY4J9%!k'N/V:).!lH-W$nH0Y<L`[+elDZeo6LB+Y5M/gGq"Hhr0?8#J6+0Q
+%*7+&d64@oElPIn!Z.;M6iAP\>UtA2lYI$_&UEP'2j(i5^i;X9IR,j1JU$O%ck0Q"dnqHtbK_,+dQ+VAM>A@I6]@-NNeF`Crl:q5M
+%?#BMB[o55VlMoA9C9)LO=FI:.iu@<]?11#mFfTS1pD6\G96C"%FQl^aomb.>&V'~>
+%AI9_PrivateDataEnd
diff --git a/contrib/bind9/doc/arm/isc-logo.pdf b/contrib/bind9/doc/arm/isc-logo.pdf
new file mode 100644
index 0000000..71d3fdd
--- /dev/null
+++ b/contrib/bind9/doc/arm/isc-logo.pdf
Binary files differ
diff --git a/contrib/bind9/doc/arm/man.dig.html b/contrib/bind9/doc/arm/man.dig.html
new file mode 100644
index 0000000..942b7fe
--- /dev/null
+++ b/contrib/bind9/doc/arm/man.dig.html
@@ -0,0 +1,665 @@
+<!--
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: man.dig.html,v 1.2.2.37 2007/01/30 00:23:46 marka Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>dig</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
+<link rel="prev" href="Bv9ARM.ch10.html" title="Manual pages">
+<link rel="next" href="man.host.html" title="host">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center">dig</th></tr>
+<tr>
+<td width="20%" align="left">
+<a accesskey="p" href="Bv9ARM.ch10.html">Prev</a> </td>
+<th width="60%" align="center">Manual pages</th>
+<td width="20%" align="right"> <a accesskey="n" href="man.host.html">Next</a>
+</td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="refentry" lang="en">
+<a name="man.dig"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p>dig &#8212; DNS lookup utility</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">dig</code> [@server] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-k <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-q <em class="replaceable"><code>name</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]name:key</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] [name] [type] [class] [queryopt...]</p></div>
+<div class="cmdsynopsis"><p><code class="command">dig</code> [<code class="option">-h</code>]</p></div>
+<div class="cmdsynopsis"><p><code class="command">dig</code> [global-queryopt...] [query...]</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2564009"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">dig</strong></span>
+ (domain information groper) is a flexible tool
+ for interrogating DNS name servers. It performs DNS lookups and
+ displays the answers that are returned from the name server(s) that
+ were queried. Most DNS administrators use <span><strong class="command">dig</strong></span> to
+ troubleshoot DNS problems because of its flexibility, ease of use and
+ clarity of output. Other lookup tools tend to have less functionality
+ than <span><strong class="command">dig</strong></span>.
+ </p>
+<p>
+ Although <span><strong class="command">dig</strong></span> is normally used with
+ command-line
+ arguments, it also has a batch mode of operation for reading lookup
+ requests from a file. A brief summary of its command-line arguments
+ and options is printed when the <code class="option">-h</code> option is given.
+ Unlike earlier versions, the BIND9 implementation of
+ <span><strong class="command">dig</strong></span> allows multiple lookups to be issued
+ from the
+ command line.
+ </p>
+<p>
+ Unless it is told to query a specific name server,
+ <span><strong class="command">dig</strong></span> will try each of the servers listed
+ in
+ <code class="filename">/etc/resolv.conf</code>.
+ </p>
+<p>
+ When no command line arguments or options are given, will perform an
+ NS query for "." (the root).
+ </p>
+<p>
+ It is possible to set per-user defaults for <span><strong class="command">dig</strong></span> via
+ <code class="filename">${HOME}/.digrc</code>. This file is read and
+ any options in it
+ are applied before the command line arguments.
+ </p>
+<p>
+ The IN and CH class names overlap with the IN and CH top level
+ domains names. Either use the <code class="option">-t</code> and
+ <code class="option">-c</code> options to specify the type and class or
+ use the <code class="option">-q</code> the specify the domain name or
+ use "IN." and "CH." when looking up these top level domains.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2572153"></a><h2>SIMPLE USAGE</h2>
+<p>
+ A typical invocation of <span><strong class="command">dig</strong></span> looks like:
+ </p>
+<pre class="programlisting"> dig @server name type </pre>
+<p>
+ where:
+
+ </p>
+<div class="variablelist"><dl>
+<dt><span class="term"><code class="constant">server</code></span></dt>
+<dd><p>
+ is the name or IP address of the name server to query. This can
+ be an IPv4
+ address in dotted-decimal notation or an IPv6
+ address in colon-delimited notation. When the supplied
+ <em class="parameter"><code>server</code></em> argument is a
+ hostname,
+ <span><strong class="command">dig</strong></span> resolves that name before
+ querying that name
+ server. If no <em class="parameter"><code>server</code></em>
+ argument is provided,
+ <span><strong class="command">dig</strong></span> consults <code class="filename">/etc/resolv.conf</code>
+ and queries the name servers listed there. The reply from the
+ name
+ server that responds is displayed.
+ </p></dd>
+<dt><span class="term"><code class="constant">name</code></span></dt>
+<dd><p>
+ is the name of the resource record that is to be looked up.
+ </p></dd>
+<dt><span class="term"><code class="constant">type</code></span></dt>
+<dd><p>
+ indicates what type of query is required &#8212;
+ ANY, A, MX, SIG, etc.
+ <em class="parameter"><code>type</code></em> can be any valid query
+ type. If no
+ <em class="parameter"><code>type</code></em> argument is supplied,
+ <span><strong class="command">dig</strong></span> will perform a lookup for an
+ A record.
+ </p></dd>
+</dl></div>
+<p>
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2572264"></a><h2>OPTIONS</h2>
+<p>
+ The <code class="option">-b</code> option sets the source IP address of the query
+ to <em class="parameter"><code>address</code></em>. This must be a valid
+ address on
+ one of the host's network interfaces or "0.0.0.0" or "::". An optional
+ port
+ may be specified by appending "#&lt;port&gt;"
+ </p>
+<p>
+ The default query class (IN for internet) is overridden by the
+ <code class="option">-c</code> option. <em class="parameter"><code>class</code></em> is
+ any valid
+ class, such as HS for Hesiod records or CH for CHAOSNET records.
+ </p>
+<p>
+ The <code class="option">-f</code> option makes <span><strong class="command">dig </strong></span>
+ operate
+ in batch mode by reading a list of lookup requests to process from the
+ file <em class="parameter"><code>filename</code></em>. The file contains a
+ number of
+ queries, one per line. Each entry in the file should be organised in
+ the same way they would be presented as queries to
+ <span><strong class="command">dig</strong></span> using the command-line interface.
+ </p>
+<p>
+ If a non-standard port number is to be queried, the
+ <code class="option">-p</code> option is used. <em class="parameter"><code>port#</code></em> is
+ the port number that <span><strong class="command">dig</strong></span> will send its
+ queries
+ instead of the standard DNS port number 53. This option would be used
+ to test a name server that has been configured to listen for queries
+ on a non-standard port number.
+ </p>
+<p>
+ The <code class="option">-4</code> option forces <span><strong class="command">dig</strong></span>
+ to only
+ use IPv4 query transport. The <code class="option">-6</code> option forces
+ <span><strong class="command">dig</strong></span> to only use IPv6 query transport.
+ </p>
+<p>
+ The <code class="option">-t</code> option sets the query type to
+ <em class="parameter"><code>type</code></em>. It can be any valid query type
+ which is
+ supported in BIND9. The default query type "A", unless the
+ <code class="option">-x</code> option is supplied to indicate a reverse lookup.
+ A zone transfer can be requested by specifying a type of AXFR. When
+ an incremental zone transfer (IXFR) is required,
+ <em class="parameter"><code>type</code></em> is set to <code class="literal">ixfr=N</code>.
+ The incremental zone transfer will contain the changes made to the zone
+ since the serial number in the zone's SOA record was
+ <em class="parameter"><code>N</code></em>.
+ </p>
+<p>
+ The <code class="option">-q</code> option sets the query name to
+ <em class="parameter"><code>name</code></em>. This useful do distingish the
+ <em class="parameter"><code>name</code></em> from other arguments.
+ </p>
+<p>
+ Reverse lookups - mapping addresses to names - are simplified by the
+ <code class="option">-x</code> option. <em class="parameter"><code>addr</code></em> is
+ an IPv4
+ address in dotted-decimal notation, or a colon-delimited IPv6 address.
+ When this option is used, there is no need to provide the
+ <em class="parameter"><code>name</code></em>, <em class="parameter"><code>class</code></em> and
+ <em class="parameter"><code>type</code></em> arguments. <span><strong class="command">dig</strong></span>
+ automatically performs a lookup for a name like
+ <code class="literal">11.12.13.10.in-addr.arpa</code> and sets the
+ query type and
+ class to PTR and IN respectively. By default, IPv6 addresses are
+ looked up using nibble format under the IP6.ARPA domain.
+ To use the older RFC1886 method using the IP6.INT domain
+ specify the <code class="option">-i</code> option. Bit string labels (RFC2874)
+ are now experimental and are not attempted.
+ </p>
+<p>
+ To sign the DNS queries sent by <span><strong class="command">dig</strong></span> and
+ their
+ responses using transaction signatures (TSIG), specify a TSIG key file
+ using the <code class="option">-k</code> option. You can also specify the TSIG
+ key itself on the command line using the <code class="option">-y</code> option;
+ <em class="parameter"><code>hmac</code></em> is the type of the TSIG, default HMAC-MD5,
+ <em class="parameter"><code>name</code></em> is the name of the TSIG key and
+ <em class="parameter"><code>key</code></em> is the actual key. The key is a
+ base-64
+ encoded string, typically generated by
+ <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
+
+ Caution should be taken when using the <code class="option">-y</code> option on
+ multi-user systems as the key can be visible in the output from
+ <span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span>
+ or in the shell's history file. When
+ using TSIG authentication with <span><strong class="command">dig</strong></span>, the name
+ server that is queried needs to know the key and algorithm that is
+ being used. In BIND, this is done by providing appropriate
+ <span><strong class="command">key</strong></span> and <span><strong class="command">server</strong></span> statements in
+ <code class="filename">named.conf</code>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2649124"></a><h2>QUERY OPTIONS</h2>
+<p><span><strong class="command">dig</strong></span>
+ provides a number of query options which affect
+ the way in which lookups are made and the results displayed. Some of
+ these set or reset flag bits in the query header, some determine which
+ sections of the answer get printed, and others determine the timeout
+ and retry strategies.
+ </p>
+<p>
+ Each query option is identified by a keyword preceded by a plus sign
+ (<code class="literal">+</code>). Some keywords set or reset an
+ option. These may be preceded
+ by the string <code class="literal">no</code> to negate the meaning of
+ that keyword. Other
+ keywords assign values to options like the timeout interval. They
+ have the form <code class="option">+keyword=value</code>.
+ The query options are:
+
+ </p>
+<div class="variablelist"><dl>
+<dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
+<dd><p>
+ Use [do not use] TCP when querying name servers. The default
+ behaviour is to use UDP unless an AXFR or IXFR query is
+ requested, in
+ which case a TCP connection is used.
+ </p></dd>
+<dt><span class="term"><code class="option">+[no]vc</code></span></dt>
+<dd><p>
+ Use [do not use] TCP when querying name servers. This alternate
+ syntax to <em class="parameter"><code>+[no]tcp</code></em> is
+ provided for backwards
+ compatibility. The "vc" stands for "virtual circuit".
+ </p></dd>
+<dt><span class="term"><code class="option">+[no]ignore</code></span></dt>
+<dd><p>
+ Ignore truncation in UDP responses instead of retrying with TCP.
+ By
+ default, TCP retries are performed.
+ </p></dd>
+<dt><span class="term"><code class="option">+domain=somename</code></span></dt>
+<dd><p>
+ Set the search list to contain the single domain
+ <em class="parameter"><code>somename</code></em>, as if specified in
+ a
+ <span><strong class="command">domain</strong></span> directive in
+ <code class="filename">/etc/resolv.conf</code>, and enable
+ search list
+ processing as if the <em class="parameter"><code>+search</code></em>
+ option were given.
+ </p></dd>
+<dt><span class="term"><code class="option">+[no]search</code></span></dt>
+<dd><p>
+ Use [do not use] the search list defined by the searchlist or
+ domain
+ directive in <code class="filename">resolv.conf</code> (if
+ any).
+ The search list is not used by default.
+ </p></dd>
+<dt><span class="term"><code class="option">+[no]showsearch</code></span></dt>
+<dd><p>
+ Perform [do not perform] a search showing intermediate
+ results.
+ </p></dd>
+<dt><span class="term"><code class="option">+[no]defname</code></span></dt>
+<dd><p>
+ Deprecated, treated as a synonym for <em class="parameter"><code>+[no]search</code></em>
+ </p></dd>
+<dt><span class="term"><code class="option">+[no]aaonly</code></span></dt>
+<dd><p>
+ Sets the "aa" flag in the query.
+ </p></dd>
+<dt><span class="term"><code class="option">+[no]aaflag</code></span></dt>
+<dd><p>
+ A synonym for <em class="parameter"><code>+[no]aaonly</code></em>.
+ </p></dd>
+<dt><span class="term"><code class="option">+[no]adflag</code></span></dt>
+<dd><p>
+ Set [do not set] the AD (authentic data) bit in the query. The
+ AD bit
+ currently has a standard meaning only in responses, not in
+ queries,
+ but the ability to set the bit in the query is provided for
+ completeness.
+ </p></dd>
+<dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
+<dd><p>
+ Set [do not set] the CD (checking disabled) bit in the query.
+ This
+ requests the server to not perform DNSSEC validation of
+ responses.
+ </p></dd>
+<dt><span class="term"><code class="option">+[no]cl</code></span></dt>
+<dd><p>
+ Display [do not display] the CLASS when printing the record.
+ </p></dd>
+<dt><span class="term"><code class="option">+[no]ttlid</code></span></dt>
+<dd><p>
+ Display [do not display] the TTL when printing the record.
+ </p></dd>
+<dt><span class="term"><code class="option">+[no]recurse</code></span></dt>
+<dd><p>
+ Toggle the setting of the RD (recursion desired) bit in the
+ query.
+ This bit is set by default, which means <span><strong class="command">dig</strong></span>
+ normally sends recursive queries. Recursion is automatically
+ disabled
+ when the <em class="parameter"><code>+nssearch</code></em> or
+ <em class="parameter"><code>+trace</code></em> query options are
+ used.
+ </p></dd>
+<dt><span class="term"><code class="option">+[no]nssearch</code></span></dt>
+<dd><p>
+ When this option is set, <span><strong class="command">dig</strong></span>
+ attempts to find the
+ authoritative name servers for the zone containing the name
+ being
+ looked up and display the SOA record that each name server has
+ for the
+ zone.
+ </p></dd>
+<dt><span class="term"><code class="option">+[no]trace</code></span></dt>
+<dd><p>
+ Toggle tracing of the delegation path from the root name servers
+ for
+ the name being looked up. Tracing is disabled by default. When
+ tracing is enabled, <span><strong class="command">dig</strong></span> makes
+ iterative queries to
+ resolve the name being looked up. It will follow referrals from
+ the
+ root servers, showing the answer from each server that was used
+ to
+ resolve the lookup.
+ </p></dd>
+<dt><span class="term"><code class="option">+[no]cmd</code></span></dt>
+<dd><p>
+ toggles the printing of the initial comment in the output
+ identifying
+ the version of <span><strong class="command">dig</strong></span> and the query
+ options that have
+ been applied. This comment is printed by default.
+ </p></dd>
+<dt><span class="term"><code class="option">+[no]short</code></span></dt>
+<dd><p>
+ Provide a terse answer. The default is to print the answer in a
+ verbose form.
+ </p></dd>
+<dt><span class="term"><code class="option">+[no]identify</code></span></dt>
+<dd><p>
+ Show [or do not show] the IP address and port number that
+ supplied the
+ answer when the <em class="parameter"><code>+short</code></em> option
+ is enabled. If
+ short form answers are requested, the default is not to show the
+ source address and port number of the server that provided the
+ answer.
+ </p></dd>
+<dt><span class="term"><code class="option">+[no]comments</code></span></dt>
+<dd><p>
+ Toggle the display of comment lines in the output. The default
+ is to
+ print comments.
+ </p></dd>
+<dt><span class="term"><code class="option">+[no]stats</code></span></dt>
+<dd><p>
+ This query option toggles the printing of statistics: when the
+ query
+ was made, the size of the reply and so on. The default
+ behaviour is
+ to print the query statistics.
+ </p></dd>
+<dt><span class="term"><code class="option">+[no]qr</code></span></dt>
+<dd><p>
+ Print [do not print] the query as it is sent.
+ By default, the query is not printed.
+ </p></dd>
+<dt><span class="term"><code class="option">+[no]question</code></span></dt>
+<dd><p>
+ Print [do not print] the question section of a query when an
+ answer is
+ returned. The default is to print the question section as a
+ comment.
+ </p></dd>
+<dt><span class="term"><code class="option">+[no]answer</code></span></dt>
+<dd><p>
+ Display [do not display] the answer section of a reply. The
+ default
+ is to display it.
+ </p></dd>
+<dt><span class="term"><code class="option">+[no]authority</code></span></dt>
+<dd><p>
+ Display [do not display] the authority section of a reply. The
+ default is to display it.
+ </p></dd>
+<dt><span class="term"><code class="option">+[no]additional</code></span></dt>
+<dd><p>
+ Display [do not display] the additional section of a reply.
+ The default is to display it.
+ </p></dd>
+<dt><span class="term"><code class="option">+[no]all</code></span></dt>
+<dd><p>
+ Set or clear all display flags.
+ </p></dd>
+<dt><span class="term"><code class="option">+time=T</code></span></dt>
+<dd><p>
+
+ Sets the timeout for a query to
+ <em class="parameter"><code>T</code></em> seconds. The default time
+ out is 5 seconds.
+ An attempt to set <em class="parameter"><code>T</code></em> to less
+ than 1 will result
+ in a query timeout of 1 second being applied.
+ </p></dd>
+<dt><span class="term"><code class="option">+tries=T</code></span></dt>
+<dd><p>
+ Sets the number of times to try UDP queries to server to
+ <em class="parameter"><code>T</code></em> instead of the default, 3.
+ If
+ <em class="parameter"><code>T</code></em> is less than or equal to
+ zero, the number of
+ tries is silently rounded up to 1.
+ </p></dd>
+<dt><span class="term"><code class="option">+retry=T</code></span></dt>
+<dd><p>
+ Sets the number of times to retry UDP queries to server to
+ <em class="parameter"><code>T</code></em> instead of the default, 2.
+ Unlike
+ <em class="parameter"><code>+tries</code></em>, this does not include
+ the initial
+ query.
+ </p></dd>
+<dt><span class="term"><code class="option">+ndots=D</code></span></dt>
+<dd><p>
+ Set the number of dots that have to appear in
+ <em class="parameter"><code>name</code></em> to <em class="parameter"><code>D</code></em> for it to be
+ considered absolute. The default value is that defined using
+ the
+ ndots statement in <code class="filename">/etc/resolv.conf</code>, or 1 if no
+ ndots statement is present. Names with fewer dots are
+ interpreted as
+ relative names and will be searched for in the domains listed in
+ the
+ <code class="option">search</code> or <code class="option">domain</code> directive in
+ <code class="filename">/etc/resolv.conf</code>.
+ </p></dd>
+<dt><span class="term"><code class="option">+bufsize=B</code></span></dt>
+<dd><p>
+ Set the UDP message buffer size advertised using EDNS0 to
+ <em class="parameter"><code>B</code></em> bytes. The maximum and minimum sizes
+ of this buffer are 65535 and 0 respectively. Values outside
+ this range are rounded up or down appropriately.
+ Values other than zero will cause a EDNS query to be sent.
+ </p></dd>
+<dt><span class="term"><code class="option">+edns=#</code></span></dt>
+<dd><p>
+ Specify the EDNS version to query with. Valid values
+ are 0 to 255. Setting the EDNS version will cause a
+ EDNS query to be sent. <code class="option">+noedns</code> clears the
+ remembered EDNS version.
+ </p></dd>
+<dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
+<dd><p>
+ Print records like the SOA records in a verbose multi-line
+ format with human-readable comments. The default is to print
+ each record on a single line, to facilitate machine parsing
+ of the <span><strong class="command">dig</strong></span> output.
+ </p></dd>
+<dt><span class="term"><code class="option">+[no]fail</code></span></dt>
+<dd><p>
+ Do not try the next server if you receive a SERVFAIL. The
+ default is
+ to not try the next server which is the reverse of normal stub
+ resolver
+ behaviour.
+ </p></dd>
+<dt><span class="term"><code class="option">+[no]besteffort</code></span></dt>
+<dd><p>
+ Attempt to display the contents of messages which are malformed.
+ The default is to not display malformed answers.
+ </p></dd>
+<dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
+<dd><p>
+ Requests DNSSEC records be sent by setting the DNSSEC OK bit
+ (DO)
+ in the OPT record in the additional section of the query.
+ </p></dd>
+<dt><span class="term"><code class="option">+[no]sigchase</code></span></dt>
+<dd><p>
+ Chase DNSSEC signature chains. Requires dig be compiled with
+ -DDIG_SIGCHASE.
+ </p></dd>
+<dt><span class="term"><code class="option">+trusted-key=####</code></span></dt>
+<dd>
+<p>
+ Specifies a file containing trusted keys to be used with
+ <code class="option">+sigchase</code>. Each DNSKEY record must be
+ on its own line.
+ </p>
+<p>
+ If not specified <span><strong class="command">dig</strong></span> will look for
+ <code class="filename">/etc/trusted-key.key</code> then
+ <code class="filename">trusted-key.key</code> in the current directory.
+ </p>
+<p>
+ Requires dig be compiled with -DDIG_SIGCHASE.
+ </p>
+</dd>
+<dt><span class="term"><code class="option">+[no]topdown</code></span></dt>
+<dd><p>
+ When chasing DNSSEC signature chains perform a top down
+ validation.
+ Requires dig be compiled with -DDIG_SIGCHASE.
+ </p></dd>
+</dl></div>
+<p>
+
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2650042"></a><h2>MULTIPLE QUERIES</h2>
+<p>
+ The BIND 9 implementation of <span><strong class="command">dig </strong></span>
+ supports
+ specifying multiple queries on the command line (in addition to
+ supporting the <code class="option">-f</code> batch file option). Each of those
+ queries can be supplied with its own set of flags, options and query
+ options.
+ </p>
+<p>
+ In this case, each <em class="parameter"><code>query</code></em> argument
+ represent an
+ individual query in the command-line syntax described above. Each
+ consists of any of the standard options and flags, the name to be
+ looked up, an optional query type and class and any query options that
+ should be applied to that query.
+ </p>
+<p>
+ A global set of query options, which should be applied to all queries,
+ can also be supplied. These global query options must precede the
+ first tuple of name, class, type, options, flags, and query options
+ supplied on the command line. Any global query options (except
+ the <code class="option">+[no]cmd</code> option) can be
+ overridden by a query-specific set of query options. For example:
+ </p>
+<pre class="programlisting">
+dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
+</pre>
+<p>
+ shows how <span><strong class="command">dig</strong></span> could be used from the
+ command line
+ to make three lookups: an ANY query for <code class="literal">www.isc.org</code>, a
+ reverse lookup of 127.0.0.1 and a query for the NS records of
+ <code class="literal">isc.org</code>.
+
+ A global query option of <em class="parameter"><code>+qr</code></em> is
+ applied, so
+ that <span><strong class="command">dig</strong></span> shows the initial query it made
+ for each
+ lookup. The final query has a local query option of
+ <em class="parameter"><code>+noqr</code></em> which means that <span><strong class="command">dig</strong></span>
+ will not print the initial query when it looks up the NS records for
+ <code class="literal">isc.org</code>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2650196"></a><h2>IDN SUPPORT</h2>
+<p>
+ If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized
+ domain name) support, it can accept and display non-ASCII domain names.
+ <span><strong class="command">dig</strong></span> appropriately converts character encoding of
+ domain name before sending a request to DNS server or displaying a
+ reply from the server.
+ If you'd like to turn off the IDN support for some reason, defines
+ the <code class="envar">IDN_DISABLE</code> environment variable.
+ The IDN support is disabled if the variable is set when
+ <span><strong class="command">dig</strong></span> runs.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2650225"></a><h2>FILES</h2>
+<p><code class="filename">/etc/resolv.conf</code>
+ </p>
+<p><code class="filename">${HOME}/.digrc</code>
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2650246"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
+ <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+ <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+ <em class="citetitle">RFC1035</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2650352"></a><h2>BUGS</h2>
+<p>
+ There are probably too many query options.
+ </p>
+</div>
+</div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">
+<a accesskey="p" href="Bv9ARM.ch10.html">Prev</a> </td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
+<td width="40%" align="right"> <a accesskey="n" href="man.host.html">Next</a>
+</td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">Manual pages </td>
+<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
+<td width="40%" align="right" valign="top"> host</td>
+</tr>
+</table>
+</div>
+</body>
+</html>
diff --git a/contrib/bind9/doc/arm/man.dnssec-keygen.html b/contrib/bind9/doc/arm/man.dnssec-keygen.html
new file mode 100644
index 0000000..4836f04
--- /dev/null
+++ b/contrib/bind9/doc/arm/man.dnssec-keygen.html
@@ -0,0 +1,269 @@
+<!--
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: man.dnssec-keygen.html,v 1.2.2.37 2007/01/30 00:23:46 marka Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>dnssec-keygen</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
+<link rel="prev" href="man.host.html" title="host">
+<link rel="next" href="man.dnssec-signzone.html" title="dnssec-signzone">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center"><span class="application">dnssec-keygen</span></th></tr>
+<tr>
+<td width="20%" align="left">
+<a accesskey="p" href="man.host.html">Prev</a> </td>
+<th width="60%" align="center">Manual pages</th>
+<td width="20%" align="right"> <a accesskey="n" href="man.dnssec-signzone.html">Next</a>
+</td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="refentry" lang="en">
+<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">dnssec-keygen</span> &#8212; DNSSEC key generation tool</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2597473"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">dnssec-keygen</strong></span>
+ generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
+ and RFC &lt;TBA\&gt;. It can also generate keys for use with
+ TSIG (Transaction Signatures), as defined in RFC 2845.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2597555"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
+<dd>
+<p>
+ Selects the cryptographic algorithm. The value of
+ <code class="option">algorithm</code> must be one of RSAMD5 (RSA) or RSASHA1,
+ DSA, DH (Diffie Hellman), or HMAC-MD5. These values
+ are case insensitive.
+ </p>
+<p>
+ Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
+ algorithm,
+ and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
+ </p>
+<p>
+ Note 2: HMAC-MD5 and DH automatically set the -k flag.
+ </p>
+</dd>
+<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
+<dd><p>
+ Specifies the number of bits in the key. The choice of key
+ size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
+ between
+ 512 and 2048 bits. Diffie Hellman keys must be between
+ 128 and 4096 bits. DSA keys must be between 512 and 1024
+ bits and an exact multiple of 64. HMAC-MD5 keys must be
+ between 1 and 512 bits.
+ </p></dd>
+<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
+<dd><p>
+ Specifies the owner type of the key. The value of
+ <code class="option">nametype</code> must either be ZONE (for a DNSSEC
+ zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
+ a host (KEY)),
+ USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
+ These values are
+ case insensitive.
+ </p></dd>
+<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
+<dd><p>
+ Indicates that the DNS record containing the key should have
+ the specified class. If not specified, class IN is used.
+ </p></dd>
+<dt><span class="term">-e</span></dt>
+<dd><p>
+ If generating an RSAMD5/RSASHA1 key, use a large exponent.
+ </p></dd>
+<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
+<dd><p>
+ Set the specified flag in the flag field of the KEY/DNSKEY record.
+ The only recognized flag is KSK (Key Signing Key) DNSKEY.
+ </p></dd>
+<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
+<dd><p>
+ If generating a Diffie Hellman key, use this generator.
+ Allowed values are 2 and 5. If no generator
+ is specified, a known prime from RFC 2539 will be used
+ if possible; otherwise the default is 2.
+ </p></dd>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+ Prints a short summary of the options and arguments to
+ <span><strong class="command">dnssec-keygen</strong></span>.
+ </p></dd>
+<dt><span class="term">-k</span></dt>
+<dd><p>
+ Generate KEY records rather than DNSKEY records.
+ </p></dd>
+<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
+<dd><p>
+ Sets the protocol value for the generated key. The protocol
+ is a number between 0 and 255. The default is 3 (DNSSEC).
+ Other possible values for this argument are listed in
+ RFC 2535 and its successors.
+ </p></dd>
+<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
+<dd><p>
+ Specifies the source of randomness. If the operating
+ system does not provide a <code class="filename">/dev/random</code>
+ or equivalent device, the default source of randomness
+ is keyboard input. <code class="filename">randomdev</code>
+ specifies
+ the name of a character device or file containing random
+ data to be used instead of the default. The special value
+ <code class="filename">keyboard</code> indicates that keyboard
+ input should be used.
+ </p></dd>
+<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
+<dd><p>
+ Specifies the strength value of the key. The strength is
+ a number between 0 and 15, and currently has no defined
+ purpose in DNSSEC.
+ </p></dd>
+<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
+<dd><p>
+ Indicates the use of the key. <code class="option">type</code> must be
+ one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
+ is AUTHCONF. AUTH refers to the ability to authenticate
+ data, and CONF the ability to encrypt data.
+ </p></dd>
+<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
+<dd><p>
+ Sets the debugging level.
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2597966"></a><h2>GENERATED KEYS</h2>
+<p>
+ When <span><strong class="command">dnssec-keygen</strong></span> completes
+ successfully,
+ it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
+ to the standard output. This is an identification string for
+ the key it has generated.
+ </p>
+<div class="itemizedlist"><ul type="disc">
+<li><p><code class="filename">nnnn</code> is the key name.
+ </p></li>
+<li><p><code class="filename">aaa</code> is the numeric representation
+ of the
+ algorithm.
+ </p></li>
+<li><p><code class="filename">iiiii</code> is the key identifier (or
+ footprint).
+ </p></li>
+</ul></div>
+<p><span><strong class="command">dnssec-keygen</strong></span>
+ creates two file, with names based
+ on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
+ contains the public key, and
+ <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
+ private
+ key.
+ </p>
+<p>
+ The <code class="filename">.key</code> file contains a DNS KEY record
+ that
+ can be inserted into a zone file (directly or with a $INCLUDE
+ statement).
+ </p>
+<p>
+ The <code class="filename">.private</code> file contains algorithm
+ specific
+ fields. For obvious security reasons, this file does not have
+ general read permission.
+ </p>
+<p>
+ Both <code class="filename">.key</code> and <code class="filename">.private</code>
+ files are generated for symmetric encryption algorithm such as
+ HMAC-MD5, even though the public and private key are equivalent.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2598074"></a><h2>EXAMPLE</h2>
+<p>
+ To generate a 768-bit DSA key for the domain
+ <strong class="userinput"><code>example.com</code></strong>, the following command would be
+ issued:
+ </p>
+<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
+ </p>
+<p>
+ The command would print a string of the form:
+ </p>
+<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
+ </p>
+<p>
+ In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
+ the files <code class="filename">Kexample.com.+003+26160.key</code>
+ and
+ <code class="filename">Kexample.com.+003+26160.private</code>
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2598131"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+ <em class="citetitle">RFC 2535</em>,
+ <em class="citetitle">RFC 2845</em>,
+ <em class="citetitle">RFC 2539</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2600824"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">
+<a accesskey="p" href="man.host.html">Prev</a> </td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
+<td width="40%" align="right"> <a accesskey="n" href="man.dnssec-signzone.html">Next</a>
+</td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">host </td>
+<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
+<td width="40%" align="right" valign="top"> <span class="application">dnssec-signzone</span>
+</td>
+</tr>
+</table>
+</div>
+</body>
+</html>
diff --git a/contrib/bind9/doc/arm/man.dnssec-signzone.html b/contrib/bind9/doc/arm/man.dnssec-signzone.html
new file mode 100644
index 0000000..84a7979
--- /dev/null
+++ b/contrib/bind9/doc/arm/man.dnssec-signzone.html
@@ -0,0 +1,318 @@
+<!--
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: man.dnssec-signzone.html,v 1.2.2.35 2007/01/30 00:23:46 marka Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>dnssec-signzone</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
+<link rel="prev" href="man.dnssec-keygen.html" title="dnssec-keygen">
+<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center"><span class="application">dnssec-signzone</span></th></tr>
+<tr>
+<td width="20%" align="left">
+<a accesskey="p" href="man.dnssec-keygen.html">Prev</a> </td>
+<th width="60%" align="center">Manual pages</th>
+<td width="20%" align="right"> <a accesskey="n" href="man.named-checkconf.html">Next</a>
+</td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="refentry" lang="en">
+<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">dnssec-signzone</span> &#8212; DNSSEC zone signing tool</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {zonefile} [key...]</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2598526"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">dnssec-signzone</strong></span>
+ signs a zone. It generates
+ NSEC and RRSIG records and produces a signed version of the
+ zone. The security status of delegations from the signed zone
+ (that is, whether the child zones are secure or not) is
+ determined by the presence or absence of a
+ <code class="filename">keyset</code> file for each child zone.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2598546"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-a</span></dt>
+<dd><p>
+ Verify all generated signatures.
+ </p></dd>
+<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
+<dd><p>
+ Specifies the DNS class of the zone.
+ </p></dd>
+<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
+<dd><p>
+ Treat specified key as a key signing key ignoring any
+ key flags. This option may be specified multiple times.
+ </p></dd>
+<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
+<dd><p>
+ Generate a DLV set in addition to the key (DNSKEY) and DS sets.
+ The domain is appended to the name of the records.
+ </p></dd>
+<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
+<dd><p>
+ Look for <code class="filename">keyset</code> files in
+ <code class="option">directory</code> as the directory
+ </p></dd>
+<dt><span class="term">-g</span></dt>
+<dd><p>
+ Generate DS records for child zones from keyset files.
+ Existing DS records will be removed.
+ </p></dd>
+<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
+<dd><p>
+ Specify the date and time when the generated RRSIG records
+ become valid. This can be either an absolute or relative
+ time. An absolute start time is indicated by a number
+ in YYYYMMDDHHMMSS notation; 20000530144500 denotes
+ 14:45:00 UTC on May 30th, 2000. A relative start time is
+ indicated by +N, which is N seconds from the current time.
+ If no <code class="option">start-time</code> is specified, the current
+ time minus 1 hour (to allow for clock skew) is used.
+ </p></dd>
+<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
+<dd><p>
+ Specify the date and time when the generated RRSIG records
+ expire. As with <code class="option">start-time</code>, an absolute
+ time is indicated in YYYYMMDDHHMMSS notation. A time relative
+ to the start time is indicated with +N, which is N seconds from
+ the start time. A time relative to the current time is
+ indicated with now+N. If no <code class="option">end-time</code> is
+ specified, 30 days from the start time is used as a default.
+ </p></dd>
+<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
+<dd><p>
+ The name of the output file containing the signed zone. The
+ default is to append <code class="filename">.signed</code> to
+ the
+ input file.
+ </p></dd>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+ Prints a short summary of the options and arguments to
+ <span><strong class="command">dnssec-signzone</strong></span>.
+ </p></dd>
+<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
+<dd>
+<p>
+ When a previously signed zone is passed as input, records
+ may be resigned. The <code class="option">interval</code> option
+ specifies the cycle interval as an offset from the current
+ time (in seconds). If a RRSIG record expires after the
+ cycle interval, it is retained. Otherwise, it is considered
+ to be expiring soon, and it will be replaced.
+ </p>
+<p>
+ The default cycle interval is one quarter of the difference
+ between the signature end and start times. So if neither
+ <code class="option">end-time</code> or <code class="option">start-time</code>
+ are specified, <span><strong class="command">dnssec-signzone</strong></span>
+ generates
+ signatures that are valid for 30 days, with a cycle
+ interval of 7.5 days. Therefore, if any existing RRSIG records
+ are due to expire in less than 7.5 days, they would be
+ replaced.
+ </p>
+</dd>
+<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
+<dd><p>
+ The format of the input zone file.
+ Possible formats are <span><strong class="command">"text"</strong></span> (default)
+ and <span><strong class="command">"raw"</strong></span>.
+ This option is primarily intended to be used for dynamic
+ signed zones so that the dumped zone file in a non-text
+ format containing updates can be signed directly.
+ The use of this option does not make much sense for
+ non-dynamic zones.
+ </p></dd>
+<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
+<dd>
+<p>
+ When signing a zone with a fixed signature lifetime, all
+ RRSIG records issued at the time of signing expires
+ simultaneously. If the zone is incrementally signed, i.e.
+ a previously signed zone is passed as input to the signer,
+ all expired signatures has to be regenerated at about the
+ same time. The <code class="option">jitter</code> option specifies a
+ jitter window that will be used to randomize the signature
+ expire time, thus spreading incremental signature
+ regeneration over time.
+ </p>
+<p>
+ Signature lifetime jitter also to some extent benefits
+ validators and servers by spreading out cache expiration,
+ i.e. if large numbers of RRSIGs don't expire at the same time
+ from all caches there will be less congestion than if all
+ validators need to refetch at mostly the same time.
+ </p>
+</dd>
+<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
+<dd><p>
+ Specifies the number of threads to use. By default, one
+ thread is started for each detected CPU.
+ </p></dd>
+<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
+<dd>
+<p>
+ The SOA serial number format of the signed zone.
+ Possible formats are <span><strong class="command">"keep"</strong></span> (default),
+ <span><strong class="command">"increment"</strong></span> and
+ <span><strong class="command">"unixtime"</strong></span>.
+ </p>
+<div class="variablelist"><dl>
+<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
+<dd><p>Do not modify the SOA serial number.</p></dd>
+<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
+<dd><p>Increment the SOA serial number using RFC 1982
+ arithmetics.</p></dd>
+<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
+<dd><p>Set the SOA serial number to the number of seconds
+ since epoch.</p></dd>
+</dl></div>
+</dd>
+<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
+<dd><p>
+ The zone origin. If not specified, the name of the zone file
+ is assumed to be the origin.
+ </p></dd>
+<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
+<dd><p>
+ The format of the output file containing the signed zone.
+ Possible formats are <span><strong class="command">"text"</strong></span> (default)
+ and <span><strong class="command">"raw"</strong></span>.
+ </p></dd>
+<dt><span class="term">-p</span></dt>
+<dd><p>
+ Use pseudo-random data when signing the zone. This is faster,
+ but less secure, than using real random data. This option
+ may be useful when signing large zones or when the entropy
+ source is limited.
+ </p></dd>
+<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
+<dd><p>
+ Specifies the source of randomness. If the operating
+ system does not provide a <code class="filename">/dev/random</code>
+ or equivalent device, the default source of randomness
+ is keyboard input. <code class="filename">randomdev</code>
+ specifies
+ the name of a character device or file containing random
+ data to be used instead of the default. The special value
+ <code class="filename">keyboard</code> indicates that keyboard
+ input should be used.
+ </p></dd>
+<dt><span class="term">-t</span></dt>
+<dd><p>
+ Print statistics at completion.
+ </p></dd>
+<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
+<dd><p>
+ Sets the debugging level.
+ </p></dd>
+<dt><span class="term">-z</span></dt>
+<dd><p>
+ Ignore KSK flag on key when determining what to sign.
+ </p></dd>
+<dt><span class="term">zonefile</span></dt>
+<dd><p>
+ The file containing the zone to be signed.
+ </p></dd>
+<dt><span class="term">key</span></dt>
+<dd><p>
+ The keys used to sign the zone. If no keys are specified, the
+ default all zone keys that have private key files in the
+ current directory.
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2623261"></a><h2>EXAMPLE</h2>
+<p>
+ The following command signs the <strong class="userinput"><code>example.com</code></strong>
+ zone with the DSA key generated in the <span><strong class="command">dnssec-keygen</strong></span>
+ man page. The zone's keys must be in the zone. If there are
+ <code class="filename">keyset</code> files associated with child
+ zones,
+ they must be in the current directory.
+ <strong class="userinput"><code>example.com</code></strong>, the following command would be
+ issued:
+ </p>
+<p><strong class="userinput"><code>dnssec-signzone -o example.com db.example.com
+ Kexample.com.+003+26160</code></strong>
+ </p>
+<p>
+ The command would print a string of the form:
+ </p>
+<p>
+ In this example, <span><strong class="command">dnssec-signzone</strong></span> creates
+ the file <code class="filename">db.example.com.signed</code>. This
+ file
+ should be referenced in a zone statement in a
+ <code class="filename">named.conf</code> file.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2641212"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+ <em class="citetitle">RFC 2535</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2652706"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">
+<a accesskey="p" href="man.dnssec-keygen.html">Prev</a> </td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
+<td width="40%" align="right"> <a accesskey="n" href="man.named-checkconf.html">Next</a>
+</td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">
+<span class="application">dnssec-keygen</span> </td>
+<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
+<td width="40%" align="right" valign="top"> <span class="application">named-checkconf</span>
+</td>
+</tr>
+</table>
+</div>
+</body>
+</html>
diff --git a/contrib/bind9/doc/arm/man.host.html b/contrib/bind9/doc/arm/man.host.html
new file mode 100644
index 0000000..4d3e6f3
--- /dev/null
+++ b/contrib/bind9/doc/arm/man.host.html
@@ -0,0 +1,249 @@
+<!--
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: man.host.html,v 1.2.2.36 2007/01/30 00:23:46 marka Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>host</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
+<link rel="prev" href="man.dig.html" title="dig">
+<link rel="next" href="man.dnssec-keygen.html" title="dnssec-keygen">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center">host</th></tr>
+<tr>
+<td width="20%" align="left">
+<a accesskey="p" href="man.dig.html">Prev</a> </td>
+<th width="60%" align="center">Manual pages</th>
+<td width="20%" align="right"> <a accesskey="n" href="man.dnssec-keygen.html">Next</a>
+</td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="refentry" lang="en">
+<a name="man.host"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p>host &#8212; DNS lookup utility</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">host</code> [<code class="option">-aCdlnrsTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] {name} [server]</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2596643"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">host</strong></span>
+ is a simple utility for performing DNS lookups.
+ It is normally used to convert names to IP addresses and vice versa.
+ When no arguments or options are given,
+ <span><strong class="command">host</strong></span>
+ prints a short summary of its command line arguments and options.
+ </p>
+<p><em class="parameter"><code>name</code></em> is the domain name that is to be
+ looked
+ up. It can also be a dotted-decimal IPv4 address or a colon-delimited
+ IPv6 address, in which case <span><strong class="command">host</strong></span> will by
+ default
+ perform a reverse lookup for that address.
+ <em class="parameter"><code>server</code></em> is an optional argument which
+ is either
+ the name or IP address of the name server that <span><strong class="command">host</strong></span>
+ should query instead of the server or servers listed in
+ <code class="filename">/etc/resolv.conf</code>.
+ </p>
+<p>
+ The <code class="option">-a</code> (all) option is equivalent to setting the
+ <code class="option">-v</code> option and asking <span><strong class="command">host</strong></span> to make
+ a query of type ANY.
+ </p>
+<p>
+ When the <code class="option">-C</code> option is used, <span><strong class="command">host</strong></span>
+ will attempt to display the SOA records for zone
+ <em class="parameter"><code>name</code></em> from all the listed
+ authoritative name
+ servers for that zone. The list of name servers is defined by the NS
+ records that are found for the zone.
+ </p>
+<p>
+ The <code class="option">-c</code> option instructs to make a DNS query of class
+ <em class="parameter"><code>class</code></em>. This can be used to lookup
+ Hesiod or
+ Chaosnet class resource records. The default class is IN (Internet).
+ </p>
+<p>
+ Verbose output is generated by <span><strong class="command">host</strong></span> when
+ the
+ <code class="option">-d</code> or <code class="option">-v</code> option is used. The two
+ options are equivalent. They have been provided for backwards
+ compatibility. In previous versions, the <code class="option">-d</code> option
+ switched on debugging traces and <code class="option">-v</code> enabled verbose
+ output.
+ </p>
+<p>
+ List mode is selected by the <code class="option">-l</code> option. This makes
+ <span><strong class="command">host</strong></span> perform a zone transfer for zone
+ <em class="parameter"><code>name</code></em>. Transfer the zone printing out
+ the NS, PTR
+ and address records (A/AAAA). If combined with <code class="option">-a</code>
+ all records will be printed.
+ </p>
+<p>
+ The <code class="option">-i</code>
+ option specifies that reverse lookups of IPv6 addresses should
+ use the IP6.INT domain as defined in RFC1886.
+ The default is to use IP6.ARPA.
+ </p>
+<p>
+ The <code class="option">-N</code> option sets the number of dots that have to be
+ in <em class="parameter"><code>name</code></em> for it to be considered
+ absolute. The
+ default value is that defined using the ndots statement in
+ <code class="filename">/etc/resolv.conf</code>, or 1 if no ndots
+ statement is
+ present. Names with fewer dots are interpreted as relative names and
+ will be searched for in the domains listed in the <span class="type">search</span>
+ or <span class="type">domain</span> directive in
+ <code class="filename">/etc/resolv.conf</code>.
+ </p>
+<p>
+ The number of UDP retries for a lookup can be changed with the
+ <code class="option">-R</code> option. <em class="parameter"><code>number</code></em>
+ indicates
+ how many times <span><strong class="command">host</strong></span> will repeat a query
+ that does
+ not get answered. The default number of retries is 1. If
+ <em class="parameter"><code>number</code></em> is negative or zero, the
+ number of
+ retries will default to 1.
+ </p>
+<p>
+ Non-recursive queries can be made via the <code class="option">-r</code> option.
+ Setting this option clears the <span class="type">RD</span> &#8212; recursion
+ desired &#8212; bit in the query which <span><strong class="command">host</strong></span> makes.
+ This should mean that the name server receiving the query will not
+ attempt to resolve <em class="parameter"><code>name</code></em>. The
+ <code class="option">-r</code> option enables <span><strong class="command">host</strong></span>
+ to mimic
+ the behaviour of a name server by making non-recursive queries and
+ expecting to receive answers to those queries that are usually
+ referrals to other name servers.
+ </p>
+<p>
+ By default <span><strong class="command">host</strong></span> uses UDP when making
+ queries. The
+ <code class="option">-T</code> option makes it use a TCP connection when querying
+ the name server. TCP will be automatically selected for queries that
+ require it, such as zone transfer (AXFR) requests.
+ </p>
+<p>
+ The <code class="option">-4</code> option forces <span><strong class="command">host</strong></span> to only
+ use IPv4 query transport. The <code class="option">-6</code> option forces
+ <span><strong class="command">host</strong></span> to only use IPv6 query transport.
+ </p>
+<p>
+ The <code class="option">-t</code> option is used to select the query type.
+ <em class="parameter"><code>type</code></em> can be any recognised query
+ type: CNAME,
+ NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified,
+ <span><strong class="command">host</strong></span> automatically selects an appropriate
+ query
+ type. By default it looks for A records, but if the
+ <code class="option">-C</code> option was given, queries will be made for SOA
+ records, and if <em class="parameter"><code>name</code></em> is a
+ dotted-decimal IPv4
+ address or colon-delimited IPv6 address, <span><strong class="command">host</strong></span> will
+ query for PTR records. If a query type of IXFR is chosen the starting
+ serial number can be specified by appending an equal followed by the
+ starting serial number (e.g. -t IXFR=12345678).
+ </p>
+<p>
+ The time to wait for a reply can be controlled through the
+ <code class="option">-W</code> and <code class="option">-w</code> options. The
+ <code class="option">-W</code> option makes <span><strong class="command">host</strong></span>
+ wait for
+ <em class="parameter"><code>wait</code></em> seconds. If <em class="parameter"><code>wait</code></em>
+ is less than one, the wait interval is set to one second. When the
+ <code class="option">-w</code> option is used, <span><strong class="command">host</strong></span>
+ will
+ effectively wait forever for a reply. The time to wait for a response
+ will be set to the number of seconds given by the hardware's maximum
+ value for an integer quantity.
+ </p>
+<p>
+ The <code class="option">-s</code> option tells <span><strong class="command">host</strong></span>
+ <span class="emphasis"><em>not</em></span> to send the query to the next nameserver
+ if any server responds with a SERVFAIL response, which is the
+ reverse of normal stub resolver behaviour.
+ </p>
+<p>
+ The <code class="option">-m</code> can be used to set the memory usage debugging
+ flags
+ <em class="parameter"><code>record</code></em>, <em class="parameter"><code>usage</code></em> and
+ <em class="parameter"><code>trace</code></em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2597157"></a><h2>IDN SUPPORT</h2>
+<p>
+ If <span><strong class="command">host</strong></span> has been built with IDN (internationalized
+ domain name) support, it can accept and display non-ASCII domain names.
+ <span><strong class="command">host</strong></span> appropriately converts character encoding of
+ domain name before sending a request to DNS server or displaying a
+ reply from the server.
+ If you'd like to turn off the IDN support for some reason, defines
+ the <code class="envar">IDN_DISABLE</code> environment variable.
+ The IDN support is disabled if the variable is set when
+ <span><strong class="command">host</strong></span> runs.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2597186"></a><h2>FILES</h2>
+<p><code class="filename">/etc/resolv.conf</code>
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2597200"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
+ <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
+ </p>
+</div>
+</div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">
+<a accesskey="p" href="man.dig.html">Prev</a> </td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
+<td width="40%" align="right"> <a accesskey="n" href="man.dnssec-keygen.html">Next</a>
+</td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">dig </td>
+<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
+<td width="40%" align="right" valign="top"> <span class="application">dnssec-keygen</span>
+</td>
+</tr>
+</table>
+</div>
+</body>
+</html>
diff --git a/contrib/bind9/doc/arm/man.named-checkconf.html b/contrib/bind9/doc/arm/man.named-checkconf.html
new file mode 100644
index 0000000..d71bb2e
--- /dev/null
+++ b/contrib/bind9/doc/arm/man.named-checkconf.html
@@ -0,0 +1,129 @@
+<!--
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: man.named-checkconf.html,v 1.2.2.38 2007/01/30 00:23:46 marka Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>named-checkconf</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
+<link rel="prev" href="man.dnssec-signzone.html" title="dnssec-signzone">
+<link rel="next" href="man.named-checkzone.html" title="named-checkzone">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center"><span class="application">named-checkconf</span></th></tr>
+<tr>
+<td width="20%" align="left">
+<a accesskey="p" href="man.dnssec-signzone.html">Prev</a> </td>
+<th width="60%" align="center">Manual pages</th>
+<td width="20%" align="right"> <a accesskey="n" href="man.named-checkzone.html">Next</a>
+</td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="refentry" lang="en">
+<a name="man.named-checkconf"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">named-checkconf</span> &#8212; named configuration file syntax checking tool</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-z</code>]</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2600049"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">named-checkconf</strong></span>
+ checks the syntax, but not the semantics, of a named
+ configuration file.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2600062"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
+<dd><p>
+ chroot to <code class="filename">directory</code> so that
+ include
+ directives in the configuration file are processed as if
+ run by a similarly chrooted named.
+ </p></dd>
+<dt><span class="term">-v</span></dt>
+<dd><p>
+ Print the version of the <span><strong class="command">named-checkconf</strong></span>
+ program and exit.
+ </p></dd>
+<dt><span class="term">-z</span></dt>
+<dd><p>
+ Perform a check load the master zonefiles found in
+ <code class="filename">named.conf</code>.
+ </p></dd>
+<dt><span class="term">-j</span></dt>
+<dd><p>
+ When loading a zonefile read the journal if it exists.
+ </p></dd>
+<dt><span class="term">filename</span></dt>
+<dd><p>
+ The name of the configuration file to be checked. If not
+ specified, it defaults to <code class="filename">/etc/named.conf</code>.
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2600164"></a><h2>RETURN VALUES</h2>
+<p><span><strong class="command">named-checkconf</strong></span>
+ returns an exit status of 1 if
+ errors were detected and 0 otherwise.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2600178"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2600199"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">
+<a accesskey="p" href="man.dnssec-signzone.html">Prev</a> </td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
+<td width="40%" align="right"> <a accesskey="n" href="man.named-checkzone.html">Next</a>
+</td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">
+<span class="application">dnssec-signzone</span> </td>
+<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
+<td width="40%" align="right" valign="top"> <span class="application">named-checkzone</span>
+</td>
+</tr>
+</table>
+</div>
+</body>
+</html>
diff --git a/contrib/bind9/doc/arm/man.named-checkzone.html b/contrib/bind9/doc/arm/man.named-checkzone.html
new file mode 100644
index 0000000..5f0b066
--- /dev/null
+++ b/contrib/bind9/doc/arm/man.named-checkzone.html
@@ -0,0 +1,293 @@
+<!--
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: man.named-checkzone.html,v 1.2.2.40 2007/01/30 00:23:46 marka Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>named-checkzone</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
+<link rel="prev" href="man.named-checkconf.html" title="named-checkconf">
+<link rel="next" href="man.named.html" title="named">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center"><span class="application">named-checkzone</span></th></tr>
+<tr>
+<td width="20%" align="left">
+<a accesskey="p" href="man.named-checkconf.html">Prev</a> </td>
+<th width="60%" align="center">Manual pages</th>
+<td width="20%" align="right"> <a accesskey="n" href="man.named.html">Next</a>
+</td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="refentry" lang="en">
+<a name="man.named-checkzone"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">named-checkzone</span>, <span class="application">named-compilezone</span> &#8212; zone file validity checking or converting tool</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
+<div class="cmdsynopsis"><p><code class="command">named-compilezone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2602354"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">named-checkzone</strong></span>
+ checks the syntax and integrity of a zone file. It performs the
+ same checks as <span><strong class="command">named</strong></span> does when loading a
+ zone. This makes <span><strong class="command">named-checkzone</strong></span> useful for
+ checking zone files before configuring them into a name server.
+ </p>
+<p>
+ <span><strong class="command">named-compilezone</strong></span> is similar to
+ <span><strong class="command">named-checkzone</strong></span>, but it always dumps the
+ zone contents to a specified file in a specified format.
+ Additionally, it applies stricter check levels by default,
+ since the dump output will be used as an actual zone file
+ loaded by <span><strong class="command">named</strong></span>.
+ When manaully specified otherwise, the check levels must at
+ least be as strict as those specified in the
+ <span><strong class="command">named</strong></span> configuration file.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2602404"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-d</span></dt>
+<dd><p>
+ Enable debugging.
+ </p></dd>
+<dt><span class="term">-q</span></dt>
+<dd><p>
+ Quiet mode - exit code only.
+ </p></dd>
+<dt><span class="term">-v</span></dt>
+<dd><p>
+ Print the version of the <span><strong class="command">named-checkzone</strong></span>
+ program and exit.
+ </p></dd>
+<dt><span class="term">-j</span></dt>
+<dd><p>
+ When loading the zone file read the journal if it exists.
+ </p></dd>
+<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
+<dd><p>
+ Specify the class of the zone. If not specified "IN" is assumed.
+ </p></dd>
+<dt><span class="term">-i <em class="replaceable"><code>mode</code></em></span></dt>
+<dd>
+<p>
+ Perform post load zone integrity checks. Possible modes are
+ <span><strong class="command">"full"</strong></span> (default),
+ <span><strong class="command">"full-sibling"</strong></span>,
+ <span><strong class="command">"local"</strong></span>,
+ <span><strong class="command">"local-sibling"</strong></span> and
+ <span><strong class="command">"none"</strong></span>.
+ </p>
+<p>
+ Mode <span><strong class="command">"full"</strong></span> checks that MX records
+ refer to A or AAAA record (both in-zone and out-of-zone
+ hostnames). Mode <span><strong class="command">"local"</strong></span> only
+ checks MX records which refer to in-zone hostnames.
+ </p>
+<p>
+ Mode <span><strong class="command">"full"</strong></span> checks that SRV records
+ refer to A or AAAA record (both in-zone and out-of-zone
+ hostnames). Mode <span><strong class="command">"local"</strong></span> only
+ checks SRV records which refer to in-zone hostnames.
+ </p>
+<p>
+ Mode <span><strong class="command">"full"</strong></span> checks that delegation NS
+ records refer to A or AAAA record (both in-zone and out-of-zone
+ hostnames). It also checks that glue addresses records
+ in the zone match those advertised by the child.
+ Mode <span><strong class="command">"local"</strong></span> only checks NS records which
+ refer to in-zone hostnames or that some required glue exists,
+ that is when the nameserver is in a child zone.
+ </p>
+<p>
+ Mode <span><strong class="command">"full-sibling"</strong></span> and
+ <span><strong class="command">"local-sibling"</strong></span> disable sibling glue
+ checks but are otherwise the same as <span><strong class="command">"full"</strong></span>
+ and <span><strong class="command">"local"</strong></span> respectively.
+ </p>
+<p>
+ Mode <span><strong class="command">"none"</strong></span> disables the checks.
+ </p>
+</dd>
+<dt><span class="term">-f <em class="replaceable"><code>format</code></em></span></dt>
+<dd><p>
+ Specify the format of the zone file.
+ Possible formats are <span><strong class="command">"text"</strong></span> (default)
+ and <span><strong class="command">"raw"</strong></span>.
+ </p></dd>
+<dt><span class="term">-F <em class="replaceable"><code>format</code></em></span></dt>
+<dd><p>
+ Specify the format of the output file specified.
+ Possible formats are <span><strong class="command">"text"</strong></span> (default)
+ and <span><strong class="command">"raw"</strong></span>.
+ For <span><strong class="command">named-checkzone</strong></span>,
+ this does not cause any effects unless it dumps the zone
+ contents.
+ </p></dd>
+<dt><span class="term">-k <em class="replaceable"><code>mode</code></em></span></dt>
+<dd><p>
+ Perform <span><strong class="command">"check-names"</strong></span> checks with the
+ specified failure mode.
+ Possible modes are <span><strong class="command">"fail"</strong></span>
+ (default for <span><strong class="command">named-compilezone</strong></span>),
+ <span><strong class="command">"warn"</strong></span>
+ (default for <span><strong class="command">named-checkzone</strong></span>) and
+ <span><strong class="command">"ignore"</strong></span>.
+ </p></dd>
+<dt><span class="term">-m <em class="replaceable"><code>mode</code></em></span></dt>
+<dd><p>
+ Specify whether MX records should be checked to see if they
+ are addresses. Possible modes are <span><strong class="command">"fail"</strong></span>,
+ <span><strong class="command">"warn"</strong></span> (default) and
+ <span><strong class="command">"ignore"</strong></span>.
+ </p></dd>
+<dt><span class="term">-M <em class="replaceable"><code>mode</code></em></span></dt>
+<dd><p>
+ Check if a MX record refers to a CNAME.
+ Possible modes are <span><strong class="command">"fail"</strong></span>,
+ <span><strong class="command">"warn"</strong></span> (default) and
+ <span><strong class="command">"ignore"</strong></span>.
+ </p></dd>
+<dt><span class="term">-n <em class="replaceable"><code>mode</code></em></span></dt>
+<dd><p>
+ Specify whether NS records should be checked to see if they
+ are addresses.
+ Possible modes are <span><strong class="command">"fail"</strong></span>
+ (default for <span><strong class="command">named-compilezone</strong></span>),
+ <span><strong class="command">"warn"</strong></span>
+ (default for <span><strong class="command">named-checkzone</strong></span>) and
+ <span><strong class="command">"ignore"</strong></span>.
+ </p></dd>
+<dt><span class="term">-o <em class="replaceable"><code>filename</code></em></span></dt>
+<dd><p>
+ Write zone output to <code class="filename">filename</code>.
+ This is mandatory for <span><strong class="command">named-compilezone</strong></span>.
+ </p></dd>
+<dt><span class="term">-s <em class="replaceable"><code>style</code></em></span></dt>
+<dd><p>
+ Specify the style of the dumped zone file.
+ Possible styles are <span><strong class="command">"full"</strong></span> (default)
+ and <span><strong class="command">"relative"</strong></span>.
+ The full format is most suitable for processing
+ automatically by a separate script.
+ On the other hand, the relative format is more
+ human-readable and is thus suitable for editing by hand.
+ For <span><strong class="command">named-checkzone</strong></span>
+ this does not cause any effects unless it dumps the zone
+ contents.
+ It also does not have any meaning if the output format
+ is not text.
+ </p></dd>
+<dt><span class="term">-S <em class="replaceable"><code>mode</code></em></span></dt>
+<dd><p>
+ Check if a SRV record refers to a CNAME.
+ Possible modes are <span><strong class="command">"fail"</strong></span>,
+ <span><strong class="command">"warn"</strong></span> (default) and
+ <span><strong class="command">"ignore"</strong></span>.
+ </p></dd>
+<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
+<dd><p>
+ chroot to <code class="filename">directory</code> so that
+ include
+ directives in the configuration file are processed as if
+ run by a similarly chrooted named.
+ </p></dd>
+<dt><span class="term">-w <em class="replaceable"><code>directory</code></em></span></dt>
+<dd><p>
+ chdir to <code class="filename">directory</code> so that
+ relative
+ filenames in master file $INCLUDE directives work. This
+ is similar to the directory clause in
+ <code class="filename">named.conf</code>.
+ </p></dd>
+<dt><span class="term">-D</span></dt>
+<dd><p>
+ Dump zone file in canonical format.
+ This is always enabled for <span><strong class="command">named-compilezone</strong></span>.
+ </p></dd>
+<dt><span class="term">-W <em class="replaceable"><code>mode</code></em></span></dt>
+<dd><p>
+ Specify whether to check for non-terminal wildcards.
+ Non-terminal wildcards are almost always the result of a
+ failure to understand the wildcard matching algorithm (RFC 1034).
+ Possible modes are <span><strong class="command">"warn"</strong></span> (default)
+ and
+ <span><strong class="command">"ignore"</strong></span>.
+ </p></dd>
+<dt><span class="term">zonename</span></dt>
+<dd><p>
+ The domain name of the zone being checked.
+ </p></dd>
+<dt><span class="term">filename</span></dt>
+<dd><p>
+ The name of the zone file.
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2654862"></a><h2>RETURN VALUES</h2>
+<p><span><strong class="command">named-checkzone</strong></span>
+ returns an exit status of 1 if
+ errors were detected and 0 otherwise.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2654876"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+ <em class="citetitle">RFC 1035</em>,
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2654901"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">
+<a accesskey="p" href="man.named-checkconf.html">Prev</a> </td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
+<td width="40%" align="right"> <a accesskey="n" href="man.named.html">Next</a>
+</td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">
+<span class="application">named-checkconf</span> </td>
+<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
+<td width="40%" align="right" valign="top"> <span class="application">named</span>
+</td>
+</tr>
+</table>
+</div>
+</body>
+</html>
diff --git a/contrib/bind9/doc/arm/man.named.html b/contrib/bind9/doc/arm/man.named.html
new file mode 100644
index 0000000..4b44640
--- /dev/null
+++ b/contrib/bind9/doc/arm/man.named.html
@@ -0,0 +1,280 @@
+<!--
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: man.named.html,v 1.2.2.43 2007/02/02 04:33:09 marka Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>named</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
+<link rel="prev" href="man.named-checkzone.html" title="named-checkzone">
+<link rel="next" href="man.rndc.html" title="rndc">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center"><span class="application">named</span></th></tr>
+<tr>
+<td width="20%" align="left">
+<a accesskey="p" href="man.named-checkzone.html">Prev</a> </td>
+<th width="60%" align="center">Manual pages</th>
+<td width="20%" align="right"> <a accesskey="n" href="man.rndc.html">Next</a>
+</td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="refentry" lang="en">
+<a name="man.named"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">named</span> &#8212; Internet domain name server</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">named</code> [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2602900"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">named</strong></span>
+ is a Domain Name System (DNS) server,
+ part of the BIND 9 distribution from ISC. For more
+ information on the DNS, see RFCs 1033, 1034, and 1035.
+ </p>
+<p>
+ When invoked without arguments, <span><strong class="command">named</strong></span>
+ will
+ read the default configuration file
+ <code class="filename">/etc/named.conf</code>, read any initial
+ data, and listen for queries.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2602931"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-4</span></dt>
+<dd><p>
+ Use IPv4 only even if the host machine is capable of IPv6.
+ <code class="option">-4</code> and <code class="option">-6</code> are mutually
+ exclusive.
+ </p></dd>
+<dt><span class="term">-6</span></dt>
+<dd><p>
+ Use IPv6 only even if the host machine is capable of IPv4.
+ <code class="option">-4</code> and <code class="option">-6</code> are mutually
+ exclusive.
+ </p></dd>
+<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
+<dd><p>
+ Use <em class="replaceable"><code>config-file</code></em> as the
+ configuration file instead of the default,
+ <code class="filename">/etc/named.conf</code>. To
+ ensure that reloading the configuration file continues
+ to work after the server has changed its working
+ directory due to to a possible
+ <code class="option">directory</code> option in the configuration
+ file, <em class="replaceable"><code>config-file</code></em> should be
+ an absolute pathname.
+ </p></dd>
+<dt><span class="term">-d <em class="replaceable"><code>debug-level</code></em></span></dt>
+<dd><p>
+ Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>.
+ Debugging traces from <span><strong class="command">named</strong></span> become
+ more verbose as the debug level increases.
+ </p></dd>
+<dt><span class="term">-f</span></dt>
+<dd><p>
+ Run the server in the foreground (i.e. do not daemonize).
+ </p></dd>
+<dt><span class="term">-g</span></dt>
+<dd><p>
+ Run the server in the foreground and force all logging
+ to <code class="filename">stderr</code>.
+ </p></dd>
+<dt><span class="term">-n <em class="replaceable"><code>#cpus</code></em></span></dt>
+<dd><p>
+ Create <em class="replaceable"><code>#cpus</code></em> worker threads
+ to take advantage of multiple CPUs. If not specified,
+ <span><strong class="command">named</strong></span> will try to determine the
+ number of CPUs present and create one thread per CPU.
+ If it is unable to determine the number of CPUs, a
+ single worker thread will be created.
+ </p></dd>
+<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
+<dd><p>
+ Listen for queries on port <em class="replaceable"><code>port</code></em>. If not
+ specified, the default is port 53.
+ </p></dd>
+<dt><span class="term">-s</span></dt>
+<dd>
+<p>
+ Write memory usage statistics to <code class="filename">stdout</code> on exit.
+ </p>
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+<p>
+ This option is mainly of interest to BIND 9 developers
+ and may be removed or changed in a future release.
+ </p>
+</div>
+</dd>
+<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
+<dd>
+<p><code class="function">chroot()</code>
+ to <em class="replaceable"><code>directory</code></em> after
+ processing the command line arguments, but before
+ reading the configuration file.
+ </p>
+<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Warning</h3>
+<p>
+ This option should be used in conjunction with the
+ <code class="option">-u</code> option, as chrooting a process
+ running as root doesn't enhance security on most
+ systems; the way <code class="function">chroot()</code> is
+ defined allows a process with root privileges to
+ escape a chroot jail.
+ </p>
+</div>
+</dd>
+<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
+<dd>
+<p><code class="function">setuid()</code>
+ to <em class="replaceable"><code>user</code></em> after completing
+ privileged operations, such as creating sockets that
+ listen on privileged ports.
+ </p>
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+<p>
+ On Linux, <span><strong class="command">named</strong></span> uses the kernel's
+ capability mechanism to drop all root privileges
+ except the ability to <code class="function">bind()</code> to
+ a
+ privileged port and set process resource limits.
+ Unfortunately, this means that the <code class="option">-u</code>
+ option only works when <span><strong class="command">named</strong></span> is
+ run
+ on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or
+ later, since previous kernels did not allow privileges
+ to be retained after <code class="function">setuid()</code>.
+ </p>
+</div>
+</dd>
+<dt><span class="term">-v</span></dt>
+<dd><p>
+ Report the version number and exit.
+ </p></dd>
+<dt><span class="term">-x <em class="replaceable"><code>cache-file</code></em></span></dt>
+<dd>
+<p>
+ Load data from <em class="replaceable"><code>cache-file</code></em> into the
+ cache of the default view.
+ </p>
+<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Warning</h3>
+<p>
+ This option must not be used. It is only of interest
+ to BIND 9 developers and may be removed or changed in a
+ future release.
+ </p>
+</div>
+</dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2604871"></a><h2>SIGNALS</h2>
+<p>
+ In routine operation, signals should not be used to control
+ the nameserver; <span><strong class="command">rndc</strong></span> should be used
+ instead.
+ </p>
+<div class="variablelist"><dl>
+<dt><span class="term">SIGHUP</span></dt>
+<dd><p>
+ Force a reload of the server.
+ </p></dd>
+<dt><span class="term">SIGINT, SIGTERM</span></dt>
+<dd><p>
+ Shut down the server.
+ </p></dd>
+</dl></div>
+<p>
+ The result of sending any other signals to the server is undefined.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2604921"></a><h2>CONFIGURATION</h2>
+<p>
+ The <span><strong class="command">named</strong></span> configuration file is too complex
+ to describe in detail here. A complete description is provided
+ in the
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2604940"></a><h2>FILES</h2>
+<div class="variablelist"><dl>
+<dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt>
+<dd><p>
+ The default configuration file.
+ </p></dd>
+<dt><span class="term"><code class="filename">/var/run/named.pid</code></span></dt>
+<dd><p>
+ The default process-id file.
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2604984"></a><h2>SEE ALSO</h2>
+<p><em class="citetitle">RFC 1033</em>,
+ <em class="citetitle">RFC 1034</em>,
+ <em class="citetitle">RFC 1035</em>,
+ <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
+ <span class="citerefentry"><span class="refentrytitle">lwresd</span>(8)</span>,
+ <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2605035"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">
+<a accesskey="p" href="man.named-checkzone.html">Prev</a> </td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
+<td width="40%" align="right"> <a accesskey="n" href="man.rndc.html">Next</a>
+</td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">
+<span class="application">named-checkzone</span> </td>
+<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
+<td width="40%" align="right" valign="top"> <span class="application">rndc</span>
+</td>
+</tr>
+</table>
+</div>
+</body>
+</html>
diff --git a/contrib/bind9/doc/arm/man.rndc-confgen.html b/contrib/bind9/doc/arm/man.rndc-confgen.html
new file mode 100644
index 0000000..25186f2
--- /dev/null
+++ b/contrib/bind9/doc/arm/man.rndc-confgen.html
@@ -0,0 +1,222 @@
+<!--
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: man.rndc-confgen.html,v 1.2.2.44 2007/02/02 04:33:09 marka Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>rndc-confgen</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
+<link rel="prev" href="man.rndc.conf.html" title="rndc.conf">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center"><span class="application">rndc-confgen</span></th></tr>
+<tr>
+<td width="20%" align="left">
+<a accesskey="p" href="man.rndc.conf.html">Prev</a> </td>
+<th width="60%" align="center">Manual pages</th>
+<td width="20%" align="right"> </td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="refentry" lang="en">
+<a name="man.rndc-confgen"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">rndc-confgen</span> &#8212; rndc key generation tool</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">rndc-confgen</code> [<code class="option">-a</code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2605267"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">rndc-confgen</strong></span>
+ generates configuration files
+ for <span><strong class="command">rndc</strong></span>. It can be used as a
+ convenient alternative to writing the
+ <code class="filename">rndc.conf</code> file
+ and the corresponding <span><strong class="command">controls</strong></span>
+ and <span><strong class="command">key</strong></span>
+ statements in <code class="filename">named.conf</code> by hand.
+ Alternatively, it can be run with the <span><strong class="command">-a</strong></span>
+ option to set up a <code class="filename">rndc.key</code> file and
+ avoid the need for a <code class="filename">rndc.conf</code> file
+ and a <span><strong class="command">controls</strong></span> statement altogether.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2605469"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-a</span></dt>
+<dd>
+<p>
+ Do automatic <span><strong class="command">rndc</strong></span> configuration.
+ This creates a file <code class="filename">rndc.key</code>
+ in <code class="filename">/etc</code> (or whatever
+ <code class="varname">sysconfdir</code>
+ was specified as when <acronym class="acronym">BIND</acronym> was
+ built)
+ that is read by both <span><strong class="command">rndc</strong></span>
+ and <span><strong class="command">named</strong></span> on startup. The
+ <code class="filename">rndc.key</code> file defines a default
+ command channel and authentication key allowing
+ <span><strong class="command">rndc</strong></span> to communicate with
+ <span><strong class="command">named</strong></span> on the local host
+ with no further configuration.
+ </p>
+<p>
+ Running <span><strong class="command">rndc-confgen -a</strong></span> allows
+ BIND 9 and <span><strong class="command">rndc</strong></span> to be used as
+ drop-in
+ replacements for BIND 8 and <span><strong class="command">ndc</strong></span>,
+ with no changes to the existing BIND 8
+ <code class="filename">named.conf</code> file.
+ </p>
+<p>
+ If a more elaborate configuration than that
+ generated by <span><strong class="command">rndc-confgen -a</strong></span>
+ is required, for example if rndc is to be used remotely,
+ you should run <span><strong class="command">rndc-confgen</strong></span> without
+ the
+ <span><strong class="command">-a</strong></span> option and set up a
+ <code class="filename">rndc.conf</code> and
+ <code class="filename">named.conf</code>
+ as directed.
+ </p>
+</dd>
+<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
+<dd><p>
+ Specifies the size of the authentication key in bits.
+ Must be between 1 and 512 bits; the default is 128.
+ </p></dd>
+<dt><span class="term">-c <em class="replaceable"><code>keyfile</code></em></span></dt>
+<dd><p>
+ Used with the <span><strong class="command">-a</strong></span> option to specify
+ an alternate location for <code class="filename">rndc.key</code>.
+ </p></dd>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+ Prints a short summary of the options and arguments to
+ <span><strong class="command">rndc-confgen</strong></span>.
+ </p></dd>
+<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
+<dd><p>
+ Specifies the key name of the rndc authentication key.
+ This must be a valid domain name.
+ The default is <code class="constant">rndc-key</code>.
+ </p></dd>
+<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
+<dd><p>
+ Specifies the command channel port where <span><strong class="command">named</strong></span>
+ listens for connections from <span><strong class="command">rndc</strong></span>.
+ The default is 953.
+ </p></dd>
+<dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt>
+<dd><p>
+ Specifies a source of random data for generating the
+ authorization. If the operating
+ system does not provide a <code class="filename">/dev/random</code>
+ or equivalent device, the default source of randomness
+ is keyboard input. <code class="filename">randomdev</code>
+ specifies
+ the name of a character device or file containing random
+ data to be used instead of the default. The special value
+ <code class="filename">keyboard</code> indicates that keyboard
+ input should be used.
+ </p></dd>
+<dt><span class="term">-s <em class="replaceable"><code>address</code></em></span></dt>
+<dd><p>
+ Specifies the IP address where <span><strong class="command">named</strong></span>
+ listens for command channel connections from
+ <span><strong class="command">rndc</strong></span>. The default is the loopback
+ address 127.0.0.1.
+ </p></dd>
+<dt><span class="term">-t <em class="replaceable"><code>chrootdir</code></em></span></dt>
+<dd><p>
+ Used with the <span><strong class="command">-a</strong></span> option to specify
+ a directory where <span><strong class="command">named</strong></span> will run
+ chrooted. An additional copy of the <code class="filename">rndc.key</code>
+ will be written relative to this directory so that
+ it will be found by the chrooted <span><strong class="command">named</strong></span>.
+ </p></dd>
+<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
+<dd><p>
+ Used with the <span><strong class="command">-a</strong></span> option to set the
+ owner
+ of the <code class="filename">rndc.key</code> file generated.
+ If
+ <span><strong class="command">-t</strong></span> is also specified only the file
+ in
+ the chroot area has its owner changed.
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2605856"></a><h2>EXAMPLES</h2>
+<p>
+ To allow <span><strong class="command">rndc</strong></span> to be used with
+ no manual configuration, run
+ </p>
+<p><strong class="userinput"><code>rndc-confgen -a</code></strong>
+ </p>
+<p>
+ To print a sample <code class="filename">rndc.conf</code> file and
+ corresponding <span><strong class="command">controls</strong></span> and <span><strong class="command">key</strong></span>
+ statements to be manually inserted into <code class="filename">named.conf</code>,
+ run
+ </p>
+<p><strong class="userinput"><code>rndc-confgen</code></strong>
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2605912"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
+ <span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
+ <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2608476"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">
+<a accesskey="p" href="man.rndc.conf.html">Prev</a> </td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
+<td width="40%" align="right"> </td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">
+<code class="filename">rndc.conf</code> </td>
+<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
+<td width="40%" align="right" valign="top"> </td>
+</tr>
+</table>
+</div>
+</body>
+</html>
diff --git a/contrib/bind9/doc/arm/man.rndc.conf.html b/contrib/bind9/doc/arm/man.rndc.conf.html
new file mode 100644
index 0000000..7e873ba
--- /dev/null
+++ b/contrib/bind9/doc/arm/man.rndc.conf.html
@@ -0,0 +1,255 @@
+<!--
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: man.rndc.conf.html,v 1.2.2.43 2007/02/02 04:33:09 marka Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>rndc.conf</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
+<link rel="prev" href="man.rndc.html" title="rndc">
+<link rel="next" href="man.rndc-confgen.html" title="rndc-confgen">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center"><code class="filename">rndc.conf</code></th></tr>
+<tr>
+<td width="20%" align="left">
+<a accesskey="p" href="man.rndc.html">Prev</a> </td>
+<th width="60%" align="center">Manual pages</th>
+<td width="20%" align="right"> <a accesskey="n" href="man.rndc-confgen.html">Next</a>
+</td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="refentry" lang="en">
+<a name="man.rndc.conf"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><code class="filename">rndc.conf</code> &#8212; rndc configuration file</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2604307"></a><h2>DESCRIPTION</h2>
+<p><code class="filename">rndc.conf</code> is the configuration file
+ for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control
+ utility. This file has a similar structure and syntax to
+ <code class="filename">named.conf</code>. Statements are enclosed
+ in braces and terminated with a semi-colon. Clauses in
+ the statements are also semi-colon terminated. The usual
+ comment styles are supported:
+ </p>
+<p>
+ C style: /* */
+ </p>
+<p>
+ C++ style: // to end of line
+ </p>
+<p>
+ Unix style: # to end of line
+ </p>
+<p><code class="filename">rndc.conf</code> is much simpler than
+ <code class="filename">named.conf</code>. The file uses three
+ statements: an options statement, a server statement
+ and a key statement.
+ </p>
+<p>
+ The <code class="option">options</code> statement contains five clauses.
+ The <code class="option">default-server</code> clause is followed by the
+ name or address of a name server. This host will be used when
+ no name server is given as an argument to
+ <span><strong class="command">rndc</strong></span>. The <code class="option">default-key</code>
+ clause is followed by the name of a key which is identified by
+ a <code class="option">key</code> statement. If no
+ <code class="option">keyid</code> is provided on the rndc command line,
+ and no <code class="option">key</code> clause is found in a matching
+ <code class="option">server</code> statement, this default key will be
+ used to authenticate the server's commands and responses. The
+ <code class="option">default-port</code> clause is followed by the port
+ to connect to on the remote name server. If no
+ <code class="option">port</code> option is provided on the rndc command
+ line, and no <code class="option">port</code> clause is found in a
+ matching <code class="option">server</code> statement, this default port
+ will be used to connect.
+ The <code class="option">default-source-address</code> and
+ <code class="option">default-source-address-v6</code> clauses which
+ can be used to set the IPv4 and IPv6 source addresses
+ respectively.
+ </p>
+<p>
+ After the <code class="option">server</code> keyword, the server
+ statement includes a string which is the hostname or address
+ for a name server. The statement has three possible clauses:
+ <code class="option">key</code>, <code class="option">port</code> and
+ <code class="option">addresses</code>. The key name must match the
+ name of a key statement in the file. The port number
+ specifies the port to connect to. If an <code class="option">addresses</code>
+ clause is supplied these addresses will be used instead of
+ the server name. Each address can take a optional port.
+ If an <code class="option">source-address</code> or <code class="option">source-address-v6</code>
+ of supplied then these will be used to specify the IPv4 and IPv6
+ source addresses respectively.
+ </p>
+<p>
+ The <code class="option">key</code> statement begins with an identifying
+ string, the name of the key. The statement has two clauses.
+ <code class="option">algorithm</code> identifies the encryption algorithm
+ for <span><strong class="command">rndc</strong></span> to use; currently only HMAC-MD5
+ is
+ supported. This is followed by a secret clause which contains
+ the base-64 encoding of the algorithm's encryption key. The
+ base-64 string is enclosed in double quotes.
+ </p>
+<p>
+ There are two common ways to generate the base-64 string for the
+ secret. The BIND 9 program <span><strong class="command">rndc-confgen</strong></span>
+ can
+ be used to generate a random key, or the
+ <span><strong class="command">mmencode</strong></span> program, also known as
+ <span><strong class="command">mimencode</strong></span>, can be used to generate a
+ base-64
+ string from known input. <span><strong class="command">mmencode</strong></span> does
+ not
+ ship with BIND 9 but is available on many systems. See the
+ EXAMPLE section for sample command lines for each.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2604478"></a><h2>EXAMPLE</h2>
+<pre class="programlisting">
+ options {
+ default-server localhost;
+ default-key samplekey;
+ };
+</pre>
+<p>
+ </p>
+<pre class="programlisting">
+ server localhost {
+ key samplekey;
+ };
+</pre>
+<p>
+ </p>
+<pre class="programlisting">
+ server testserver {
+ key testkey;
+ addresses { localhost port 5353; };
+ };
+</pre>
+<p>
+ </p>
+<pre class="programlisting">
+ key samplekey {
+ algorithm hmac-md5;
+ secret "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
+ };
+</pre>
+<p>
+ </p>
+<pre class="programlisting">
+ key testkey {
+ algorithm hmac-md5;
+ secret "R3HI8P6BKw9ZwXwN3VZKuQ==";
+ }
+ </pre>
+<p>
+ </p>
+<p>
+ In the above example, <span><strong class="command">rndc</strong></span> will by
+ default use
+ the server at localhost (127.0.0.1) and the key called samplekey.
+ Commands to the localhost server will use the samplekey key, which
+ must also be defined in the server's configuration file with the
+ same name and secret. The key statement indicates that samplekey
+ uses the HMAC-MD5 algorithm and its secret clause contains the
+ base-64 encoding of the HMAC-MD5 secret enclosed in double quotes.
+ </p>
+<p>
+ If <span><strong class="command">rndc -s testserver</strong></span> is used then <span><strong class="command">rndc</strong></span> will
+ connect to server on localhost port 5353 using the key testkey.
+ </p>
+<p>
+ To generate a random secret with <span><strong class="command">rndc-confgen</strong></span>:
+ </p>
+<p><strong class="userinput"><code>rndc-confgen</code></strong>
+ </p>
+<p>
+ A complete <code class="filename">rndc.conf</code> file, including
+ the
+ randomly generated key, will be written to the standard
+ output. Commented out <code class="option">key</code> and
+ <code class="option">controls</code> statements for
+ <code class="filename">named.conf</code> are also printed.
+ </p>
+<p>
+ To generate a base-64 secret with <span><strong class="command">mmencode</strong></span>:
+ </p>
+<p><strong class="userinput"><code>echo "known plaintext for a secret" | mmencode</code></strong>
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2605078"></a><h2>NAME SERVER CONFIGURATION</h2>
+<p>
+ The name server must be configured to accept rndc connections and
+ to recognize the key specified in the <code class="filename">rndc.conf</code>
+ file, using the controls statement in <code class="filename">named.conf</code>.
+ See the sections on the <code class="option">controls</code> statement in the
+ BIND 9 Administrator Reference Manual for details.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2605104"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
+ <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
+ <span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>,
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2605142"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">
+<a accesskey="p" href="man.rndc.html">Prev</a> </td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
+<td width="40%" align="right"> <a accesskey="n" href="man.rndc-confgen.html">Next</a>
+</td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">
+<span class="application">rndc</span> </td>
+<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
+<td width="40%" align="right" valign="top"> <span class="application">rndc-confgen</span>
+</td>
+</tr>
+</table>
+</div>
+</body>
+</html>
diff --git a/contrib/bind9/doc/arm/man.rndc.html b/contrib/bind9/doc/arm/man.rndc.html
new file mode 100644
index 0000000..efe4bd0
--- /dev/null
+++ b/contrib/bind9/doc/arm/man.rndc.html
@@ -0,0 +1,203 @@
+<!--
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: man.rndc.html,v 1.2.2.42 2007/02/02 04:33:09 marka Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>rndc</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
+<link rel="prev" href="man.named.html" title="named">
+<link rel="next" href="man.rndc.conf.html" title="rndc.conf">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center"><span class="application">rndc</span></th></tr>
+<tr>
+<td width="20%" align="left">
+<a accesskey="p" href="man.named.html">Prev</a> </td>
+<th width="60%" align="center">Manual pages</th>
+<td width="20%" align="right"> <a accesskey="n" href="man.rndc.conf.html">Next</a>
+</td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="refentry" lang="en">
+<a name="man.rndc"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">rndc</span> &#8212; name server control utility</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">rndc</code> [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2603458"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">rndc</strong></span>
+ controls the operation of a name
+ server. It supersedes the <span><strong class="command">ndc</strong></span> utility
+ that was provided in old BIND releases. If
+ <span><strong class="command">rndc</strong></span> is invoked with no command line
+ options or arguments, it prints a short summary of the
+ supported commands and the available options and their
+ arguments.
+ </p>
+<p><span><strong class="command">rndc</strong></span>
+ communicates with the name server
+ over a TCP connection, sending commands authenticated with
+ digital signatures. In the current versions of
+ <span><strong class="command">rndc</strong></span> and <span><strong class="command">named</strong></span> named
+ the only supported authentication algorithm is HMAC-MD5,
+ which uses a shared secret on each end of the connection.
+ This provides TSIG-style authentication for the command
+ request and the name server's response. All commands sent
+ over the channel must be signed by a key_id known to the
+ server.
+ </p>
+<p><span><strong class="command">rndc</strong></span>
+ reads a configuration file to
+ determine how to contact the name server and decide what
+ algorithm and key it should use.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2603508"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
+<dd><p>
+ Use <em class="replaceable"><code>source-address</code></em>
+ as the source address for the connection to the server.
+ Multiple instances are permitted to allow setting of both
+ the IPv4 and IPv6 source addresses.
+ </p></dd>
+<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
+<dd><p>
+ Use <em class="replaceable"><code>config-file</code></em>
+ as the configuration file instead of the default,
+ <code class="filename">/etc/rndc.conf</code>.
+ </p></dd>
+<dt><span class="term">-k <em class="replaceable"><code>key-file</code></em></span></dt>
+<dd><p>
+ Use <em class="replaceable"><code>key-file</code></em>
+ as the key file instead of the default,
+ <code class="filename">/etc/rndc.key</code>. The key in
+ <code class="filename">/etc/rndc.key</code> will be used to
+ authenticate
+ commands sent to the server if the <em class="replaceable"><code>config-file</code></em>
+ does not exist.
+ </p></dd>
+<dt><span class="term">-s <em class="replaceable"><code>server</code></em></span></dt>
+<dd><p><em class="replaceable"><code>server</code></em> is
+ the name or address of the server which matches a
+ server statement in the configuration file for
+ <span><strong class="command">rndc</strong></span>. If no server is supplied on
+ the
+ command line, the host named by the default-server clause
+ in the option statement of the configuration file will be
+ used.
+ </p></dd>
+<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
+<dd><p>
+ Send commands to TCP port
+ <em class="replaceable"><code>port</code></em>
+ instead
+ of BIND 9's default control channel port, 953.
+ </p></dd>
+<dt><span class="term">-V</span></dt>
+<dd><p>
+ Enable verbose logging.
+ </p></dd>
+<dt><span class="term">-y <em class="replaceable"><code>keyid</code></em></span></dt>
+<dd><p>
+ Use the key <em class="replaceable"><code>keyid</code></em>
+ from the configuration file.
+ <em class="replaceable"><code>keyid</code></em>
+ must be
+ known by named with the same algorithm and secret string
+ in order for control message validation to succeed.
+ If no <em class="replaceable"><code>keyid</code></em>
+ is specified, <span><strong class="command">rndc</strong></span> will first look
+ for a key clause in the server statement of the server
+ being used, or if no server statement is present for that
+ host, then the default-key clause of the options statement.
+ Note that the configuration file contains shared secrets
+ which are used to send authenticated control commands
+ to name servers. It should therefore not have general read
+ or write access.
+ </p></dd>
+</dl></div>
+<p>
+ For the complete set of commands supported by <span><strong class="command">rndc</strong></span>,
+ see the BIND 9 Administrator Reference Manual or run
+ <span><strong class="command">rndc</strong></span> without arguments to see its help
+ message.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2604136"></a><h2>LIMITATIONS</h2>
+<p><span><strong class="command">rndc</strong></span>
+ does not yet support all the commands of
+ the BIND 8 <span><strong class="command">ndc</strong></span> utility.
+ </p>
+<p>
+ There is currently no way to provide the shared secret for a
+ <code class="option">key_id</code> without using the configuration file.
+ </p>
+<p>
+ Several error messages could be clearer.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2604167"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
+ <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+ <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>
+ <span class="citerefentry"><span class="refentrytitle">ndc</span>(8)</span>,
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2604282"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">
+<a accesskey="p" href="man.named.html">Prev</a> </td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
+<td width="40%" align="right"> <a accesskey="n" href="man.rndc.conf.html">Next</a>
+</td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">
+<span class="application">named</span> </td>
+<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
+<td width="40%" align="right" valign="top"> <code class="filename">rndc.conf</code>
+</td>
+</tr>
+</table>
+</div>
+</body>
+</html>
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-dhcid-rr-12.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-dhcid-rr-12.txt
new file mode 100644
index 0000000..07749d9
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsext-dhcid-rr-12.txt
@@ -0,0 +1,674 @@
+
+
+
+
+DNSEXT M. Stapp
+Internet-Draft Cisco Systems, Inc.
+Expires: September 1, 2006 T. Lemon
+ Nominum, Inc.
+ A. Gustafsson
+ Araneus Information Systems Oy
+ February 28, 2006
+
+
+ A DNS RR for Encoding DHCP Information (DHCID RR)
+ <draft-ietf-dnsext-dhcid-rr-12.txt>
+
+Status of this Memo
+
+ By submitting this Internet-Draft, each author represents that any
+ applicable patent or other IPR claims of which he or she is aware
+ have been or will be disclosed, and any of which he or she becomes
+ aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on September 1, 2006.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2006).
+
+Abstract
+
+ It is possible for DHCP clients to attempt to update the same DNS
+ FQDN or attempt to update a DNS FQDN that has been added to the DNS
+ for another purpose as they obtain DHCP leases. Whether the DHCP
+ server or the clients themselves perform the DNS updates, conflicts
+ can arise. To resolve such conflicts, "Resolution of DNS Name
+
+
+
+Stapp, et al. Expires September 1, 2006 [Page 1]
+
+Internet-Draft The DHCID RR February 2006
+
+
+ Conflicts" [1] proposes storing client identifiers in the DNS to
+ unambiguously associate domain names with the DHCP clients to which
+ they refer. This memo defines a distinct RR type for this purpose
+ for use by DHCP clients and servers, the "DHCID" RR.
+
+
+Table of Contents
+
+ 1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 3. The DHCID RR . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 3.1. DHCID RDATA format . . . . . . . . . . . . . . . . . . . . 3
+ 3.2. DHCID Presentation Format . . . . . . . . . . . . . . . . 4
+ 3.3. The DHCID RR Identifier Type Codes . . . . . . . . . . . . 4
+ 3.4. The DHCID RR Digest Type Code . . . . . . . . . . . . . . 4
+ 3.5. Computation of the RDATA . . . . . . . . . . . . . . . . . 5
+ 3.5.1. Using the Client's DUID . . . . . . . . . . . . . . . 5
+ 3.5.2. Using the Client Identifier Option . . . . . . . . . . 5
+ 3.5.3. Using the Client's htype and chaddr . . . . . . . . . 6
+ 3.6. Examples . . . . . . . . . . . . . . . . . . . . . . . . . 6
+ 3.6.1. Example 1 . . . . . . . . . . . . . . . . . . . . . . 6
+ 3.6.2. Example 2 . . . . . . . . . . . . . . . . . . . . . . 6
+ 3.6.3. Example 3 . . . . . . . . . . . . . . . . . . . . . . 7
+ 4. Use of the DHCID RR . . . . . . . . . . . . . . . . . . . . . 7
+ 5. Updater Behavior . . . . . . . . . . . . . . . . . . . . . . . 8
+ 6. Security Considerations . . . . . . . . . . . . . . . . . . . 8
+ 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
+ 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 9
+ 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9
+ 9.1. Normative References . . . . . . . . . . . . . . . . . . . 9
+ 9.2. Informative References . . . . . . . . . . . . . . . . . . 10
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11
+ Intellectual Property and Copyright Statements . . . . . . . . . . 12
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Stapp, et al. Expires September 1, 2006 [Page 2]
+
+Internet-Draft The DHCID RR February 2006
+
+
+1. Terminology
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [2].
+
+
+2. Introduction
+
+ A set of procedures to allow DHCP [6] [10] clients and servers to
+ automatically update the DNS (RFC 1034 [3], RFC 1035 [4]) is proposed
+ in "Resolution of DNS Name Conflicts" [1].
+
+ Conflicts can arise if multiple DHCP clients wish to use the same DNS
+ name or a DHCP client attempts to use a name added for another
+ purpose. To resolve such conflicts, "Resolution of DNS Name
+ Conflicts" [1] proposes storing client identifiers in the DNS to
+ unambiguously associate domain names with the DHCP clients using
+ them. In the interest of clarity, it is preferable for this DHCP
+ information to use a distinct RR type. This memo defines a distinct
+ RR for this purpose for use by DHCP clients or servers, the "DHCID"
+ RR.
+
+ In order to obscure potentially sensitive client identifying
+ information, the data stored is the result of a one-way SHA-256 hash
+ computation. The hash includes information from the DHCP client's
+ message as well as the domain name itself, so that the data stored in
+ the DHCID RR will be dependent on both the client identification used
+ in the DHCP protocol interaction and the domain name. This means
+ that the DHCID RDATA will vary if a single client is associated over
+ time with more than one name. This makes it difficult to 'track' a
+ client as it is associated with various domain names.
+
+
+3. The DHCID RR
+
+ The DHCID RR is defined with mnemonic DHCID and type code [TBD]. The
+ DHCID RR is only defined in the IN class. DHCID RRs cause no
+ additional section processing. The DHCID RR is not a singleton type.
+
+3.1. DHCID RDATA format
+
+ The RDATA section of a DHCID RR in transmission contains RDLENGTH
+ octets of binary data. The format of this data and its
+ interpretation by DHCP servers and clients are described below.
+
+ DNS software should consider the RDATA section to be opaque. DHCP
+ clients or servers use the DHCID RR to associate a DHCP client's
+
+
+
+Stapp, et al. Expires September 1, 2006 [Page 3]
+
+Internet-Draft The DHCID RR February 2006
+
+
+ identity with a DNS name, so that multiple DHCP clients and servers
+ may deterministically perform dynamic DNS updates to the same zone.
+ From the updater's perspective, the DHCID resource record RDATA
+ consists of a 2-octet identifier type, in network byte order,
+ followed by a 1-octet digest type, followed by one or more octets
+ representing the actual identifier:
+
+ < 2 octets > Identifier type code
+ < 1 octet > Digest type code
+ < n octets > Digest (length depends on digest type)
+
+3.2. DHCID Presentation Format
+
+ In DNS master files, the RDATA is represented as a single block in
+ base 64 encoding identical to that used for representing binary data
+ in RFC 3548 [7]. The data may be divided up into any number of white
+ space separated substrings, down to single base 64 digits, which are
+ concatenated to form the complete RDATA. These substrings can span
+ lines using the standard parentheses.
+
+3.3. The DHCID RR Identifier Type Codes
+
+ The DHCID RR Identifier Type Code specifies what data from the DHCP
+ client's request was used as input into the hash function. The
+ identifier type codes are defined in a registry maintained by IANA,
+ as specified in Section 7. The initial list of assigned values for
+ the identifier type code is:
+
+ 0x0000 = htype, chaddr from a DHCPv4 client's DHCPREQUEST [6].
+ 0x0001 = The data octets (i.e., the Type and Client-Identifier
+ fields) from a DHCPv4 client's Client Identifier option [9].
+ 0x0002 = The client's DUID (i.e., the data octets of a DHCPv6
+ client's Client Identifier option [10] or the DUID field from a
+ DHCPv4 client's Client Identifier option [12]).
+
+ 0x0003 - 0xfffe = Available to be assigned by IANA.
+
+ 0xffff = RESERVED
+
+3.4. The DHCID RR Digest Type Code
+
+ The DHCID RR Digest Type Code is an identifier for the digest
+ algorithm used. The digest is calculated over an identifier and the
+ canonical FQDN as described in the next section.
+
+ The digest type codes are defined in a registry maintained by IANA,
+ as specified in Section 7. The initial list of assigned values for
+ the digest type codes is: value 0 is reserved and value 1 is SHA-256.
+
+
+
+Stapp, et al. Expires September 1, 2006 [Page 4]
+
+Internet-Draft The DHCID RR February 2006
+
+
+ Reserving other types requires IETF standards action. Defining new
+ values will also require IETF standards action to document how DNS
+ updaters are to deal with multiple digest types.
+
+3.5. Computation of the RDATA
+
+ The DHCID RDATA is formed by concatenating the 2-octet identifier
+ type code with variable-length data.
+
+ The RDATA for all type codes other than 0xffff, which is reserved for
+ future expansion, is formed by concatenating the 2-octet identifier
+ type code, the 1-octet digest type code, and the digest value (32
+ octets for SHA-256).
+
+ < identifier-type > < digest-type > < digest >
+
+ The input to the digest hash function is defined to be:
+
+ digest = SHA-256(< identifier > < FQDN >)
+
+ The FQDN is represented in the buffer in unambiguous canonical form
+ as described in RFC 4034 [8], section 6.1. The identifier type code
+ and the identifier are related as specified in Section 3.3: the
+ identifier type code describes the source of the identifier.
+
+ A DHCPv4 updater uses the 0x0002 type code if a Client Identifier
+ option is present in the DHCPv4 messages and it is encoded as
+ specified in [12]. Otherwise, the updater uses 0x0001 if a Client
+ Identifier option is present and 0x0000 if not.
+
+ A DHCPv6 updater always uses the 0x0002 type code.
+
+3.5.1. Using the Client's DUID
+
+ When the updater is using the Client's DUID (either from a DHCPv6
+ Client Identifier option or from a portion of the DHCPv4 Client
+ Identifier option encoded as specified in [12]), the first two octets
+ of the DHCID RR MUST be 0x0002, in network byte order. The third
+ octet is the digest type code (1 for SHA-256). The rest of the DHCID
+ RR MUST contain the results of computing the SHA-256 hash across the
+ octets of the DUID followed by the FQDN.
+
+3.5.2. Using the Client Identifier Option
+
+ When the updater is using the DHCPv4 Client Identifier option sent by
+ the client in its DHCPREQUEST message, the first two octets of the
+ DHCID RR MUST be 0x0001, in network byte order. The third octet is
+ the digest type code (1 for SHA-256). The rest of the DHCID RR MUST
+
+
+
+Stapp, et al. Expires September 1, 2006 [Page 5]
+
+Internet-Draft The DHCID RR February 2006
+
+
+ contain the results of computing the SHA-256 hash across the data
+ octets (i.e., the Type and Client-Identifier fields) of the option,
+ followed by the FQDN.
+
+3.5.3. Using the Client's htype and chaddr
+
+ When the updater is using the client's link-layer address as the
+ identifier, the first two octets of the DHCID RDATA MUST be zero.
+ The third octet is the digest type code (1 for SHA-256). To generate
+ the rest of the resource record, the updater computes a one-way hash
+ using the SHA-256 algorithm across a buffer containing the client's
+ network hardware type, link-layer address, and the FQDN data.
+ Specifically, the first octet of the buffer contains the network
+ hardware type as it appeared in the DHCP 'htype' field of the
+ client's DHCPREQUEST message. All of the significant octets of the
+ 'chaddr' field in the client's DHCPREQUEST message follow, in the
+ same order in which the octets appear in the DHCPREQUEST message.
+ The number of significant octets in the 'chaddr' field is specified
+ in the 'hlen' field of the DHCPREQUEST message. The FQDN data, as
+ specified above, follows.
+
+3.6. Examples
+
+3.6.1. Example 1
+
+ A DHCP server allocating the IPv4 address 10.0.0.1 to a client with
+ Ethernet MAC address 01:02:03:04:05:06 using domain name
+ "client.example.com" uses the client's link-layer address to identify
+ the client. The DHCID RDATA is composed by setting the two type
+ octets to zero, the 1-octet digest type to 1 for SHA-256, and
+ performing an SHA-256 hash computation across a buffer containing the
+ Ethernet MAC type octet, 0x01, the six octets of MAC address, and the
+ domain name (represented as specified in Section 3.5).
+
+ client.example.com. A 10.0.0.1
+ client.example.com. DHCID ( AAABxLmlskllE0MVjd57zHcWmEH3pCQ6V
+ ytcKD//7es/deY= )
+
+ If the DHCID RR type is not supported, the RDATA would be encoded
+ [13] as:
+
+ \# 35 ( 000001c4b9a5b249651343158dde7bcc77169841f7a4243a572b5c283
+ fffedeb3f75e6 )
+
+3.6.2. Example 2
+
+ A DHCP server allocates the IPv4 address 10.0.12.99 to a client which
+ included the DHCP client-identifier option data 01:07:08:09:0a:0b:0c
+
+
+
+Stapp, et al. Expires September 1, 2006 [Page 6]
+
+Internet-Draft The DHCID RR February 2006
+
+
+ in its DHCP request. The server updates the name "chi.example.com"
+ on the client's behalf, and uses the DHCP client identifier option
+ data as input in forming a DHCID RR. The DHCID RDATA is formed by
+ setting the two type octets to the value 0x0001, the 1-octet digest
+ type to 1 for SHA-256, and performing a SHA-256 hash computation
+ across a buffer containing the seven octets from the client-id option
+ and the FQDN (represented as specified in Section 3.5).
+
+ chi.example.com. A 10.0.12.99
+ chi.example.com. DHCID ( AAEBOSD+XR3Os/0LozeXVqcNc7FwCfQdW
+ L3b/NaiUDlW2No= )
+
+ If the DHCID RR type is not supported, the RDATA would be encoded
+ [13] as:
+
+ \# 35 ( 0001013920fe5d1dceb3fd0ba3379756a70d73b17009f41d58bddbfcd
+ 6a2503956d8da )
+
+3.6.3. Example 3
+
+ A DHCP server allocates the IPv6 address 2000::1234:5678 to a client
+ which included the DHCPv6 client-identifier option data 00:01:00:06:
+ 41:2d:f1:66:01:02:03:04:05:06 in its DHCPv6 request. The server
+ updates the name "chi6.example.com" on the client's behalf, and uses
+ the DHCP client identifier option data as input in forming a DHCID
+ RR. The DHCID RDATA is formed by setting the two type octets to the
+ value 0x0002, the 1-octet digest type to 1 for SHA-256, and
+ performing a SHA-256 hash computation across a buffer containing the
+ 14 octets from the client-id option and the FQDN (represented as
+ specified in Section 3.5).
+
+ chi6.example.com. AAAA 2000::1234:5678
+ chi6.example.com. DHCID ( AAIBY2/AuCccgoJbsaxcQc9TUapptP69l
+ OjxfNuVAA2kjEA= )
+
+ If the DHCID RR type is not supported, the RDATA would be encoded
+ [13] as:
+
+ \# 35 ( 000201636fc0b8271c82825bb1ac5c41cf5351aa69b4febd94e8f17cd
+ b95000da48c40 )
+
+
+4. Use of the DHCID RR
+
+ This RR MUST NOT be used for any purpose other than that detailed in
+ "Resolution of DNS Name Conflicts" [1]. Although this RR contains
+ data that is opaque to DNS servers, the data must be consistent
+ across all entities that update and interpret this record.
+
+
+
+Stapp, et al. Expires September 1, 2006 [Page 7]
+
+Internet-Draft The DHCID RR February 2006
+
+
+ Therefore, new data formats may only be defined through actions of
+ the DHC Working Group, as a result of revising [1].
+
+
+5. Updater Behavior
+
+ The data in the DHCID RR allows updaters to determine whether more
+ than one DHCP client desires to use a particular FQDN. This allows
+ site administrators to establish policy about DNS updates. The DHCID
+ RR does not establish any policy itself.
+
+ Updaters use data from a DHCP client's request and the domain name
+ that the client desires to use to compute a client identity hash, and
+ then compare that hash to the data in any DHCID RRs on the name that
+ they wish to associate with the client's IP address. If an updater
+ discovers DHCID RRs whose RDATA does not match the client identity
+ that they have computed, the updater SHOULD conclude that a different
+ client is currently associated with the name in question. The
+ updater SHOULD then proceed according to the site's administrative
+ policy. That policy might dictate that a different name be selected,
+ or it might permit the updater to continue.
+
+
+6. Security Considerations
+
+ The DHCID record as such does not introduce any new security problems
+ into the DNS. In order to obscure the client's identity information,
+ a one-way hash is used. And, in order to make it difficult to
+ 'track' a client by examining the names associated with a particular
+ hash value, the FQDN is included in the hash computation. Thus, the
+ RDATA is dependent on both the DHCP client identification data and on
+ each FQDN associated with the client.
+
+ However, it should be noted that an attacker that has some knowledge,
+ such as of MAC addresses commonly used in DHCP client identification
+ data, may be able to discover the client's DHCP identify by using a
+ brute-force attack. Even without any additional knowledge, the
+ number of unknown bits used in computing the hash is typically only
+ 48 to 80.
+
+ Administrators should be wary of permitting unsecured DNS updates to
+ zones, whether or not they are exposed to the global Internet. Both
+ DHCP clients and servers SHOULD use some form of update
+ authentication (e.g., TSIG [11]) when performing DNS updates.
+
+
+7. IANA Considerations
+
+
+
+
+Stapp, et al. Expires September 1, 2006 [Page 8]
+
+Internet-Draft The DHCID RR February 2006
+
+
+ IANA is requested to allocate a DNS RR type number for the DHCID
+ record type.
+
+ This specification defines a new number-space for the 2-octet
+ identifier type codes associated with the DHCID RR. IANA is
+ requested to establish a registry of the values for this number-
+ space. Three initial values are assigned in Section 3.3, and the
+ value 0xFFFF is reserved for future use. New DHCID RR identifier
+ type codes are assigned through Standards Action, as defined in RFC
+ 2434 [5].
+
+ This specification defines a new number-space for the 1-octet digest
+ type codes associated with the DHCID RR. IANA is requested to
+ establish a registry of the values for this number-space. Two
+ initial values are assigned in Section 3.4. New DHCID RR digest type
+ codes are assigned through Standards Action, as defined in RFC 2434
+ [5].
+
+
+8. Acknowledgements
+
+ Many thanks to Harald Alvestrand, Ralph Droms, Olafur Gudmundsson,
+ Sam Hartman, Josh Littlefield, Pekka Savola, and especially Bernie
+ Volz for their review and suggestions.
+
+
+9. References
+
+9.1. Normative References
+
+ [1] Stapp, M. and B. Volz, "Resolution of DNS Name Conflicts Among
+ DHCP Clients (draft-ietf-dhc-dns-resolution-*)", February 2006.
+
+ [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement
+ Levels", BCP 14, RFC 2119, March 1997.
+
+ [3] Mockapetris, P., "Domain names - concepts and facilities",
+ STD 13, RFC 1034, November 1987.
+
+ [4] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [5] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
+ Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
+
+
+
+
+
+
+
+Stapp, et al. Expires September 1, 2006 [Page 9]
+
+Internet-Draft The DHCID RR February 2006
+
+
+9.2. Informative References
+
+ [6] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
+ March 1997.
+
+ [7] Josefsson, S., "The Base16, Base32, and Base64 Data Encodings",
+ RFC 3548, July 2003.
+
+ [8] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "Resource Records for the DNS Security Extensions", RFC 4034,
+ March 2005.
+
+ [9] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
+ Extensions", RFC 2132, March 1997.
+
+ [10] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and M.
+ Carney, "Dynamic Host Configuration Protocol for IPv6
+ (DHCPv6)", RFC 3315, July 2003.
+
+ [11] Vixie, P., Gudmundsson, O., Eastlake, D., and B. Wellington,
+ "Secret Key Transaction Authentication for DNS (TSIG)",
+ RFC 2845, May 2000.
+
+ [12] Lemon, T. and B. Sommerfeld, "Node-specific Client Identifiers
+ for Dynamic Host Configuration Protocol Version Four (DHCPv4)",
+ RFC 4361, February 2006.
+
+ [13] Gustafsson, A., "Handling of Unknown DNS Resource Record (RR)
+ Types", RFC 3597, September 2003.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Stapp, et al. Expires September 1, 2006 [Page 10]
+
+Internet-Draft The DHCID RR February 2006
+
+
+Authors' Addresses
+
+ Mark Stapp
+ Cisco Systems, Inc.
+ 1414 Massachusetts Ave.
+ Boxborough, MA 01719
+ USA
+
+ Phone: 978.936.1535
+ Email: mjs@cisco.com
+
+
+ Ted Lemon
+ Nominum, Inc.
+ 950 Charter St.
+ Redwood City, CA 94063
+ USA
+
+ Email: mellon@nominum.com
+
+
+ Andreas Gustafsson
+ Araneus Information Systems Oy
+ Ulappakatu 1
+ 02320 Espoo
+ Finland
+
+ Email: gson@araneus.fi
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Stapp, et al. Expires September 1, 2006 [Page 11]
+
+Internet-Draft The DHCID RR February 2006
+
+
+Intellectual Property Statement
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+
+Disclaimer of Validity
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Copyright Statement
+
+ Copyright (C) The Internet Society (2006). This document is subject
+ to the rights, licenses and restrictions contained in BCP 78, and
+ except as set forth therein, the authors retain all their rights.
+
+
+Acknowledgment
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+Stapp, et al. Expires September 1, 2006 [Page 12]
+
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-online-signing-02.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-online-signing-02.txt
new file mode 100644
index 0000000..7503c66
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-online-signing-02.txt
@@ -0,0 +1,616 @@
+
+
+
+Network Working Group S. Weiler
+Internet-Draft SPARTA, Inc
+Updates: 4034, 4035 (if approved) J. Ihren
+Expires: July 24, 2006 Autonomica AB
+ January 20, 2006
+
+
+ Minimally Covering NSEC Records and DNSSEC On-line Signing
+ draft-ietf-dnsext-dnssec-online-signing-02
+
+Status of this Memo
+
+ By submitting this Internet-Draft, each author represents that any
+ applicable patent or other IPR claims of which he or she is aware
+ have been or will be disclosed, and any of which he or she becomes
+ aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on July 24, 2006.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2006).
+
+Abstract
+
+ This document describes how to construct DNSSEC NSEC resource records
+ that cover a smaller range of names than called for by RFC4034. By
+ generating and signing these records on demand, authoritative name
+ servers can effectively stop the disclosure of zone contents
+ otherwise made possible by walking the chain of NSEC records in a
+ signed zone.
+
+
+
+
+Weiler & Ihren Expires July 24, 2006 [Page 1]
+
+Internet-Draft NSEC Epsilon January 2006
+
+
+Changes from ietf-01 to ietf-02
+
+ Clarified that a generated NSEC RR's type bitmap MUST have the RRSIG
+ and NSEC bits set, to be consistent with DNSSECbis -- previous text
+ said SHOULD.
+
+ Made the applicability statement a little less oppressive.
+
+Changes from ietf-00 to ietf-01
+
+ Added an applicability statement, making reference to ongoing work on
+ NSEC3.
+
+ Added the phrase "epsilon functions", which has been commonly used to
+ describe the technique and already appeared in the header of each
+ page, in place of "increment and decrement functions". Also added an
+ explanatory sentence.
+
+ Corrected references from 4034 section 6.2 to section 6.1.
+
+ Fixed an out-of-date reference to [-bis] and other typos.
+
+ Replaced IANA Considerations text.
+
+ Escaped close parentheses in examples.
+
+ Added some more acknowledgements.
+
+Changes from weiler-01 to ietf-00
+
+ Inserted RFC numbers for 4033, 4034, and 4035.
+
+ Specified contents of bitmap field in synthesized NSEC RR's, pointing
+ out that this relaxes a constraint in 4035. Added 4035 to the
+ Updates header.
+
+Changes from weiler-00 to weiler-01
+
+ Clarified that this updates RFC4034 by relaxing requirements on the
+ next name field.
+
+ Added examples covering wildcard names.
+
+ In the 'better functions' section, reiterated that perfect functions
+ aren't needed.
+
+ Added a reference to RFC 2119.
+
+
+
+
+Weiler & Ihren Expires July 24, 2006 [Page 2]
+
+Internet-Draft NSEC Epsilon January 2006
+
+
+Table of Contents
+
+ 1. Introduction and Terminology . . . . . . . . . . . . . . . . . 4
+ 2. Applicability of This Technique . . . . . . . . . . . . . . . 4
+ 3. Minimally Covering NSEC Records . . . . . . . . . . . . . . . 5
+ 4. Better Epsilon Functions . . . . . . . . . . . . . . . . . . . 6
+ 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
+ 6. Security Considerations . . . . . . . . . . . . . . . . . . . 7
+ 7. Normative References . . . . . . . . . . . . . . . . . . . . . 8
+ Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 8
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10
+ Intellectual Property and Copyright Statements . . . . . . . . . . 11
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Weiler & Ihren Expires July 24, 2006 [Page 3]
+
+Internet-Draft NSEC Epsilon January 2006
+
+
+1. Introduction and Terminology
+
+ With DNSSEC [1], an NSEC record lists the next instantiated name in
+ its zone, proving that no names exist in the "span" between the
+ NSEC's owner name and the name in the "next name" field. In this
+ document, an NSEC record is said to "cover" the names between its
+ owner name and next name.
+
+ Through repeated queries that return NSEC records, it is possible to
+ retrieve all of the names in the zone, a process commonly called
+ "walking" the zone. Some zone owners have policies forbidding zone
+ transfers by arbitrary clients; this side-effect of the NSEC
+ architecture subverts those policies.
+
+ This document presents a way to prevent zone walking by constructing
+ NSEC records that cover fewer names. These records can make zone
+ walking take approximately as many queries as simply asking for all
+ possible names in a zone, making zone walking impractical. Some of
+ these records must be created and signed on demand, which requires
+ on-line private keys. Anyone contemplating use of this technique is
+ strongly encouraged to review the discussion of the risks of on-line
+ signing in Section 6.
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [4].
+
+
+2. Applicability of This Technique
+
+ The technique presented here may be useful to a zone owner that wants
+ to use DNSSEC, is concerned about exposure of its zone contents via
+ zone walking, and is willing to bear the costs of on-line signing.
+
+ As discussed in Section 6, on-line signing has several security
+ risks, including an increased likelihood of private keys being
+ disclosed and an increased risk of denial of service attack. Anyone
+ contemplating use of this technique is strongly encouraged to review
+ the discussion of the risks of on-line signing in Section 6.
+
+ Furthermore, at the time this document was published, the DNSEXT
+ working group was actively working on a mechanism to prevent zone
+ walking that does not require on-line signing (tentatively called
+ NSEC3). The new mechanism is likely to expose slightly more
+ information about the zone than this technique (e.g. the number of
+ instantiated names), but it may be preferable to this technique.
+
+
+
+
+
+Weiler & Ihren Expires July 24, 2006 [Page 4]
+
+Internet-Draft NSEC Epsilon January 2006
+
+
+3. Minimally Covering NSEC Records
+
+ This mechanism involves changes to NSEC records for instantiated
+ names, which can still be generated and signed in advance, as well as
+ the on-demand generation and signing of new NSEC records whenever a
+ name must be proven not to exist.
+
+ In the 'next name' field of instantiated names' NSEC records, rather
+ than list the next instantiated name in the zone, list any name that
+ falls lexically after the NSEC's owner name and before the next
+ instantiated name in the zone, according to the ordering function in
+ RFC4034 [2] section 6.1. This relaxes the requirement in section
+ 4.1.1 of RFC4034 that the 'next name' field contains the next owner
+ name in the zone. This change is expected to be fully compatible
+ with all existing DNSSEC validators. These NSEC records are returned
+ whenever proving something specifically about the owner name (e.g.
+ that no resource records of a given type appear at that name).
+
+ Whenever an NSEC record is needed to prove the non-existence of a
+ name, a new NSEC record is dynamically produced and signed. The new
+ NSEC record has an owner name lexically before the QNAME but
+ lexically following any existing name and a 'next name' lexically
+ following the QNAME but before any existing name.
+
+ The generated NSEC record's type bitmap MUST have the RRSIG and NSEC
+ bits set and SHOULD NOT have any other bits set. This relaxes the
+ requirement in Section 2.3 of RFC4035 that NSEC RRs not appear at
+ names that did not exist before the zone was signed.
+
+ The functions to generate the lexically following and proceeding
+ names need not be perfect nor consistent, but the generated NSEC
+ records must not cover any existing names. Furthermore, this
+ technique works best when the generated NSEC records cover as few
+ names as possible. In this document, the functions that generate the
+ nearby names are called 'epsilon' functions, a reference to the
+ mathematical convention of using the greek letter epsilon to
+ represent small deviations.
+
+ An NSEC record denying the existence of a wildcard may be generated
+ in the same way. Since the NSEC record covering a non-existent
+ wildcard is likely to be used in response to many queries,
+ authoritative name servers using the techniques described here may
+ want to pregenerate or cache that record and its corresponding RRSIG.
+
+ For example, a query for an A record at the non-instantiated name
+ example.com might produce the following two NSEC records, the first
+ denying the existence of the name example.com and the second denying
+ the existence of a wildcard:
+
+
+
+Weiler & Ihren Expires July 24, 2006 [Page 5]
+
+Internet-Draft NSEC Epsilon January 2006
+
+
+ exampld.com 3600 IN NSEC example-.com ( RRSIG NSEC )
+
+ \).com 3600 IN NSEC +.com ( RRSIG NSEC )
+
+ Before answering a query with these records, an authoritative server
+ must test for the existence of names between these endpoints. If the
+ generated NSEC would cover existing names (e.g. exampldd.com or
+ *bizarre.example.com), a better epsilon function may be used or the
+ covered name closest to the QNAME could be used as the NSEC owner
+ name or next name, as appropriate. If an existing name is used as
+ the NSEC owner name, that name's real NSEC record MUST be returned.
+ Using the same example, assuming an exampldd.com delegation exists,
+ this record might be returned from the parent:
+
+ exampldd.com 3600 IN NSEC example-.com ( NS DS RRSIG NSEC )
+
+ Like every authoritative record in the zone, each generated NSEC
+ record MUST have corresponding RRSIGs generated using each algorithm
+ (but not necessarily each DNSKEY) in the zone's DNSKEY RRset, as
+ described in RFC4035 [3] section 2.2. To minimize the number of
+ signatures that must be generated, a zone may wish to limit the
+ number of algorithms in its DNSKEY RRset.
+
+
+4. Better Epsilon Functions
+
+ Section 6.1 of RFC4034 defines a strict ordering of DNS names.
+ Working backwards from that definition, it should be possible to
+ define epsilon functions that generate the immediately following and
+ preceding names, respectively. This document does not define such
+ functions. Instead, this section presents functions that come
+ reasonably close to the perfect ones. As described above, an
+ authoritative server should still ensure than no generated NSEC
+ covers any existing name.
+
+ To increment a name, add a leading label with a single null (zero-
+ value) octet.
+
+ To decrement a name, decrement the last character of the leftmost
+ label, then fill that label to a length of 63 octets with octets of
+ value 255. To decrement a null (zero-value) octet, remove the octet
+ -- if an empty label is left, remove the label. Defining this
+ function numerically: fill the left-most label to its maximum length
+ with zeros (numeric, not ASCII zeros) and subtract one.
+
+ In response to a query for the non-existent name foo.example.com,
+ these functions produce NSEC records of:
+
+
+
+
+Weiler & Ihren Expires July 24, 2006 [Page 6]
+
+Internet-Draft NSEC Epsilon January 2006
+
+
+ fon\255\255\255\255\255\255\255\255\255\255\255\255\255\255
+ \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
+ \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
+ \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
+ \255.example.com 3600 IN NSEC \000.foo.example.com ( NSEC RRSIG )
+
+ \)\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
+ \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
+ \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
+ \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
+ \255\255.example.com 3600 IN NSEC \000.*.example.com ( NSEC RRSIG )
+
+ The first of these NSEC RRs proves that no exact match for
+ foo.example.com exists, and the second proves that there is no
+ wildcard in example.com.
+
+ Both of these functions are imperfect: they don't take into account
+ constraints on number of labels in a name nor total length of a name.
+ As noted in the previous section, though, this technique does not
+ depend on the use of perfect epsilon functions: it is sufficient to
+ test whether any instantiated names fall into the span covered by the
+ generated NSEC and, if so, substitute those instantiated owner names
+ for the NSEC owner name or next name, as appropriate.
+
+
+5. IANA Considerations
+
+ This document specifies no IANA Actions.
+
+
+6. Security Considerations
+
+ This approach requires on-demand generation of RRSIG records. This
+ creates several new vulnerabilities.
+
+ First, on-demand signing requires that a zone's authoritative servers
+ have access to its private keys. Storing private keys on well-known
+ internet-accessible servers may make them more vulnerable to
+ unintended disclosure.
+
+ Second, since generation of digital signatures tends to be
+ computationally demanding, the requirement for on-demand signing
+ makes authoritative servers vulnerable to a denial of service attack.
+
+ Lastly, if the epsilon functions are predictable, on-demand signing
+ may enable a chosen-plaintext attack on a zone's private keys. Zones
+ using this approach should attempt to use cryptographic algorithms
+ that are resistant to chosen-plaintext attacks. It's worth noting
+
+
+
+Weiler & Ihren Expires July 24, 2006 [Page 7]
+
+Internet-Draft NSEC Epsilon January 2006
+
+
+ that while DNSSEC has a "mandatory to implement" algorithm, that is a
+ requirement on resolvers and validators -- there is no requirement
+ that a zone be signed with any given algorithm.
+
+ The success of using minimally covering NSEC record to prevent zone
+ walking depends greatly on the quality of the epsilon functions
+ chosen. An increment function that chooses a name obviously derived
+ from the next instantiated name may be easily reverse engineered,
+ destroying the value of this technique. An increment function that
+ always returns a name close to the next instantiated name is likewise
+ a poor choice. Good choices of epsilon functions are the ones that
+ produce the immediately following and preceding names, respectively,
+ though zone administrators may wish to use less perfect functions
+ that return more human-friendly names than the functions described in
+ Section 4 above.
+
+ Another obvious but misguided concern is the danger from synthesized
+ NSEC records being replayed. It's possible for an attacker to replay
+ an old but still validly signed NSEC record after a new name has been
+ added in the span covered by that NSEC, incorrectly proving that
+ there is no record at that name. This danger exists with DNSSEC as
+ defined in [3]. The techniques described here actually decrease the
+ danger, since the span covered by any NSEC record is smaller than
+ before. Choosing better epsilon functions will further reduce this
+ danger.
+
+7. Normative References
+
+ [1] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "DNS Security Introduction and Requirements", RFC 4033,
+ March 2005.
+
+ [2] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "Resource Records for the DNS Security Extensions", RFC 4034,
+ March 2005.
+
+ [3] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "Protocol Modifications for the DNS Security Extensions",
+ RFC 4035, March 2005.
+
+ [4] Bradner, S., "Key words for use in RFCs to Indicate Requirement
+ Levels", BCP 14, RFC 2119, March 1997.
+
+
+Appendix A. Acknowledgments
+
+ Many individuals contributed to this design. They include, in
+ addition to the authors of this document, Olaf Kolkman, Ed Lewis,
+
+
+
+Weiler & Ihren Expires July 24, 2006 [Page 8]
+
+Internet-Draft NSEC Epsilon January 2006
+
+
+ Peter Koch, Matt Larson, David Blacka, Suzanne Woolf, Jaap Akkerhuis,
+ Jakob Schlyter, Bill Manning, and Joao Damas.
+
+ In addition, the editors would like to thank Ed Lewis, Scott Rose,
+ and David Blacka for their careful review of the document.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Weiler & Ihren Expires July 24, 2006 [Page 9]
+
+Internet-Draft NSEC Epsilon January 2006
+
+
+Authors' Addresses
+
+ Samuel Weiler
+ SPARTA, Inc
+ 7075 Samuel Morse Drive
+ Columbia, Maryland 21046
+ US
+
+ Email: weiler@tislabs.com
+
+
+ Johan Ihren
+ Autonomica AB
+ Bellmansgatan 30
+ Stockholm SE-118 47
+ Sweden
+
+ Email: johani@autonomica.se
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Weiler & Ihren Expires July 24, 2006 [Page 10]
+
+Internet-Draft NSEC Epsilon January 2006
+
+
+Intellectual Property Statement
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+
+Disclaimer of Validity
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Copyright Statement
+
+ Copyright (C) The Internet Society (2006). This document is subject
+ to the rights, licenses and restrictions contained in BCP 78, and
+ except as set forth therein, the authors retain all their rights.
+
+
+Acknowledgment
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+Weiler & Ihren Expires July 24, 2006 [Page 11]
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-rsasha256-00.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-rsasha256-00.txt
new file mode 100644
index 0000000..390420a
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-rsasha256-00.txt
@@ -0,0 +1,392 @@
+
+
+
+DNS Extensions working group J. Jansen
+Internet-Draft NLnet Labs
+Expires: July 5, 2006 January 2006
+
+
+ Use of RSA/SHA-256 DNSKEY and RRSIG Resource Records in DNSSEC
+ draft-ietf-dnsext-dnssec-rsasha256-00
+
+Status of this Memo
+
+ By submitting this Internet-Draft, each author represents that any
+ applicable patent or other IPR claims of which he or she is aware
+ have been or will be disclosed, and any of which he or she becomes
+ aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on July 5, 2006.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2006).
+
+Abstract
+
+ This document describes how to produce RSA/SHA-256 DNSKEY and RRSIG
+ resource records for use in the Domain Name System Security
+ Extensions (DNSSEC, RFC4033, RFC4034, and RFC4035).
+
+
+
+
+
+
+
+
+
+Jansen Expires July 5, 2006 [Page 1]
+
+Internet-Draft RSA/SHA-256 DNSKEYs and RRSIGS January 2006
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 2. RSA/SHA-256 DNSKEY Resource Records . . . . . . . . . . . . . . 3
+ 3. RSA/SHA-256 RRSIG Resource Records . . . . . . . . . . . . . . 3
+ 4. Implementation Considerations . . . . . . . . . . . . . . . . . 4
+ 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 4
+ 6. Security Considerations . . . . . . . . . . . . . . . . . . . . 4
+ 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 5
+ 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 5
+ 8.1. Normative References . . . . . . . . . . . . . . . . . . . 5
+ 8.2. Informative References . . . . . . . . . . . . . . . . . . 5
+ Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 6
+ Intellectual Property and Copyright Statements . . . . . . . . . . 7
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Jansen Expires July 5, 2006 [Page 2]
+
+Internet-Draft RSA/SHA-256 DNSKEYs and RRSIGS January 2006
+
+
+1. Introduction
+
+ The Domain Name System (DNS) is the global hierarchical distributed
+ database for Internet Addressing. The DNS has been extended to use
+ digital signatures and cryptographic keys for the verification of
+ data. RFC4033 [1], RFC4034 [2], and RFC4035 [3] describe these DNS
+ Security Extensions.
+
+ RFC4034 describes how to store DNSKEY and RRSIG resource records, and
+ specifies a list of cryptographic algorithms to use. This document
+ extends that list with the algorithm RSA/SHA-256, and specifies how
+ to store RSA/SHA-256 DNSKEY data and how to produce RSA/SHA-256 RRSIG
+ resource records.
+
+ Familiarity with the RSA [7] and SHA-256 [5] algorithms is assumed in
+ this document.
+
+
+2. RSA/SHA-256 DNSKEY Resource Records
+
+ RSA public keys for use with RSA/SHA-256 are stored in DNSKEY
+ resource records (RRs) with the algorithm number [TBA].
+
+ The format of the DNSKEY RR can be found in RFC4034 [2] and RFC3110
+ [6].
+
+
+3. RSA/SHA-256 RRSIG Resource Records
+
+ RSA/SHA-256 signatures are stored in the DNS using RRSIG resource
+ records (RRs) with algorithm number [TBA].
+
+ The value of the signature field in the RRSIG RR is calculated as
+ follows. The values for the fields that precede the signature data
+ are specified in RFC4034 [2].
+
+ hash = SHA-256(data)
+
+ signature = ( 00 | 01 | FF* | 00 | prefix | hash ) ** e (mod n)
+
+ Where SHA-256 is the message digest algorithm as specified in FIPS
+ 180 [5], | is concatenation, 00, 01, FF and 00 are fixed octets of
+ corresponding hexadecimal value, "e" is the private exponent of the
+ signing RSA key, and "n" is the public modulus of the signing key.
+ The FF octet MUST be repeated the maximum number of times so that the
+ total length of the signature equals the length of the modulus of the
+ signer's public key ("n"). "data" is the data of the resource record
+ set that is signed, as specified in RFC4034 [2].
+
+
+
+Jansen Expires July 5, 2006 [Page 3]
+
+Internet-Draft RSA/SHA-256 DNSKEYs and RRSIGS January 2006
+
+
+ The prefix is the ASN.1 BER SHA-256 algorithm designator prefix as
+ specified in PKCS 2.1 [4]:
+
+ hex 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20
+
+ This prefix should make the use of standard cryptographic libraries
+ easier. These specifications are taken directly from PKCS #1 v2.1
+ section 9.2 [4].
+
+
+4. Implementation Considerations
+
+ DNSSEC aware implementations MUST be able to support RRSIG resource
+ records with the RSA/SHA-256 algorithm.
+
+ If both RSA/SHA-256 and RSA/SHA-1 RRSIG resource records are
+ available for a certain rrset, with a secure path to their keys, the
+ validator SHOULD ignore the SHA-1 signature. If the RSA/SHA-256
+ signature does not verify the data, and the RSA/SHA-1 does, the
+ validator SHOULD mark the data with the security status from the RSA/
+ SHA-256 signature.
+
+
+5. IANA Considerations
+
+ IANA has not yet assigned an algorithm number for RSA/SHA-256.
+
+ The algorithm list from RFC4034 Appendix A.1 [2] is extended with the
+ following entry:
+
+ Zone
+ Value Algorithm [Mnemonic] Signing References Status
+ ----- ----------- ----------- -------- ---------- ---------
+ [tba] RSA/SHA-256 [RSASHA256] y [TBA] MANDATORY
+
+
+6. Security Considerations
+
+ Recently, weaknesses have been discovered in the SHA-1 hashing
+ algorithm. It is therefore strongly encouraged to deploy SHA-256
+ where SHA-1 is used now, as soon as the DNS software supports it.
+
+ SHA-256 is considered sufficiently strong for the immediate future,
+ but predictions about future development in cryptography and
+ cryptanalysis are beyond the scope of this document.
+
+
+
+
+
+
+Jansen Expires July 5, 2006 [Page 4]
+
+Internet-Draft RSA/SHA-256 DNSKEYs and RRSIGS January 2006
+
+
+7. Acknowledgments
+
+ This document is a minor extension to RFC4034 [2]. Also, we try to
+ follow the documents RFC3110 [6] and draft-ietf-dnsext-ds-sha256.txt
+ [8] for consistency. The authors of and contributors to these
+ documents are gratefully acknowledged for their hard work.
+
+ The following people provided additional feedback and text: Jaap
+ Akkerhuis, Miek Gieben and Wouter Wijngaards.
+
+
+8. References
+
+8.1. Normative References
+
+ [1] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "DNS Security Introduction and Requirements", RFC 4033,
+ March 2005.
+
+ [2] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "Resource Records for the DNS Security Extensions", RFC 4034,
+ March 2005.
+
+ [3] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "Protocol Modifications for the DNS Security Extensions",
+ RFC 4035, March 2005.
+
+ [4] Jonsson, J. and B. Kaliski, "Public-Key Cryptography Standards
+ (PKCS) #1: RSA Cryptography Specifications Version 2.1",
+ RFC 3447, February 2003.
+
+ [5] National Institute of Standards and Technology, "Secure Hash
+ Standard", FIPS PUB 180-2, August 2002.
+
+ [6] Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain Name
+ System (DNS)", RFC 3110, May 2001.
+
+8.2. Informative References
+
+ [7] Schneier, B., "Applied Cryptography Second Edition: protocols,
+ algorithms, and source code in C", Wiley and Sons , ISBN 0-471-
+ 11709-9, 1996.
+
+ [8] Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer (DS)
+ Resource Records (RRs)", Work in Progress Feb 2006.
+
+
+
+
+
+
+Jansen Expires July 5, 2006 [Page 5]
+
+Internet-Draft RSA/SHA-256 DNSKEYs and RRSIGS January 2006
+
+
+Author's Address
+
+ Jelte Jansen
+ NLnet Labs
+ Kruislaan 419
+ Amsterdam 1098VA
+ NL
+
+ Email: jelte@NLnetLabs.nl
+ URI: http://www.nlnetlabs.nl/
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Jansen Expires July 5, 2006 [Page 6]
+
+Internet-Draft RSA/SHA-256 DNSKEYs and RRSIGS January 2006
+
+
+Intellectual Property Statement
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+
+Disclaimer of Validity
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Copyright Statement
+
+ Copyright (C) The Internet Society (2006). This document is subject
+ to the rights, licenses and restrictions contained in BCP 78, and
+ except as set forth therein, the authors retain all their rights.
+
+
+Acknowledgment
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+Jansen Expires July 5, 2006 [Page 7]
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-ds-sha256-05.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-ds-sha256-05.txt
new file mode 100644
index 0000000..2460cb6
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsext-ds-sha256-05.txt
@@ -0,0 +1,504 @@
+
+
+
+Network Working Group W. Hardaker
+Internet-Draft Sparta
+Expires: August 25, 2006 February 21, 2006
+
+
+ Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)
+ draft-ietf-dnsext-ds-sha256-05.txt
+
+Status of this Memo
+
+ By submitting this Internet-Draft, each author represents that any
+ applicable patent or other IPR claims of which he or she is aware
+ have been or will be disclosed, and any of which he or she becomes
+ aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on August 25, 2006.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2006).
+
+Abstract
+
+ This document specifies how to use the SHA-256 digest type in DNS
+ Delegation Signer (DS) Resource Records (RRs). DS records, when
+ stored in a parent zone, point to key signing DNSKEY key(s) in a
+ child zone.
+
+
+
+
+
+
+
+
+Hardaker Expires August 25, 2006 [Page 1]
+
+Internet-Draft Use of SHA-256 in DNSSEC DS RRs February 2006
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 2. Implementing the SHA-256 algorithm for DS record support . . . 3
+ 2.1. DS record field values . . . . . . . . . . . . . . . . . . 3
+ 2.2. DS Record with SHA-256 Wire Format . . . . . . . . . . . . 3
+ 2.3. Example DS Record Using SHA-256 . . . . . . . . . . . . . . 4
+ 3. Implementation Requirements . . . . . . . . . . . . . . . . . . 4
+ 4. Deployment Considerations . . . . . . . . . . . . . . . . . . . 4
+ 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5
+ 6. Security Considerations . . . . . . . . . . . . . . . . . . . . 5
+ 6.1. Potential Digest Type Downgrade Attacks . . . . . . . . . . 5
+ 6.2. SHA-1 vs SHA-256 Considerations for DS Records . . . . . . 6
+ 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 6
+ 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7
+ 8.1. Normative References . . . . . . . . . . . . . . . . . . . 7
+ 8.2. Informative References . . . . . . . . . . . . . . . . . . 7
+ Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 8
+ Intellectual Property and Copyright Statements . . . . . . . . . . 9
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hardaker Expires August 25, 2006 [Page 2]
+
+Internet-Draft Use of SHA-256 in DNSSEC DS RRs February 2006
+
+
+1. Introduction
+
+ The DNSSEC [RFC4033] [RFC4034] [RFC4035] DS RR is published in parent
+ zones to distribute a cryptographic digest of a child's Key Signing
+ Key (KSK) DNSKEY RR. The DS RRset is signed by at least one of the
+ parent zone's private zone data signing keys for each algorithm in
+ use by the parent. Each signature is published in an RRSIG resource
+ record, owned by the same domain as the DS RRset and with a type
+ covered of DS.
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+
+2. Implementing the SHA-256 algorithm for DS record support
+
+ This document specifies that the digest type code [XXX: To be
+ assigned by IANA; likely 2] is to be assigned to SHA-256 [SHA256]
+ [SHA256CODE] for use within DS records. The results of the digest
+ algorithm MUST NOT be truncated and the entire 32 byte digest result
+ is to be published in the DS record.
+
+2.1. DS record field values
+
+ Using the SHA-256 digest algorithm within a DS record will make use
+ of the following DS-record fields:
+
+ Digest type: [XXX: To be assigned by IANA; likely 2]
+
+ Digest: A SHA-256 bit digest value calculated by using the following
+ formula ("|" denotes concatenation). The resulting value is not
+ truncated and the entire 32 byte result is to used in the
+ resulting DS record and related calculations.
+
+ digest = SHA_256(DNSKEY owner name | DNSKEY RDATA)
+
+ where DNSKEY RDATA is defined by [RFC4034] as:
+
+ DNSKEY RDATA = Flags | Protocol | Algorithm | Public Key
+
+ The Key Tag field and Algorithm fields remain unchanged by this
+ document and are specified in the [RFC4034] specification.
+
+2.2. DS Record with SHA-256 Wire Format
+
+ The resulting on-the-wire format for the resulting DS record will be
+ [XXX: IANA assignment should replace the 2 below]:
+
+
+
+Hardaker Expires August 25, 2006 [Page 3]
+
+Internet-Draft Use of SHA-256 in DNSSEC DS RRs February 2006
+
+
+ 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Key Tag | Algorithm | DigestType=2 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ / /
+ / Digest (length for SHA-256 is 32 bytes) /
+ / /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
+
+2.3. Example DS Record Using SHA-256
+
+ The following is an example DNSKEY and matching DS record. This
+ DNSKEY record comes from the example DNSKEY/DS records found in
+ section 5.4 of [RFC4034].
+
+ The DNSKEY record:
+
+ dskey.example.com. 86400 IN DNSKEY 256 3 5 ( AQOeiiR0GOMYkDshWoSKz9Xz
+ fwJr1AYtsmx3TGkJaNXVbfi/
+ 2pHm822aJ5iI9BMzNXxeYCmZ
+ DRD99WYwYqUSdjMmmAphXdvx
+ egXd/M5+X7OrzKBaMbCVdFLU
+ Uh6DhweJBjEVv5f2wwjM9Xzc
+ nOf+EPbtG9DMBmADjFDc2w/r
+ ljwvFw==
+ ) ; key id = 60485
+
+ The resulting DS record covering the above DNSKEY record using a SHA-
+ 256 digest: [RFC Editor: please replace XXX with the assigned digest
+ type (likely 2):]
+
+ dskey.example.com. 86400 IN DS 60485 5 XXX ( D4B7D520E7BB5F0F67674A0C
+ CEB1E3E0614B93C4F9E99B83
+ 83F6A1E4469DA50A )
+
+
+3. Implementation Requirements
+
+ Implementations MUST support the use of the SHA-256 algorithm in DS
+ RRs. Validator implementations SHOULD ignore DS RRs containing SHA-1
+ digests if DS RRs with SHA-256 digests are present in the DS RRset.
+
+
+4. Deployment Considerations
+
+ If a validator does not support the SHA-256 digest type and no other
+ DS RR exists in a zone's DS RRset with a supported digest type, then
+
+
+
+Hardaker Expires August 25, 2006 [Page 4]
+
+Internet-Draft Use of SHA-256 in DNSSEC DS RRs February 2006
+
+
+ the validator has no supported authentication path leading from the
+ parent to the child. The resolver should treat this case as it would
+ the case of an authenticated NSEC RRset proving that no DS RRset
+ exists, as described in [RFC4035], section 5.2.
+
+ Because zone administrators can not control the deployment speed of
+ support for SHA-256 in validators that may be referencing any of
+ their zones, zone operators should consider deploying both SHA-1 and
+ SHA-256 based DS records. This should be done for every DNSKEY for
+ which DS records are being generated. Whether to make use of both
+ digest types and for how long is a policy decision that extends
+ beyond the scope of this document.
+
+
+5. IANA Considerations
+
+ Only one IANA action is required by this document:
+
+ The Digest Type to be used for supporting SHA-256 within DS records
+ needs to be assigned by IANA. This document requests that the Digest
+ Type value of 2 be assigned to the SHA-256 digest algorithm.
+
+ At the time of this writing, the current digest types assigned for
+ use in DS records are as follows:
+
+ VALUE Digest Type Status
+ 0 Reserved -
+ 1 SHA-1 MANDATORY
+ 2 SHA-256 MANDATORY
+ 3-255 Unassigned -
+
+
+6. Security Considerations
+
+6.1. Potential Digest Type Downgrade Attacks
+
+ A downgrade attack from a stronger digest type to a weaker one is
+ possible if all of the following are true:
+
+ o A zone includes multiple DS records for a given child's DNSKEY,
+ each of which use a different digest type.
+
+ o A validator accepts a weaker digest even if a stronger one is
+ present but invalid.
+
+ For example, if the following conditions are all true:
+
+
+
+
+
+Hardaker Expires August 25, 2006 [Page 5]
+
+Internet-Draft Use of SHA-256 in DNSSEC DS RRs February 2006
+
+
+ o Both SHA-1 and SHA-256 based digests are published in DS records
+ within a parent zone for a given child zone's DNSKEY.
+
+ o The DS record with the SHA-1 digest matches the digest computed
+ using the child zone's DNSKEY.
+
+ o The DS record with the SHA-256 digest fails to match the digest
+ computed using the child zone's DNSKEY.
+
+ Then if the validator accepts the above situation as secure then this
+ can be used as a downgrade attack since the stronger SHA-256 digest
+ is ignored.
+
+6.2. SHA-1 vs SHA-256 Considerations for DS Records
+
+ Users of DNSSEC are encouraged to deploy SHA-256 as soon as software
+ implementations allow for it. SHA-256 is widely believed to be more
+ resilient to attack than SHA-1, and confidence in SHA-1's strength is
+ being eroded by recently-announced attacks. Regardless of whether or
+ not the attacks on SHA-1 will affect DNSSEC, it is believed (at the
+ time of this writing) that SHA-256 is the better choice for use in DS
+ records.
+
+ At the time of this publication, the SHA-256 digest algorithm is
+ considered sufficiently strong for the immediate future. It is also
+ considered sufficient for use in DNSSEC DS RRs for the immediate
+ future. However, future published attacks may weaken the usability
+ of this algorithm within the DS RRs. It is beyond the scope of this
+ document to speculate extensively on the cryptographic strength of
+ the SHA-256 digest algorithm.
+
+ Likewise, it is also beyond the scope of this document to specify
+ whether or for how long SHA-1 based DS records should be
+ simultaneously published alongside SHA-256 based DS records.
+
+
+7. Acknowledgments
+
+ This document is a minor extension to the existing DNSSEC documents
+ and those authors are gratefully appreciated for the hard work that
+ went into the base documents.
+
+ The following people contributed to portions of this document in some
+ fashion: Mark Andrews, Roy Arends, Olafur Gudmundsson, Paul Hoffman,
+ Olaf M. Kolkman, Edward Lewis, Scott Rose, Stuart E. Schechter, Sam
+ Weiler.
+
+
+
+
+
+Hardaker Expires August 25, 2006 [Page 6]
+
+Internet-Draft Use of SHA-256 in DNSSEC DS RRs February 2006
+
+
+8. References
+
+8.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "DNS Security Introduction and Requirements",
+ RFC 4033, March 2005.
+
+ [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "Resource Records for the DNS Security Extensions",
+ RFC 4034, March 2005.
+
+ [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "Protocol Modifications for the DNS Security
+ Extensions", RFC 4035, March 2005.
+
+ [SHA256] National Institute of Standards and Technology, "Secure
+ Hash Algorithm. NIST FIPS 180-2", August 2002.
+
+8.2. Informative References
+
+ [SHA256CODE]
+ Eastlake, D., "US Secure Hash Algorithms (SHA)",
+ June 2005.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hardaker Expires August 25, 2006 [Page 7]
+
+Internet-Draft Use of SHA-256 in DNSSEC DS RRs February 2006
+
+
+Author's Address
+
+ Wes Hardaker
+ Sparta
+ P.O. Box 382
+ Davis, CA 95617
+ US
+
+ Email: hardaker@tislabs.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hardaker Expires August 25, 2006 [Page 8]
+
+Internet-Draft Use of SHA-256 in DNSSEC DS RRs February 2006
+
+
+Intellectual Property Statement
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+
+Disclaimer of Validity
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Copyright Statement
+
+ Copyright (C) The Internet Society (2006). This document is subject
+ to the rights, licenses and restrictions contained in BCP 78, and
+ except as set forth therein, the authors retain all their rights.
+
+
+Acknowledgment
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+Hardaker Expires August 25, 2006 [Page 9]
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-nsec3-04.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-nsec3-04.txt
new file mode 100644
index 0000000..8c6c5b1
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsext-nsec3-04.txt
@@ -0,0 +1,2352 @@
+
+
+
+Network Working Group B. Laurie
+Internet-Draft G. Sisson
+Expires: August 5, 2006 R. Arends
+ Nominet
+ February 2006
+
+
+ DNSSEC Hash Authenticated Denial of Existence
+ draft-ietf-dnsext-nsec3-04
+
+Status of this Memo
+
+ By submitting this Internet-Draft, each author represents that any
+ applicable patent or other IPR claims of which he or she is aware
+ have been or will be disclosed, and any of which he or she becomes
+ aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on August 5, 2006.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2006).
+
+Abstract
+
+ The DNS Security Extensions introduces the NSEC resource record for
+ authenticated denial of existence. This document introduces a new
+ resource record as an alternative to NSEC that provides measures
+ against zone enumeration and allows for gradual expansion of
+ delegation-centric zones.
+
+
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 1]
+
+Internet-Draft nsec3 February 2006
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 1.1. Rationale . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 1.2. Reserved Words . . . . . . . . . . . . . . . . . . . . . . 4
+ 1.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
+ 2. NSEC versus NSEC3 . . . . . . . . . . . . . . . . . . . . . . 5
+ 3. The NSEC3 Resource Record . . . . . . . . . . . . . . . . . . 5
+ 3.1. NSEC3 RDATA Wire Format . . . . . . . . . . . . . . . . . 6
+ 3.1.1. The Hash Function Field . . . . . . . . . . . . . . . 6
+ 3.1.2. The Opt-In Flag Field . . . . . . . . . . . . . . . . 7
+ 3.1.3. The Iterations Field . . . . . . . . . . . . . . . . . 8
+ 3.1.4. The Salt Length Field . . . . . . . . . . . . . . . . 8
+ 3.1.5. The Salt Field . . . . . . . . . . . . . . . . . . . . 8
+ 3.1.6. The Next Hashed Ownername Field . . . . . . . . . . . 9
+ 3.1.7. The Type Bit Maps Field . . . . . . . . . . . . . . . 9
+ 3.2. The NSEC3 RR Presentation Format . . . . . . . . . . . . . 10
+ 4. Creating Additional NSEC3 RRs for Empty Non-Terminals . . . . 11
+ 5. Calculation of the Hash . . . . . . . . . . . . . . . . . . . 11
+ 6. Including NSEC3 RRs in a Zone . . . . . . . . . . . . . . . . 11
+ 7. Responding to NSEC3 Queries . . . . . . . . . . . . . . . . . 12
+ 8. Special Considerations . . . . . . . . . . . . . . . . . . . . 13
+ 8.1. Proving Nonexistence . . . . . . . . . . . . . . . . . . . 13
+ 8.2. Salting . . . . . . . . . . . . . . . . . . . . . . . . . 14
+ 8.3. Iterations . . . . . . . . . . . . . . . . . . . . . . . . 15
+ 8.4. Hash Collision . . . . . . . . . . . . . . . . . . . . . . 16
+ 8.4.1. Avoiding Hash Collisions during generation . . . . . . 16
+ 8.4.2. Second Preimage Requirement Analysis . . . . . . . . . 16
+ 8.4.3. Possible Hash Value Truncation Method . . . . . . . . 17
+ 8.4.4. Server Response to a Run-time Collision . . . . . . . 17
+ 8.4.5. Parameters that Cover the Zone . . . . . . . . . . . . 18
+ 9. Performance Considerations . . . . . . . . . . . . . . . . . . 18
+ 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18
+ 11. Security Considerations . . . . . . . . . . . . . . . . . . . 18
+ 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21
+ 12.1. Normative References . . . . . . . . . . . . . . . . . . . 21
+ 12.2. Informative References . . . . . . . . . . . . . . . . . . 22
+ Editorial Comments . . . . . . . . . . . . . . . . . . . . . . . .
+ Appendix A. Example Zone . . . . . . . . . . . . . . . . . . . . 22
+ Appendix B. Example Responses . . . . . . . . . . . . . . . . . . 27
+ B.1. answer . . . . . . . . . . . . . . . . . . . . . . . . . . 27
+ B.1.1. Authenticating the Example DNSKEY RRset . . . . . . . 29
+ B.2. Name Error . . . . . . . . . . . . . . . . . . . . . . . . 30
+ B.3. No Data Error . . . . . . . . . . . . . . . . . . . . . . 32
+ B.3.1. No Data Error, Empty Non-Terminal . . . . . . . . . . 33
+ B.4. Referral to Signed Zone . . . . . . . . . . . . . . . . . 34
+ B.5. Referral to Unsigned Zone using the Opt-In Flag . . . . . 35
+ B.6. Wildcard Expansion . . . . . . . . . . . . . . . . . . . . 36
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 2]
+
+Internet-Draft nsec3 February 2006
+
+
+ B.7. Wildcard No Data Error . . . . . . . . . . . . . . . . . . 38
+ B.8. DS Child Zone No Data Error . . . . . . . . . . . . . . . 39
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 41
+ Intellectual Property and Copyright Statements . . . . . . . . . . 42
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 3]
+
+Internet-Draft nsec3 February 2006
+
+
+1. Introduction
+
+1.1. Rationale
+
+ The DNS Security Extensions included the NSEC RR to provide
+ authenticated denial of existence. Though the NSEC RR meets the
+ requirements for authenticated denial of existence, it introduced a
+ side-effect in that the contents of a zone can be enumerated. This
+ property introduces undesired policy issues.
+
+ An enumerated zone can be used either directly as a source of
+ probable e-mail addresses for spam, or indirectly as a key for
+ multiple WHOIS queries to reveal registrant data which many
+ registries may be under strict legal obligations to protect. Many
+ registries therefore prohibit copying of their zone file; however the
+ use of NSEC RRs renders these policies unenforceable.
+
+ A second problem was the requirement that the existence of all record
+ types in a zone - including unsigned delegation points - must be
+ accounted for, despite the fact that unsigned delegation point
+ records are not signed. This requirement has a side-effect that the
+ overhead of signed zones is not related to the increase in security
+ of subzones. This requirement does not allow the zones' size to grow
+ in relation to the growth of signed subzones.
+
+ In the past, solutions (draft-ietf-dnsext-dnssec-opt-in) have been
+ proposed as a measure against these side effects but at the time were
+ regarded as secondary over the need to have a stable DNSSEC
+ specification. With (draft-vixie-dnssec-ter) [14] a graceful
+ transition path to future enhancements is introduced, while current
+ DNSSEC deployment can continue. This document presents the NSEC3
+ Resource Record which mitigates these issues with the NSEC RR.
+
+ The reader is assumed to be familiar with the basic DNS and DNSSEC
+ concepts described in RFC 1034 [1], RFC 1035 [2], RFC 4033 [3], RFC
+ 4034 [4], RFC 4035 [5] and subsequent RFCs that update them: RFC 2136
+ [6], RFC2181 [7] and RFC2308 [8].
+
+1.2. Reserved Words
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [9].
+
+1.3. Terminology
+
+ The practice of discovering the contents of a zone, i.e. enumerating
+ the domains within a zone, is known as "zone enumeration". Zone
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 4]
+
+Internet-Draft nsec3 February 2006
+
+
+ enumeration was not practical prior to the introduction of DNSSEC.
+
+ In this document the term "original ownername" refers to a standard
+ ownername. Because this proposal uses the result of a hash function
+ over the original (unmodified) ownername, this result is referred to
+ as "hashed ownername".
+
+ "Hash order" means the order in which hashed ownernames are arranged
+ according to their numerical value, treating the leftmost (lowest
+ numbered) octet as the most significant octet. Note that this is the
+ same as the canonical ordering specified in RFC 4034 [4].
+
+ An "empty non-terminal" is a domain name that owns no resource
+ records but has subdomains that do.
+
+ The "closest encloser" of a (nonexistent) domain name is the longest
+ domain name, including empty non-terminals, that matches the
+ rightmost part of the nonexistent domain name.
+
+ "Base32 encoding" is "Base 32 Encoding with Extended Hex Alphabet" as
+ specified in RFC 3548bis [15].
+
+
+2. NSEC versus NSEC3
+
+ This document does NOT obsolete the NSEC record, but gives an
+ alternative for authenticated denial of existence. NSEC and NSEC3
+ RRs can not co-exist in a zone. See draft-vixie-dnssec-ter [14] for
+ a signaling mechanism to allow for graceful transition towards NSEC3.
+
+
+3. The NSEC3 Resource Record
+
+ The NSEC3 RR provides Authenticated Denial of Existence for DNS
+ Resource Record Sets.
+
+ The NSEC3 Resource Record (RR) lists RR types present at the NSEC3
+ RR's original ownername. It includes the next hashed ownername in
+ the hash order of the zone. The complete set of NSEC3 RRs in a zone
+ indicates which RRsets exist for the original ownername of the RRset
+ and form a chain of hashed ownernames in the zone. This information
+ is used to provide authenticated denial of existence for DNS data, as
+ described in RFC 4035 [5]. To provide protection against zone
+ enumeration, the ownernames used in the NSEC3 RR are cryptographic
+ hashes of the original ownername prepended to the name of the zone.
+ The NSEC3 RR indicates which hash function is used to construct the
+ hash, which salt is used, and how many iterations of the hash
+ function are performed over the original ownername. The hashing
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 5]
+
+Internet-Draft nsec3 February 2006
+
+
+ technique is described fully in Section 5.
+
+ Hashed ownernames of unsigned delegations may be excluded from the
+ chain. An NSEC3 record which span covers the hash of an unsigned
+ delegation's ownername is referred to as an Opt-In NSEC3 record and
+ is indicated by the presence of a flag.
+
+ The ownername for the NSEC3 RR is the base32 encoding of the hashed
+ ownername prepended to the name of the zone..
+
+ The type value for the NSEC3 RR is XX.
+
+ The NSEC3 RR RDATA format is class independent and is described
+ below.
+
+ The class MUST be the same as the original ownername's class.
+
+ The NSEC3 RR SHOULD have the same TTL value as the SOA minimum TTL
+ field. This is in the spirit of negative caching [8].
+
+3.1. NSEC3 RDATA Wire Format
+
+ The RDATA of the NSEC3 RR is as shown below:
+
+ 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Hash Function |O| Iterations |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Salt Length | Salt /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ / Next Hashed Ownername /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ / Type Bit Maps /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ "O" is the Opt-In Flag field.
+
+3.1.1. The Hash Function Field
+
+ The Hash Function field identifies the cryptographic hash function
+ used to construct the hash-value.
+
+ The values are as defined for the DS record (see RFC 3658 [10]).
+
+ On reception, a resolver MUST ignore an NSEC3 RR with an unknown hash
+ function value.
+
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 6]
+
+Internet-Draft nsec3 February 2006
+
+
+3.1.2. The Opt-In Flag Field
+
+ The Opt-In Flag field indicates whether this NSEC3 RR covers unsigned
+ delegations.
+
+ In DNSSEC, NS RRsets at delegation points are not signed, and may be
+ accompanied by a DS record. The security status of the subzone is
+ determined by the presence or absence of the DS RRset,
+ cryptographically proven by the NSEC record or the signed DS RRset.
+ The presence of the Opt-In flag expands this definition by allowing
+ insecure delegations to exist within an otherwise signed zone without
+ the corresponding NSEC3 record at the delegation's (hashed) owner
+ name. These delegations are proven insecure by using a covering
+ NSEC3 record.
+
+ Resolvers must be able to distinguish between NSEC3 records and
+ Opt-In NSEC3 records. This is accomplished by setting the Opt-In
+ flag of the NSEC3 records that cover (or potentially cover) insecure
+ delegation nodes.
+
+ An Opt-In NSEC3 record does not assert the existence or non-existence
+ of the insecure delegations that it covers. This allows for the
+ addition or removal of these delegations without recalculating or
+ resigning records in the NSEC3 chain. However, Opt-In NSEC3 records
+ do assert the (non)existence of other, authoritative RRsets.
+
+ An Opt-In NSEC3 record MAY have the same original owner name as an
+ insecure delegation. In this case, the delegation is proven insecure
+ by the lack of a DS bit in type map and the signed NSEC3 record does
+ assert the existence of the delegation.
+
+ Zones using Opt-In MAY contain a mixture of Opt-In NSEC3 records and
+ non-Opt-In NSEC3 records. If an NSEC3 record is not Opt-In, there
+ MUST NOT be any hashed ownernames of insecure delegations (nor any
+ other records) between it and the RRsets indicated by the 'Next
+ Hashed Ownername' in the NSEC3 RDATA. If it is Opt-In, there MUST
+ only be hashed ownernames of insecure delegations between it and the
+ next node indicated by the 'Next Hashed Ownername' in the NSEC3
+ RDATA.
+
+ In summary,
+ o An Opt-In NSEC3 type is identified by an Opt-In Flag field value
+ of 1.
+ o A non Opt-In NSEC3 type is identified by an Opt-In Flag field
+ value of 0.
+ and,
+
+
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 7]
+
+Internet-Draft nsec3 February 2006
+
+
+ o An Opt-In NSEC3 record does not assert the non-existence of a hash
+ ownername between its ownername and next hashed ownername,
+ although it does assert that any hashed name in this span MUST be
+ of an insecure delegation.
+ o An Opt-In NSEC3 record does assert the (non)existence of RRsets
+ with the same hashed owner name.
+
+3.1.3. The Iterations Field
+
+ The Iterations field defines the number of times the hash has been
+ iterated. More iterations results in greater resiliency of the hash
+ value against dictionary attacks, but at a higher cost for both the
+ server and resolver. See Section 5 for details of this field's use.
+
+ Iterations make an attack more costly by making the hash computation
+ more computationally intensive, e.g. by iterating the hash function a
+ number of times.
+
+ When generating a few hashes this performance loss will not be a
+ problem, as a validator can handle a delay of a few milliseconds.
+ But when doing a dictionary attack it will also multiply the attack
+ workload by a factor, which is a problem for the attacker.
+
+3.1.4. The Salt Length Field
+
+ The salt length field defines the length of the salt in octets.
+
+3.1.5. The Salt Field
+
+ The Salt field is not present when the Salt Length Field has a value
+ of 0.
+
+ The Salt field is appended to the original ownername before hashing
+ in order to defend against precalculated dictionary attacks. See
+ Section 5 for details on how the salt is used.
+
+ Salt is used to make dictionary attacks using precomputation more
+ costly. A dictionary can only be computed after the attacker has the
+ salt, hence a new salt means that the dictionary has to be
+ regenerated with the new salt.
+
+ There MUST be a complete set of NSEC3 records covering the entire
+ zone that use the same salt value. The requirement exists so that,
+ given any qname within a zone, at least one covering NSEC3 RRset may
+ be found. While it may be theoretically possible to produce a set of
+ NSEC3s that use different salts that cover the entire zone, it is
+ computationally infeasible to generate such a set. See Section 8.2
+ for further discussion.
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 8]
+
+Internet-Draft nsec3 February 2006
+
+
+ The salt value SHOULD be changed from time to time - this is to
+ prevent the use of a precomputed dictionary to reduce the cost of
+ enumeration.
+
+3.1.6. The Next Hashed Ownername Field
+
+ The Next Hashed Ownername field contains the next hashed ownername in
+ hash order. That is, given the set of all hashed owernames, the Next
+ Hashed Ownername contains the hash value that immediately follows the
+ owner hash value for the given NSEC3 record. The value of the Next
+ Hashed Ownername Field in the last NSEC3 record in the zone is the
+ same as the ownername of the first NSEC3 RR in the zone in hash
+ order.
+
+ Hashed ownernames of glue RRsets MUST NOT be listed in the Next
+ Hashed Ownername unless at least one authoritative RRset exists at
+ the same ownername. Hashed ownernames of delegation NS RRsets MUST
+ be listed if the Opt-In bit is clear.
+
+ Note that the Next Hashed Ownername field is not encoded, unlike the
+ NSEC3 RR's ownername. It is the unmodified binary hash value. It
+ does not include the name of the containing zone.
+
+ The length of this field is the length of the hash value produced by
+ the hash function selected by the Hash Function field.
+
+3.1.7. The Type Bit Maps Field
+
+ The Type Bit Maps field identifies the RRset types which exist at the
+ NSEC3 RR's original ownername.
+
+ The Type bits for the NSEC3 RR and RRSIG RR MUST be set during
+ generation, and MUST be ignored during processing.
+
+ The RR type space is split into 256 window blocks, each representing
+ the low-order 8 bits of the 16-bit RR type space. Each block that
+ has at least one active RR type is encoded using a single octet
+ window number (from 0 to 255), a single octet bitmap length (from 1
+ to 32) indicating the number of octets used for the window block's
+ bitmap, and up to 32 octets (256 bits) of bitmap.
+
+ Blocks are present in the NSEC3 RR RDATA in increasing numerical
+ order.
+
+ "|" denotes concatenation
+
+ Type Bit Map(s) Field = ( Window Block # | Bitmap Length | Bitmap ) +
+
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 9]
+
+Internet-Draft nsec3 February 2006
+
+
+ Each bitmap encodes the low-order 8 bits of RR types within the
+ window block, in network bit order. The first bit is bit 0. For
+ window block 0, bit 1 corresponds to RR type 1 (A), bit 2 corresponds
+ to RR type 2 (NS), and so forth. For window block 1, bit 1
+ corresponds to RR type 257, bit 2 to RR type 258. If a bit is set to
+ 1, it indicates that an RRset of that type is present for the NSEC3
+ RR's ownername. If a bit is set to 0, it indicates that no RRset of
+ that type is present for the NSEC3 RR's ownername.
+
+ Since bit 0 in window block 0 refers to the non-existing RR type 0,
+ it MUST be set to 0. After verification, the validator MUST ignore
+ the value of bit 0 in window block 0.
+
+ Bits representing Meta-TYPEs or QTYPEs as specified in RFC 2929 [11]
+ (section 3.1) or within the range reserved for assignment only to
+ QTYPEs and Meta-TYPEs MUST be set to 0, since they do not appear in
+ zone data. If encountered, they must be ignored upon reading.
+
+ Blocks with no types present MUST NOT be included. Trailing zero
+ octets in the bitmap MUST be omitted. The length of each block's
+ bitmap is determined by the type code with the largest numerical
+ value, within that block, among the set of RR types present at the
+ NSEC3 RR's actual ownername. Trailing zero octets not specified MUST
+ be interpreted as zero octets.
+
+3.2. The NSEC3 RR Presentation Format
+
+ The presentation format of the RDATA portion is as follows:
+
+ The Opt-In Flag Field is represented as an unsigned decimal integer.
+ The value is either 0 or 1.
+
+ The Hash field is presented as a mnemonic of the hash or as an
+ unsigned decimal integer. The value has a maximum of 127.
+
+ The Iterations field is presented as an unsigned decimal integer.
+
+ The Salt Length field is not presented.
+
+ The Salt field is represented as a sequence of case-insensitive
+ hexadecimal digits. Whitespace is not allowed within the sequence.
+ The Salt Field is represented as "-" (without the quotes) when the
+ Salt Length field has value 0.
+
+ The Next Hashed Ownername field is represented as a sequence of case-
+ insensitive base32 digits, without whitespace.
+
+ The Type Bit Maps Field is represented as a sequence of RR type
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 10]
+
+Internet-Draft nsec3 February 2006
+
+
+ mnemonics. When the mnemonic is not known, the TYPE representation
+ as described in RFC 3597 [12] (section 5) MUST be used.
+
+
+4. Creating Additional NSEC3 RRs for Empty Non-Terminals
+
+ In order to prove the non-existence of a record that might be covered
+ by a wildcard, it is necessary to prove the existence of its closest
+ encloser. A closest encloser might be an empty non-terminal.
+
+ Additional NSEC3 RRs are generated for empty non-terminals. These
+ additional NSEC3 RRs are identical in format to NSEC3 RRs that cover
+ existing RRs in the zone except that their type-maps only indicated
+ the existence of an NSEC3 RRset and an RRSIG RRset.
+
+ This relaxes the requirement in Section 2.3 of RFC4035 that NSEC RRs
+ not appear at names that did not exist before the zone was signed.
+ [Comment.1]
+
+
+5. Calculation of the Hash
+
+ Define H(x) to be the hash of x using the hash function selected by
+ the NSEC3 record and || to indicate concatenation. Then define:
+
+ IH(salt,x,0)=H(x || salt)
+
+ IH(salt,x,k)=H(IH(salt,x,k-1) || salt) if k > 0
+
+ Then the calculated hash of an ownername is
+ IH(salt,ownername,iterations-1), where the ownername is the canonical
+ form.
+
+ The canonical form of the ownername is the wire format of the
+ ownername where:
+ 1. The ownername is fully expanded (no DNS name compression) and
+ fully qualified;
+ 2. All uppercase US-ASCII letters are replaced by the corresponding
+ lowercase US-ASCII letters;
+ 3. If the ownername is a wildcard name, the ownername is in its
+ original unexpanded form, including the "*" label (no wildcard
+ substitution);
+ This form is as defined in section 6.2 of RFC 4034 ([4]).
+
+
+6. Including NSEC3 RRs in a Zone
+
+ Each ownername within the zone that owns authoritative RRsets MUST
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 11]
+
+Internet-Draft nsec3 February 2006
+
+
+ have a corresponding NSEC3 RR. Ownernames that correspond to
+ unsigned delegations MAY have a corresponding NSEC3 RR, however, if
+ there is not, there MUST be a covering NSEC3 RR with the Opt-In flag
+ set to 1. Other non-authoritative RRs are not included in the set of
+ NSEC3 RRs.
+
+ Each empty non-terminal MUST have an NSEC3 record.
+
+ The TTL value for any NSEC3 RR SHOULD be the same as the minimum TTL
+ value field in the zone SOA RR.
+
+ The type bitmap of every NSEC3 resource record in a signed zone MUST
+ indicate the presence of both the NSEC3 RR type itself and its
+ corresponding RRSIG RR type.
+
+ The following steps describe the proper construction of NSEC3
+ records. [Comment.2]
+ 1. For each unique original ownername in the zone, add an NSEC3
+ RRset. If Opt-In is being used, ownernames of unsigned
+ delegations may be excluded, but must be considered for empty-
+ non-terminals. The ownername of the NSEC3 RR is the hashed
+ equivalent of the original owner name, prepended to the zone
+ name. The Next Hashed Ownername field is left blank for the
+ moment. If Opt-In is being used, set the Opt-In bit to one.
+ 2. For each RRset at the original owner name, set the corresponding
+ bit in the type bit map.
+ 3. If the difference in number of labels between the apex and the
+ original ownername is greater then 1, additional NSEC3s need to
+ be added for every empty non-terminal between the apex and the
+ original ownername. This process may generate NSEC3 RRs with
+ duplicate hashed ownernames.
+ 4. Sort the set of NSEC3 RRs into hash order. Hash order is the
+ ascending numerical order of the non-encoded hash values.
+ 5. Combine NSEC3 RRs with identical hashed ownernames by replacing
+ with a single NSEC3 RR with the type map consisting of the union
+ of the types represented by the set of NSEC3 RRs.
+ 6. In each NSEC3 RR, insert the Next Hashed Ownername by using the
+ value of the next NSEC3 RR in hash order. The Next Hashed
+ Ownername of the last NSEC3 in the zone contains the value of the
+ hashed ownername of the first NSEC3 in the hash order.
+
+
+7. Responding to NSEC3 Queries
+
+ Since NSEC3 ownernames are not represented in the NSEC3 chain like
+ other zone ownernames, direct queries for NSEC3 ownernames present a
+ special case.
+
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 12]
+
+Internet-Draft nsec3 February 2006
+
+
+ The special case arises when the following are all true:
+ o The QNAME equals an existing NSEC3 ownername, and
+ o There are no other record types that exist at QNAME, and
+ o The QTYPE does not equal NSEC3.
+ These conditions describe a particular case: the answer should be a
+ NOERROR/NODATA response, but there is no NSEC3 RRset for H(QNAME) to
+ include in the authority section.
+
+ However, the NSEC3 RRset with ownername equal to QNAME is able to
+ prove its own existence. Thus, when answering this query, the
+ authoritative server MUST include the NSEC3 RRset whose ownername
+ equals QNAME. This RRset proves that QNAME is an existing name with
+ types NSEC3 and RRSIG. The authoritative server MUST also include
+ the NSEC3 RRset that covers the hash of QNAME. This RRset proves
+ that no other types exist.
+
+ When validating a NOERROR/NODATA response, validators MUST check for
+ a NSEC3 RRset with ownername equals to QNAME, and MUST accept that
+ (validated) NSEC3 RRset as proof that QNAME exists. The validator
+ MUST also check for an NSEC3 RRset that covers the hash of QNAME as
+ proof that QTYPE doesn't exist.
+
+ Other cases where the QNAME equals an existing NSEC3 ownername may be
+ answered normally.
+
+
+8. Special Considerations
+
+ The following paragraphs clarify specific behaviour explain special
+ considerations for implementations.
+
+8.1. Proving Nonexistence
+
+ If a wildcard resource record appears in a zone, its asterisk label
+ is treated as a literal symbol and is treated in the same way as any
+ other ownername for purposes of generating NSEC3 RRs. RFC 4035 [5]
+ describes the impact of wildcards on authenticated denial of
+ existence.
+
+ In order to prove there exist no RRs for a domain, as well as no
+ source of synthesis, an RR must be shown for the closest encloser,
+ and non-existence must be shown for all closer labels and for the
+ wildcard at the closest encloser.
+
+ This can be done as follows. If the QNAME in the query is
+ omega.alfa.beta.example, and the closest encloser is beta.example
+ (the nearest ancestor to omega.alfa.beta.example), then the server
+ should return an NSEC3 that demonstrates the nonexistence of
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 13]
+
+Internet-Draft nsec3 February 2006
+
+
+ alfa.beta.example, an NSEC3 that demonstrates the nonexistence of
+ *.beta.example, and an NSEC3 that demonstrates the existence of
+ beta.example. This takes between one and three NSEC3 records, since
+ a single record can, by chance, prove more than one of these facts.
+
+ When a verifier checks this response, then the existence of
+ beta.example together with the non-existence of alfa.beta.example
+ proves that the closest encloser is indeed beta.example. The non-
+ existence of *.beta.example shows that there is no wildcard at the
+ closest encloser, and so no source of synthesis for
+ omega.alfa.beta.example. These two facts are sufficient to satisfy
+ the resolver that the QNAME cannot be resolved.
+
+ In practice, since the NSEC3 owner and next names are hashed, if the
+ server responds with an NSEC3 for beta.example, the resolver will
+ have to try successively longer names, starting with example, moving
+ to beta.example, alfa.beta.example, and so on, until one of them
+ hashes to a value that matches the interval (but not the ownername
+ nor next owner name) of one of the returned NSEC3s (this name will be
+ alfa.beta.example). Once it has done this, it knows the closest
+ encloser (i.e. beta.example), and can then easily check the other two
+ required proofs.
+
+ Note that it is not possible for one of the shorter names tried by
+ the resolver to be denied by one of the returned NSEC3s, since, by
+ definition, all these names exist and so cannot appear within the
+ range covered by an NSEC3. Note, however, that the first name that
+ the resolver tries MUST be the apex of the zone, since names above
+ the apex could be denied by one of the returned NSEC3s.
+
+8.2. Salting
+
+ Augmenting original ownernames with salt before hashing increases the
+ cost of a dictionary of pre-generated hash-values. For every bit of
+ salt, the cost of a precomputed dictionary doubles (because there
+ must be an entry for each word combined with each possible salt
+ value). The NSEC3 RR can use a maximum of 2040 bits (255 octets) of
+ salt, multiplying the cost by 2^2040. This means that an attacker
+ must, in practice, recompute the dictionary each time the salt is
+ changed.
+
+ There MUST be at least one complete set of NSEC3s for the zone using
+ the same salt value.
+
+ The salt SHOULD be changed periodically to prevent precomputation
+ using a single salt. It is RECOMMENDED that the salt be changed for
+ every resigning.
+
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 14]
+
+Internet-Draft nsec3 February 2006
+
+
+ Note that this could cause a resolver to see records with different
+ salt values for the same zone. This is harmless, since each record
+ stands alone (that is, it denies the set of ownernames whose hashes,
+ using the salt in the NSEC3 record, fall between the two hashes in
+ the NSEC3 record) - it is only the server that needs a complete set
+ of NSEC3 records with the same salt in order to be able to answer
+ every possible query.
+
+ There is no prohibition with having NSEC3 with different salts within
+ the same zone. However, in order for authoritative servers to be
+ able to consistently find covering NSEC3 RRs, the authoritative
+ server MUST choose a single set of parameters (algorithm, salt, and
+ iterations) to use when selecting NSEC3s. In the absence of any
+ other metadata, the server does this by using the parameters from the
+ zone apex NSEC3, recognizable by the presence of the SOA bit in the
+ type map. If there is more than one NSEC3 record that meets this
+ description, then the server may arbitrarily choose one. Because of
+ this, if there is a zone apex NSEC3 RR within a zone, it MUST be part
+ of a complete NSEC3 set. Conversely, if there exists an incomplete
+ set of NSEC3 RRs using the same parameters within a zone, there MUST
+ NOT be an NSEC3 RR using those parameters with the SOA bit set.
+
+8.3. Iterations
+
+ Setting the number of iterations used allows the zone owner to choose
+ the cost of computing a hash, and so the cost of generating a
+ dictionary. Note that this is distinct from the effect of salt,
+ which prevents the use of a single precomputed dictionary for all
+ time.
+
+ Obviously the number of iterations also affects the zone owner's cost
+ of signing the zone as well as the verifiers cost of verifying the
+ zone. We therefore impose an upper limit on the number of
+ iterations. We base this on the number of iterations that
+ approximately doubles the cost of signing the zone.
+
+ A zone owner MUST NOT use a value higher than shown in the table
+ below for iterations. A resolver MAY treat a response with a higher
+ value as bogus.
+
+ +--------------+------------+
+ | RSA Key Size | Iterations |
+ +--------------+------------+
+ | 1024 | 3,000 |
+ | 2048 | 20,000 |
+ | 4096 | 150,000 |
+ +--------------+------------+
+
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 15]
+
+Internet-Draft nsec3 February 2006
+
+
+ +--------------+------------+
+ | DSA Key Size | Iterations |
+ +--------------+------------+
+ | 1024 | 1,500 |
+ | 2048 | 5,000 |
+ +--------------+------------+
+
+ This table is based on 150,000 SHA-1's per second, 50 RSA signs per
+ second for 1024 bit keys, 7 signs per second for 2048 bit keys, 1
+ sign per second for 4096 bit keys, 100 DSA signs per second for 1024
+ bit keys and 30 signs per second for 2048 bit keys.
+
+ Note that since RSA verifications are 10-100 times faster than
+ signatures (depending on key size), in the case of RSA the legal
+ values of iterations can substantially increase the cost of
+ verification.
+
+8.4. Hash Collision
+
+ Hash collisions occur when different messages have the same hash
+ value. The expected number of domain names needed to give a 1 in 2
+ chance of a single collision is about 2^(n/2) for a hash of length n
+ bits (i.e. 2^80 for SHA-1). Though this probability is extremely
+ low, the following paragraphs deal with avoiding collisions and
+ assessing possible damage in the event of an attack using hash
+ collisions.
+
+8.4.1. Avoiding Hash Collisions during generation
+
+ During generation of NSEC3 RRs, hash values are supposedly unique.
+ In the (academic) case of a collision occurring, an alternative salt
+ MUST be chosen and all hash values MUST be regenerated.
+
+8.4.2. Second Preimage Requirement Analysis
+
+ A cryptographic hash function has a second-preimage resistance
+ property. The second-preimage resistance property means that it is
+ computationally infeasible to find another message with the same hash
+ value as a given message, i.e. given preimage X, to find a second
+ preimage X' != X such that hash(X) = hash(X'). The work factor for
+ finding a second preimage is of the order of 2^160 for SHA-1. To
+ mount an attack using an existing NSEC3 RR, an adversary needs to
+ find a second preimage.
+
+ Assuming an adversary is capable of mounting such an extreme attack,
+ the actual damage is that a response message can be generated which
+ claims that a certain QNAME (i.e. the second pre-image) does exist,
+ while in reality QNAME does not exist (a false positive), which will
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 16]
+
+Internet-Draft nsec3 February 2006
+
+
+ either cause a security aware resolver to re-query for the non-
+ existent name, or to fail the initial query. Note that the adversary
+ can't mount this attack on an existing name but only on a name that
+ the adversary can't choose and does not yet exist.
+
+8.4.3. Possible Hash Value Truncation Method
+
+ The previous sections outlined the low probability and low impact of
+ a second-preimage attack. When impact and probability are low, while
+ space in a DNS message is costly, truncation is tempting. Truncation
+ might be considered to allow for shorter ownernames and rdata for
+ hashed labels. In general, if a cryptographic hash is truncated to n
+ bits, then the expected number of domains required to give a 1 in 2
+ probability of a single collision is approximately 2^(n/2) and the
+ work factor to produce a second preimage is 2^n.
+
+ An extreme hash value truncation would be truncating to the shortest
+ possible unique label value. This would be unwise, since the work
+ factor to produce second preimages would then approximate the size of
+ the zone (sketch of proof: if the zone has k entries, then the length
+ of the names when truncated down to uniqueness should be proportional
+ to log_2(k). Since the work factor to produce a second pre-image is
+ 2^n for an n-bit hash, then in this case it is 2^(C log_2(k)) (where
+ C is some constant), i.e. C'k - a work factor of k).
+
+ Though the mentioned truncation can be maximized to a certain
+ extreme, the probability of collision increases exponentially for
+ every truncated bit. Given the low impact of hash value collisions
+ and limited space in DNS messages, the balance between truncation
+ profit and collision damage may be determined by local policy. Of
+ course, the size of the corresponding RRSIG RR is not reduced, so
+ truncation is of limited benefit.
+
+ Truncation could be signaled simply by reducing the length of the
+ first label in the ownername. Note that there would have to be a
+ corresponding reduction in the length of the Next Hashed Ownername
+ field.
+
+8.4.4. Server Response to a Run-time Collision
+
+ In the astronomically unlikely event that a server is unable to prove
+ nonexistence because the hash of the name that does not exist
+ collides with a name that does exist, the server is obviously broken,
+ and should, therefore, return a response with an RCODE of 2 (server
+ failure).
+
+
+
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 17]
+
+Internet-Draft nsec3 February 2006
+
+
+8.4.5. Parameters that Cover the Zone
+
+ Secondary servers (and perhaps other entities) need to reliably
+ determine which NSEC3 parameters (that is, hash, salt and iterations)
+ are present at every hashed ownername, in order to be able to choose
+ an appropriate set of NSEC3 records for negative responses. This is
+ indicated by the parameters at the apex: any set of parameters that
+ is used in an NSEC3 record whose original ownername is the apex of
+ the zone MUST be present throughout the zone.
+
+ A method to determine which NSEC3 in a complete chain corresponds to
+ the apex is to look for a NSEC3 RRset which has the SOA bit set in
+ the RDATA bit type maps field.
+
+
+9. Performance Considerations
+
+ Iterated hashes impose a performance penalty on both authoritative
+ servers and resolvers. Therefore, the number of iterations should be
+ carefully chosen. In particular it should be noted that a high value
+ for iterations gives an attacker a very good denial of service
+ attack, since the attacker need not bother to verify the results of
+ their queries, and hence has no performance penalty of his own.
+
+ On the other hand, nameservers with low query rates and limited
+ bandwidth are already subject to a bandwidth based denial of service
+ attack, since responses are typically an order of magnitude larger
+ than queries, and hence these servers may choose a high value of
+ iterations in order to increase the difficulty of offline attempts to
+ enumerate their namespace without significantly increasing their
+ vulnerability to denial of service attacks.
+
+
+10. IANA Considerations
+
+ IANA needs to allocate a RR type code for NSEC3 from the standard RR
+ type space (type XXX requested). IANA needs to open a new registry
+ for the NSEC3 Hash Functions. The range for this registry is 0-127.
+ Defined types are:
+
+ 0 is reserved.
+ 1 is SHA-1 ([13]).
+ 127 is experimental.
+
+
+11. Security Considerations
+
+ The NSEC3 records are still susceptible to dictionary attacks (i.e.
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 18]
+
+Internet-Draft nsec3 February 2006
+
+
+ the attacker retrieves all the NSEC3 records, then calculates the
+ hashes of all likely domain names, comparing against the hashes found
+ in the NSEC3 records, and thus enumerating the zone). These are
+ substantially more expensive than enumerating the original NSEC
+ records would have been, and in any case, such an attack could also
+ be used directly against the name server itself by performing queries
+ for all likely names, though this would obviously be more detectable.
+ The expense of this off-line attack can be chosen by setting the
+ number of iterations in the NSEC3 RR.
+
+ Domains are also susceptible to a precalculated dictionary attack -
+ that is, a list of hashes for all likely names is computed once, then
+ NSEC3 is scanned periodically and compared against the precomputed
+ hashes. This attack is prevented by changing the salt on a regular
+ basis.
+
+ Walking the NSEC3 RRs will reveal the total number of records in the
+ zone, and also what types they are. This could be mitigated by
+ adding dummy entries, but certainly an upper limit can always be
+ found.
+
+ Hash collisions may occur. If they do, it will be impossible to
+ prove the non-existence of the colliding domain - however, this is
+ fantastically unlikely, and, in any case, DNSSEC already relies on
+ SHA-1 to not collide.
+
+ Responses to queries where QNAME equals an NSEC3 ownername that has
+ no other types may be undetectably changed from a NOERROR/NODATA
+ response to a NAME ERROR response.
+
+ The Opt-In Flag (O) allows for unsigned names, in the form of
+ delegations to unsigned subzones, to exist within an otherwise signed
+ zone. All unsigned names are, by definition, insecure, and their
+ validity or existence cannot by cryptographically proven.
+
+ In general:
+ Records with unsigned names (whether existing or not) suffer from
+ the same vulnerabilities as records in an unsigned zone. These
+ vulnerabilities are described in more detail in [16] (note in
+ particular sections 2.3, "Name Games" and 2.6, "Authenticated
+ Denial").
+ Records with signed names have the same security whether or not
+ Opt-In is used.
+
+ Note that with or without Opt-In, an insecure delegation may be
+ undetectably altered by an attacker. Because of this, the primary
+ difference in security when using Opt-In is the loss of the ability
+ to prove the existence or nonexistence of an insecure delegation
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 19]
+
+Internet-Draft nsec3 February 2006
+
+
+ within the span of an Opt-In NSEC3 record.
+
+ In particular, this means that a malicious entity may be able to
+ insert or delete records with unsigned names. These records are
+ normally NS records, but this also includes signed wildcard
+ expansions (while the wildcard record itself is signed, its expanded
+ name is an unsigned name).
+
+ For example, if a resolver received the following response from the
+ example zone above:
+
+ Example S.1: Response to query for WWW.DOES-NOT-EXIST.EXAMPLE. A
+
+ RCODE=NOERROR
+
+ Answer Section:
+
+ Authority Section:
+ DOES-NOT-EXIST.EXAMPLE. NS NS.FORGED.
+ EXAMPLE. NSEC FIRST-SECURE.EXAMPLE. SOA NS \
+ RRSIG DNSKEY
+ abcd... RRSIG NSEC3 ...
+
+ Additional Section:
+
+ The resolver would have no choice but to accept that the referral to
+ NS.FORGED. is valid. If a wildcard existed that would have been
+ expanded to cover "WWW.DOES-NOT-EXIST.EXAMPLE.", an attacker could
+ have undetectably removed it and replaced it with the forged
+ delegation.
+
+ Note that being able to add a delegation is functionally equivalent
+ to being able to add any record type: an attacker merely has to forge
+ a delegation to nameserver under his/her control and place whatever
+ records needed at the subzone apex.
+
+ While in particular cases, this issue may not present a significant
+ security problem, in general it should not be lightly dismissed.
+ Therefore, it is strongly RECOMMENDED that Opt-In be used sparingly.
+ In particular, zone signing tools SHOULD NOT default to using Opt-In,
+ and MAY choose to not support Opt-In at all.
+
+
+12. References
+
+
+
+
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 20]
+
+Internet-Draft nsec3 February 2006
+
+
+12.1. Normative References
+
+ [1] Mockapetris, P., "Domain names - concepts and facilities",
+ STD 13, RFC 1034, November 1987.
+
+ [2] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [3] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "DNS Security Introduction and Requirements", RFC 4033,
+ March 2005.
+
+ [4] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "Resource Records for the DNS Security Extensions", RFC 4034,
+ March 2005.
+
+ [5] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "Protocol Modifications for the DNS Security Extensions",
+ RFC 4035, March 2005.
+
+ [6] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound, "Dynamic
+ Updates in the Domain Name System (DNS UPDATE)", RFC 2136,
+ April 1997.
+
+ [7] Elz, R. and R. Bush, "Clarifications to the DNS Specification",
+ RFC 2181, July 1997.
+
+ [8] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)",
+ RFC 2308, March 1998.
+
+ [9] Bradner, S., "Key words for use in RFCs to Indicate Requirement
+ Levels", BCP 14, RFC 2119, March 1997.
+
+ [10] Gudmundsson, O., "Delegation Signer (DS) Resource Record (RR)",
+ RFC 3658, December 2003.
+
+ [11] Eastlake, D., Brunner-Williams, E., and B. Manning, "Domain
+ Name System (DNS) IANA Considerations", BCP 42, RFC 2929,
+ September 2000.
+
+ [12] Gustafsson, A., "Handling of Unknown DNS Resource Record (RR)
+ Types", RFC 3597, September 2003.
+
+ [13] Eastlake, D. and P. Jones, "US Secure Hash Algorithm 1 (SHA1)",
+ RFC 3174, September 2001.
+
+
+
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 21]
+
+Internet-Draft nsec3 February 2006
+
+
+12.2. Informative References
+
+ [14] Vixie, P., "Extending DNSSEC-BIS (DNSSEC-TER)",
+ draft-vixie-dnssec-ter-01 (work in progress), June 2004.
+
+ [15] Josefsson, Ed., S,., "The Base16, Base32, and Base64 Data
+ Encodings.", draft-josefsson-rfc3548bis-00 (work in progress),
+ October 2005.
+
+ [16] Atkins, D. and R. Austein, "Threat Analysis of the Domain Name
+ System (DNS)", RFC 3833, August 2004.
+
+Editorial Comments
+
+ [Comment.1] Although, strictly speaking, the names *did* exist.
+
+ [Comment.2] Note that this method makes it impossible to detect
+ (extremely unlikely) hash collisions.
+
+
+Appendix A. Example Zone
+
+ This is a zone showing its NSEC3 records. They can also be used as
+ test vectors for the hash algorithm.
+
+ The data in the example zone is currently broken, as it uses a
+ different base32 alphabet. This shall be fixed in the next release.
+
+
+ example. 3600 IN SOA ns1.example. bugs.x.w.example. (
+ 1
+ 3600
+ 300
+ 3600000
+ 3600 )
+ 3600 RRSIG SOA 5 1 3600 20050712112304 (
+ 20050612112304 62699 example.
+ RtctD6aLUU5Md5wOOItilS7JXX1tf58Ql3sK
+ mTXkL13jqLiUFOGg0uzqRh1U9GbydS0P7M0g
+ qYIt90txzE/4+g== )
+ 3600 NS ns1.example.
+ 3600 NS ns2.example.
+ 3600 RRSIG NS 5 1 3600 20050712112304 (
+ 20050612112304 62699 example.
+ hNyyin2JpECIFxW4vsj8RhHcWCQKUXgO+z4l
+ m7g2zM8q3Qpsm/gYIXSF2Rhj6lAG7esR/X9d
+ 1SH5r/wfjuCg+g== )
+ 3600 MX 1 xx.example.
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 22]
+
+Internet-Draft nsec3 February 2006
+
+
+ 3600 RRSIG MX 5 1 3600 20050712112304 (
+ 20050612112304 62699 example.
+ L/ZDLMSZJKITmSxmM9Kni37/wKQsdSg6FT0l
+ NMm14jy2Stp91Pwp1HQ1hAMkGWAqCMEKPMtU
+ S/o/g5C8VM6ftQ== )
+ 3600 DNSKEY 257 3 5 (
+ AQOnsGyJvywVjYmiLbh0EwIRuWYcDiB/8blX
+ cpkoxtpe19Oicv6Zko+8brVsTMeMOpcUeGB1
+ zsYKWJ7BvR2894hX
+ ) ; Key ID = 21960
+ 3600 DNSKEY 256 3 5 (
+ AQO0gEmbZUL6xbD/xQczHbnwYnf+jQjwz/sU
+ 5k44rHTt0Ty+3aOdYoome9TjGMhwkkGby1TL
+ ExXT48OGGdbfIme5
+ ) ; Key ID = 62699
+ 3600 RRSIG DNSKEY 5 1 3600 20050712112304 (
+ 20050612112304 62699 example.
+ e6EB+K21HbyZzoLUeRDb6+g0+n8XASYe6h+Z
+ xtnB31sQXZgq8MBHeNFDQW9eZw2hjT9zMClx
+ mTkunTYzqWJrmQ== )
+ 3600 RRSIG DNSKEY 5 1 3600 20050712112304 (
+ 20050612112304 21960 example.
+ SnWLiNWLbOuiKU/F/wVMokvcg6JVzGpQ2VUk
+ ZbKjB9ON0t3cdc+FZbOCMnEHRJiwgqlnncik
+ 3w7ZY2UWyYIvpw== )
+ 5pe7ctl7pfs2cilroy5dcofx4rcnlypd.example. 3600 NSEC3 0 1 1 (
+ deadbeaf
+ 7nomf47k3vlidh4vxahhpp47l3tgv7a2
+ NSEC3 RRSIG )
+ 3600 RRSIG NSEC3 5 2 3600 20050712112304 (
+ 20050612112304 62699 example.
+ PTWYq4WZmmtgh9UQif342HWf9DD9RuuM4ii5
+ Z1oZQgRi5zrsoKHAgl2YXprF2Rfk1TLgsiFQ
+ sb7KfbaUo/vzAg== )
+ 7nomf47k3vlidh4vxahhpp47l3tgv7a2.example. 3600 NSEC3 0 1 1 (
+ deadbeaf
+ dw4o7j64wnel3j4jh7fb3c5n7w3js2yb
+ MX NSEC3 RRSIG )
+ 3600 RRSIG NSEC3 5 2 3600 20050712112304 (
+ 20050612112304 62699 example.
+ YTcqole3h8EOsTT3HKnwhR1QS8borR0XtZaA
+ ZrLsx6n0RDC1AAdZONYOvdqvcal9PmwtWjlo
+ MEFQmc/gEuxojA== )
+ a.example. 3600 IN NS ns1.a.example.
+ 3600 IN NS ns2.a.example.
+ 3600 DS 58470 5 1 3079F1593EBAD6DC121E202A8B
+ 766A6A4837206C )
+ 3600 RRSIG DS 5 2 3600 20050712112304 (
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 23]
+
+Internet-Draft nsec3 February 2006
+
+
+ 20050612112304 62699 example.
+ QavhbsSmEvJLSUzGoTpsV3SKXCpaL1UO3Ehn
+ cB0ObBIlex/Zs9kJyG/9uW1cYYt/1wvgzmX2
+ 0kx7rGKTc3RQDA== )
+ ns1.a.example. 3600 IN A 192.0.2.5
+ ns2.a.example. 3600 IN A 192.0.2.6
+ ai.example. 3600 IN A 192.0.2.9
+ 3600 RRSIG A 5 2 3600 20050712112304 (
+ 20050612112304 62699 example.
+ plY5M26ED3Owe3YX0pBIhgg44j89NxUaoBrU
+ 6bLRr99HpKfFl1sIy18JiRS7evlxCETZgubq
+ ZXW5S+1VjMZYzQ== )
+ 3600 HINFO "KLH-10" "ITS"
+ 3600 RRSIG HINFO 5 2 3600 20050712112304 (
+ 20050612112304 62699 example.
+ AR0hG/Z/e+vlRhxRQSVIFORzrJTBpdNHhwUk
+ tiuqg+zGqKK84eIqtrqXelcE2szKnF3YPneg
+ VGNmbgPnqDVPiA== )
+ 3600 AAAA 2001:db8:0:0:0:0:f00:baa9
+ 3600 RRSIG AAAA 5 2 3600 20050712112304 (
+ 20050612112304 62699 example.
+ PNF/t7+DeosEjhfuL0kmsNJvn16qhYyLI9FV
+ ypSCorFx/PKIlEL3syomkYM2zcXVSRwUXMns
+ l5/UqLCJJ9BDMg== )
+ b.example. 3600 IN NS ns1.b.example.
+ 3600 IN NS ns2.b.example.
+ ns1.b.example. 3600 IN A 192.0.2.7
+ ns2.b.example. 3600 IN A 192.0.2.8
+ dw4o7j64wnel3j4jh7fb3c5n7w3js2yb.example. 3600 NSEC3 0 1 1 (
+ deadbeaf
+ gmnfcccja7wkax3iv26bs75myptje3qk
+ MX DNSKEY NS SOA NSEC3 RRSIG )
+ 3600 RRSIG NSEC3 5 2 3600 20050712112304 (
+ 20050612112304 62699 example.
+ VqEbXiZLJVYmo25fmO3IuHkAX155y8NuA50D
+ C0NmJV/D4R3rLm6tsL6HB3a3f6IBw6kKEa2R
+ MOiKMSHozVebqw== )
+ gmnfcccja7wkax3iv26bs75myptje3qk.example. 3600 NSEC3 0 1 1 (
+ deadbeaf
+ jt4bbfokgbmr57qx4nqucvvn7fmo6ab6
+ DS NS NSEC3 RRSIG )
+ 3600 RRSIG NSEC3 5 2 3600 20050712112304 (
+ 20050612112304 62699 example.
+ ZqkdmF6eICpHyn1Cj7Yvw+nLcbji46Qpe76/
+ ZetqdZV7K5sO3ol5dOc0dZyXDqsJp1is5StW
+ OwQBGbOegrW/Zw== )
+ jt4bbfokgbmr57qx4nqucvvn7fmo6ab6.example. 3600 NSEC3 0 1 1 (
+ deadbeaf
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 24]
+
+Internet-Draft nsec3 February 2006
+
+
+ kcll7fqfnisuhfekckeeqnmbbd4maanu
+ NSEC3 RRSIG )
+ 3600 RRSIG NSEC3 5 2 3600 20050712112304 (
+ 20050612112304 62699 example.
+ FXyCVQUdFF1EW1NcgD2V724/It0rn3lr+30V
+ IyjmqwOMvQ4G599InTpiH46xhX3U/FmUzHOK
+ 94Zbq3k8lgdpZA== )
+ kcll7fqfnisuhfekckeeqnmbbd4maanu.example. 3600 NSEC3 1 1 1 (
+ deadbeaf
+ n42hbhnjj333xdxeybycax5ufvntux5d
+ MX NSEC3 RRSIG )
+ 3600 RRSIG NSEC3 5 2 3600 20050712112304 (
+ 20050612112304 62699 example.
+ d0g8MTOvVwByOAIwvYV9JrTHwJof1VhnMKuA
+ IBj6Xaeney86RBZYgg7Qyt9WnQSK3uCEeNpx
+ TOLtc5jPrkL4zQ== )
+ n42hbhnjj333xdxeybycax5ufvntux5d.example. 3600 NSEC3 0 1 1 (
+ deadbeaf
+ nimwfwcnbeoodmsc6npv3vuaagaevxxu
+ A NSEC3 RRSIG )
+ 3600 RRSIG NSEC3 5 2 3600 20050712112304 (
+ 20050612112304 62699 example.
+ MZGzllh+YFqZbY8SkHxARhXFiMDPS0tvQYyy
+ 91tj+lbl45L/BElD3xxB/LZMO8vQejYtMLHj
+ xFPFGRIW3wKnrA== )
+ nimwfwcnbeoodmsc6npv3vuaagaevxxu.example. 3600 NSEC3 0 1 1 (
+ deadbeaf
+ vhgwr2qgykdkf4m6iv6vkagbxozphazr
+ HINFO A AAAA NSEC3 RRSIG )
+ 3600 RRSIG NSEC3 5 2 3600 20050712112304 (
+ 20050612112304 62699 example.
+ c3zQdK68cYTHTjh1cD6pi0vblXwzyoU/m7Qx
+ z8kaPYikbJ9vgSl9YegjZukgQSwybHUC0SYG
+ jL33Wm1p07TBdw== )
+ ns1.example. 3600 A 192.0.2.1
+ 3600 RRSIG A 5 2 3600 20050712112304 (
+ 20050612112304 62699 example.
+ QLGkaqWXxRuE+MHKkMvVlswg65HcyjvD1fyb
+ BDZpcfiMHH9w4x1eRqRamtSDTcqLfUrcYkrr
+ nWWLepz1PjjShQ== )
+ ns2.example. 3600 A 192.0.2.2
+ 3600 RRSIG A 5 2 3600 20050712112304 (
+ 20050612112304 62699 example.
+ UoIZaC1O6XHRWGHBOl8XFQKPdYTkRCz6SYh3
+ P2mZ3xfY22fLBCBDrEnOc8pGDGijJaLl26Cz
+ AkeTJu3J3auUiA== )
+ vhgwr2qgykdkf4m6iv6vkagbxozphazr.example. 3600 NSEC3 0 1 1 (
+ deadbeaf
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 25]
+
+Internet-Draft nsec3 February 2006
+
+
+ wbyijvpnyj33pcpi3i44ecnibnaj7eiw
+ HINFO A AAAA NSEC3 RRSIG )
+ 3600 RRSIG NSEC3 5 2 3600 20050712112304 (
+ 20050612112304 62699 example.
+ leFhoF5FXZAiNOxK4OBOOA0WKdbaD5lLDT/W
+ kLoyWnQ6WGBwsUOdsEcVmqz+1n7q9bDf8G8M
+ 5SNSHIyfpfsi6A== )
+ *.w.example. 3600 MX 1 ai.example.
+ 3600 RRSIG MX 5 3 3600 20050712112304 (
+ 20050612112304 62699 example.
+ sYNUPHn1/gJ87wTHNksGdRm3vfnSFa2BbofF
+ xGfJLF5A4deRu5f0hvxhAFDCcXfIASj7z0wQ
+ gQlgxEwhvQDEaQ== )
+ x.w.example. 3600 MX 1 xx.example.
+ 3600 RRSIG MX 5 3 3600 20050712112304 (
+ 20050612112304 62699 example.
+ s1XQ/8SlViiEDik9edYs1Ooe3XiXo453Dg7w
+ lqQoewuDzmtd6RaLNu52W44zTM1EHJES8ujP
+ U9VazOa1KEIq1w== )
+ x.y.w.example. 3600 MX 1 xx.example.
+ 3600 RRSIG MX 5 4 3600 20050712112304 (
+ 20050612112304 62699 example.
+ aKVCGO/Fx9rm04UUsHRTTYaDA8o8dGfyq6t7
+ uqAcYxU9xiXP+xNtLHBv7er6Q6f2JbOs6SGF
+ 9VrQvJjwbllAfA== )
+ wbyijvpnyj33pcpi3i44ecnibnaj7eiw.example. 3600 NSEC3 0 1 1 (
+ deadbeaf
+ zjxfz5o7t4ty4u3f6fa7mhhqzjln4mui
+ A NSEC3 RRSIG )
+ 3600 RRSIG NSEC3 5 2 3600 20050712112304 (
+ 20050612112304 62699 example.
+ ledFAaDCqDxapQ1FvBAjjK2DP06iQj8AN6gN
+ ZycTeSmobKLTpzbgQp8uKYYe/DPHjXYmuEhd
+ oorBv4xkb0flXw== )
+ xx.example. 3600 A 192.0.2.10
+ 3600 RRSIG A 5 2 3600 20050712112304 (
+ 20050612112304 62699 example.
+ XSuMVjNxovbZUsnKU6oQDygaK+WB+O5HYQG9
+ tJgphHIX7TM4uZggfR3pNM+4jeC8nt2OxZZj
+ cxwCXWj82GVGdw== )
+ 3600 HINFO "KLH-10" "TOPS-20"
+ 3600 RRSIG HINFO 5 2 3600 20050712112304 (
+ 20050612112304 62699 example.
+ ghS2DimOqPSacG9j6KMgXSfTMSjLxvoxvx3q
+ OKzzPst4tEbAmocF2QX8IrSHr67m4ZLmd2Fk
+ KMf4DgNBDj+dIQ== )
+ 3600 AAAA 2001:db8:0:0:0:0:f00:baaa
+ 3600 RRSIG AAAA 5 2 3600 20050712112304 (
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 26]
+
+Internet-Draft nsec3 February 2006
+
+
+ 20050612112304 62699 example.
+ rto7afZkXYB17IfmQCT5QoEMMrlkeOoAGXzo
+ w8Wmcg86Fc+MQP0hyXFScI1gYNSgSSoDMXIy
+ rzKKwb8J04/ILw== )
+ zjxfz5o7t4ty4u3f6fa7mhhqzjln4mui.example. 3600 NSEC3 0 1 1 (
+ deadbeaf
+ 5pe7ctl7pfs2cilroy5dcofx4rcnlypd
+ MX NSEC3 RRSIG )
+ 3600 RRSIG NSEC3 5 2 3600 20050712112304 (
+ 20050612112304 62699 example.
+ eULkdWjcjmM+wXQcr7zXNfnGLgHjZSJINGkt
+ 7Zmvp7WKVAqoHMm1RXV8IfBH1aRgv5+/Lgny
+ OcFlrPGPMm48/A== )
+
+
+Appendix B. Example Responses
+
+ The examples in this section show response messages using the signed
+ zone example in Appendix A.
+
+B.1. answer
+
+ A successful query to an authoritative server.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 27]
+
+Internet-Draft nsec3 February 2006
+
+
+ ;; Header: QR AA DO RCODE=0
+ ;;
+ ;; Question
+ x.w.example. IN MX
+
+ ;; Answer
+ x.w.example. 3600 IN MX 1 xx.example.
+ x.w.example. 3600 IN RRSIG MX 5 3 3600 20050712112304 (
+ 20050612112304 62699 example.
+ s1XQ/8SlViiEDik9edYs1Ooe3XiXo453Dg7w
+ lqQoewuDzmtd6RaLNu52W44zTM1EHJES8ujP
+ U9VazOa1KEIq1w== )
+
+ ;; Authority
+ example. 3600 IN NS ns1.example.
+ example. 3600 IN NS ns2.example.
+ example. 3600 IN RRSIG NS 5 1 3600 20050712112304 (
+ 20050612112304 62699 example.
+ hNyyin2JpECIFxW4vsj8RhHcWCQKUXgO+z4l
+ m7g2zM8q3Qpsm/gYIXSF2Rhj6lAG7esR/X9d
+ 1SH5r/wfjuCg+g== )
+
+ ;; Additional
+ xx.example. 3600 IN A 192.0.2.10
+ xx.example. 3600 IN RRSIG A 5 2 3600 20050712112304 (
+ 20050612112304 62699 example.
+ XSuMVjNxovbZUsnKU6oQDygaK+WB+O5HYQG9
+ tJgphHIX7TM4uZggfR3pNM+4jeC8nt2OxZZj
+ cxwCXWj82GVGdw== )
+ xx.example. 3600 IN AAAA 2001:db8::f00:baaa
+ xx.example. 3600 IN RRSIG AAAA 5 2 3600 20050712112304 (
+ 20050612112304 62699 example.
+ rto7afZkXYB17IfmQCT5QoEMMrlkeOoAGXzo
+ w8Wmcg86Fc+MQP0hyXFScI1gYNSgSSoDMXIy
+ rzKKwb8J04/ILw== )
+ ns1.example. 3600 IN A 192.0.2.1
+ ns1.example. 3600 IN RRSIG A 5 2 3600 20050712112304 (
+ 20050612112304 62699 example.
+ QLGkaqWXxRuE+MHKkMvVlswg65HcyjvD1fyb
+ BDZpcfiMHH9w4x1eRqRamtSDTcqLfUrcYkrr
+ nWWLepz1PjjShQ== )
+ ns2.example. 3600 IN A 192.0.2.2
+ ns2.example. 3600 IN RRSIG A 5 2 3600 20050712112304 (
+ 20050612112304 62699 example.
+ UoIZaC1O6XHRWGHBOl8XFQKPdYTkRCz6SYh3
+ P2mZ3xfY22fLBCBDrEnOc8pGDGijJaLl26Cz
+ AkeTJu3J3auUiA== )
+
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 28]
+
+Internet-Draft nsec3 February 2006
+
+
+ The query returned an MX RRset for "x.w.example". The corresponding
+ RRSIG RR indicates that the MX RRset was signed by an "example"
+ DNSKEY with algorithm 5 and key tag 62699. The resolver needs the
+ corresponding DNSKEY RR in order to authenticate this answer. The
+ discussion below describes how a resolver might obtain this DNSKEY
+ RR.
+
+ The RRSIG RR indicates the original TTL of the MX RRset was 3600,
+ and, for the purpose of authentication, the current TTL is replaced
+ by 3600. The RRSIG RR's labels field value of 3 indicates that the
+ answer was not the result of wildcard expansion. The "x.w.example"
+ MX RRset is placed in canonical form, and, assuming the current time
+ falls between the signature inception and expiration dates, the
+ signature is authenticated.
+
+B.1.1. Authenticating the Example DNSKEY RRset
+
+ This example shows the logical authentication process that starts
+ from a configured root DNSKEY RRset (or DS RRset) and moves down the
+ tree to authenticate the desired "example" DNSKEY RRset. Note that
+ the logical order is presented for clarity. An implementation may
+ choose to construct the authentication as referrals are received or
+ to construct the authentication chain only after all RRsets have been
+ obtained, or in any other combination it sees fit. The example here
+ demonstrates only the logical process and does not dictate any
+ implementation rules.
+
+ We assume the resolver starts with a configured DNSKEY RRset for the
+ root zone (or a configured DS RRset for the root zone). The resolver
+ checks whether this configured DNSKEY RRset is present in the root
+ DNSKEY RRset (or whether a DS RR in the DS RRset matches some DNSKEY
+ RR in the root DNSKEY RRset), whether this DNSKEY RR has signed the
+ root DNSKEY RRset, and whether the signature lifetime is valid. If
+ all these conditions are met, all keys in the DNSKEY RRset are
+ considered authenticated. The resolver then uses one (or more) of
+ the root DNSKEY RRs to authenticate the "example" DS RRset. Note
+ that the resolver may have to query the root zone to obtain the root
+ DNSKEY RRset or "example" DS RRset.
+
+ Once the DS RRset has been authenticated using the root DNSKEY, the
+ resolver checks the "example" DNSKEY RRset for some "example" DNSKEY
+ RR that matches one of the authenticated "example" DS RRs. If such a
+ matching "example" DNSKEY is found, the resolver checks whether this
+ DNSKEY RR has signed the "example" DNSKEY RRset and the signature
+ lifetime is valid. If these conditions are met, all keys in the
+ "example" DNSKEY RRset are considered authenticated.
+
+ Finally, the resolver checks that some DNSKEY RR in the "example"
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 29]
+
+Internet-Draft nsec3 February 2006
+
+
+ DNSKEY RRset uses algorithm 5 and has a key tag of 62699. This
+ DNSKEY is used to authenticate the RRSIG included in the response.
+ If multiple "example" DNSKEY RRs match this algorithm and key tag,
+ then each DNSKEY RR is tried, and the answer is authenticated if any
+ of the matching DNSKEY RRs validate the signature as described above.
+
+B.2. Name Error
+
+ An authoritative name error. The NSEC3 RRs prove that the name does
+ not exist and that no covering wildcard exists.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 30]
+
+Internet-Draft nsec3 February 2006
+
+
+ ;; Header: QR AA DO RCODE=3
+ ;;
+ ;; Question
+ a.c.x.w.example. IN A
+
+ ;; Answer
+ ;; (empty)
+
+ ;; Authority
+ example. 3600 IN SOA ns1.example. bugs.x.w.example. (
+ 1
+ 3600
+ 300
+ 3600000
+ 3600
+ )
+ example. 3600 IN RRSIG SOA 5 1 3600 20050712112304 (
+ 20050612112304 62699 example.
+ RtctD6aLUU5Md5wOOItilS7JXX1tf58Ql3sK
+ mTXkL13jqLiUFOGg0uzqRh1U9GbydS0P7M0g
+ qYIt90txzE/4+g== )
+ 7nomf47k3vlidh4vxahhpp47l3tgv7a2.example. 3600 IN NSEC3 0 1 1 (
+ deadbeaf
+ dw4o7j64wnel3j4jh7fb3c5n7w3js2yb
+ MX NSEC3 RRSIG )
+ 7nomf47k3vlidh4vxahhpp47l3tgv7a2.example. 3600 IN RRSIG NSEC3 (
+ 5 2 3600 20050712112304
+ 20050612112304 62699 example.
+ YTcqole3h8EOsTT3HKnwhR1QS8borR0XtZaA
+ ZrLsx6n0RDC1AAdZONYOvdqvcal9PmwtWjlo
+ MEFQmc/gEuxojA== )
+ nimwfwcnbeoodmsc6npv3vuaagaevxxu.example. 3600 IN NSEC3 0 1 1 (
+ deadbeaf
+ vhgwr2qgykdkf4m6iv6vkagbxozphazr
+ HINFO A AAAA NSEC3 RRSIG )
+ nimwfwcnbeoodmsc6npv3vuaagaevxxu.example. 3600 IN RRSIG NSEC3 (
+ 5 2 3600 20050712112304
+ 20050612112304 62699 example.
+ c3zQdK68cYTHTjh1cD6pi0vblXwzyoU/m7Qx
+ z8kaPYikbJ9vgSl9YegjZukgQSwybHUC0SYG
+ jL33Wm1p07TBdw== )
+ ;; Additional
+ ;; (empty)
+
+ The query returned two NSEC3 RRs that prove that the requested data
+ does not exist and no wildcard applies. The negative reply is
+ authenticated by verifying both NSEC3 RRs. The NSEC3 RRs are
+ authenticated in a manner identical to that of the MX RRset discussed
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 31]
+
+Internet-Draft nsec3 February 2006
+
+
+ above. At least one of the owner names of the NSEC3 RRs will match
+ the closest encloser. At least one of the NSEC3 RRs prove that there
+ exists no longer name. At least one of the NSEC3 RRs prove that
+ there exists no wildcard RRsets that should have been expanded. The
+ closest encloser can be found by hashing the apex ownername (The SOA
+ RR's ownername, or the ownername of the DNSKEY RRset referred by an
+ RRSIG RR), matching it to the ownername of one of the NSEC3 RRs, and
+ if that fails, continue by adding labels. In other words, the
+ resolver first hashes example, checks for a matching NSEC3 ownername,
+ then hashes w.example, checks, and finally hashes w.x.example and
+ checks.
+
+ In the above example, the name 'x.w.example' hashes to
+ '7nomf47k3vlidh4vxahhpp47l3tgv7a2'. This indicates that this might
+ be the closest encloser. To prove that 'c.x.w.example' and
+ '*.x.w.example' do not exists, these names are hashed to respectively
+ 'qsgoxsf2lanysajhtmaylde4tqwnqppl' and
+ 'cvljzyf6nsckjowghch4tt3nohocpdka'. The two NSEC3 records prove that
+ these hashed ownernames do not exists, since the names are within the
+ given intervals.
+
+B.3. No Data Error
+
+ A "no data" response. The NSEC3 RR proves that the name exists and
+ that the requested RR type does not.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 32]
+
+Internet-Draft nsec3 February 2006
+
+
+ ;; Header: QR AA DO RCODE=0
+ ;;
+ ;; Question
+ ns1.example. IN MX
+
+ ;; Answer
+ ;; (empty)
+
+ ;; Authority
+ example. 3600 IN SOA ns1.example. bugs.x.w.example. (
+ 1
+ 3600
+ 300
+ 3600000
+ 3600
+ )
+ example. 3600 IN RRSIG SOA 5 1 3600 20050712112304 (
+ 20050612112304 62699 example.
+ RtctD6aLUU5Md5wOOItilS7JXX1tf58Ql3sK
+ mTXkL13jqLiUFOGg0uzqRh1U9GbydS0P7M0g
+ qYIt90txzE/4+g== )
+ wbyijvpnyj33pcpi3i44ecnibnaj7eiw.example. 3600 IN NSEC3 0 1 1 (
+ deadbeaf
+ zjxfz5o7t4ty4u3f6fa7mhhqzjln4mui
+ A NSEC3 RRSIG )
+ wbyijvpnyj33pcpi3i44ecnibnaj7eiw.example. 3600 IN RRSIG NSEC3 (
+ 5 2 3600 20050712112304
+ 20050612112304 62699 example.
+ ledFAaDCqDxapQ1FvBAjjK2DP06iQj8AN6gN
+ ZycTeSmobKLTpzbgQp8uKYYe/DPHjXYmuEhd
+ oorBv4xkb0flXw== )
+ ;; Additional
+ ;; (empty)
+
+ The query returned an NSEC3 RR that proves that the requested name
+ exists ("ns1.example." hashes to "wbyijvpnyj33pcpi3i44ecnibnaj7eiw"),
+ but the requested RR type does not exist (type MX is absent in the
+ type code list of the NSEC RR). The negative reply is authenticated
+ by verifying the NSEC3 RR. The NSEC3 RR is authenticated in a manner
+ identical to that of the MX RRset discussed above.
+
+B.3.1. No Data Error, Empty Non-Terminal
+
+ A "no data" response because of an empty non-terminal. The NSEC3 RR
+ proves that the name exists and that the requested RR type does not.
+
+
+
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 33]
+
+Internet-Draft nsec3 February 2006
+
+
+ ;; Header: QR AA DO RCODE=0
+ ;;
+ ;; Question
+ y.w.example. IN A
+
+ ;; Answer
+ ;; (empty)
+
+ ;; Authority
+ example. 3600 IN SOA ns1.example. bugs.x.w.example. (
+ 1
+ 3600
+ 300
+ 3600000
+ 3600
+ )
+ example. 3600 IN RRSIG SOA 5 1 3600 20050712112304 (
+ 20050612112304 62699 example.
+ RtctD6aLUU5Md5wOOItilS7JXX1tf58Ql3sK
+ mTXkL13jqLiUFOGg0uzqRh1U9GbydS0P7M0g
+ qYIt90txzE/4+g== )
+ jt4bbfokgbmr57qx4nqucvvn7fmo6ab6.example. 3600 IN NSEC3 0 1 1 (
+ deadbeaf
+ kcll7fqfnisuhfekckeeqnmbbd4maanu
+ NSEC3 RRSIG )
+ jt4bbfokgbmr57qx4nqucvvn7fmo6ab6.example. 3600 IN RRSIG NSEC3 (
+ 5 2 3600 20050712112304
+ 20050612112304 62699 example.
+ FXyCVQUdFF1EW1NcgD2V724/It0rn3lr+30V
+ IyjmqwOMvQ4G599InTpiH46xhX3U/FmUzHOK
+ 94Zbq3k8lgdpZA== )
+
+ The query returned an NSEC3 RR that proves that the requested name
+ exists ("y.w.example." hashes to "jt4bbfokgbmr57qx4nqucvvn7fmo6ab6"),
+ but the requested RR type does not exist (Type A is absent in the
+ type-bit-maps of the NSEC3 RR). The negative reply is authenticated
+ by verifying the NSEC3 RR. The NSEC3 RR is authenticated in a manner
+ identical to that of the MX RRset discussed above. Note that, unlike
+ generic empty non terminal proof using NSECs, this is identical to
+ proving a No Data Error. This example is solely mentioned to be
+ complete.
+
+B.4. Referral to Signed Zone
+
+ Referral to a signed zone. The DS RR contains the data which the
+ resolver will need to validate the corresponding DNSKEY RR in the
+ child zone's apex.
+
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 34]
+
+Internet-Draft nsec3 February 2006
+
+
+ ;; Header: QR DO RCODE=0
+ ;;
+
+ ;; Question
+ mc.a.example. IN MX
+
+ ;; Answer
+ ;; (empty)
+
+ ;; Authority
+ a.example. 3600 IN NS ns1.a.example.
+ a.example. 3600 IN NS ns2.a.example.
+ a.example. 3600 IN DS 58470 5 1 (
+ 3079F1593EBAD6DC121E202A8B766A6A4837
+ 206C )
+ a.example. 3600 IN RRSIG DS 5 2 3600 20050712112304 (
+ 20050612112304 62699 example.
+ QavhbsSmEvJLSUzGoTpsV3SKXCpaL1UO3Ehn
+ cB0ObBIlex/Zs9kJyG/9uW1cYYt/1wvgzmX2
+ 0kx7rGKTc3RQDA== )
+
+ ;; Additional
+ ns1.a.example. 3600 IN A 192.0.2.5
+ ns2.a.example. 3600 IN A 192.0.2.6
+
+ The query returned a referral to the signed "a.example." zone. The
+ DS RR is authenticated in a manner identical to that of the MX RRset
+ discussed above. This DS RR is used to authenticate the "a.example"
+ DNSKEY RRset.
+
+ Once the "a.example" DS RRset has been authenticated using the
+ "example" DNSKEY, the resolver checks the "a.example" DNSKEY RRset
+ for some "a.example" DNSKEY RR that matches the DS RR. If such a
+ matching "a.example" DNSKEY is found, the resolver checks whether
+ this DNSKEY RR has signed the "a.example" DNSKEY RRset and whether
+ the signature lifetime is valid. If all these conditions are met,
+ all keys in the "a.example" DNSKEY RRset are considered
+ authenticated.
+
+B.5. Referral to Unsigned Zone using the Opt-In Flag
+
+ The NSEC3 RR proves that nothing for this delegation was signed in
+ the parent zone. There is no proof that the delegation exists
+
+
+
+
+
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 35]
+
+Internet-Draft nsec3 February 2006
+
+
+ ;; Header: QR DO RCODE=0
+ ;;
+ ;; Question
+ mc.b.example. IN MX
+
+ ;; Answer
+ ;; (empty)
+
+ ;; Authority
+ b.example. 3600 IN NS ns1.b.example.
+ b.example. 3600 IN NS ns2.b.example.
+ kcll7fqfnisuhfekckeeqnmbbd4maanu.example. 3600 IN NSEC3 1 1 1 (
+ deadbeaf
+ n42hbhnjj333xdxeybycax5ufvntux5d
+ MX NSEC3 RRSIG )
+ kcll7fqfnisuhfekckeeqnmbbd4maanu.example. 3600 IN RRSIG NSEC3 (
+ 5 2 3600 20050712112304
+ 20050612112304 62699 example.
+ d0g8MTOvVwByOAIwvYV9JrTHwJof1VhnMKuA
+ IBj6Xaeney86RBZYgg7Qyt9WnQSK3uCEeNpx
+ TOLtc5jPrkL4zQ== )
+
+ ;; Additional
+ ns1.b.example. 3600 IN A 192.0.2.7
+ ns2.b.example. 3600 IN A 192.0.2.8
+
+ The query returned a referral to the unsigned "b.example." zone. The
+ NSEC3 proves that no authentication leads from "example" to
+ "b.example", since the hash of "b.example"
+ ("ldjpfcucebeks5azmzpty4qlel4cftzo") is within the NSEC3 interval and
+ the NSEC3 opt-in bit is set. The NSEC3 RR is authenticated in a
+ manner identical to that of the MX RRset discussed above.
+
+B.6. Wildcard Expansion
+
+ A successful query that was answered via wildcard expansion. The
+ label count in the answer's RRSIG RR indicates that a wildcard RRset
+ was expanded to produce this response, and the NSEC3 RR proves that
+ no closer match exists in the zone.
+
+
+
+
+
+
+
+
+
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 36]
+
+Internet-Draft nsec3 February 2006
+
+
+ ;; Header: QR AA DO RCODE=0
+ ;;
+ ;; Question
+ a.z.w.example. IN MX
+
+ ;; Answer
+ a.z.w.example. 3600 IN MX 1 ai.example.
+ a.z.w.example. 3600 IN RRSIG MX 5 3 3600 20050712112304 (
+ 20050612112304 62699 example.
+ sYNUPHn1/gJ87wTHNksGdRm3vfnSFa2BbofF
+ xGfJLF5A4deRu5f0hvxhAFDCcXfIASj7z0wQ
+ gQlgxEwhvQDEaQ== )
+ ;; Authority
+ example. 3600 NS ns1.example.
+ example. 3600 NS ns2.example.
+ example. 3600 IN RRSIG NS 5 1 3600 20050712112304 (
+ 20050612112304 62699 example.
+ hNyyin2JpECIFxW4vsj8RhHcWCQKUXgO+z4l
+ m7g2zM8q3Qpsm/gYIXSF2Rhj6lAG7esR/X9d
+ 1SH5r/wfjuCg+g== )
+ zjxfz5o7t4ty4u3f6fa7mhhqzjln4mui.example. 3600 IN NSEC3 0 1 1 (
+ deadbeaf
+ 5pe7ctl7pfs2cilroy5dcofx4rcnlypd
+ MX NSEC3 RRSIG )
+ zjxfz5o7t4ty4u3f6fa7mhhqzjln4mui.example. 3600 IN RRSIG NSEC3 (
+ 5 2 3600 20050712112304
+ 20050612112304 62699 example.
+ eULkdWjcjmM+wXQcr7zXNfnGLgHjZSJINGkt
+ 7Zmvp7WKVAqoHMm1RXV8IfBH1aRgv5+/Lgny
+ OcFlrPGPMm48/A== )
+ ;; Additional
+ ai.example. 3600 IN A 192.0.2.9
+ ai.example. 3600 IN RRSIG A 5 2 3600 20050712112304 (
+ 20050612112304 62699 example.
+ plY5M26ED3Owe3YX0pBIhgg44j89NxUaoBrU
+ 6bLRr99HpKfFl1sIy18JiRS7evlxCETZgubq
+ ZXW5S+1VjMZYzQ== )
+ ai.example. 3600 AAAA 2001:db8::f00:baa9
+ ai.example. 3600 IN RRSIG AAAA 5 2 3600 20050712112304 (
+ 20050612112304 62699 example.
+ PNF/t7+DeosEjhfuL0kmsNJvn16qhYyLI9FV
+ ypSCorFx/PKIlEL3syomkYM2zcXVSRwUXMns
+ l5/UqLCJJ9BDMg== )
+
+ The query returned an answer that was produced as a result of
+ wildcard expansion. The answer section contains a wildcard RRset
+ expanded as it would be in a traditional DNS response, and the
+ corresponding RRSIG indicates that the expanded wildcard MX RRset was
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 37]
+
+Internet-Draft nsec3 February 2006
+
+
+ signed by an "example" DNSKEY with algorithm 5 and key tag 62699.
+ The RRSIG indicates that the original TTL of the MX RRset was 3600,
+ and, for the purpose of authentication, the current TTL is replaced
+ by 3600. The RRSIG labels field value of 2 indicates that the answer
+ is the result of wildcard expansion, as the "a.z.w.example" name
+ contains 4 labels. The name "a.z.w.example" is replaced by
+ "*.w.example", the MX RRset is placed in canonical form, and,
+ assuming that the current time falls between the signature inception
+ and expiration dates, the signature is authenticated.
+
+ The NSEC3 proves that no closer match (exact or closer wildcard)
+ could have been used to answer this query, and the NSEC3 RR must also
+ be authenticated before the answer is considered valid.
+
+B.7. Wildcard No Data Error
+
+ A "no data" response for a name covered by a wildcard. The NSEC3 RRs
+ prove that the matching wildcard name does not have any RRs of the
+ requested type and that no closer match exists in the zone.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 38]
+
+Internet-Draft nsec3 February 2006
+
+
+ ;; Header: QR AA DO RCODE=0
+ ;;
+ ;; Question
+ a.z.w.example. IN AAAA
+
+ ;; Answer
+ ;; (empty)
+
+ ;; Authority
+ example. 3600 IN SOA ns1.example. bugs.x.w.example. (
+ 1
+ 3600
+ 300
+ 3600000
+ 3600
+ )
+ example. 3600 IN RRSIG SOA 5 1 3600 20050712112304 (
+ 20050612112304 62699 example.
+ RtctD6aLUU5Md5wOOItilS7JXX1tf58Ql3sK
+ mTXkL13jqLiUFOGg0uzqRh1U9GbydS0P7M0g
+ qYIt90txzE/4+g== )
+ zjxfz5o7t4ty4u3f6fa7mhhqzjln4mui.example. 3600 IN NSEC3 0 1 1 (
+ deadbeaf
+ 5pe7ctl7pfs2cilroy5dcofx4rcnlypd
+ MX NSEC3 RRSIG )
+ zjxfz5o7t4ty4u3f6fa7mhhqzjln4mui.example. 3600 IN RRSIG NSEC3 (
+ 5 2 3600 20050712112304
+ 20050612112304 62699 example.
+ eULkdWjcjmM+wXQcr7zXNfnGLgHjZSJINGkt
+ 7Zmvp7WKVAqoHMm1RXV8IfBH1aRgv5+/Lgny
+ OcFlrPGPMm48/A== )
+ ;; Additional
+ ;; (empty)
+
+ The query returned NSEC3 RRs that prove that the requested data does
+ not exist and no wildcard applies. The negative reply is
+ authenticated by verifying both NSEC3 RRs.
+
+B.8. DS Child Zone No Data Error
+
+ A "no data" response for a QTYPE=DS query that was mistakenly sent to
+ a name server for the child zone.
+
+
+
+
+
+
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 39]
+
+Internet-Draft nsec3 February 2006
+
+
+ ;; Header: QR AA DO RCODE=0
+ ;;
+ ;; Question
+ example. IN DS
+
+ ;; Answer
+ ;; (empty)
+
+ ;; Authority
+ example. 3600 IN SOA ns1.example. bugs.x.w.example. (
+ 1
+ 3600
+ 300
+ 3600000
+ 3600
+ )
+ example. 3600 IN RRSIG SOA 5 1 3600 20050712112304 (
+ 20050612112304 62699 example.
+ RtctD6aLUU5Md5wOOItilS7JXX1tf58Ql3sK
+ mTXkL13jqLiUFOGg0uzqRh1U9GbydS0P7M0g
+ qYIt90txzE/4+g== )
+ dw4o7j64wnel3j4jh7fb3c5n7w3js2yb.example. 3600 IN NSEC3 0 1 1 (
+ deadbeaf
+ gmnfcccja7wkax3iv26bs75myptje3qk
+ MX DNSKEY NS SOA NSEC3 RRSIG )
+ dw4o7j64wnel3j4jh7fb3c5n7w3js2yb.example. 3600 IN RRSIG NSEC3 (
+ 5 2 3600 20050712112304
+ 20050612112304 62699 example.
+ VqEbXiZLJVYmo25fmO3IuHkAX155y8NuA50D
+ C0NmJV/D4R3rLm6tsL6HB3a3f6IBw6kKEa2R
+ MOiKMSHozVebqw== )
+
+ ;; Additional
+ ;; (empty)
+
+ The query returned NSEC RRs that shows the requested was answered by
+ a child server ("example" server). The NSEC RR indicates the
+ presence of an SOA RR, showing that the answer is from the child .
+ Queries for the "example" DS RRset should be sent to the parent
+ servers ("root" servers).
+
+
+
+
+
+
+
+
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 40]
+
+Internet-Draft nsec3 February 2006
+
+
+Authors' Addresses
+
+ Ben Laurie
+ Nominet
+ 17 Perryn Road
+ London W3 7LR
+ England
+
+ Phone: +44 (20) 8735 0686
+ Email: ben@algroup.co.uk
+
+
+ Geoffrey Sisson
+ Nominet
+
+
+ Roy Arends
+ Nominet
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 41]
+
+Internet-Draft nsec3 February 2006
+
+
+Intellectual Property Statement
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+
+Disclaimer of Validity
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Copyright Statement
+
+ Copyright (C) The Internet Society (2006). This document is subject
+ to the rights, licenses and restrictions contained in BCP 78, and
+ except as set forth therein, the authors retain all their rights.
+
+
+Acknowledgment
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+Laurie, et al. Expires August 5, 2006 [Page 42]
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-nsid-01.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-nsid-01.txt
new file mode 100644
index 0000000..90d1a06
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsext-nsid-01.txt
@@ -0,0 +1,840 @@
+
+
+
+Network Working Group R. Austein
+Internet-Draft ISC
+Expires: July 15, 2006 January 11, 2006
+
+
+ DNS Name Server Identifier Option (NSID)
+ draft-ietf-dnsext-nsid-01
+
+Status of this Memo
+
+ By submitting this Internet-Draft, each author represents that any
+ applicable patent or other IPR claims of which he or she is aware
+ have been or will be disclosed, and any of which he or she becomes
+ aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on July 15, 2006.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2006).
+
+Abstract
+
+ With the increased use of DNS anycast, load balancing, and other
+ mechanisms allowing more than one DNS name server to share a single
+ IP address, it is sometimes difficult to tell which of a pool of name
+ servers has answered a particular query. While existing ad-hoc
+ mechanism allow an operator to send follow-up queries when it is
+ necessary to debug such a configuration, the only completely reliable
+ way to obtain the identity of the name server which responded is to
+ have the name server include this information in the response itself.
+ This note defines a protocol extension to support this functionality.
+
+
+
+Austein Expires July 15, 2006 [Page 1]
+
+Internet-Draft DNS NSID January 2006
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 1.1. Reserved Words . . . . . . . . . . . . . . . . . . . . . . 3
+ 2. Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 2.1. Resolver Behavior . . . . . . . . . . . . . . . . . . . . 4
+ 2.2. Name Server Behavior . . . . . . . . . . . . . . . . . . . 4
+ 2.3. The NSID Option . . . . . . . . . . . . . . . . . . . . . 4
+ 2.4. Presentation Format . . . . . . . . . . . . . . . . . . . 5
+ 3. Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . 6
+ 3.1. The NSID Payload . . . . . . . . . . . . . . . . . . . . . 6
+ 3.2. NSID Is Not Transitive . . . . . . . . . . . . . . . . . . 8
+ 3.3. User Interface Issues . . . . . . . . . . . . . . . . . . 8
+ 3.4. Truncation . . . . . . . . . . . . . . . . . . . . . . . . 9
+ 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
+ 5. Security Considerations . . . . . . . . . . . . . . . . . . . 11
+ 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 12
+ 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
+ 7.1. Normative References . . . . . . . . . . . . . . . . . . . 13
+ 7.2. Informative References . . . . . . . . . . . . . . . . . . 13
+ Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 14
+ Intellectual Property and Copyright Statements . . . . . . . . . . 15
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Austein Expires July 15, 2006 [Page 2]
+
+Internet-Draft DNS NSID January 2006
+
+
+1. Introduction
+
+ With the increased use of DNS anycast, load balancing, and other
+ mechanisms allowing more than one DNS name server to share a single
+ IP address, it is sometimes difficult to tell which of a pool of name
+ servers has answered a particular query.
+
+ Existing ad-hoc mechanisms allow an operator to send follow-up
+ queries when it is necessary to debug such a configuration, but there
+ are situations in which this is not a totally satisfactory solution,
+ since anycast routing may have changed, or the server pool in
+ question may be behind some kind of extremely dynamic load balancing
+ hardware. Thus, while these ad-hoc mechanisms are certainly better
+ than nothing (and have the advantage of already being deployed), a
+ better solution seems desirable.
+
+ Given that a DNS query is an idempotent operation with no retained
+ state, it would appear that the only completely reliable way to
+ obtain the identity of the name server which responded to a
+ particular query is to have that name server include identifying
+ information in the response itself. This note defines a protocol
+ enhancement to achieve this.
+
+1.1. Reserved Words
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Austein Expires July 15, 2006 [Page 3]
+
+Internet-Draft DNS NSID January 2006
+
+
+2. Protocol
+
+ This note uses an EDNS [RFC2671] option to signal the resolver's
+ desire for information identifying the name server and to hold the
+ name server's response, if any.
+
+2.1. Resolver Behavior
+
+ A resolver signals its desire for information identifying a name
+ server by sending an empty NSID option (Section 2.3) in an EDNS OPT
+ pseudo-RR in the query message.
+
+ The resolver MUST NOT include any NSID payload data in the query
+ message.
+
+ The semantics of an NSID request are not transitive. That is: the
+ presence of an NSID option in a query is a request that the name
+ server which receives the query identify itself. If the name server
+ side of a recursive name server receives an NSID request, the client
+ is asking the recursive name server to identify itself; if the
+ resolver side of the recursive name server wishes to receive
+ identifying information, it is free to add NSID requests in its own
+ queries, but that is a separate matter.
+
+2.2. Name Server Behavior
+
+ A name server which understands the NSID option and chooses to honor
+ a particular NSID request responds by including identifying
+ information in a NSID option (Section 2.3) in an EDNS OPT pseudo-RR
+ in the response message.
+
+ The name server MUST ignore any NSID payload data that might be
+ present in the query message.
+
+ The NSID option is not transitive. A name server MUST NOT send an
+ NSID option back to a resolver which did not request it. In
+ particular, while a recursive name server may choose to add an NSID
+ option when sending a query, this has no effect on the presence or
+ absence of the NSID option in the recursive name server's response to
+ the original client.
+
+ As stated in Section 2.1, this mechanism is not restricted to
+ authoritative name servers; the semantics are intended to be equally
+ applicable to recursive name servers.
+
+2.3. The NSID Option
+
+ The OPTION-CODE for the NSID option is [TBD].
+
+
+
+Austein Expires July 15, 2006 [Page 4]
+
+Internet-Draft DNS NSID January 2006
+
+
+ The OPTION-DATA for the NSID option is an opaque byte string the
+ semantics of which are deliberately left outside the protocol. See
+ Section 3.1 for discussion.
+
+2.4. Presentation Format
+
+ User interfaces MUST read and write the content of the NSID option as
+ a sequence of hexadecimal digits, two digits per payload octet.
+
+ The NSID payload is binary data. Any comparison between NSID
+ payloads MUST be a comparison of the raw binary data. Copy
+ operations MUST NOT assume that the raw NSID payload is null-
+ terminated. Any resemblance between raw NSID payload data and any
+ form of text is purely a convenience, and does not change the
+ underlying nature of the payload data.
+
+ See Section 3.3 for discussion.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Austein Expires July 15, 2006 [Page 5]
+
+Internet-Draft DNS NSID January 2006
+
+
+3. Discussion
+
+ This section discusses certain aspects of the protocol and explains
+ considerations that led to the chosen design.
+
+3.1. The NSID Payload
+
+ The syntax and semantics of the content of the NSID option is
+ deliberately left outside the scope of this specification. This
+ section describe some of the kinds of data that server administrators
+ might choose to provide as the content of the NSID option, and
+ explains the reasoning behind choosing a simple opaque byte string.
+
+ There are several possibilities for the payload of the NSID option:
+
+ o It could be the "real" name of the specific name server within the
+ name server pool.
+
+ o It could be the "real" IP address (IPv4 or IPv6) of the name
+ server within the name server pool.
+
+ o It could be some sort of pseudo-random number generated in a
+ predictable fashion somehow using the server's IP address or name
+ as a seed value.
+
+ o It could be some sort of probabilisticly unique identifier
+ initially derived from some sort of random number generator then
+ preserved across reboots of the name server.
+
+ o It could be some sort of dynamicly generated identifier so that
+ only the name server operator could tell whether or not any two
+ queries had been answered by the same server.
+
+ o It could be a blob of signed data, with a corresponding key which
+ might (or might not) be available via DNS lookups.
+
+ o It could be a blob of encrypted data, the key for which could be
+ restricted to parties with a need to know (in the opinion of the
+ server operator).
+
+ o It could be an arbitrary string of octets chosen at the discretion
+ of the name server operator.
+
+ Each of these options has advantages and disadvantages:
+
+ o Using the "real" name is simple, but the name server may not have
+ a "real" name.
+
+
+
+
+Austein Expires July 15, 2006 [Page 6]
+
+Internet-Draft DNS NSID January 2006
+
+
+ o Using the "real" address is also simple, and the name server
+ almost certainly does have at least one non-anycast IP address for
+ maintenance operations, but the operator of the name server may
+ not be willing to divulge its non-anycast address.
+
+ o Given that one common reason for using anycast DNS techniques is
+ an attempt to harden a critical name server against denial of
+ service attacks, some name server operators are likely to want an
+ identifier other than the "real" name or "real" address of the
+ name server instance.
+
+ o Using a hash or pseudo-random number can provide a fixed length
+ value that the resolver can use to tell two name servers apart
+ without necessarily being able to tell where either one of them
+ "really" is, but makes debugging more difficult if one happens to
+ be in a friendly open environment. Furthermore, hashing might not
+ add much value, since a hash based on an IPv4 address still only
+ involves a 32-bit search space, and DNS names used for servers
+ that operators might have to debug at 4am tend not to be very
+ random.
+
+ o Probabilisticly unique identifiers have similar properties to
+ hashed identifiers, but (given a sufficiently good random number
+ generator) are immune to the search space issues. However, the
+ strength of this approach is also its weakness: there is no
+ algorithmic transformation by which even the server operator can
+ associate name server instances with identifiers while debugging,
+ which might be annoying. This approach also requires the name
+ server instance to preserve the probabilisticly unique identifier
+ across reboots, but this does not appear to be a serious
+ restriction, since authoritative nameservers almost always have
+ some form of nonvolatile storage in any case, and in the rare case
+ of a name server that does not have any way to store such an
+ identifier, nothing terrible will happen if the name server just
+ generates a new identifier every time it reboots.
+
+ o Using an arbitrary octet string gives name server operators yet
+ another thing to configure, or mis-configure, or forget to
+ configure. Having all the nodes in an anycast name server
+ constellation identify themselves as "My Name Server" would not be
+ particularly useful.
+
+ Given all of the issues listed above, there does not appear to be a
+ single solution that will meet all needs. Section 2.3 therefore
+ defines the NSID payload to be an opaque byte string and leaves the
+ choice up to the implementor and name server operator. The following
+ guidelines may be useful to implementors and server operators:
+
+
+
+
+Austein Expires July 15, 2006 [Page 7]
+
+Internet-Draft DNS NSID January 2006
+
+
+ o Operators for whom divulging the unicast address is an issue could
+ use the raw binary representation of a probabilisticly unique
+ random number. This should probably be the default implementation
+ behavior.
+
+ o Operators for whom divulging the unicast address is not an issue
+ could just use the raw binary representation of a unicast address
+ for simplicity. This should only be done via an explicit
+ configuration choice by the operator.
+
+ o Operators who really need or want the ability to set the NSID
+ payload to an arbitrary value could do so, but this should only be
+ done via an explicit configuration choice by the operator.
+
+ This approach appears to provide enough information for useful
+ debugging without unintentionally leaking the maintenance addresses
+ of anycast name servers to nogoodniks, while also allowing name
+ server operators who do not find such leakage threatening to provide
+ more information at their own discretion.
+
+3.2. NSID Is Not Transitive
+
+ As specified in Section 2.1 and Section 2.2, the NSID option is not
+ transitive. This is strictly a hop-by-hop mechanism.
+
+ Most of the discussion of name server identification to date has
+ focused on identifying authoritative name servers, since the best
+ known cases of anycast name servers are a subset of the name servers
+ for the root zone. However, given that anycast DNS techniques are
+ also applicable to recursive name servers, the mechanism may also be
+ useful with recursive name servers. The hop-by-hop semantics support
+ this.
+
+ While there might be some utility in having a transitive variant of
+ this mechanism (so that, for example, a stub resolver could ask a
+ recursive server to tell it which authoritative name server provided
+ a particular answer to the recursive name server), the semantics of
+ such a variant would be more complicated, and are left for future
+ work.
+
+3.3. User Interface Issues
+
+ Given the range of possible payload contents described in
+ Section 3.1, it is not possible to define a single presentation
+ format for the NSID payload that is efficient, convenient,
+ unambiguous, and aesthetically pleasing. In particular, while it is
+ tempting to use a presentation format that uses some form of textual
+ strings, attempting to support this would significantly complicate
+
+
+
+Austein Expires July 15, 2006 [Page 8]
+
+Internet-Draft DNS NSID January 2006
+
+
+ what's intended to be a very simple debugging mechanism.
+
+ In some cases the content of the NSID payload may be binary data
+ meaningful only to the name server operator, and may not be
+ meaningful to the user or application, but the user or application
+ must be able to capture the entire content anyway in order for it to
+ be useful. Thus, the presentation format must support arbitrary
+ binary data.
+
+ In cases where the name server operator derives the NSID payload from
+ textual data, a textual form such as US-ASCII or UTF-8 strings might
+ at first glance seem easier for a user to deal with. There are,
+ however, a number of complex issues involving internationalized text
+ which, if fully addressed here, would require a set of rules
+ significantly longer than the rest of this specification. See
+ [RFC2277] for an overview of some of these issues.
+
+ It is much more important for the NSID payload data to be passed
+ unambiguously from server administrator to user and back again than
+ it is for the payload data data to be pretty while in transit. In
+ particular, it's critical that it be straightforward for a user to
+ cut and paste an exact copy of the NSID payload output by a debugging
+ tool into other formats such as email messages or web forms without
+ distortion. Hexadecimal strings, while ugly, are also robust.
+
+3.4. Truncation
+
+ In some cases, adding the NSID option to a response message may
+ trigger message truncation. This specification does not change the
+ rules for DNS message truncation in any way, but implementors will
+ need to pay attention to this issue.
+
+ Including the NSID option in a response is always optional, so this
+ specification never requires name servers to truncate response
+ messages.
+
+ By definition, a resolver that requests NSID responses also supports
+ EDNS, so a resolver that requests NSID responses can also use the
+ "sender's UDP payload size" field of the OPT pseudo-RR to signal a
+ receive buffer size large enough to make truncation unlikely.
+
+
+
+
+
+
+
+
+
+
+
+Austein Expires July 15, 2006 [Page 9]
+
+Internet-Draft DNS NSID January 2006
+
+
+4. IANA Considerations
+
+ This mechanism requires allocation of one ENDS option code for the
+ NSID option (Section 2.3).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Austein Expires July 15, 2006 [Page 10]
+
+Internet-Draft DNS NSID January 2006
+
+
+5. Security Considerations
+
+ This document describes a channel signaling mechanism, intended
+ primarily for debugging. Channel signaling mechanisms are outside
+ the scope of DNSSEC per se. Applications that require integrity
+ protection for the data being signaled will need to use a channel
+ security mechanism such as TSIG [RFC2845].
+
+ Section 3.1 discusses a number of different kinds of information that
+ a name server operator might choose to provide as the value of the
+ NSID option. Some of these kinds of information are security
+ sensitive in some environments. This specification deliberately
+ leaves the syntax and semantics of the NSID option content up to the
+ implementation and the name server operator.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Austein Expires July 15, 2006 [Page 11]
+
+Internet-Draft DNS NSID January 2006
+
+
+6. Acknowledgements
+
+ Joe Abley, Harald Alvestrand, Mark Andrews, Roy Arends, Steve
+ Bellovin, Randy Bush, David Conrad, Johan Ihren, Daniel Karrenberg,
+ Peter Koch, Mike Patton, Mike StJohns, Paul Vixie, Sam Weiler, and
+ Suzanne Woolf. Apologies to anyone inadvertently omitted from the
+ above list.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Austein Expires July 15, 2006 [Page 12]
+
+Internet-Draft DNS NSID January 2006
+
+
+7. References
+
+7.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", RFC 2119, BCP 14, March 1997.
+
+ [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)",
+ RFC 2671, August 1999.
+
+ [RFC2845] Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
+ Wellington, "Secret Key Transaction Authentication for DNS
+ (TSIG)", RFC 2845, May 2000.
+
+7.2. Informative References
+
+ [RFC2277] Alvestrand, H., "IETF Policy on Character Sets and
+ Languages", RFC 2277, BCP 18, January 1998.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Austein Expires July 15, 2006 [Page 13]
+
+Internet-Draft DNS NSID January 2006
+
+
+Author's Address
+
+ Rob Austein
+ ISC
+ 950 Charter Street
+ Redwood City, CA 94063
+ USA
+
+ Email: sra@isc.org
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Austein Expires July 15, 2006 [Page 14]
+
+Internet-Draft DNS NSID January 2006
+
+
+Intellectual Property Statement
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+
+Disclaimer of Validity
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Copyright Statement
+
+ Copyright (C) The Internet Society (2006). This document is subject
+ to the rights, licenses and restrictions contained in BCP 78, and
+ except as set forth therein, the authors retain all their rights.
+
+
+Acknowledgment
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+Austein Expires July 15, 2006 [Page 15]
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-trustupdate-threshold-00.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-trustupdate-threshold-00.txt
index b5aaad2..a598826 100644
--- a/contrib/bind9/doc/draft/draft-ietf-dnsext-trustupdate-threshold-00.txt
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsext-trustupdate-threshold-00.txt
@@ -1380,7 +1380,7 @@ Appendix B. Document History
to the RFC editor.
- The version you are reading is tagged as $Revision: 1.1.232.1 $.
+ The version you are reading is tagged as $Revision: 1.1.230.1 $.
Text between square brackets, other than references, are editorial
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-trustupdate-timers-02.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-trustupdate-timers-02.txt
new file mode 100644
index 0000000..7cb9063
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsext-trustupdate-timers-02.txt
@@ -0,0 +1,730 @@
+
+
+
+
+Network Working Group M. StJohns
+Internet-Draft Nominum, Inc.
+Expires: July 14, 2006 January 10, 2006
+
+
+ Automated Updates of DNSSEC Trust Anchors
+ draft-ietf-dnsext-trustupdate-timers-02
+
+Status of this Memo
+
+ By submitting this Internet-Draft, each author represents that any
+ applicable patent or other IPR claims of which he or she is aware
+ have been or will be disclosed, and any of which he or she becomes
+ aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on July 14, 2006.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2006).
+
+Abstract
+
+ This document describes a means for automated, authenticated and
+ authorized updating of DNSSEC "trust anchors". The method provides
+ protection against single key compromise of a key in the trust point
+ key set. Based on the trust established by the presence of a current
+ anchor, other anchors may be added at the same place in the
+ hierarchy, and, ultimately, supplant the existing anchor.
+
+ This mechanism, if adopted, will require changes to resolver
+ management behavior (but not resolver resolution behavior), and the
+
+
+
+StJohns Expires July 14, 2006 [Page 1]
+
+Internet-Draft trustanchor-update January 2006
+
+
+ addition of a single flag bit to the DNSKEY record.
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 1.1. Compliance Nomenclature . . . . . . . . . . . . . . . . . 3
+ 1.2. Changes since -00 . . . . . . . . . . . . . . . . . . . . 3
+ 2. Theory of Operation . . . . . . . . . . . . . . . . . . . . . 4
+ 2.1. Revocation . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 2.2. Add Hold-Down . . . . . . . . . . . . . . . . . . . . . . 5
+ 2.3. Remove Hold-down . . . . . . . . . . . . . . . . . . . . . 5
+ 2.4. Active Refresh . . . . . . . . . . . . . . . . . . . . . . 6
+ 2.5. Resolver Parameters . . . . . . . . . . . . . . . . . . . 6
+ 2.5.1. Add Hold-Down Time . . . . . . . . . . . . . . . . . . 6
+ 2.5.2. Remove Hold-Down Time . . . . . . . . . . . . . . . . 6
+ 2.5.3. Minimum Trust Anchors per Trust Point . . . . . . . . 6
+ 3. Changes to DNSKEY RDATA Wire Format . . . . . . . . . . . . . 6
+ 4. State Table . . . . . . . . . . . . . . . . . . . . . . . . . 7
+ 4.1. Events . . . . . . . . . . . . . . . . . . . . . . . . . . 7
+ 4.2. States . . . . . . . . . . . . . . . . . . . . . . . . . . 8
+ 4.3. Trust Point Deletion . . . . . . . . . . . . . . . . . . . 8
+ 5. Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . 8
+ 5.1. Adding A Trust Anchor . . . . . . . . . . . . . . . . . . 9
+ 5.2. Deleting a Trust Anchor . . . . . . . . . . . . . . . . . 9
+ 5.3. Key Roll-Over . . . . . . . . . . . . . . . . . . . . . . 9
+ 5.4. Active Key Compromised . . . . . . . . . . . . . . . . . . 9
+ 5.5. Stand-by Key Compromised . . . . . . . . . . . . . . . . . 10
+ 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
+ 7. Security Considerations . . . . . . . . . . . . . . . . . . . 10
+ 7.1. Key Ownership vs Acceptance Policy . . . . . . . . . . . . 10
+ 7.2. Multiple Key Compromise . . . . . . . . . . . . . . . . . 10
+ 7.3. Dynamic Updates . . . . . . . . . . . . . . . . . . . . . 11
+ 8. Normative References . . . . . . . . . . . . . . . . . . . . . 11
+ Editorial Comments . . . . . . . . . . . . . . . . . . . . . . . .
+ Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 12
+ Intellectual Property and Copyright Statements . . . . . . . . . . 13
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+StJohns Expires July 14, 2006 [Page 2]
+
+Internet-Draft trustanchor-update January 2006
+
+
+1. Introduction
+
+ As part of the reality of fielding DNSSEC (Domain Name System
+ Security Extensions) [RFC2535] [RFC4033][RFC4034][RFC4035], the
+ community has come to the realization that there will not be one
+ signed name space, but rather islands of signed name space each
+ originating from specific points (i.e. 'trust points') in the DNS
+ tree. Each of those islands will be identified by the trust point
+ name, and validated by at least one associated public key. For the
+ purpose of this document we'll call the association of that name and
+ a particular key a 'trust anchor'. A particular trust point can have
+ more than one key designated as a trust anchor.
+
+ For a DNSSEC-aware resolver to validate information in a DNSSEC
+ protected branch of the hierarchy, it must have knowledge of a trust
+ anchor applicable to that branch. It may also have more than one
+ trust anchor for any given trust point. Under current rules, a chain
+ of trust for DNSSEC-protected data that chains its way back to ANY
+ known trust anchor is considered 'secure'.
+
+ Because of the probable balkanization of the DNSSEC tree due to
+ signing voids at key locations, a resolver may need to know literally
+ thousands of trust anchors to perform its duties. (e.g. Consider an
+ unsigned ".COM".) Requiring the owner of the resolver to manually
+ manage this many relationships is problematic. It's even more
+ problematic when considering the eventual requirement for key
+ replacement/update for a given trust anchor. The mechanism described
+ herein won't help with the initial configuration of the trust anchors
+ in the resolvers, but should make trust point key replacement/
+ rollover more viable.
+
+ As mentioned above, this document describes a mechanism whereby a
+ resolver can update the trust anchors for a given trust point, mainly
+ without human intervention at the resolver. There are some corner
+ cases discussed (e.g. multiple key compromise) that may require
+ manual intervention, but they should be few and far between. This
+ document DOES NOT discuss the general problem of the initial
+ configuration of trust anchors for the resolver.
+
+1.1. Compliance Nomenclature
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in BCP 14, [RFC2119].
+
+1.2. Changes since -00
+
+ Added the concept of timer triggered resolver queries to refresh the
+
+
+
+StJohns Expires July 14, 2006 [Page 3]
+
+Internet-Draft trustanchor-update January 2006
+
+
+ resolvers view of the trust anchor key RRSet.
+
+ Re-submitted expired draft as -01. Updated DNSSEC RFC References.
+
+ Draft -02. Added the IANA Considerations section. Added text to
+ describe what happens if all trust anchors at a trust point are
+ deleted.
+
+
+2. Theory of Operation
+
+ The general concept of this mechanism is that existing trust anchors
+ can be used to authenticate new trust anchors at the same point in
+ the DNS hierarchy. When a new SEP key is added to a trust point
+ DNSKEY RRSet, and when that RRSet is validated by an existing trust
+ anchor, then the new key can be added to the set of trust anchors.
+
+ There are some issues with this approach which need to be mitigated.
+ For example, a compromise of one of the existing keys could allow an
+ attacker to add their own 'valid' data. This implies a need for a
+ method to revoke an existing key regardless of whether or not that
+ key is compromised. As another example assuming a single key
+ compromise, an attacker could add a new key and revoke all the other
+ old keys.
+
+2.1. Revocation
+
+ Assume two trust anchor keys A and B. Assume that B has been
+ compromised. Without a specific revocation bit, B could invalidate A
+ simply by sending out a signed trust point key set which didn't
+ contain A. To fix this, we add a mechanism which requires knowledge
+ of the private key of a DNSKEY to revoke that DNSKEY.
+
+ A key is considered revoked when the resolver sees the key in a self-
+ signed RRSet and the key has the REVOKE bit (see Section 6 below) set
+ to '1'. Once the resolver sees the REVOKE bit, it MUST NOT use this
+ key as a trust anchor or for any other purposes except validating the
+ RRSIG over the DNSKEY RRSet specifically for the purpose of
+ validating the revocation. Unlike the 'Add' operation below,
+ revocation is immediate and permanent upon receipt of a valid
+ revocation at the resolver.
+
+ N.B. A DNSKEY with the REVOKE bit set has a different fingerprint
+ than one without the bit set. This affects the matching of a DNSKEY
+ to DS records in the parent, or the fingerprint stored at a resolver
+ used to configure a trust point. [msj3]
+
+ In the given example, the attacker could revoke B because it has
+
+
+
+StJohns Expires July 14, 2006 [Page 4]
+
+Internet-Draft trustanchor-update January 2006
+
+
+ knowledge of B's private key, but could not revoke A.
+
+2.2. Add Hold-Down
+
+ Assume two trust point keys A and B. Assume that B has been
+ compromised. An attacker could generate and add a new trust anchor
+ key - C (by adding C to the DNSKEY RRSet and signing it with B), and
+ then invalidate the compromised key. This would result in the both
+ the attacker and owner being able to sign data in the zone and have
+ it accepted as valid by resolvers.
+
+ To mitigate, but not completely solve, this problem, we add a hold-
+ down time to the addition of the trust anchor. When the resolver
+ sees a new SEP key in a validated trust point DNSKEY RRSet, the
+ resolver starts an acceptance timer, and remembers all the keys that
+ validated the RRSet. If the resolver ever sees the DNSKEY RRSet
+ without the new key but validly signed, it stops the acceptance
+ process and resets the acceptance timer. If all of the keys which
+ were originally used to validate this key are revoked prior to the
+ timer expiring, the resolver stops the acceptance process and resets
+ the timer.
+
+ Once the timer expires, the new key will be added as a trust anchor
+ the next time the validated RRSet with the new key is seen at the
+ resolver. The resolver MUST NOT treat the new key as a trust anchor
+ until the hold down time expires AND it has retrieved and validated a
+ DNSKEY RRSet after the hold down time which contains the new key.
+
+ N.B.: Once the resolver has accepted a key as a trust anchor, the key
+ MUST be considered a valid trust anchor by that resolver until
+ explictly revoked as described above.
+
+ In the given example, the zone owner can recover from a compromise by
+ revoking B and adding a new key D and signing the DNSKEY RRSet with
+ both A and B.
+
+ The reason this does not completely solve the problem has to do with
+ the distributed nature of DNS. The resolver only knows what it sees.
+ A determined attacker who holds one compromised key could keep a
+ single resolver from realizing that key had been compromised by
+ intercepting 'real' data from the originating zone and substituting
+ their own (e.g. using the example, signed only by B). This is no
+ worse than the current situation assuming a compromised key.
+
+2.3. Remove Hold-down
+
+ A new key which has been seen by the resolver, but hasn't reached
+ it's add hold-down time, MAY be removed from the DNSKEY RRSet by the
+
+
+
+StJohns Expires July 14, 2006 [Page 5]
+
+Internet-Draft trustanchor-update January 2006
+
+
+ zone owner. If the resolver sees a validated DNSKEY RRSet without
+ this key, it waits for the remove hold-down time and then, if the key
+ hasn't reappeared, SHOULD discard any information about the key.
+
+2.4. Active Refresh
+
+ A resolver which has been configured for automatic update of keys
+ from a particular trust point MUST query that trust point (e.g. do a
+ lookup for the DNSKEY RRSet and related RRSIG records) no less often
+ than the lesser of 15 days or half the original TTL for the DNSKEY
+ RRSet or half the RRSIG expiration interval. The expiration interval
+ is the amount of time from when the RRSIG was last retrieved until
+ the expiration time in the RRSIG.
+
+ If the query fails, the resolver MUST repeat the query until
+ satisfied no more often than once an hour and no less often than the
+ lesser of 1 day or 10% of the original TTL or 10% of the original
+ expiration interval.
+
+2.5. Resolver Parameters
+
+2.5.1. Add Hold-Down Time
+
+ The add hold-down time is 30 days or the expiration time of the TTL
+ of the first trust point DNSKEY RRSet which contained the key,
+ whichever is greater. This ensures that at least two validated
+ DNSKEY RRSets which contain the new key MUST be seen by the resolver
+ prior to the key's acceptance.
+
+2.5.2. Remove Hold-Down Time
+
+ The remove hold-down time is 30 days.
+
+2.5.3. Minimum Trust Anchors per Trust Point
+
+ A compliant resolver MUST be able to manage at least five SEP keys
+ per trust point.
+
+
+3. Changes to DNSKEY RDATA Wire Format
+
+ Bit n [msj2] of the DNSKEY Flags field is designated as the 'REVOKE'
+ flag. If this bit is set to '1', AND the resolver sees an
+ RRSIG(DNSKEY) signed by the associated key, then the resolver MUST
+ consider this key permanently invalid for all purposes except for
+ validing the revocation.
+
+
+
+
+
+StJohns Expires July 14, 2006 [Page 6]
+
+Internet-Draft trustanchor-update January 2006
+
+
+4. State Table
+
+ The most important thing to understand is the resolver's view of any
+ key at a trust point. The following state table describes that view
+ at various points in the key's lifetime. The table is a normative
+ part of this specification. The initial state of the key is 'Start'.
+ The resolver's view of the state of the key changes as various events
+ occur.
+
+ [msj1] This is the state of a trust point key as seen from the
+ resolver. The column on the left indicates the current state. The
+ header at the top shows the next state. The intersection of the two
+ shows the event that will cause the state to transition from the
+ current state to the next.
+
+ NEXT STATE
+ --------------------------------------------------
+ FROM |Start |AddPend |Valid |Missing|Revoked|Removed|
+ ----------------------------------------------------------
+ Start | |NewKey | | | | |
+ ----------------------------------------------------------
+ AddPend |KeyRem | |AddTime| | |
+ ----------------------------------------------------------
+ Valid | | | |KeyRem |Revbit | |
+ ----------------------------------------------------------
+ Missing | | |KeyPres| |Revbit | |
+ ----------------------------------------------------------
+ Revoked | | | | | |RemTime|
+ ----------------------------------------------------------
+ Removed | | | | | | |
+ ----------------------------------------------------------
+
+4.1. Events
+ NewKey The resolver sees a valid DNSKEY RRSet with a new SEP key.
+ That key will become a new trust anchor for the named trust point
+ after its been present in the RRSet for at least 'add time'.
+ KeyPres The key has returned to the valid DNSKEY RRSet.
+ KeyRem The resolver sees a valid DNSKEY RRSet that does not contain
+ this key.
+ AddTime The key has been in every valid DNSKEY RRSet seen for at
+ least the 'add time'.
+ RemTime A revoked key has been missing from the trust point DNSKEY
+ RRSet for sufficient time to be removed from the trust set.
+ RevBit The key has appeared in the trust anchor DNSKEY RRSet with its
+ "REVOKED" bit set, and there is an RRSig over the DNSKEY RRSet
+ signed by this key.
+
+
+
+
+
+StJohns Expires July 14, 2006 [Page 7]
+
+Internet-Draft trustanchor-update January 2006
+
+
+4.2. States
+ Start The key doesn't yet exist as a trust anchor at the resolver.
+ It may or may not exist at the zone server, but hasn't yet been
+ seen at the resolver.
+ AddPend The key has been seen at the resolver, has its 'SEP' bit set,
+ and has been included in a validated DNSKEY RRSet. There is a
+ hold-down time for the key before it can be used as a trust
+ anchor.
+ Valid The key has been seen at the resolver and has been included in
+ all validated DNSKEY RRSets from the time it was first seen up
+ through the hold-down time. It is now valid for verifying RRSets
+ that arrive after the hold down time. Clarification: The DNSKEY
+ RRSet does not need to be continuously present at the resolver
+ (e.g. its TTL might expire). If the RRSet is seen, and is
+ validated (i.e. verifies against an existing trust anchor), this
+ key MUST be in the RRSet otherwise a 'KeyRem' event is triggered.
+ Missing This is an abnormal state. The key remains as a valid trust
+ point key, but was not seen at the resolver in the last validated
+ DNSKEY RRSet. This is an abnormal state because the zone operator
+ should be using the REVOKE bit prior to removal. [Discussion
+ item: Should a missing key be considered revoked after some period
+ of time?]
+ Revoked This is the state a key moves to once the resolver sees an
+ RRSIG(DNSKEY) signed by this key where that DNSKEY RRSet contains
+ this key with its REVOKE bit set to '1'. Once in this state, this
+ key MUST permanently be considered invalid as a trust anchor.
+ Removed After a fairly long hold-down time, information about this
+ key may be purged from the resolver. A key in the removed state
+ MUST NOT be considered a valid trust anchor.
+
+4.3. Trust Point Deletion
+
+ A trust point which has all of its trust anchors revoked is
+ considered deleted and is treated as if the trust point was never
+ configured. If there are no superior trust points, data at and below
+ the deleted trust point are considered insecure. If there there ARE
+ superior trust points, data at and below the deleted trust point are
+ evaluated with respect to the superior trust point.
+
+
+5. Scenarios
+
+ The suggested model for operation is to have one active key and one
+ stand-by key at each trust point. The active key will be used to
+ sign the DNSKEY RRSet. The stand-by key will not normally sign this
+ RRSet, but the resolver will accept it as a trust anchor if/when it
+ sees the signature on the trust point DNSKEY RRSet.
+
+
+
+
+StJohns Expires July 14, 2006 [Page 8]
+
+Internet-Draft trustanchor-update January 2006
+
+
+ Since the stand-by key is not in active signing use, the associated
+ private key may (and SHOULD) be provided with additional protections
+ not normally available to a key that must be used frequently. E.g.
+ locked in a safe, split among many parties, etc. Notionally, the
+ stand-by key should be less subject to compromise than an active key,
+ but that will be dependent on operational concerns not addressed
+ here.
+
+5.1. Adding A Trust Anchor
+
+ Assume an existing trust anchor key 'A'.
+ 1. Generate a new key pair.
+ 2. Create a DNSKEY record from the key pair and set the SEP and Zone
+ Key bits.
+ 3. Add the DNSKEY to the RRSet.
+ 4. Sign the DNSKEY RRSet ONLY with the existing trust anchor key -
+ 'A'.
+ 5. Wait a while.
+
+5.2. Deleting a Trust Anchor
+
+ Assume existing trust anchors 'A' and 'B' and that you want to revoke
+ and delete 'A'.
+ 1. Set the revolcation bit on key 'A'.
+ 2. Sign the DNSKEY RRSet with both 'A' and 'B'.
+ 'A' is now revoked. The operator SHOULD include the revoked 'A' in
+ the RRSet for at least the remove hold-down time, but then may remove
+ it from the DNSKEY RRSet.
+
+5.3. Key Roll-Over
+
+ Assume existing keys A and B. 'A' is actively in use (i.e. has been
+ signing the DNSKEY RRSet.) 'B' was the stand-by key. (i.e. has been
+ in the DNSKEY RRSet and is a valid trust anchor, but wasn't being
+ used to sign the RRSet.)
+ 1. Generate a new key pair 'C'.
+ 2. Add 'C' to the DNSKEY RRSet.
+ 3. Set the revocation bit on key 'A'.
+ 4. Sign the RRSet with 'A' and 'B'.
+ 'A' is now revoked, 'B' is now the active key, and 'C' will be the
+ stand-by key once the hold-down expires. The operator SHOULD include
+ the revoked 'A' in the RRSet for at least the remove hold-down time,
+ but may then remove it from the DNSKEY RRSet.
+
+5.4. Active Key Compromised
+
+ This is the same as the mechanism for Key Roll-Over (Section 5.3)
+ above assuming 'A' is the active key.
+
+
+
+StJohns Expires July 14, 2006 [Page 9]
+
+Internet-Draft trustanchor-update January 2006
+
+
+5.5. Stand-by Key Compromised
+
+ Using the same assumptions and naming conventions as Key Roll-Over
+ (Section 5.3) above:
+ 1. Generate a new key pair 'C'.
+ 2. Add 'C' to the DNSKEY RRSet.
+ 3. Set the revocation bit on key 'B'.
+ 4. Sign the RRSet with 'A' and 'B'.
+ 'B' is now revoked, 'A' remains the active key, and 'C' will be the
+ stand-by key once the hold-down expires. 'B' SHOULD continue to be
+ included in the RRSet for the remove hold-down time.
+
+
+6. IANA Considerations
+
+ The IANA will need to assign a bit in the DNSKEY flags field (see
+ section 4.3 of [RFC3755]) for the REVOKE bit. There are no other
+ IANA actions required.
+
+
+7. Security Considerations
+
+7.1. Key Ownership vs Acceptance Policy
+
+ The reader should note that, while the zone owner is responsible
+ creating and distributing keys, it's wholly the decision of the
+ resolver owner as to whether to accept such keys for the
+ authentication of the zone information. This implies the decision
+ update trust anchor keys based on trust for a current trust anchor
+ key is also the resolver owner's decision.
+
+ The resolver owner (and resolver implementers) MAY choose to permit
+ or prevent key status updates based on this mechanism for specific
+ trust points. If they choose to prevent the automated updates, they
+ will need to establish a mechanism for manual or other out-of-band
+ updates outside the scope of this document.
+
+7.2. Multiple Key Compromise
+
+ This scheme permits recovery as long as at least one valid trust
+ anchor key remains uncompromised. E.g. if there are three keys, you
+ can recover if two of them are compromised. The zone owner should
+ determine their own level of comfort with respect to the number of
+ active valid trust anchors in a zone and should be prepared to
+ implement recovery procedures once they detect a compromise. A
+ manual or other out-of-band update of all resolvers will be required
+ if all trust anchor keys at a trust point are compromised.
+
+
+
+
+StJohns Expires July 14, 2006 [Page 10]
+
+Internet-Draft trustanchor-update January 2006
+
+
+7.3. Dynamic Updates
+
+ Allowing a resolver to update its trust anchor set based in-band key
+ information is potentially less secure than a manual process.
+ However, given the nature of the DNS, the number of resolvers that
+ would require update if a trust anchor key were compromised, and the
+ lack of a standard management framework for DNS, this approach is no
+ worse than the existing situation.
+
+8. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2535] Eastlake, D., "Domain Name System Security Extensions",
+ RFC 2535, March 1999.
+
+ [RFC3755] Weiler, S., "Legacy Resolver Compatibility for Delegation
+ Signer (DS)", RFC 3755, May 2004.
+
+ [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "DNS Security Introduction and Requirements",
+ RFC 4033, March 2005.
+
+ [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "Resource Records for the DNS Security Extensions",
+ RFC 4034, March 2005.
+
+ [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "Protocol Modifications for the DNS Security
+ Extensions", RFC 4035, March 2005.
+
+Editorial Comments
+
+ [msj1] msj: N.B. This table is preliminary and will be revised to
+ match implementation experience. For example, should there
+ be a state for "Add hold-down expired, but haven't seen the
+ new RRSet"?
+
+ [msj2] msj: To be assigned.
+
+ [msj3] msj: For discussion: What's the implementation guidance for
+ resolvers currently with respect to the non-assigned flag
+ bits? If they consider the flag bit when doing key matching
+ at the trust anchor, they won't be able to match.
+
+
+
+
+
+
+StJohns Expires July 14, 2006 [Page 11]
+
+Internet-Draft trustanchor-update January 2006
+
+
+Author's Address
+
+ Michael StJohns
+ Nominum, Inc.
+ 2385 Bay Road
+ Redwood City, CA 94063
+ USA
+
+ Phone: +1-301-528-4729
+ Email: Mike.StJohns@nominum.com
+ URI: www.nominum.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+StJohns Expires July 14, 2006 [Page 12]
+
+Internet-Draft trustanchor-update January 2006
+
+
+Intellectual Property Statement
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+
+Disclaimer of Validity
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Copyright Statement
+
+ Copyright (C) The Internet Society (2006). This document is subject
+ to the rights, licenses and restrictions contained in BCP 78, and
+ except as set forth therein, the authors retain all their rights.
+
+
+Acknowledgment
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+StJohns Expires July 14, 2006 [Page 13]
+
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-tsig-sha-06.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-tsig-sha-06.txt
new file mode 100644
index 0000000..00476ae
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsext-tsig-sha-06.txt
@@ -0,0 +1,522 @@
+
+INTERNET-DRAFT Donald E. Eastlake 3rd
+UPDATES RFC 2845 Motorola Laboratories
+Expires: July 2006 January 2006
+
+ HMAC SHA TSIG Algorithm Identifiers
+ ---- --- ---- --------- -----------
+ <draft-ietf-dnsext-tsig-sha-06.txt>
+
+
+Status of This Document
+
+ By submitting this Internet-Draft, each author represents that any
+ applicable patent or other IPR claims of which he or she is aware
+ have been or will be disclosed, and any of which he or she becomes
+ aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+ This draft is intended to be become a Proposed Standard RFC.
+ Distribution of this document is unlimited. Comments should be sent
+ to the DNSEXT working group mailing list <namedroppers@ops.ietf.org>.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/1id-abstracts.html
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html
+
+
+Abstract
+
+ Use of the Domain Name System TSIG resource record requires
+ specification of a cryptographic message authentication code.
+ Currently identifiers have been specified only for the HMAC MD5
+ (Message Digest) and GSS (Generic Security Service) TSIG algorithms.
+ This document standardizes identifiers and implementation
+ requirements for additional HMAC SHA (Secure Hash Algorithm) TSIG
+ algorithms and standardizes how to specify and handle the truncation
+ of HMAC values in TSIG.
+
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2006).
+
+
+
+D. Eastlake 3rd [Page 1]
+
+
+INTERNET-DRAFT HMAC-SHA TSIG Identifiers
+
+
+Table of Contents
+
+ Status of This Document....................................1
+ Abstract...................................................1
+ Copyright Notice...........................................1
+
+ Table of Contents..........................................2
+
+ 1. Introduction............................................3
+
+ 2. Algorithms and Identifiers..............................4
+
+ 3. Specifying Truncation...................................5
+ 3.1 Truncation Specification...............................5
+
+ 4. TSIG Truncation Policy and Error Provisions.............6
+
+ 5. IANA Considerations.....................................7
+ 6. Security Considerations.................................7
+ 7. Copyright and Disclaimer................................7
+
+ 8. Normative References....................................8
+ 9. Informative References..................................8
+
+ Author's Address...........................................9
+ Additional IPR Provisions..................................9
+ Expiration and File Name...................................9
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+D. Eastlake 3rd [Page 2]
+
+
+INTERNET-DRAFT HMAC-SHA TSIG Identifiers
+
+
+1. Introduction
+
+ [RFC 2845] specifies a TSIG Resource Record (RR) that can be used to
+ authenticate DNS (Domain Name System [STD 13]) queries and responses.
+ This RR contains a domain name syntax data item which names the
+ authentication algorithm used. [RFC 2845] defines the HMAC-MD5.SIG-
+ ALG.REG.INT name for authentication codes using the HMAC [RFC 2104]
+ algorithm with the MD5 [RFC 1321] hash algorithm. IANA has also
+ registered "gss-tsig" as an identifier for TSIG authentication where
+ the cryptographic operations are delegated to the Generic Security
+ Service (GSS) [RFC 3645].
+
+ It should be noted that use of TSIG presumes prior agreement, between
+ the resolver and server involved, as to the algorithm and key to be
+ used.
+
+ In Section 2, this document specifies additional names for TSIG
+ authentication algorithms based on US NIST SHA (United States,
+ National Institute of Science and Technology, Secure Hash Algorithm)
+ algorithms and HMAC and specifies the implementation requirements for
+ those algorithms.
+
+ In Section 3, this document specifies the effect of inequality
+ between the normal output size of the specified hash function and the
+ length of MAC (message authentication code) data given in the TSIG
+ RR. In particular, it specifies that a shorter length field value
+ specifies truncation and a longer length field is an error.
+
+ In Section 4, policy restrictions and implications related to
+ truncation and a new error code to indicate truncation shorter than
+ permitted by policy are described and specified.
+
+ The use herein of MUST, SHOULD, MAY, MUST NOT, and SHOULD NOT is as
+ defined in [RFC 2119].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+D. Eastlake 3rd [Page 3]
+
+
+INTERNET-DRAFT HMAC-SHA TSIG Identifiers
+
+
+2. Algorithms and Identifiers
+
+ TSIG Resource Records (RRs) [RFC 2845] are used to authenticate DNS
+ queries and responses. They are intended to be efficient symmetric
+ authentication codes based on a shared secret. (Asymmetric signatures
+ can be provided using the SIG RR [RFC 2931]. In particular, SIG(0)
+ can be used for transaction signatures.) Used with a strong hash
+ function, HMAC [RFC 2104] provides a way to calculate such symmetric
+ authentication codes. The only specified HMAC based TSIG algorithm
+ identifier has been HMAC-MD5.SIG-ALG.REG.INT based on MD5 [RFC 1321].
+
+ The use of SHA-1 [FIPS 180-2, RFC 3174], which is a 160 bit hash, as
+ compared with the 128 bits for MD5, and additional hash algorithms in
+ the SHA family [FIPS 180-2, RFC 3874, SHA2draft] with 224, 256, 384,
+ and 512 bits, may be preferred in some cases particularly since
+ increasingly successful cryptanalytic attacks are being made on the
+ shorter hashes.
+
+ Use of TSIG between a DNS resolver and server is by mutual agreement.
+ That agreement can include the support of additional algorithms and
+ criteria as to which algorithms and truncations are acceptable,
+ subject to the restriction and guidelines in Section 3 and 4 below.
+ Key agreement can be by the TKEY mechanism [RFC 2930] or other
+ mutually agreeable method.
+
+ The current HMAC-MD5.SIG-ALG.REG.INT and gss-tsig identifiers are
+ included in the table below for convenience. Implementations which
+ support TSIG MUST also implement HMAC SHA1 and HMAC SHA256 and MAY
+ implement gss-tsig and the other algorithms listed below.
+
+ Mandatory HMAC-MD5.SIG-ALG.REG.INT
+ Optional gss-tsig
+ Mandatory hmac-sha1
+ Optional hmac-sha224
+ Mandatory hmac-sha256
+ Optional hamc-sha384
+ Optional hmac-sha512
+
+ SHA-1 truncated to 96 bits (12 octets) SHOULD be implemented.
+
+
+
+
+
+
+
+
+
+
+
+
+
+D. Eastlake 3rd [Page 4]
+
+
+INTERNET-DRAFT HMAC-SHA TSIG Identifiers
+
+
+3. Specifying Truncation
+
+ When space is at a premium and the strength of the full length of an
+ HMAC is not needed, it is reasonable to truncate the HMAC output and
+ use the truncated value for authentication. HMAC SHA-1 truncated to
+ 96 bits is an option available in several IETF protocols including
+ IPSEC and TLS.
+
+ The TSIG RR [RFC 2845] includes a "MAC size" field, which gives the
+ size of the MAC field in octets. But [RFC 2845] does not specify what
+ to do if this MAC size differs from the length of the output of HMAC
+ for a particular hash function. Truncation is indicated by a MAC size
+ less than the HMAC size as specified below.
+
+
+
+3.1 Truncation Specification
+
+ The specification for TSIG handling is changed as follows:
+
+ 1. If "MAC size" field is greater than HMAC output length:
+ This case MUST NOT be generated and if received MUST cause the
+ packet to be dropped and RCODE 1 (FORMERR) to be returned.
+
+ 2. If "MAC size" field equals HMAC output length:
+ Operation is as described in [RFC 2845] with the entire output
+ HMAC output present.
+
+ 3. "MAC size" field is less than HMAC output length but greater than
+ that specified in case 4 below:
+ This is sent when the signer has truncated the HMAC output to
+ an allowable length, as described in RFC 2104, taking initial
+ octets and discarding trailing octets. TSIG truncation can only be
+ to an integral number of octets. On receipt of a packet with
+ truncation thus indicated, the locally calculated MAC is similarly
+ truncated and only the truncated values compared for
+ authentication. The request MAC used when calculating the TSIG MAC
+ for a reply is the truncated request MAC.
+
+ 4. "MAC size" field is less than the larger of 10 (octets) and half
+ the length of the hash function in use:
+ With the exception of certain TSIG error messages described in
+ RFC 2845 section 3.2 where it is permitted that the MAC size be
+ zero, this case MUST NOT be generated and if received MUST cause
+ the packet to be dropped and RCODE 1 (FORMERR) to be returned. The
+ size limit for this case can also, for the hash functions
+ mentioned in this document, be stated as less than half the hash
+ function length for hash functions other than MD5 and less than 10
+ octets for MD5.
+
+
+
+D. Eastlake 3rd [Page 5]
+
+
+INTERNET-DRAFT HMAC-SHA TSIG Identifiers
+
+
+4. TSIG Truncation Policy and Error Provisions
+
+ Use of TSIG is by mutual agreement between a resolver and server.
+ Implicit in such "agreement" are criterion as to acceptable keys and
+ algorithms and, with the extensions in this document, truncations.
+ Note that it is common for implementations to bind the TSIG secret
+ key or keys that may be in place at a resolver and server to
+ particular algorithms. Thus such implementations only permit the use
+ of an algorithm if there is an associated key in place. Receipt of an
+ unknown, unimplemented, or disabled algorithm typically results in a
+ BADKEY error.
+
+ Local policies MAY require the rejection of TSIGs even though they
+ use an algorithm for which implementation is mandatory.
+
+ When a local policy permits acceptance of a TSIG with a particular
+ algorithm and a particular non-zero amount of truncation it SHOULD
+ also permit the use of that algorithm with lesser truncation (a
+ longer MAC) up to the full HMAC output.
+
+ Regardless of a lower acceptable truncated MAC length specified by
+ local policy, a reply SHOULD be sent with a MAC at least as long as
+ that in the corresponding request unless the request specified a MAC
+ length longer than the HMAC output.
+
+ Implementations permitting multiple acceptable algorithms and/or
+ truncations SHOULD permit this list to be ordered by presumed
+ strength and SHOULD allow different truncations for the same
+ algorithm to be treated as separate entities in this list. When so
+ implemented, policies SHOULD accept a presumed stronger algorithm and
+ truncation than the minimum strength required by the policy.
+
+ If a TSIG is received with truncation which is permitted under
+ Section 3 above but the MAC is too short for the local policy in
+ force, an RCODE of TBA [22 suggested](BADTRUNC) MUST be returned.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+D. Eastlake 3rd [Page 6]
+
+
+INTERNET-DRAFT HMAC-SHA TSIG Identifiers
+
+
+5. IANA Considerations
+
+ This document, on approval for publication as a standards track RFC,
+ (1) registers the new TSIG algorithm identifiers listed in Section 2
+ with IANA and (2) allocates the BADTRUNC RCODE TBA [22 suggested] in
+ Section 4. [RFC 2845]
+
+
+
+6. Security Considerations
+
+ For all of the message authentication code algorithms listed herein,
+ those producing longer values are believed to be stronger; however,
+ while there have been some arguments that mild truncation can
+ strengthen a MAC by reducing the information available to an
+ attacker, excessive truncation clearly weakens authentication by
+ reducing the number of bits an attacker has to try to break the
+ authentication by brute force [RFC 2104].
+
+ Significant progress has been made recently in cryptanalysis of hash
+ function of the type used herein, all of which ultimately derive from
+ the design of MD4. While the results so far should not effect HMAC,
+ the stronger SHA-1 and SHA-256 algorithms are being made mandatory
+ due to caution.
+
+ See the Security Considerations section of [RFC 2845]. See also the
+ Security Considerations section of [RFC 2104] from which the limits
+ on truncation in this RFC were taken.
+
+
+
+7. Copyright and Disclaimer
+
+ Copyright (C) The Internet Society (2006).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+
+
+
+D. Eastlake 3rd [Page 7]
+
+
+INTERNET-DRAFT HMAC-SHA TSIG Identifiers
+
+
+8. Normative References
+
+ [FIPS 180-2] - "Secure Hash Standard", (SHA-1/224/256/384/512) US
+ Federal Information Processing Standard, with Change Notice 1,
+ February 2004.
+
+ [RFC 1321] - Rivest, R., "The MD5 Message-Digest Algorithm ", RFC
+ 1321, April 1992.
+
+ [RFC 2104] - Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
+ Hashing for Message Authentication", RFC 2104, February 1997.
+
+ [RFC 2119] - Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC 2845] - Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
+ Wellington, "Secret Key Transaction Authentication for DNS (TSIG)",
+ RFC 2845, May 2000.
+
+ [RFC 3174] - Eastlake 3rd, D. and P. Jones, "US Secure Hash Algorithm
+ 1 (SHA1)", RFC 3174, September 2001.
+
+ [RFC 3874] - R. Housely, "A 224-bit One-way Hash Function: SHA-224",
+ September 2004,
+
+ [SHA2draft] - Eastlake, D., T. Hansen, "US Secure Hash Algorithms
+ (SHA)", draft-eastlake-sha2-*.txt, work in progress.
+
+ [STD 13]
+ Mockapetris, P., "Domain names - concepts and facilities", STD
+ 13, RFC 1034, November 1987.
+
+ Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+
+
+9. Informative References.
+
+ [RFC 2930] - Eastlake 3rd, D., "Secret Key Establishment for DNS
+ (TKEY RR)", RFC 2930, September 2000.
+
+ [RFC 2931] - Eastlake 3rd, D., "DNS Request and Transaction
+ Signatures ( SIG(0)s )", RFC 2931, September 2000.
+
+ [RFC 3645] - Kwan, S., Garg, P., Gilroy, J., Esibov, L., Westhead,
+ J., and R. Hall, "Generic Security Service Algorithm for Secret Key
+ Transaction Authentication for DNS (GSS-TSIG)", RFC 3645, October
+ 2003.
+
+
+
+D. Eastlake 3rd [Page 8]
+
+
+INTERNET-DRAFT HMAC-SHA TSIG Identifiers
+
+
+Author's Address
+
+ Donald E. Eastlake 3rd
+ Motorola Laboratories
+ 155 Beaver Street
+ Milford, MA 01757 USA
+
+ Telephone: +1-508-786-7554 (w)
+
+ EMail: Donald.Eastlake@motorola.com
+
+
+
+Additional IPR Provisions
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed
+ to pertain to the implementation or use of the technology
+ described in this document or the extent to which any license
+ under such rights might or might not be available; nor does it
+ represent that it has made any independent effort to identify any
+ such rights. Information on the procedures with respect to
+ rights in RFC documents can be found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use
+ of such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository
+ at http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention
+ any copyrights, patents or patent applications, or other
+ proprietary rights that may cover technology that may be required
+ to implement this standard. Please address the information to the
+ IETF at ietf-ipr@ietf.org.
+
+
+
+Expiration and File Name
+
+ This draft expires in July 2006.
+
+ Its file name is draft-ietf-dnsext-tsig-sha-06.txt
+
+
+
+
+
+
+
+
+D. Eastlake 3rd [Page 9]
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-wcard-clarify-10.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-wcard-clarify-10.txt
new file mode 100644
index 0000000..9cf88a5
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsext-wcard-clarify-10.txt
@@ -0,0 +1,1063 @@
+Internet-Draft dnsext-wcard January 9, 2006
+
+DNSEXT Working Group E. Lewis
+INTERNET DRAFT NeuStar
+Expiration Date: July 9, 2006 January 9, 2006
+Updates RFC 1034, RFC 2672
+
+ The Role of Wildcards
+ in the Domain Name System
+ draft-ietf-dnsext-wcard-clarify-10.txt
+
+Status of this Memo
+
+ By submitting this Internet-Draft, each author represents that
+ any applicable patent or other IPR claims of which he or she is
+ aware have been or will be disclosed, and any of which he or she
+ becomes aware will be disclosed, in accordance with Section 6 of
+ BCP 79.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six
+ months and may be updated, replaced, or obsoleted by other
+ documents at any time. It is inappropriate to use Internet-Drafts
+ as reference material or to cite them other than as "work in
+ progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html
+
+ This Internet-Draft will expire on July 9, 2006.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2006).
+
+Abstract
+
+ This is an update to the wildcard definition of RFC 1034. The
+ interaction with wildcards and CNAME is changed, an error
+ condition removed, and the words defining some concepts central
+ to wildcards are changed. The overall goal is not to change
+ wildcards, but to refine the definition of RFC 1034.
+
+
+
+
+DNSEXT Working Group Expires July 9, 2006 [Page 1]
+
+Internet-Draft dnsext-wcard January 9, 2006
+
+Table of Contents
+
+1. Introduction . . . . . . . . . . . . . . . . 3
+1 1 Motivation 3
+1 2 The Original Definition 3
+1 3 Roadmap to This Document 4
+1 3 1 New Terms 4
+1.3.2 Changed Text 5
+1.3.3 Considerations with Special Types 5
+1.4 Standards Terminology 5
+2. Wildcard Syntax . . . . . . . . . . . . . . . 6
+2.1 Identifying a Wildcard 6
+2.1.1 Wild Card Domain Name and Asterisk Label 6
+2.1.2 Asterisks and Other Characters 6
+2.1.3 Non-terminal Wild Card Domain Names 6
+2.2 Existence Rules 7
+2.2.1 An Example 7
+2.2.2 Empty Non-terminals 9
+2.2.3 Yet Another Definition of Existence 10
+2.3 When is a Wild Card Domain Name Not Special 10
+3. Impact of a Wild Card Domain Name On a Response . . . . . 10
+3.1 Step 2 10
+3.2 Step 3 11
+3.3 Part 'c' 11
+3.3.1 Closest Encloser and the Source of Synthesis 12
+3.3.2 Closest Encloser and Source of Synthesis Examples 12
+3.3.3 Type Matching 13
+4. Considerations with Special Types . . . . . . . . . 13
+4.1 SOA RRSet at a Wild Card Domain Name 13
+4.2 NS RRSet at a Wild Card Domain Name 14
+4.2.1 Discarded Notions 14
+4.3 CNAME RRSet at a Wild Card Domain Name 15
+4.4 DNAME RRSet at a Wild Card Domain Name 15
+4.5 SRV RRSet at a Wild Card Domain Name 16
+4.6 DS RRSet at a Wild Card Domain Name 16
+4.7 NSEC RRSet at a Wild Card Domain Name 17
+4.8 RRSIG at a Wild Card Domain Name 17
+4.9 Empty Non-terminal Wild Card Domain Name 17
+5. Security Considerations . . . . . . . . . . . . . 17
+6. IANA Considerations . . . . . . . . . . . . . 17
+7. References . . . . . . . . . . . . . 17
+8. Editor . . . . . . . . . . . . . 18
+9. Others Contributing to the Document . . . . . . . . 18
+10. Trailing Boilerplate . . . . . . . . . . . . . 19
+
+
+
+
+
+
+
+
+DNSEXT Working Group Expires July 9, 2006 [Page 2]
+
+Internet-Draft dnsext-wcard January 9, 2006
+
+1. Introduction
+
+ In RFC 1034 [RFC1034], sections 4.3.2 and 4.3.3 describe the
+ synthesis of answers from special resource records called
+ wildcards. The definition in RFC 1034 is incomplete and has
+ proven to be confusing. This document describes the wildcard
+ synthesis by adding to the discussion and making limited
+ modifications. Modifications are made to close inconsistencies
+ that have led to interoperability issues. This description
+ does not expand the service intended by the original definition.
+
+ Staying within the spirit and style of the original documents,
+ this document avoids specifying rules for DNS implementations
+ regarding wildcards. The intention is to only describe what is
+ needed for interoperability, not restrict implementation choices.
+ In addition, consideration is given to minimize any backwards
+ compatibility issues with implementations that comply with RFC
+ 1034's definition.
+
+ This document is focused on the concept of wildcards as defined
+ in RFC 1034. Nothing is implied regarding alternative means of
+ synthesizing resource record sets, nor are alternatives discussed.
+
+1.1 Motivation
+
+ Many DNS implementations diverge, in different ways, from the
+ original definition of wildcards. Although there is clearly a
+ need to clarify the original documents in light of this alone,
+ the impetus for this document lay in the engineering of the DNS
+ security extensions [RFC4033]. With an unclear definition of
+ wildcards the design of authenticated denial became entangled.
+
+ This document is intended to limit its changes, documenting only
+ those based on implementation experience, and to remain as close
+ to the original document as possible. To reinforce that this
+ document is meant to clarify and adjust and not redefine wildcards,
+ relevant sections of RFC 1034 are repeated verbatim to facilitate
+ comparison of the old and new text.
+
+1.2 The Original Definition
+
+ The definition of the wildcard concept is comprised by the
+ documentation of the algorithm by which a name server prepares
+ a response (in RFC 1034's section 4.3.2) and the way in which
+ a resource record (set) is identified as being a source of
+ synthetic data (section 4.3.3).
+
+ This is the definition of the term "wildcard" as it appears in
+ RFC 1034, section 4.3.3.
+
+
+
+DNSEXT Working Group Expires July 9, 2006 [Page 3]
+
+Internet-Draft dnsext-wcard January 9, 2006
+
+# In the previous algorithm, special treatment was given to RRs with
+# owner names starting with the label "*". Such RRs are called
+# wildcards. Wildcard RRs can be thought of as instructions for
+# synthesizing RRs. When the appropriate conditions are met, the name
+# server creates RRs with an owner name equal to the query name and
+# contents taken from the wildcard RRs.
+
+ This passage follows the algorithm in which the term wildcard
+ is first used. In this definition, wildcard refers to resource
+ records. In other usage, wildcard has referred to domain names,
+ and it has been used to describe the operational practice of
+ relying on wildcards to generate answers. It is clear from this
+ that there is a need to define clear and unambiguous terminology
+ in the process of discussing wildcards.
+
+ The mention of the use of wildcards in the preparation of a
+ response is contained in step 3c of RFC 1034's section 4.3.2
+ entitled "Algorithm." Note that "wildcard" does not appear in
+ the algorithm, instead references are made to the "*" label.
+ The portion of the algorithm relating to wildcards is
+ deconstructed in detail in section 3 of this document, this is
+ the beginning of the relevant portion of the "Algorithm."
+
+# c. If at some label, a match is impossible (i.e., the
+# corresponding label does not exist), look to see if [...]
+# the "*" label exists.
+
+ The scope of this document is the RFC 1034 definition of
+ wildcards and the implications of updates to those documents,
+ such as DNSSEC. Alternate schemes for synthesizing answers are
+ not considered. (Note that there is no reference listed. No
+ document is known to describe any alternate schemes, although
+ there has been some mention of them in mailing lists.)
+
+1.3 Roadmap to This Document
+
+ This document accomplishes these three items.
+ o Defines new terms
+ o Makes minor changes to avoid conflicting concepts
+ o Describes the actions of certain resource records as wildcards
+
+1.3.1 New Terms
+
+ To help in discussing what resource records are wildcards, two
+ terms will be defined - "asterisk label" and "wild card domain
+ name". These are defined in section 2.1.1.
+
+ To assist in clarifying the role of wildcards in the name server
+ algorithm in RFC 1034, 4.3.2, "source of synthesis" and "closest
+ encloser" are defined. These definitions are in section 3.3.2.
+ "Label match" is defined in section 3.2.
+
+DNSEXT Working Group Expires July 9, 2006 [Page 4]
+
+Internet-Draft dnsext-wcard January 9, 2006
+
+ The new terms are used to make discussions of wildcards clearer.
+ Terminology doesn't directly have an impact on implementations.
+
+1.3.2 Changed Text
+
+ The definition of "existence" is changed superficially. This
+ change will not be apparent to implementations; it is needed to
+ make descriptions more precise. The change appears in section
+ 2.2.3.
+
+ RFC 1034, section 4.3.3., seems to prohibit having two asterisk
+ labels in a wildcard owner name. With this document the
+ restriction is removed entirely. This change and its implications
+ are in section 2.1.3.
+
+ The actions when a source of synthesis owns a CNAME RR are
+ changed to mirror the actions if an exact match name owns a
+ CNAME RR. This is an addition to the words in RFC 1034,
+ section 4.3.2, step 3, part c. The discussion of this is in
+ section 3.3.3.
+
+ Only the latter change represents an impact to implementations.
+ The definition of existence is not a protocol impact. The change
+ to the restriction on names is unlikely to have an impact, as
+ RFC 1034 contained no specification on when and how to enforce the
+ restriction.
+
+1.3.3 Considerations with Special Types
+
+ This document describes semantics of wildcard RRSets for
+ "interesting" types as well as empty non-terminal wildcards.
+ Understanding these situations in the context of wildcards has
+ been clouded because these types incur special processing if
+ they are the result of an exact match. This discussion is in
+ section 4.
+
+ These discussions do not have an implementation impact, they cover
+ existing knowledge of the types, but to a greater level of detail.
+
+1.4 Standards Terminology
+
+ This document does not use terms as defined in "Key words for use
+ in RFCs to Indicate Requirement Levels." [RFC2119]
+
+ Quotations of RFC 1034 are denoted by a '#' in the leftmost
+ column. References to section "4.3.2" are assumed to refer
+ to RFC 1034's section 4.3.2, simply titled "Algorithm."
+
+
+
+
+
+DNSEXT Working Group Expires July 9, 2006 [Page 5]
+
+Internet-Draft dnsext-wcard January 9, 2006
+
+2. Wildcard Syntax
+
+ The syntax of a wildcard is the same as any other DNS resource
+ record, across all classes and types. The only significant
+ feature is the owner name.
+
+ Because wildcards are encoded as resource records with special
+ names, they are included in zone transfers and incremental zone
+ transfers[RFC1995] just as non-wildcard resource records are.
+ This feature has been under appreciated until discussions on
+ alternative approaches to wildcards appeared on mailing lists.
+
+2.1 Identifying a Wildcard
+
+ To provide a more accurate description of wildcards, the
+ definition has to start with a discussion of the domain names
+ that appear as owners. Two new terms are needed, "Asterisk
+ Label" and "Wild Card Domain Name."
+
+2.1.1 Wild Card Domain Name and Asterisk Label
+
+ A "wild card domain name" is defined by having its initial
+ (i.e., left-most or least significant) label be, in binary format:
+
+ 0000 0001 0010 1010 (binary) = 0x01 0x2a (hexadecimal)
+
+ The first octet is the normal label type and length for a 1 octet
+ long label, the second octet is the ASCII representation [RFC20]
+ for the '*' character.
+
+ A descriptive name of a label equaling that value is an "asterisk
+ label."
+
+ RFC 1034's definition of wildcard would be "a resource record
+ owned by a wild card domain name."
+
+2.1.2 Asterisks and Other Characters
+
+ No label values other than that in section 2.1.1 are asterisk
+ labels, hence names beginning with other labels are never wild
+ card domain names. Labels such as 'the*' and '**' are not
+ asterisk labels so these labels do not start wild card domain
+ names.
+
+2.1.3 Non-terminal Wild Card Domain Names
+
+ In section 4.3.3, the following is stated:
+
+# .......................... The owner name of the wildcard RRs is of
+# the form "*.<anydomain>", where <anydomain> is any domain name.
+# <anydomain> should not contain other * labels......................
+
+DNSEXT Working Group Expires July 9, 2006 [Page 6]
+
+Internet-Draft dnsext-wcard January 9, 2006
+
+ The restriction is now removed. The original documentation of it
+ is incomplete and the restriction does not serve any purpose
+ given years of operational experience.
+
+ There are three possible reasons for putting the restriction in
+ place, but none of the three has held up over time. One is
+ that the restriction meant that there would never be subdomains
+ of wild card domain names, but the restriciton as stated still
+ permits "example.*.example." for instance. Another is that
+ wild card domain names are not intended to be empty non-terminals,
+ but this situation does not disrupt the algorithm in 4.3.2.
+ Finally, "nested" wild card domain names are not ambiguous once
+ the concept of the closest encloser had been documented.
+
+ A wild card domain name can have subdomains. There is no need
+ to inspect the subdomains to see if there is another asterisk
+ label in any subdomain.
+
+ A wild card domain name can be an empty non-terminal. (See the
+ upcoming sections on empty non-terminals.) In this case, any
+ lookup encountering it will terminate as would any empty
+ non-terminal match.
+
+2.2 Existence Rules
+
+ The notion that a domain name 'exists' is mentioned in the
+ definition of wildcards. In section 4.3.3 of RFC 1034:
+
+# Wildcard RRs do not apply:
+#
+...
+# - When the query name or a name between the wildcard domain and
+# the query name is know[n] to exist. For example, if a wildcard
+
+ "Existence" is therefore an important concept in the understanding
+ of wildcards. Unfortunately, the definition of what exists, in RFC
+ 1034, is unclear. So, in sections 2.2.2. and 2.2.3, another look is
+ taken at the definition of existence.
+
+2.2.1 An Example
+
+ To illustrate what is meant by existence consider this complete
+ zone:
+
+
+
+
+
+
+
+
+
+DNSEXT Working Group Expires July 9, 2006 [Page 7]
+
+Internet-Draft dnsext-wcard January 9, 2006
+
+ $ORIGIN example.
+ example. 3600 IN SOA <SOA RDATA>
+ example. 3600 NS ns.example.com.
+ example. 3600 NS ns.example.net.
+ *.example. 3600 TXT "this is a wild card"
+ *.example. 3600 MX 10 host1.example.
+ sub.*.example. 3600 TXT "this is not a wild card"
+ host1.example. 3600 A 192.0.4.1
+ _ssh._tcp.host1.example. 3600 SRV <SRV RDATA>
+ _ssh._tcp.host2.example. 3600 SRV <SRV RDATA>
+ subdel.example. 3600 NS ns.example.com.
+ subdel.example. 3600 NS ns.example.net.
+
+ A look at the domain names in a tree structure is helpful:
+
+ |
+ -------------example------------
+ / / \ \
+ / / \ \
+ / / \ \
+ * host1 host2 subdel
+ | | |
+ | | |
+ sub _tcp _tcp
+ | |
+ | |
+ _ssh _ssh
+
+ The following responses would be synthesized from one of the
+ wildcards in the zone:
+
+ QNAME=host3.example. QTYPE=MX, QCLASS=IN
+ the answer will be a "host3.example. IN MX ..."
+
+ QNAME=host3.example. QTYPE=A, QCLASS=IN
+ the answer will reflect "no error, but no data"
+ because there is no A RR set at '*.example.'
+
+ QNAME=foo.bar.example. QTYPE=TXT, QCLASS=IN
+ the answer will be "foo.bar.example. IN TXT ..."
+ because bar.example. does not exist, but the wildcard
+ does.
+
+ The following responses would not be synthesized from any of the
+ wildcards in the zone:
+
+ QNAME=host1.example., QTYPE=MX, QCLASS=IN
+ because host1.example. exists
+
+ QNAME=sub.*.example., QTYPE=MX, QCLASS=IN
+ because sub.*.example. exists
+
+DNSEXT Working Group Expires July 9, 2006 [Page 8]
+
+Internet-Draft dnsext-wcard January 9, 2006
+
+ QNAME=_telnet._tcp.host1.example., QTYPE=SRV, QCLASS=IN
+ because _tcp.host1.example. exists (without data)
+
+ QNAME=host.subdel.example., QTYPE=A, QCLASS=IN
+ because subdel.example. exists (and is a zone cut)
+
+ QNAME=ghost.*.example., QTYPE=MX, QCLASS=IN
+ because *.example. exists
+
+ The final example highlights one common misconception about
+ wildcards. A wildcard "blocks itself" in the sense that a
+ wildcard does not match its own subdomains. I.e. "*.example."
+ does not match all names in the "example." zone, it fails to
+ match the names below "*.example." To cover names under
+ "*.example.", another wild card domain name is needed -
+ "*.*.example." - which covers all but it's own subdomains.
+
+2.2.2 Empty Non-terminals
+
+ Empty non-terminals [RFC2136, Section 7.16] are domain names
+ that own no resource records but have subdomains that do. In
+ section 2.2.1, "_tcp.host1.example." is an example of a empty
+ non-terminal name. Empty non-terminals are introduced by this
+ text in section 3.1 of RFC 1034:
+
+# The domain name space is a tree structure. Each node and leaf on
+# the tree corresponds to a resource set (which may be empty). The
+# domain system makes no distinctions between the uses of the
+# interior nodes and leaves, and this memo uses the term "node" to
+# refer to both.
+
+ The parenthesized "which may be empty" specifies that empty non-
+ terminals are explicitly recognized, and that empty non-terminals
+ "exist."
+
+ Pedantically reading the above paragraph can lead to an
+ interpretation that all possible domains exist - up to the
+ suggested limit of 255 octets for a domain name [RFC1035].
+ For example, www.example. may have an A RR, and as far as is
+ practically concerned, is a leaf of the domain tree. But the
+ definition can be taken to mean that sub.www.example. also
+ exists, albeit with no data. By extension, all possible domains
+ exist, from the root on down.
+
+ As RFC 1034 also defines "an authoritative name error indicating
+ that the name does not exist" in section 4.3.1, so this apparently
+ is not the intent of the original definition, justifying the
+ need for an updated definition in the next section.
+
+
+
+
+DNSEXT Working Group Expires July 9, 2006 [Page 9]
+
+Internet-Draft dnsext-wcard January 9, 2006
+
+2.2.3 Yet Another Definition of Existence
+
+ RFC1034's wording is fixed by the following paragraph:
+
+ The domain name space is a tree structure. Nodes in the tree
+ either own at least one RRSet and/or have descendants that
+ collectively own at least one RRSet. A node may exist with no
+ RRSets only if it has descendents that do, this node is an empty
+ non-terminal.
+
+ A node with no descendants is a leaf node. Empty leaf nodes do
+ not exist.
+
+ Note that at a zone boundary, the domain name owns data,
+ including the NS RR set. In the delegating zone, the NS RR
+ set is not authoritative, but that is of no consequence here.
+ The domain name owns data, therefore, it exists.
+
+2.3 When is a Wild Card Domain Name Not Special
+
+ When a wild card domain name appears in a message's query section,
+ no special processing occurs. An asterisk label in a query name
+ only matches a single, corresponding asterisk label in the
+ existing zone tree when the 4.3.2 algorithm is being followed.
+
+ When a wild card domain name appears in the resource data of a
+ record, no special processing occurs. An asterisk label in that
+ context literally means just an asterisk.
+
+3. Impact of a Wild Card Domain Name On a Response
+
+ RFC 1034's description of how wildcards impact response
+ generation is in its section 4.3.2. That passage contains the
+ algorithm followed by a server in constructing a response.
+ Within that algorithm, step 3, part 'c' defines the behavior of
+ the wildcard.
+
+ The algorithm in section 4.3.2. is not intended to be pseudo-code,
+ i.e., its steps are not intended to be followed in strict order.
+ The "algorithm" is a suggested means of implementing the
+ requirements. As such, in step 3, parts a, b, and c, do not have
+ to be implemented in that order, provided that the result of the
+ implemented code is compliant with the protocol's specification.
+
+3.1 Step 2
+
+ Step 2 of section 4.3.2 reads:
+
+# 2. Search the available zones for the zone which is the nearest
+# ancestor to QNAME. If such a zone is found, go to step 3,
+# otherwise step 4.
+
+DNSEXT Working Group Expires July 9, 2006 [Page 10]
+
+Internet-Draft dnsext-wcard January 9, 2006
+
+ In this step, the most appropriate zone for the response is
+ chosen. The significance of this step is that it means all of
+ step 3 is being performed within one zone. This has significance
+ when considering whether or not an SOA RR can be ever be used for
+ synthesis.
+
+3.2 Step 3
+
+ Step 3 is dominated by three parts, labelled 'a', 'b', and 'c'.
+ But the beginning of the step is important and needs explanation.
+
+# 3. Start matching down, label by label, in the zone. The
+# matching process can terminate several ways:
+
+ The word 'matching' refers to label matching. The concept
+ is based in the view of the zone as the tree of existing names.
+ The query name is considered to be an ordered sequence of
+ labels - as if the name were a path from the root to the owner
+ of the desired data. (Which it is - 3rd paragraph of RFC 1034,
+ section 3.1.)
+
+ The process of label matching a query name ends in exactly one of
+ three choices, the parts 'a', 'b', and 'c'. Either the name is
+ found, the name is below a cut point, or the name is not found.
+
+ Once one of the parts is chosen, the other parts are not
+ considered. (E.g., do not execute part 'c' and then change
+ the execution path to finish in part 'b'.) The process of label
+ matching is also done independent of the query type (QTYPE).
+
+ Parts 'a' and 'b' are not an issue for this clarification as they
+ do not relate to record synthesis. Part 'a' is an exact match
+ that results in an answer, part 'b' is a referral.
+
+3.3 Part 'c'
+
+ The context of part 'c' is that the process of label matching the
+ labels of the query name has resulted in a situation in which
+ there is no corresponding label in the tree. It is as if the
+ lookup has "fallen off the tree."
+
+# c. If at some label, a match is impossible (i.e., the
+# corresponding label does not exist), look to see if [...]
+# the "*" label exists.
+
+ To help describe the process of looking 'to see if [...] the "*"
+ label exists' a term has been coined to describe the last domain
+ (node) matched. The term is "closest encloser."
+
+
+
+
+DNSEXT Working Group Expires July 9, 2006 [Page 11]
+
+Internet-Draft dnsext-wcard January 9, 2006
+
+3.3.1 Closest Encloser and the Source of Synthesis
+
+ The closest encloser is the node in the zone's tree of existing
+ domain names that has the most labels matching the query name
+ (consecutively, counting from the root label downward). Each match
+ is a "label match" and the order of the labels is the same.
+
+ The closest encloser is, by definition, an existing name in the
+ zone. The closest encloser might be an empty non-terminal or even
+ be a wild card domain name itself. In no circumstances is the
+ closest encloser to be used to synthesize records for the current
+ query.
+
+ The source of synthesis is defined in the context of a query
+ process as that wild card domain name immediately descending
+ from the closest encloser, provided that this wild card domain
+ name exists. "Immediately descending" means that the source
+ of synthesis has a name of the form:
+ <asterisk label>.<closest encloser>.
+ A source of synthesis does not guarantee having a RRSet to use
+ for synthesis. The source of synthesis could be an empty
+ non-terminal.
+
+ If the source of synthesis does not exist (not on the domain
+ tree), there will be no wildcard synthesis. There is no search
+ for an alternate.
+
+ The important concept is that for any given lookup process, there
+ is at most one place at which wildcard synthetic records can be
+ obtained. If the source of synthesis does not exist, the lookup
+ terminates, the lookup does not look for other wildcard records.
+
+3.3.2 Closest Encloser and Source of Synthesis Examples
+
+ To illustrate, using the example zone in section 2.2.1 of this
+ document, the following chart shows QNAMEs and the closest
+ enclosers.
+
+ QNAME Closest Encloser Source of Synthesis
+ host3.example. example. *.example.
+ _telnet._tcp.host1.example. _tcp.host1.example. no source
+ _telnet._tcp.host2.example. host2.example. no source
+ _telnet._tcp.host3.example. example. *.example.
+ _chat._udp.host3.example. example. *.example.
+ foobar.*.example. *.example. no source
+
+
+
+
+
+
+
+DNSEXT Working Group Expires July 9, 2006 [Page 12]
+
+Internet-Draft dnsext-wcard January 9, 2006
+
+3.3.3 Type Matching
+
+ RFC 1034 concludes part 'c' with this:
+
+# If the "*" label does not exist, check whether the name
+# we are looking for is the original QNAME in the query
+# or a name we have followed due to a CNAME. If the name
+# is original, set an authoritative name error in the
+# response and exit. Otherwise just exit.
+#
+# If the "*" label does exist, match RRs at that node
+# against QTYPE. If any match, copy them into the answer
+# section, but set the owner of the RR to be QNAME, and
+# not the node with the "*" label. Go to step 6.
+
+ The final paragraph covers the role of the QTYPE in the lookup
+ process.
+
+ Based on implementation feedback and similarities between step
+ 'a' and step 'c' a change to this passage has been made.
+
+ The change is to add the following text to step 'c' prior to the
+ instructions to "go to step 6":
+
+ If the data at the source of synthesis is a CNAME, and
+ QTYPE doesn't match CNAME, copy the CNAME RR into the
+ answer section of the response changing the owner name
+ to the QNAME, change QNAME to the canonical name in the
+ CNAME RR, and go back to step 1.
+
+ This is essentially the same text in step a covering the
+ processing of CNAME RRSets.
+
+4. Considerations with Special Types
+
+ Sections 2 and 3 of this document discuss wildcard synthesis
+ with respect to names in the domain tree and ignore the impact
+ of types. In this section, the implication of wildcards of
+ specific types are discussed. The types covered are those
+ that have proven to be the most difficult to understand. The
+ types are SOA, NS, CNAME, DNAME, SRV, DS, NSEC, RRSIG and
+ "none," i.e., empty non-terminal wild card domain names.
+
+4.1 SOA RRSet at a Wild Card Domain Name
+
+ A wild card domain name owning an SOA RRSet means that the
+ domain is at the root of the zone (apex). The domain can not
+ be a source of synthesis because that is, by definition, a
+ descendent node (of the closest encloser) and a zone apex is
+ at the top of the zone.
+
+
+DNSEXT Working Group Expires July 9, 2006 [Page 13]
+
+Internet-Draft dnsext-wcard January 9, 2006
+
+ Although a wild card domain name owning an SOA RRSet can never
+ be a source of synthesis, there is no reason to forbid the
+ ownership of an SOA RRSet.
+
+ E.g., given this zone:
+ $ORIGIN *.example.
+ @ 3600 IN SOA <SOA RDATA>
+ 3600 NS ns1.example.com.
+ 3600 NS ns1.example.net.
+ www 3600 TXT "the www txt record"
+
+ A query for www.*.example.'s TXT record would still find the
+ "the www txt record" answer. The asterisk label only becomes
+ significant when section 4.3.2, step 3 part 'c' is in effect.
+
+ Of course, there would need to be a delegation in the parent
+ zone, "example." for this to work too. This is covered in the
+ next section.
+
+4.2 NS RRSet at a Wild Card Domain Name
+
+ With the definition of DNSSEC [RFC4033, RFC4034, RFC4035] now
+ in place, the semantics of a wild card domain name owning an
+ NS RRSet has come to be poorly defined. The dilemma relates to
+ a conflict between the rules for synthesis in part 'c' and the
+ fact that the resulting synthesis generates a record for which
+ the zone is not authoritative. In a DNSSEC signed zone, the
+ mechanics of signature management (generation and inclusion
+ in a message) have become unclear.
+
+ Salient points of the working group discussion on this topic is
+ summarized in section 4.2.1.
+
+ As a result of these discussion, there is no definition given for
+ wild card domain names owning an NS RRSet. The semantics are
+ left undefined until there is a clear need to have a set defined,
+ and until there is a clear direction to proceed. Operationally,
+ inclusion of wild card NS RRSets in a zone is discouraged, but
+ not barred.
+
+4.2.1 Discarded Notions
+
+ Prior to DNSSEC, a wild card domain name owning a NS RRSet
+ appeared to be workable, and there are some instances in which
+ it is found in deployments using implementations that support
+ this. Continuing to allow this in the specification is not
+ tenable with DNSSEC. The reason is that the synthesis of the
+ NS RRSet is being done in a zone that has delegated away the
+ responsibility for the name. This "unauthorized" synthesis is
+ not a problem for the base DNS protocol, but DNSSEC, in affirming
+ the authorization model for DNS exposes the problem.
+
+DNSEXT Working Group Expires July 9, 2006 [Page 14]
+
+Internet-Draft dnsext-wcard January 9, 2006
+
+ Outright banning of wildcards of type NS is also untenable as
+ the DNS protocol does not define how to handle "illegal" data.
+ Implementations may choose not to load a zone, but there is no
+ protocol definition. The lack of the definition is complicated
+ by having to cover dynamic update [RFC 2136], zone transfers,
+ as well as loading at the master server. The case of a client
+ (resolver, caching server) getting a wildcard of type NS in
+ a reply would also have to be considered.
+
+ Given the daunting challenge of a complete definition of how to
+ ban such records, dealing with existing implementations that
+ permit the records today is a further complication. There are
+ uses of wild card domain name owning NS RRSets.
+
+ One compromise proposed would have redefined wildcards of type
+ NS to not be used in synthesis, this compromise fell apart
+ because it would have required significant edits to the DNSSEC
+ signing and validation work. (Again, DNSSEC catches
+ unauthorized data.)
+
+ With no clear consensus forming on the solution to this dilemma,
+ and the realization that wildcards of type NS are a rarity in
+ operations, the best course of action is to leave this open-ended
+ until "it matters."
+
+4.3 CNAME RRSet at a Wild Card Domain Name
+
+ The issue of a CNAME RRSet owned by a wild card domain name has
+ prompted a suggested change to the last paragraph of step 3c of
+ the algorithm in 4.3.2. The changed text appears in section
+ 3.3.3 of this document.
+
+4.4 DNAME RRSet at a Wild Card Domain Name
+
+ Ownership of a DNAME [RFC2672] RRSet by a wild card domain name
+ represents a threat to the coherency of the DNS and is to be
+ avoided or outright rejected. Such a DNAME RRSet represents
+ non-deterministic synthesis of rules fed to different caches.
+ As caches are fed the different rules (in an unpredictable
+ manner) the caches will cease to be coherent. ("As caches
+ are fed" refers to the storage in a cache of records obtained
+ in responses by recursive or iterative servers.)
+
+ For example, assume one cache, responding to a recursive
+ request, obtains the record:
+ "a.b.example. DNAME foo.bar.example.net."
+ and another cache obtains:
+ "b.example. DNAME foo.bar.example.net."
+ both generated from the record:
+ "*.example. DNAME foo.bar.example.net."
+ by an authoritative server.
+
+DNSEXT Working Group Expires July 9, 2006 [Page 15]
+
+Internet-Draft dnsext-wcard January 9, 2006
+
+ The DNAME specification is not clear on whether DNAME records
+ in a cache are used to rewrite queries. In some interpretations,
+ the rewrite occurs, in some, it is not. Allowing for the
+ occurrence of rewriting, queries for "sub.a.b.example. A" may
+ be rewritten as "sub.foo.bar.tld. A" by the former caching
+ server and may be rewritten as "sub.a.foo.bar.tld. A" by the
+ latter. Coherency is lost, an operational nightmare ensues.
+
+ Another justification for banning or avoiding wildcard DNAME
+ records is the observation that such a record could synthesize
+ a DNAME owned by "sub.foo.bar.example." and "foo.bar.example."
+ There is a restriction in the DNAME definition that no domain
+ exist below a DNAME-owning domain, hence, the wildcard DNAME
+ is not to be permitted.
+
+4.5 SRV RRSet at a Wild Card Domain Name
+
+ The definition of the SRV RRset is RFC 2782 [RFC2782]. In the
+ definition of the record, there is some confusion over the term
+ "Name." The definition reads as follows:
+
+# The format of the SRV RR
+...
+# _Service._Proto.Name TTL Class SRV Priority Weight Port Target
+...
+# Name
+# The domain this RR refers to. The SRV RR is unique in that the
+# name one searches for is not this name; the example near the end
+# shows this clearly.
+
+ Do not confuse the definition "Name" with the owner name. I.e.,
+ once removing the _Service and _Proto labels from the owner name
+ of the SRV RRSet, what remains could be a wild card domain name
+ but this is immaterial to the SRV RRSet.
+
+ E.g., If an SRV record is:
+ _foo._udp.*.example. 10800 IN SRV 0 1 9 old-slow-box.example.
+
+ *.example is a wild card domain name and although it is the Name
+ of the SRV RR, it is not the owner (domain name). The owner
+ domain name is "_foo._udp.*.example." which is not a wild card
+ domain name.
+
+ The confusion is likely based on the mixture of the specification
+ of the SRV RR and the description of a "use case."
+
+4.6 DS RRSet at a Wild Card Domain Name
+
+ A DS RRSet owned by a wild card domain name is meaningless and
+ harmless. This statement is made in the context that an NS RRSet
+ at a wild card domain name is undefined. At a non-delegation
+
+DNSEXT Working Group Expires July 9, 2006 [Page 16]
+
+Internet-Draft dnsext-wcard January 9, 2006
+
+ point, a DS RRSet has no value (no corresponding DNSKEY RRSet
+ will be used in DNSSEC validation). If there is a synthesized
+ DS RRSet, it alone will not be very useful as it exists in the
+ context of a delegation point.
+
+4.7 NSEC RRSet at a Wild Card Domain Name
+
+ Wild card domain names in DNSSEC signed zones will have an NSEC
+ RRSet. Synthesis of these records will only occur when the
+ query exactly matches the record. Synthesized NSEC RR's will not
+ be harmful as they will never be used in negative caching or to
+ generate a negative response. [RFC2308]
+
+4.8 RRSIG at a Wild Card Domain Name
+
+ RRSIG records will be present at a wild card domain name in a
+ signed zone, and will be synthesized along with data sought in a
+ query. The fact that the owner name is synthesized is not a
+ problem as the label count in the RRSIG will instruct the
+ verifying code to ignore it.
+
+4.9 Empty Non-terminal Wild Card Domain Name
+
+ If a source of synthesis is an empty non-terminal, then the
+ response will be one of no error in the return code and no RRSet
+ in the answer section.
+
+5. Security Considerations
+
+ This document is refining the specifications to make it more
+ likely that security can be added to DNS. No functional
+ additions are being made, just refining what is considered
+ proper to allow the DNS, security of the DNS, and extending
+ the DNS to be more predictable.
+
+6. IANA Considerations
+
+ None.
+
+7. References
+
+ Normative References
+
+ [RFC20] ASCII Format for Network Interchange, V.G. Cerf,
+ Oct-16-1969
+
+ [RFC1034] Domain Names - Concepts and Facilities,
+ P.V. Mockapetris, Nov-01-1987
+
+ [RFC1035] Domain Names - Implementation and Specification, P.V
+ Mockapetris, Nov-01-1987
+
+DNSEXT Working Group Expires July 9, 2006 [Page 17]
+
+Internet-Draft dnsext-wcard January 9, 2006
+
+ [RFC1995] Incremental Zone Transfer in DNS, M. Ohta, August 1996
+
+ [RFC2119] Key Words for Use in RFCs to Indicate Requirement
+ Levels, S Bradner, March 1997
+
+ [RFC2308] Negative Caching of DNS Queries (DNS NCACHE),
+ M. Andrews, March 1998
+
+ [RFC2672] Non-Terminal DNS Name Redirection, M. Crawford,
+ August 1999.
+
+ [RFC2782] A DNS RR for specifying the location of services (DNS
+ SRV), A. Gulbrandsen, et.al., February 2000
+
+ [RFC4033] DNS Security Introduction and Requirements, R. Arends,
+ et.al., March 2005
+
+ [RFC4034] Resource Records for the DNS Security Extensions,
+ R. Arends, et.al., March 2005
+
+ [RFC4035] Protocol Modifications for the DNS Security Extensions,
+ R. Arends, et.al., March 2005
+
+ Informative References
+
+ [RFC2136] Dynamic Updates in the Domain Name System (DNS UPDATE),
+ P. Vixie, Ed., S. Thomson, Y. Rekhter, J. Bound,
+ April 1997
+
+8. Editor
+
+ Name: Edward Lewis
+ Affiliation: NeuStar
+ Address: 46000 Center Oak Plaza, Sterling, VA, 20166, US
+ Phone: +1-571-434-5468
+ Email: ed.lewis@neustar.biz
+
+ Comments on this document can be sent to the editor or the mailing
+ list for the DNSEXT WG, namedroppers@ops.ietf.org.
+
+9. Others Contributing to the Document
+
+ This document represents the work of a large working group. The
+ editor merely recorded the collective wisdom of the working group.
+
+
+
+
+
+
+
+
+
+DNSEXT Working Group Expires July 9, 2006 [Page 17]
+
+Internet-Draft dnsext-wcard January 9, 2006
+
+10. Trailing Boilerplate
+
+ Copyright (C) The Internet Society (2006).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided
+ on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION
+ HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET
+ SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL
+ WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO
+ ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT
+ INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of
+ any Intellectual Property Rights or other rights that might
+ be claimed to pertain to the implementation or use of the
+ technology described in this document or the extent to which
+ any license under such rights might or might not be available;
+ nor does it represent that it has made any independent effort
+ to identify any such rights. Information on the procedures
+ with respect to rights in RFC documents can be found in BCP 78
+ and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the
+ use of such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR
+ repository at http://www.ietf.org/ipr. The IETF invites any
+ interested party to bring to its attention any copyrights,
+ patents or patent applications, or other proprietary rights
+ that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+Expiration
+
+ This document expires on or about July 9, 2006.
+
+
+
+DNSEXT Working Group Expires July 9, 2006 [Page 19]
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsop-bad-dns-res-05.txt b/contrib/bind9/doc/draft/draft-ietf-dnsop-bad-dns-res-05.txt
new file mode 100644
index 0000000..0855ba3
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsop-bad-dns-res-05.txt
@@ -0,0 +1,1232 @@
+
+
+
+DNS Operations M. Larson
+Internet-Draft P. Barber
+Expires: August 14, 2006 VeriSign
+ February 10, 2006
+
+
+ Observed DNS Resolution Misbehavior
+ draft-ietf-dnsop-bad-dns-res-05
+
+Status of this Memo
+
+ By submitting this Internet-Draft, each author represents that any
+ applicable patent or other IPR claims of which he or she is aware
+ have been or will be disclosed, and any of which he or she becomes
+ aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on August 14, 2006.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2006).
+
+Abstract
+
+ This memo describes DNS iterative resolver behavior that results in a
+ significant query volume sent to the root and top-level domain (TLD)
+ name servers. We offer implementation advice to iterative resolver
+ developers to alleviate these unnecessary queries. The
+ recommendations made in this document are a direct byproduct of
+ observation and analysis of abnormal query traffic patterns seen at
+ two of the thirteen root name servers and all thirteen com/net TLD
+ name servers.
+
+
+
+Larson & Barber Expires August 14, 2006 [Page 1]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2006
+
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [1].
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 1.1. A note about terminology in this memo . . . . . . . . . . 3
+ 2. Observed iterative resolver misbehavior . . . . . . . . . . . 5
+ 2.1. Aggressive requerying for delegation information . . . . . 5
+ 2.1.1. Recommendation . . . . . . . . . . . . . . . . . . . . 6
+ 2.2. Repeated queries to lame servers . . . . . . . . . . . . . 7
+ 2.2.1. Recommendation . . . . . . . . . . . . . . . . . . . . 7
+ 2.3. Inability to follow multiple levels of indirection . . . . 8
+ 2.3.1. Recommendation . . . . . . . . . . . . . . . . . . . . 9
+ 2.4. Aggressive retransmission when fetching glue . . . . . . . 9
+ 2.4.1. Recommendation . . . . . . . . . . . . . . . . . . . . 10
+ 2.5. Aggressive retransmission behind firewalls . . . . . . . . 10
+ 2.5.1. Recommendation . . . . . . . . . . . . . . . . . . . . 11
+ 2.6. Misconfigured NS records . . . . . . . . . . . . . . . . . 11
+ 2.6.1. Recommendation . . . . . . . . . . . . . . . . . . . . 12
+ 2.7. Name server records with zero TTL . . . . . . . . . . . . 12
+ 2.7.1. Recommendation . . . . . . . . . . . . . . . . . . . . 13
+ 2.8. Unnecessary dynamic update messages . . . . . . . . . . . 13
+ 2.8.1. Recommendation . . . . . . . . . . . . . . . . . . . . 14
+ 2.9. Queries for domain names resembling IPv4 addresses . . . . 14
+ 2.9.1. Recommendation . . . . . . . . . . . . . . . . . . . . 14
+ 2.10. Misdirected recursive queries . . . . . . . . . . . . . . 15
+ 2.10.1. Recommendation . . . . . . . . . . . . . . . . . . . . 15
+ 2.11. Suboptimal name server selection algorithm . . . . . . . . 15
+ 2.11.1. Recommendation . . . . . . . . . . . . . . . . . . . . 16
+ 3. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 17
+ 4. IANA considerations . . . . . . . . . . . . . . . . . . . . . 18
+ 5. Security considerations . . . . . . . . . . . . . . . . . . . 19
+ 6. Internationalization considerations . . . . . . . . . . . . . 20
+ 7. Informative References . . . . . . . . . . . . . . . . . . . . 20
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 21
+ Intellectual Property and Copyright Statements . . . . . . . . . . 22
+
+
+
+
+
+
+
+
+
+
+
+
+Larson & Barber Expires August 14, 2006 [Page 2]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2006
+
+
+1. Introduction
+
+ Observation of query traffic received by two root name servers and
+ the thirteen com/net TLD name servers has revealed that a large
+ proportion of the total traffic often consists of "requeries". A
+ requery is the same question (<QNAME, QTYPE, QCLASS>) asked
+ repeatedly at an unexpectedly high rate. We have observed requeries
+ from both a single IP address and multiple IP addresses (i.e., the
+ same query received simultaneously from multiple IP addresses).
+
+ By analyzing requery events we have found that the cause of the
+ duplicate traffic is almost always a deficient iterative resolver,
+ stub resolver or application implementation combined with an
+ operational anomaly. The implementation deficiencies we have
+ identified to date include well-intentioned recovery attempts gone
+ awry, insufficient caching of failures, early abort when multiple
+ levels of indirection must be followed, and aggressive retry by stub
+ resolvers or applications. Anomalies that we have seen trigger
+ requery events include lame delegations, unusual glue records, and
+ anything that makes all authoritative name servers for a zone
+ unreachable (DoS attacks, crashes, maintenance, routing failures,
+ congestion, etc.).
+
+ In the following sections, we provide a detailed explanation of the
+ observed behavior and recommend changes that will reduce the requery
+ rate. None of the changes recommended affects the core DNS protocol
+ specification; instead, this document consists of guidelines to
+ implementors of iterative resolvers.
+
+1.1. A note about terminology in this memo
+
+ To recast an old saying about standards, the nice thing about DNS
+ terms is that there are so many of them to choose from. Writing or
+ talking about DNS can be difficult and cause confusion resulting from
+ a lack of agreed-upon terms for its various components. Further
+ complicating matters are implementations that combine multiple roles
+ into one piece of software, which makes naming the result
+ problematic. An example is the entity that accepts recursive
+ queries, issues iterative queries as necessary to resolve the initial
+ recursive query, caches responses it receives, and which is also able
+ to answer questions about certain zones authoritatively. This entity
+ is an iterative resolver combined with an authoritative name server
+ and is often called a "recursive name server" or a "caching name
+ server".
+
+ This memo is concerned principally with the behavior of iterative
+ resolvers, which are typically found as part of a recursive name
+ server. This memo uses the more precise term "iterative resolver",
+
+
+
+Larson & Barber Expires August 14, 2006 [Page 3]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2006
+
+
+ because the focus is usually on that component. In instances where
+ the name server role of this entity requires mentioning, this memo
+ uses the term "recursive name server". As an example of the
+ difference, the name server component of a recursive name server
+ receives DNS queries and the iterative resolver component sends
+ queries.
+
+ The advent of IPv6 requires mentioning AAAA records as well as A
+ records when discussing glue. To avoid continuous repetition and
+ qualification, this memo uses the general term "address record" to
+ encompass both A and AAAA records when a particular situation is
+ relevant to both types.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Larson & Barber Expires August 14, 2006 [Page 4]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2006
+
+
+2. Observed iterative resolver misbehavior
+
+2.1. Aggressive requerying for delegation information
+
+ There can be times when every name server in a zone's NS RRset is
+ unreachable (e.g., during a network outage), unavailable (e.g., the
+ name server process is not running on the server host) or
+ misconfigured (e.g., the name server is not authoritative for the
+ given zone, also known as "lame"). Consider an iterative resolver
+ that attempts to resolve a query for a domain name in such a zone and
+ discovers that none of the zone's name servers can provide an answer.
+ We have observed a recursive name server implementation whose
+ iterative resolver then verifies the zone's NS RRset in its cache by
+ querying for the zone's delegation information: it sends a query for
+ the zone's NS RRset to one of the parent zone's name servers. (Note
+ that queries with QTYPE=NS are not required by the standard
+ resolution algorithm described in section 4.3.2 of RFC 1034 [2].
+ These NS queries represent this implementation's addition to that
+ algorithm.)
+
+ For example, suppose that "example.com" has the following NS RRset:
+
+ example.com. IN NS ns1.example.com.
+ example.com. IN NS ns2.example.com.
+
+ Upon receipt of a query for "www.example.com" and assuming that
+ neither "ns1.example.com" nor "ns2.example.com" can provide an
+ answer, this iterative resolver implementation immediately queries a
+ "com" zone name server for the "example.com" NS RRset to verify it
+ has the proper delegation information. This implementation performs
+ this query to a zone's parent zone for each recursive query it
+ receives that fails because of a completely unresponsive set of name
+ servers for the target zone. Consider the effect when a popular zone
+ experiences a catastrophic failure of all its name servers: now every
+ recursive query for domain names in that zone sent to this recursive
+ name server implementation results in a query to the failed zone's
+ parent name servers. On one occasion when several dozen popular
+ zones became unreachable, the query load on the com/net name servers
+ increased by 50%.
+
+ We believe this verification query is not reasonable. Consider the
+ circumstances: When an iterative resolver is resolving a query for a
+ domain name in a zone it has not previously searched, it uses the
+ list of name servers in the referral from the target zone's parent.
+ If on its first attempt to search the target zone, none of the name
+ servers in the referral is reachable, a verification query to the
+ parent would be pointless: this query to the parent would come so
+ quickly on the heels of the referral that it would be almost certain
+
+
+
+Larson & Barber Expires August 14, 2006 [Page 5]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2006
+
+
+ to contain the same list of name servers. The chance of discovering
+ any new information is slim.
+
+ The other possibility is that the iterative resolver successfully
+ contacts one of the target zone's name servers and then caches the NS
+ RRset from the authority section of a response, the proper behavior
+ according to section 5.4.1 of RFC 2181 [3], because the NS RRset from
+ the target zone is more trustworthy than delegation information from
+ the parent zone. If, while processing a subsequent recursive query,
+ the iterative resolver discovers that none of the name servers
+ specified in the cached NS RRset is available or authoritative,
+ querying the parent would be wrong. An NS RRset from the parent zone
+ would now be less trustworthy than data already in the cache.
+
+ For this query of the parent zone to be useful, the target zone's
+ entire set of name servers would have to change AND the former set of
+ name servers would have to be deconfigured or decommissioned AND the
+ delegation information in the parent zone would have to be updated
+ with the new set of name servers, all within the TTL of the target
+ zone's NS RRset. We believe this scenario is uncommon:
+ administrative best practices dictate that changes to a zone's set of
+ name servers happen gradually when at all possible, with servers
+ removed from the NS RRset left authoritative for the zone as long as
+ possible. The scenarios that we can envision that would benefit from
+ the parent requery behavior do not outweigh its damaging effects.
+
+ This section should not be understood to claim that all queries to a
+ zone's parent are bad. In some cases, such queries are not only
+ reasonable but required. Consider the situation when required
+ information, such as the address of a name server (i.e., the address
+ record corresponding to the RDATA of an NS record), has timed out of
+ an iterative resolver's cache before the corresponding NS record. If
+ the name of the name server is below the apex of the zone, then the
+ name server's address record is only available as glue in the parent
+ zone. For example, consider this NS record:
+
+ example.com. IN NS ns.example.com.
+
+ If a cache has this NS record but not the address record for
+ "ns.example.com", it is unable to contact the "example.com" zone
+ directly and must query the "com" zone to obtain the address record.
+ Note, however, that such a query would not have QTYPE=NS according to
+ the standard resolution algorithm.
+
+2.1.1. Recommendation
+
+ An iterative resolver MUST NOT send a query for the NS RRset of a
+ non-responsive zone to any of the name servers for that zone's parent
+
+
+
+Larson & Barber Expires August 14, 2006 [Page 6]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2006
+
+
+ zone. For the purposes of this injunction, a non-responsive zone is
+ defined as a zone for which every name server listed in the zone's NS
+ RRset:
+
+ 1. is not authoritative for the zone (i.e., lame), or,
+
+ 2. returns a server failure response (RCODE=2), or,
+
+ 3. is dead or unreachable according to section 7.2 of RFC 2308 [4].
+
+2.2. Repeated queries to lame servers
+
+ Section 2.1 describes a catastrophic failure: when every name server
+ for a zone is unable to provide an answer for one reason or another.
+ A more common occurrence is when a subset of a zone's name servers
+ are unavailable or misconfigured. Different failure modes have
+ different expected durations. Some symptoms indicate problems that
+ are potentially transient; for example, various types of ICMP
+ unreachable messages because a name server process is not running or
+ a host or network is unreachable, or a complete lack of a response to
+ a query. Such responses could be the result of a host rebooting or
+ temporary outages; these events don't necessarily require any human
+ intervention and can be reasonably expected to be temporary.
+
+ Other symptoms clearly indicate a condition requiring human
+ intervention, such as lame server: if a name server is misconfigured
+ and not authoritative for a zone delegated to it, it is reasonable to
+ assume that this condition has potential to last longer than
+ unreachability or unresponsiveness. Consequently, repeated queries
+ to known lame servers are not useful. In this case of a condition
+ with potential to persist for a long time, a better practice would be
+ to maintain a list of known lame servers and avoid querying them
+ repeatedly in a short interval.
+
+ It should also be noted, however, that some authoritative name server
+ implementations appear to be lame only for queries of certain types
+ as described in RFC 4074 [5]. In this case, it makes sense to retry
+ the "lame" servers for other types of queries, particularly when all
+ known authoritative name servers appear to be "lame".
+
+2.2.1. Recommendation
+
+ Iterative resolvers SHOULD cache name servers that they discover are
+ not authoritative for zones delegated to them (i.e. lame servers).
+ If this caching is performed, lame servers MUST be cached against the
+ specific query tuple <zone name, class, server IP address>. Zone
+ name can be derived from the owner name of the NS record that was
+ referenced to query the name server that was discovered to be lame.
+
+
+
+Larson & Barber Expires August 14, 2006 [Page 7]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2006
+
+
+ Implementations that perform lame server caching MUST refrain from
+ sending queries to known lame servers based on a time interval from
+ when the server is discovered to be lame. A minimum interval of
+ thirty minutes is RECOMMENDED.
+
+ An exception to this recommendation occurs if all name servers for a
+ zone are marked lame. In that case, the iterative resolver SHOULD
+ temporarily ignore the servers' lameness status and query one or more
+ servers. This behavior is a workaround for the type-specific
+ lameness issue described in the previous section.
+
+ Implementors should take care not to make lame server avoidance logic
+ overly broad: note that a name server could be lame for a parent zone
+ but not a child zone, e.g., lame for "example.com" but properly
+ authoritative for "sub.example.com". Therefore a name server should
+ not be automatically considered lame for subzones. In the case
+ above, even if a name server is known to be lame for "example.com",
+ it should be queried for QNAMEs at or below "sub.example.com" if an
+ NS record indicates it should be authoritative for that zone.
+
+2.3. Inability to follow multiple levels of indirection
+
+ Some iterative resolver implementations are unable to follow
+ sufficient levels of indirection. For example, consider the
+ following delegations:
+
+ foo.example. IN NS ns1.example.com.
+ foo.example. IN NS ns2.example.com.
+
+ example.com. IN NS ns1.test.example.net.
+ example.com. IN NS ns2.test.example.net.
+
+ test.example.net. IN NS ns1.test.example.net.
+ test.example.net. IN NS ns2.test.example.net.
+
+ An iterative resolver resolving the name "www.foo.example" must
+ follow two levels of indirection, first obtaining address records for
+ "ns1.test.example.net" or "ns2.test.example.net" in order to obtain
+ address records for "ns1.example.com" or "ns2.example.com" in order
+ to query those name servers for the address records of
+ "www.foo.example". While this situation may appear contrived, we
+ have seen multiple similar occurrences and expect more as new generic
+ top-level domains (gTLDs) become active. We anticipate many zones in
+ new gTLDs will use name servers in existing gTLDs, increasing the
+ number of delegations using out-of-zone name servers.
+
+
+
+
+
+
+Larson & Barber Expires August 14, 2006 [Page 8]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2006
+
+
+2.3.1. Recommendation
+
+ Clearly constructing a delegation that relies on multiple levels of
+ indirection is not a good administrative practice. However, the
+ practice is widespread enough to require that iterative resolvers be
+ able to cope with it. Iterative resolvers SHOULD be able to handle
+ arbitrary levels of indirection resulting from out-of-zone name
+ servers. Iterative resolvers SHOULD implement a level-of-effort
+ counter to avoid loops or otherwise performing too much work in
+ resolving pathological cases.
+
+ A best practice that avoids this entire issue of indirection is to
+ name one or more of a zone's name servers in the zone itself. For
+ example, if the zone is named "example.com", consider naming some of
+ the name servers "ns{1,2,...}.example.com" (or similar).
+
+2.4. Aggressive retransmission when fetching glue
+
+ When an authoritative name server responds with a referral, it
+ includes NS records in the authority section of the response.
+ According to the algorithm in section 4.3.2 of RFC 1034 [2], the name
+ server should also "put whatever addresses are available into the
+ additional section, using glue RRs if the addresses are not available
+ from authoritative data or the cache." Some name server
+ implementations take this address inclusion a step further with a
+ feature called "glue fetching". A name server that implements glue
+ fetching attempts to include address records for every NS record in
+ the authority section. If necessary, the name server issues multiple
+ queries of its own to obtain any missing address records.
+
+ Problems with glue fetching can arise in the context of
+ "authoritative-only" name servers, which only serve authoritative
+ data and ignore requests for recursion. Such an entity will not
+ normally generate any queries of its own. Instead it answers non-
+ recursive queries from iterative resolvers looking for information in
+ zones it serves. With glue fetching enabled, however, an
+ authoritative server invokes an iterative resolver to look up an
+ unknown address record to complete the additional section of a
+ response.
+
+ We have observed situations where the iterative resolver of a glue-
+ fetching name server can send queries that reach other name servers,
+ but is apparently prevented from receiving the responses. For
+ example, perhaps the name server is authoritative-only and therefore
+ its administrators expect it to receive only queries and not
+ responses. Perhaps unaware of glue fetching and presuming that the
+ name server's iterative resolver will generate no queries, its
+ administrators place the name server behind a network device that
+
+
+
+Larson & Barber Expires August 14, 2006 [Page 9]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2006
+
+
+ prevents it from receiving responses. If this is the case, all glue-
+ fetching queries will go answered.
+
+ We have observed name server implementations whose iterative
+ resolvers retry excessively when glue-fetching queries are
+ unanswered. A single com/net name server has received hundreds of
+ queries per second from a single such source. Judging from the
+ specific queries received and based on additional analysis, we
+ believe these queries result from overly aggressive glue fetching.
+
+2.4.1. Recommendation
+
+ Implementers whose name servers support glue fetching SHOULD take
+ care to avoid sending queries at excessive rates. Implementations
+ SHOULD support throttling logic to detect when queries are sent but
+ no responses are received.
+
+2.5. Aggressive retransmission behind firewalls
+
+ A common occurrence and one of the largest sources of repeated
+ queries at the com/net and root name servers appears to result from
+ resolvers behind misconfigured firewalls. In this situation, an
+ iterative resolver is apparently allowed to send queries through a
+ firewall to other name servers, but not receive the responses. The
+ result is more queries than necessary because of retransmission, all
+ of which are useless because the responses are never received. Just
+ as with the glue-fetching scenario described in Section 2.4, the
+ queries are sometimes sent at excessive rates. To make matters
+ worse, sometimes the responses, sent in reply to legitimate queries,
+ trigger an alarm on the originator's intrusion detection system. We
+ are frequently contacted by administrators responding to such alarms
+ who believe our name servers are attacking their systems.
+
+ Not only do some resolvers in this situation retransmit queries at an
+ excessive rate, but they continue to do so for days or even weeks.
+ This scenario could result from an organization with multiple
+ recursive name servers, only a subset of whose iterative resolvers'
+ traffic is improperly filtered in this manner. Stub resolvers in the
+ organization could be configured to query multiple recursive name
+ servers. Consider the case where a stub resolver queries a filtered
+ recursive name server first. The iterative resolver of this
+ recursive name server sends one or more queries whose replies are
+ filtered, so it can't respond to the stub resolver, which times out.
+ Then the stub resolver retransmits to a recursive name server that is
+ able to provide an answer. Since resolution ultimately succeeds the
+ underlying problem might not be recognized or corrected. A popular
+ stub resolver implementation has a very aggressive retransmission
+ schedule, including simultaneous queries to multiple recursive name
+
+
+
+Larson & Barber Expires August 14, 2006 [Page 10]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2006
+
+
+ servers, which could explain how such a situation could persist
+ without being detected.
+
+2.5.1. Recommendation
+
+ The most obvious recommendation is that administrators SHOULD take
+ care not to place iterative resolvers behind a firewall that allows
+ queries to pass through but not the resulting replies.
+
+ Iterative resolvers SHOULD take care to avoid sending queries at
+ excessive rates. Implementations SHOULD support throttling logic to
+ detect when queries are sent but no responses are received.
+
+2.6. Misconfigured NS records
+
+ Sometimes a zone administrator forgets to add the trailing dot on the
+ domain names in the RDATA of a zone's NS records. Consider this
+ fragment of the zone file for "example.com":
+
+ $ORIGIN example.com.
+ example.com. 3600 IN NS ns1.example.com ; Note missing
+ example.com. 3600 IN NS ns2.example.com ; trailing dots
+
+ The zone's authoritative servers will parse the NS RDATA as
+ "ns1.example.com.example.com" and "ns2.example.com.example.com" and
+ return NS records with this incorrect RDATA in responses, including
+ typically the authority section of every response containing records
+ from the "example.com" zone.
+
+ Now consider a typical sequence of queries. An iterative resolver
+ attempting to resolve address records for "www.example.com" with no
+ cached information for this zone will query a "com" authoritative
+ server. The "com" server responds with a referral to the
+ "example.com" zone, consisting of NS records with valid RDATA and
+ associated glue records. (This example assumes that the
+ "example.com" zone delegation information is correct in the "com"
+ zone.) The iterative resolver caches the NS RRset from the "com"
+ server and follows the referral by querying one of the "example.com"
+ authoritative servers. This server responds with the
+ "www.example.com" address record in the answer section and,
+ typically, the "example.com" NS records in the authority section and,
+ if space in the message remains, glue address records in the
+ additional section. According to Section 5.4 of RFC 2181 [3], NS
+ records in the authority section of an authoritative answer are more
+ trustworthy than NS records from the authority section of a non-
+ authoritative answer. Thus the "example.com" NS RRset just received
+ from the "example.com" authoritative server overrides the
+ "example.com" NS RRset received moments ago from the "com"
+
+
+
+Larson & Barber Expires August 14, 2006 [Page 11]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2006
+
+
+ authoritative server.
+
+ But the "example.com" zone contains the erroneous NS RRset as shown
+ in the example above. Subsequent queries for names in "example.com"
+ will cause the iterative resolver to attempt to use the incorrect NS
+ records and so it will try to resolve the nonexistent names
+ "ns1.example.com.example.com" and "ns2.example.com.example.com". In
+ this example, since all of the zone's name servers are named in the
+ zone itself (i.e., "ns1.example.com.example.com" and
+ "ns2.example.com.example.com" both end in "example.com") and all are
+ bogus, the iterative resolver cannot reach any "example.com" name
+ servers. Therefore attempts to resolve these names result in address
+ record queries to the "com" authoritative servers. Queries for such
+ obviously bogus glue address records occur frequently at the com/net
+ name servers.
+
+2.6.1. Recommendation
+
+ An authoritative server can detect this situation. A trailing dot
+ missing from an NS record's RDATA always results by definition in a
+ name server name that exists somewhere under the apex of the zone the
+ NS record appears in. Note that further levels of delegation are
+ possible, so a missing trailing dot could inadvertently create a name
+ server name that actually exists in a subzone.
+
+ An authoritative name server SHOULD issue a warning when one of a
+ zone's NS records references a name server below the zone's apex when
+ a corresponding address record does not exist in the zone AND there
+ are no delegated subzones where the address record could exist.
+
+2.7. Name server records with zero TTL
+
+ Sometimes a popular com/net subdomain's zone is configured with a TTL
+ of zero on the zone's NS records, which prohibits these records from
+ being cached and will result in a higher query volume to the zone's
+ authoritative servers. The zone's administrator should understand
+ the consequences of such a configuration and provision resources
+ accordingly. A zero TTL on the zone's NS RRset, however, carries
+ additional consequences beyond the zone itself: if an iterative
+ resolver cannot cache a zone's NS records because of a zero TTL, it
+ will be forced to query that zone's parent's name servers each time
+ it resolves a name in the zone. The com/net authoritative servers do
+ see an increased query load when a popular com/net subdomain's zone
+ is configured with a TTL of zero on the zone's NS records.
+
+ A zero TTL on an RRset expected to change frequently is extreme but
+ permissible. A zone's NS RRset is a special case, however, because
+ changes to it must be coordinated with the zone's parent. In most
+
+
+
+Larson & Barber Expires August 14, 2006 [Page 12]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2006
+
+
+ zone parent/child relationships we are aware of, there is typically
+ some delay involved in effecting changes. Further, changes to the
+ set of a zone's authoritative name servers (and therefore to the
+ zone's NS RRset) are typically relatively rare: providing reliable
+ authoritative service requires a reasonably stable set of servers.
+ Therefore an extremely low or zero TTL on a zone's NS RRset rarely
+ makes sense, except in anticipation of an upcoming change. In this
+ case, when the zone's administrator has planned a change and does not
+ want iterative resolvers throughout the Internet to cache the NS
+ RRset for a long period of time, a low TTL is reasonable.
+
+2.7.1. Recommendation
+
+ Because of the additional load placed on a zone's parent's
+ authoritative servers resulting from a zero TTL on a zone's NS RRset,
+ under such circumstances authoritative name servers SHOULD issue a
+ warning when loading a zone.
+
+2.8. Unnecessary dynamic update messages
+
+ The UPDATE message specified in RFC 2136 [6] allows an authorized
+ agent to update a zone's data on an authoritative name server using a
+ DNS message sent over the network. Consider the case of an agent
+ desiring to add a particular resource record. Because of zone cuts,
+ the agent does not necessarily know the proper zone to which the
+ record should be added. The dynamic update process requires that the
+ agent determine the appropriate zone so the UPDATE message can be
+ sent to one of the zone's authoritative servers (typically the
+ primary master as specified in the zone's SOA MNAME field).
+
+ The appropriate zone to update is the closest enclosing zone, which
+ cannot be determined only by inspecting the domain name of the record
+ to be updated, since zone cuts can occur anywhere. One way to
+ determine the closest enclosing zone entails walking up the name
+ space tree by sending repeated UPDATE messages until success. For
+ example, consider an agent attempting to add an address record with
+ the name "foo.bar.example.com". The agent could first attempt to
+ update the "foo.bar.example.com" zone. If the attempt failed, the
+ update could be directed to the "bar.example.com" zone, then the
+ "example.com" zone, then the "com" zone, and finally the root zone.
+
+ A popular dynamic agent follows this algorithm. The result is many
+ UPDATE messages received by the root name servers, the com/net
+ authoritative servers, and presumably other TLD authoritative
+ servers. A valid question is why the algorithm proceeds to send
+ updates all the way to TLD and root name servers. This behavior is
+ not entirely unreasonable: in enterprise DNS architectures with an
+ "internal root" design, there could conceivably be private, non-
+
+
+
+Larson & Barber Expires August 14, 2006 [Page 13]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2006
+
+
+ public TLD or root zones that would be the appropriate targets for a
+ dynamic update.
+
+ A significant deficiency with this algorithm is that knowledge of a
+ given UPDATE message's failure is not helpful in directing future
+ UPDATE messages to the appropriate servers. A better algorithm would
+ be to find the closest enclosing zone by walking up the name space
+ with queries for SOA or NS rather than "probing" with UPDATE
+ messages. Once the appropriate zone is found, an UPDATE message can
+ be sent. In addition, the results of these queries can be cached to
+ aid in determining closest enclosing zones for future updates. Once
+ the closest enclosing zone is determined with this method, the update
+ will either succeed or fail and there is no need to send further
+ updates to higher-level zones. The important point is that walking
+ up the tree with queries yields cacheable information, whereas
+ walking up the tree by sending UPDATE messages does not.
+
+2.8.1. Recommendation
+
+ Dynamic update agents SHOULD send SOA or NS queries to progressively
+ higher-level names to find the closest enclosing zone for a given
+ name to update. Only after the appropriate zone is found should the
+ client send an UPDATE message to one of the zone's authoritative
+ servers. Update clients SHOULD NOT "probe" using UPDATE messages by
+ walking up the tree to progressively higher-level zones.
+
+2.9. Queries for domain names resembling IPv4 addresses
+
+ The root name servers receive a significant number of A record
+ queries where the QNAME looks like an IPv4 address. The source of
+ these queries is unknown. It could be attributed to situations where
+ a user believes an application will accept either a domain name or an
+ IP address in a given configuration option. The user enters an IP
+ address, but the application assumes any input is a domain name and
+ attempts to resolve it, resulting in an A record lookup. There could
+ also be applications that produce such queries in a misguided attempt
+ to reverse map IP addresses.
+
+ These queries result in Name Error (RCODE=3) responses. An iterative
+ resolver can negatively cache such responses, but each response
+ requires a separate cache entry, i.e., a negative cache entry for the
+ domain name "192.0.2.1" does not prevent a subsequent query for the
+ domain name "192.0.2.2".
+
+2.9.1. Recommendation
+
+ It would be desirable for the root name servers not to have to answer
+ these queries: they unnecessarily consume CPU resources and network
+
+
+
+Larson & Barber Expires August 14, 2006 [Page 14]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2006
+
+
+ bandwidth. A possible solution is to delegate these numeric TLDs
+ from the root zone to a separate set of servers to absorb the
+ traffic. The "black hole servers" used by the AS 112 Project [8],
+ which are currently delegated the in-addr.arpa zones corresponding to
+ RFC 1918 [7] private use address space, would be a possible choice to
+ receive these delegations. Of course, the proper and usual root zone
+ change procedures would have to be followed to make such a change to
+ the root zone.
+
+2.10. Misdirected recursive queries
+
+ The root name servers receive a significant number of recursive
+ queries (i.e., queries with the RD bit set in the header). Since
+ none of the root servers offers recursion, the servers' response in
+ such a situation ignores the request for recursion and the response
+ probably does not contain the data the querier anticipated. Some of
+ these queries result from users configuring stub resolvers to query a
+ root server. (This situation is not hypothetical: we have received
+ complaints from users when this configuration does not work as
+ hoped.) Of course, users should not direct stub resolvers to use
+ name servers that do not offer recursion, but we are not aware of any
+ stub resolver implementation that offers any feedback to the user
+ when so configured, aside from simply "not working".
+
+2.10.1. Recommendation
+
+ When the IP address of a name server that supposedly offers recursion
+ is configured in a stub resolver using an interactive user interface,
+ the resolver could send a test query to verify that the server indeed
+ supports recursion (i.e., verify that the response has the RA bit set
+ in the header). The user could be immediately notified if the server
+ is non-recursive.
+
+ The stub resolver could also report an error, either through a user
+ interface or in a log file, if the queried server does not support
+ recursion. Error reporting SHOULD be throttled to avoid a
+ notification or log message for every response from a non-recursive
+ server.
+
+2.11. Suboptimal name server selection algorithm
+
+ An entire document could be devoted to the topic of problems with
+ different implementations of the recursive resolution algorithm. The
+ entire process of recursion is woefully under specified, requiring
+ each implementor to design an algorithm. Sometimes implementors make
+ poor design choices that could be avoided if a suggested algorithm
+ and best practices were documented, but that is a topic for another
+ document.
+
+
+
+Larson & Barber Expires August 14, 2006 [Page 15]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2006
+
+
+ Some deficiencies cause significant operational impact and are
+ therefore worth mentioning here. One of these is name server
+ selection by an iterative resolver. When an iterative resolver wants
+ to contact one of a zone's authoritative name servers, how does it
+ choose from the NS records listed in the zone's NS RRset? If the
+ selection mechanism is suboptimal, queries are not spread evenly
+ among a zone's authoritative servers. The details of the selection
+ mechanism are up to the implementor, but we offer some suggestions.
+
+2.11.1. Recommendation
+
+ This list is not conclusive, but reflects the changes that would
+ produce the most impact in terms of reducing disproportionate query
+ load among a zone's authoritative servers. I.e., these changes would
+ help spread the query load evenly.
+
+ o Do not make assumptions based on NS RRset order: all NS RRs SHOULD
+ be treated equally. (In the case of the "com" zone, for example,
+ most of the root servers return the NS record for "a.gtld-
+ servers.net" first in the authority section of referrals.
+ Apparently as a result, this server receives disproportionately
+ more traffic than the other 12 authoritative servers for "com".)
+
+ o Use all NS records in an RRset. (For example, we are aware of
+ implementations that hard-coded information for a subset of the
+ root servers.)
+
+ o Maintain state and favor the best-performing of a zone's
+ authoritative servers. A good definition of performance is
+ response time. Non-responsive servers can be penalized with an
+ extremely high response time.
+
+ o Do not lock onto the best-performing of a zone's name servers. An
+ iterative resolver SHOULD periodically check the performance of
+ all of a zone's name servers to adjust its determination of the
+ best-performing one.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Larson & Barber Expires August 14, 2006 [Page 16]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2006
+
+
+3. Acknowledgments
+
+ The authors would like to thank the following people for their
+ comments that improved this document: Andras Salamon, Dave Meyer,
+ Doug Barton, Jaap Akkerhuis, Jinmei Tatuya, John Brady, Kevin Darcy,
+ Olafur Gudmundsson, Pekka Savola, Peter Koch and Rob Austein. We
+ apologize if we have omitted anyone; any oversight was unintentional.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Larson & Barber Expires August 14, 2006 [Page 17]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2006
+
+
+4. IANA considerations
+
+ There are no new IANA considerations introduced by this memo.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Larson & Barber Expires August 14, 2006 [Page 18]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2006
+
+
+5. Security considerations
+
+ The iterative resolver misbehavior discussed in this document exposes
+ the root and TLD name servers to increased risk of both intentional
+ and unintentional denial of service attacks.
+
+ We believe that implementation of the recommendations offered in this
+ document will reduce the amount of unnecessary traffic seen at root
+ and TLD name servers, thus reducing the opportunity for an attacker
+ to use such queries to his or her advantage.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Larson & Barber Expires August 14, 2006 [Page 19]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2006
+
+
+6. Internationalization considerations
+
+ There are no new internationalization considerations introduced by
+ this memo.
+
+7. Informative References
+
+ [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
+ Levels", BCP 14, RFC 2119, March 1997.
+
+ [2] Mockapetris, P., "Domain names - concepts and facilities",
+ STD 13, RFC 1034, November 1987.
+
+ [3] Elz, R. and R. Bush, "Clarifications to the DNS Specification",
+ RFC 2181, July 1997.
+
+ [4] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)",
+ RFC 2308, March 1998.
+
+ [5] Morishita, Y. and T. Jinmei, "Common Misbehavior Against DNS
+ Queries for IPv6 Addresses", RFC 4074, May 2005.
+
+ [6] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound, "Dynamic
+ Updates in the Domain Name System (DNS UPDATE)", RFC 2136,
+ April 1997.
+
+ [7] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and E.
+ Lear, "Address Allocation for Private Internets", BCP 5,
+ RFC 1918, February 1996.
+
+ [8] <http://www.as112.net>
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Larson & Barber Expires August 14, 2006 [Page 20]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2006
+
+
+Authors' Addresses
+
+ Matt Larson
+ VeriSign, Inc.
+ 21345 Ridgetop Circle
+ Dulles, VA 20166-6503
+ USA
+
+ Email: mlarson@verisign.com
+
+
+ Piet Barber
+ VeriSign, Inc.
+ 21345 Ridgetop Circle
+ Dulles, VA 20166-6503
+ USA
+
+ Email: pbarber@verisign.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Larson & Barber Expires August 14, 2006 [Page 21]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2006
+
+
+Intellectual Property Statement
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+
+Disclaimer of Validity
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Copyright Statement
+
+ Copyright (C) The Internet Society (2006). This document is subject
+ to the rights, licenses and restrictions contained in BCP 78, and
+ except as set forth therein, the authors retain all their rights.
+
+
+Acknowledgment
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+Larson & Barber Expires August 14, 2006 [Page 22]
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-08.txt b/contrib/bind9/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-08.txt
new file mode 100644
index 0000000..8ca68a8
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-08.txt
@@ -0,0 +1,2016 @@
+
+
+
+DNSOP O. Kolkman
+Internet-Draft R. Gieben
+Obsoletes: 2541 (if approved) NLnet Labs
+Expires: September 7, 2006 March 6, 2006
+
+
+ DNSSEC Operational Practices
+ draft-ietf-dnsop-dnssec-operational-practices-08.txt
+
+Status of this Memo
+
+ By submitting this Internet-Draft, each author represents that any
+ applicable patent or other IPR claims of which he or she is aware
+ have been or will be disclosed, and any of which he or she becomes
+ aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on September 7, 2006.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2006).
+
+Abstract
+
+ This document describes a set of practices for operating the DNS with
+ security extensions (DNSSEC). The target audience is zone
+ administrators deploying DNSSEC.
+
+ The document discusses operational aspects of using keys and
+ signatures in the DNS. It discusses issues as key generation, key
+ storage, signature generation, key rollover and related policies.
+
+
+
+
+Kolkman & Gieben Expires September 7, 2006 [Page 1]
+
+Internet-Draft DNSSEC Operational Practices March 2006
+
+
+ This document obsoletes RFC 2541, as it covers more operational
+ ground and gives more up to date requirements with respect to key
+ sizes and the new DNSSEC specification.
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 1.1. The Use of the Term 'key' . . . . . . . . . . . . . . . . 4
+ 1.2. Time Definitions . . . . . . . . . . . . . . . . . . . . . 5
+ 2. Keeping the Chain of Trust Intact . . . . . . . . . . . . . . 5
+ 3. Keys Generation and Storage . . . . . . . . . . . . . . . . . 6
+ 3.1. Zone and Key Signing Keys . . . . . . . . . . . . . . . . 6
+ 3.1.1. Motivations for the KSK and ZSK Separation . . . . . . 7
+ 3.1.2. KSKs for High Level Zones . . . . . . . . . . . . . . 8
+ 3.2. Key Generation . . . . . . . . . . . . . . . . . . . . . . 8
+ 3.3. Key Effectivity Period . . . . . . . . . . . . . . . . . . 9
+ 3.4. Key Algorithm . . . . . . . . . . . . . . . . . . . . . . 9
+ 3.5. Key Sizes . . . . . . . . . . . . . . . . . . . . . . . . 10
+ 3.6. Private Key Storage . . . . . . . . . . . . . . . . . . . 12
+ 4. Signature generation, Key Rollover and Related Policies . . . 12
+ 4.1. Time in DNSSEC . . . . . . . . . . . . . . . . . . . . . . 12
+ 4.1.1. Time Considerations . . . . . . . . . . . . . . . . . 13
+ 4.2. Key Rollovers . . . . . . . . . . . . . . . . . . . . . . 14
+ 4.2.1. Zone Signing Key Rollovers . . . . . . . . . . . . . . 15
+ 4.2.2. Key Signing Key Rollovers . . . . . . . . . . . . . . 19
+ 4.2.3. Difference Between ZSK and KSK Rollovers . . . . . . . 20
+ 4.2.4. Automated Key Rollovers . . . . . . . . . . . . . . . 21
+ 4.3. Planning for Emergency Key Rollover . . . . . . . . . . . 22
+ 4.3.1. KSK Compromise . . . . . . . . . . . . . . . . . . . . 22
+ 4.3.2. ZSK Compromise . . . . . . . . . . . . . . . . . . . . 24
+ 4.3.3. Compromises of Keys Anchored in Resolvers . . . . . . 24
+ 4.4. Parental Policies . . . . . . . . . . . . . . . . . . . . 24
+ 4.4.1. Initial Key Exchanges and Parental Policies
+ Considerations . . . . . . . . . . . . . . . . . . . . 24
+ 4.4.2. Storing Keys or Hashes? . . . . . . . . . . . . . . . 25
+ 4.4.3. Security Lameness . . . . . . . . . . . . . . . . . . 25
+ 4.4.4. DS Signature Validity Period . . . . . . . . . . . . . 26
+ 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26
+ 6. Security Considerations . . . . . . . . . . . . . . . . . . . 27
+ 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 27
+ 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 27
+ 8.1. Normative References . . . . . . . . . . . . . . . . . . . 27
+ 8.2. Informative References . . . . . . . . . . . . . . . . . . 28
+ Appendix A. Terminology . . . . . . . . . . . . . . . . . . . . . 29
+ Appendix B. Zone Signing Key Rollover Howto . . . . . . . . . . . 30
+ Appendix C. Typographic Conventions . . . . . . . . . . . . . . . 31
+ Appendix D. Document Details and Changes . . . . . . . . . . . . 33
+
+
+
+Kolkman & Gieben Expires September 7, 2006 [Page 2]
+
+Internet-Draft DNSSEC Operational Practices March 2006
+
+
+ D.1. draft-ietf-dnsop-dnssec-operational-practices-00 . . . . . 33
+ D.2. draft-ietf-dnsop-dnssec-operational-practices-01 . . . . . 33
+ D.3. draft-ietf-dnsop-dnssec-operational-practices-02 . . . . . 33
+ D.4. draft-ietf-dnsop-dnssec-operational-practices-03 . . . . . 33
+ D.5. draft-ietf-dnsop-dnssec-operational-practices-04 . . . . . 34
+ D.6. draft-ietf-dnsop-dnssec-operational-practices-05 . . . . . 34
+ D.7. draft-ietf-dnsop-dnssec-operational-practices-06 . . . . . 34
+ D.8. draft-ietf-dnsop-dnssec-operational-practices-07 . . . . . 34
+ D.9. draft-ietf-dnsop-dnssec-operational-practices-08 . . . . . 34
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 35
+ Intellectual Property and Copyright Statements . . . . . . . . . . 36
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Expires September 7, 2006 [Page 3]
+
+Internet-Draft DNSSEC Operational Practices March 2006
+
+
+1. Introduction
+
+ This document describes how to run a DNSSEC (DNS SECure) enabled
+ environment. It is intended for operators who have knowledge of the
+ DNS (see RFC 1034 [1] and RFC 1035 [2]) and want deploy DNSSEC. See
+ RFC 4033 [4] for an introduction into DNSSEC and RFC 4034 [5] for the
+ newly introduced Resource Records and finally RFC 4035 [6] for the
+ protocol changes.
+
+ During workshops and early operational deployment tests, operators
+ and system administrators have gained experience about operating the
+ DNS with security extensions (DNSSEC). This document translates
+ these experiences into a set of practices for zone administrators.
+ At the time of writing, there exists very little experience with
+ DNSSEC in production environments; this document should therefore
+ explicitly not be seen as representing 'Best Current Practices'.
+
+ The procedures herein are focused on the maintenance of signed zones
+ (i.e. signing and publishing zones on authoritative servers). It is
+ intended that maintenance of zones such as re-signing or key
+ rollovers be transparent to any verifying clients on the Internet.
+
+ The structure of this document is as follows. In Section 2 we
+ discuss the importance of keeping the "chain of trust" intact.
+ Aspects of key generation and storage of private keys are discussed
+ in Section 3; the focus in this section is mainly on the private part
+ of the key(s). Section 4 describes considerations concerning the
+ public part of the keys. Since these public keys appear in the DNS
+ one has to take into account all kinds of timing issues, which are
+ discussed in Section 4.1. Section 4.2 and Section 4.3 deal with the
+ rollover, or supercession, of keys. Finally Section 4.4 discusses
+ considerations on how parents deal with their children's public keys
+ in order to maintain chains of trust.
+
+ The typographic conventions used in this document are explained in
+ Appendix C.
+
+ Since this is a document with operational suggestions and there are
+ no protocol specifications, the RFC 2119 [9] language does not apply.
+
+ This document obsoletes RFC 2541 [12].
+
+1.1. The Use of the Term 'key'
+
+ It is assumed that the reader is familiar with the concept of
+ asymmetric keys on which DNSSEC is based (Public Key Cryptography
+ [18]). Therefore, this document will use the term 'key' rather
+ loosely. Where it is written that 'a key is used to sign data' it is
+
+
+
+Kolkman & Gieben Expires September 7, 2006 [Page 4]
+
+Internet-Draft DNSSEC Operational Practices March 2006
+
+
+ assumed that the reader understands that it is the private part of
+ the key pair that is used for signing. It is also assumed that the
+ reader understands that the public part of the key pair is published
+ in the DNSKEY resource record and that it is the public part that is
+ used in key exchanges.
+
+1.2. Time Definitions
+
+ In this document we will be using a number of time related terms.
+ The following definitions apply:
+ o "Signature validity period"
+ The period that a signature is valid. It starts at the time
+ specified in the signature inception field of the RRSIG RR and
+ ends at the time specified in the expiration field of the RRSIG
+ RR.
+ o "Signature publication period"
+ Time after which a signature (made with a specific key) is
+ replaced with a new signature (made with the same key). This
+ replacement takes place by publishing the relevant RRSIG in the
+ master zone file.
+ After one stops publishing an RRSIG in a zone it may take a
+ while before the RRSIG has expired from caches and has actually
+ been removed from the DNS.
+ o "Key effectivity period"
+ The period during which a key pair is expected to be effective.
+ This period is defined as the time between the first inception
+ time stamp and the last expiration date of any signature made
+ with this key, regardless of any discontinuity in the use of
+ the key.
+ The key effectivity period can span multiple signature validity
+ periods.
+ o "Maximum/Minimum Zone Time to Live (TTL)"
+ The maximum or minimum value of the TTLs from the complete set
+ of RRs in a zone. Note that the minimum TTL is not the same as
+ the MINIMUM field in the SOA RR. See [11] for more
+ information.
+
+
+2. Keeping the Chain of Trust Intact
+
+ Maintaining a valid chain of trust is important because broken chains
+ of trust will result in data being marked as Bogus (as defined in [4]
+ section 5), which may cause entire (sub)domains to become invisible
+ to verifying clients. The administrators of secured zones have to
+ realize that their zone is, to verifying clients, part of a chain of
+ trust.
+
+ As mentioned in the introduction, the procedures herein are intended
+
+
+
+Kolkman & Gieben Expires September 7, 2006 [Page 5]
+
+Internet-Draft DNSSEC Operational Practices March 2006
+
+
+ to ensure that maintenance of zones, such as re-signing or key
+ rollovers, will be transparent to the verifying clients on the
+ Internet.
+
+ Administrators of secured zones will have to keep in mind that data
+ published on an authoritative primary server will not be immediately
+ seen by verifying clients; it may take some time for the data to be
+ transferred to other secondary authoritative nameservers and clients
+ may be fetching data from caching non-authoritative servers. In this
+ light it is good to note that the time for a zone transfer from
+ master to slave is negligible when using NOTIFY [8] and IXFR [7],
+ increasing by reliance on AXFR, and more if you rely on the SOA
+ timing parameters for zone refresh.
+
+ For the verifying clients it is important that data from secured
+ zones can be used to build chains of trust regardless of whether the
+ data came directly from an authoritative server, a caching nameserver
+ or some middle box. Only by carefully using the available timing
+ parameters can a zone administrator assure that the data necessary
+ for verification can be obtained.
+
+ The responsibility for maintaining the chain of trust is shared by
+ administrators of secured zones in the chain of trust. This is most
+ obvious in the case of a 'key compromise' when a trade off between
+ maintaining a valid chain of trust and replacing the compromised keys
+ as soon as possible must be made. Then zone administrators will have
+ to make a trade off, between keeping the chain of trust intact -
+ thereby allowing for attacks with the compromised key - or to
+ deliberately break the chain of trust and making secured sub domains
+ invisible to security aware resolvers. Also see Section 4.3.
+
+
+3. Keys Generation and Storage
+
+ This section describes a number of considerations with respect to the
+ security of keys. It deals with the generation, effectivity period,
+ size and storage of private keys.
+
+3.1. Zone and Key Signing Keys
+
+ The DNSSEC validation protocol does not distinguish between different
+ types of DNSKEYs. All DNSKEYs can be used during the validation. In
+ practice operators use Key Signing and Zone Signing Keys and use the
+ so-called (Secure Entry Point) SEP [3] flag to distinguish between
+ them during operations. The dynamics and considerations are
+ discussed below.
+
+ To make zone re-signing and key rollover procedures easier to
+
+
+
+Kolkman & Gieben Expires September 7, 2006 [Page 6]
+
+Internet-Draft DNSSEC Operational Practices March 2006
+
+
+ implement, it is possible to use one or more keys as Key Signing Keys
+ (KSK). These keys will only sign the apex DNSKEY RRSet in a zone.
+ Other keys can be used to sign all the RRSets in a zone and are
+ referred to as Zone Signing Keys (ZSK). In this document we assume
+ that KSKs are the subset of keys that are used for key exchanges with
+ the parent and potentially for configuration as trusted anchors - the
+ SEP keys. In this document we assume a one-to-one mapping between
+ KSK and SEP keys and we assume the SEP flag to be set on all KSKs.
+
+3.1.1. Motivations for the KSK and ZSK Separation
+
+ Differentiating between the KSK and ZSK functions has several
+ advantages:
+
+ o No parent/child interaction is required when ZSKs are updated.
+ o The KSK can be made stronger (i.e. using more bits in the key
+ material). This has little operational impact since it is only
+ used to sign a small fraction of the zone data. Also the KSK is
+ only used to verify the zone's key set, not for other RRSets in
+ the zone.
+ o As the KSK is only used to sign a key set, which is most probably
+ updated less frequently than other data in the zone, it can be
+ stored separately from and in a safer location than the ZSK.
+ o A KSK can have a longer key effectivity period.
+
+ For almost any method of key management and zone signing the KSK is
+ used less frequently than the ZSK. Once a key set is signed with the
+ KSK all the keys in the key set can be used as ZSK. If a ZSK is
+ compromised, it can be simply dropped from the key set. The new key
+ set is then re-signed with the KSK.
+
+ Given the assumption that for KSKs the SEP flag is set, the KSK can
+ be distinguished from a ZSK by examining the flag field in the DNSKEY
+ RR. If the flag field is an odd number it is a KSK. If it is an
+ even number it is a ZSK.
+
+ The zone signing key can be used to sign all the data in a zone on a
+ regular basis. When a zone signing key is to be rolled, no
+ interaction with the parent is needed. This allows for "Signature
+ Validity Periods" on the order of days.
+
+ The key signing key is only to be used to sign the DNSKEY RRs in a
+ zone. If a key signing key is to be rolled over, there will be
+ interactions with parties other than the zone administrator. These
+ can include the registry of the parent zone or administrators of
+ verifying resolvers that have the particular key configured as secure
+ entry points. Hence, the key effectivity period of these keys can
+ and should be made much longer. Although, given a long enough key,
+
+
+
+Kolkman & Gieben Expires September 7, 2006 [Page 7]
+
+Internet-Draft DNSSEC Operational Practices March 2006
+
+
+ the Key Effectivity Period can be on the order of years we suggest
+ planning for a key effectivity of the order of a few months so that a
+ key rollover remains an operational routine.
+
+3.1.2. KSKs for High Level Zones
+
+ Higher level zones are generally more sensitive than lower level
+ zones. Anyone controlling or breaking the security of a zone thereby
+ obtains authority over all of its sub domains (except in the case of
+ resolvers that have locally configured the public key of a sub
+ domain, in which case this, and only this, sub domain wouldn't be
+ affected by the compromise of the parent zone). Therefore, extra
+ care should be taken with high level zones and strong keys should
+ used.
+
+ The root zone is the most critical of all zones. Someone controlling
+ or compromising the security of the root zone would control the
+ entire DNS name space of all resolvers using that root zone (except
+ in the case of resolvers that have locally configured the public key
+ of a sub domain). Therefore, the utmost care must be taken in the
+ securing of the root zone. The strongest and most carefully handled
+ keys should be used. The root zone private key should always be kept
+ off line.
+
+ Many resolvers will start at a root server for their access to and
+ authentication of DNS data. Securely updating the trust anchors in
+ an enormous population of resolvers around the world will be
+ extremely difficult.
+
+3.2. Key Generation
+
+ Careful generation of all keys is a sometimes overlooked but
+ absolutely essential element in any cryptographically secure system.
+ The strongest algorithms used with the longest keys are still of no
+ use if an adversary can guess enough to lower the size of the likely
+ key space so that it can be exhaustively searched. Technical
+ suggestions for the generation of random keys will be found in RFC
+ 4086 [15]. One should carefully assess if the random number
+ generator used during key generation adheres to these suggestions.
+
+ Keys with a long effectivity period are particularly sensitive as
+ they will represent a more valuable target and be subject to attack
+ for a longer time than short period keys. It is strongly recommended
+ that long term key generation occur off-line in a manner isolated
+ from the network via an air gap or, at a minimum, high level secure
+ hardware.
+
+
+
+
+
+Kolkman & Gieben Expires September 7, 2006 [Page 8]
+
+Internet-Draft DNSSEC Operational Practices March 2006
+
+
+3.3. Key Effectivity Period
+
+ For various reasons keys in DNSSEC need to be changed once in a
+ while. The longer a key is in use, the greater the probability that
+ it will have been compromised through carelessness, accident,
+ espionage, or cryptanalysis. Furthermore when key rollovers are too
+ rare an event, they will not become part of the operational habit and
+ there is risk that nobody on-site will remember the procedure for
+ rollover when the need is there.
+
+ From a purely operational perspective a reasonable key effectivity
+ period for Key Signing Keys is 13 months, with the intent to replace
+ them after 12 months. An intended key effectivity period of a month
+ is reasonable for Zone Signing Keys.
+
+ For key sizes that matches these effectivity periods see Section 3.5.
+
+ As argued in Section 3.1.2 securely updating trust anchors will be
+ extremely difficult. On the other hand the "operational habit"
+ argument does also apply to trust anchor reconfiguration. If a short
+ key-effectivity period is used and the trust anchor configuration has
+ to be revisited on a regular basis the odds that the configuration
+ tends to be forgotten is smaller. The trade-off is against a system
+ that is so dynamic that administrators of the validating clients will
+ not be able to follow the modifications.
+
+ Key effectivity periods can be made very short, as in the order of a
+ few minutes. But when replacing keys one has to take the
+ considerations from Section 4.1 and Section 4.2 into account.
+
+3.4. Key Algorithm
+
+ There are currently three different types of algorithms that can be
+ used in DNSSEC: RSA, DSA and elliptic curve cryptography. The latter
+ is fairly new and has yet to be standardized for usage in DNSSEC.
+
+ RSA has been developed in an open and transparent manner. As the
+ patent on RSA expired in 2000, its use is now also free.
+
+ DSA has been developed by NIST. The creation of signatures takes
+ roughly the same time as with RSA, but is 10 to 40 times as slow for
+ verification [18].
+
+ We suggest the use of RSA/SHA-1 as the preferred algorithm for the
+ key. The current known attacks on RSA can be defeated by making your
+ key longer. As the MD5 hashing algorithm is showing (theoretical)
+ cracks, we recommend the usage of SHA-1.
+
+
+
+
+Kolkman & Gieben Expires September 7, 2006 [Page 9]
+
+Internet-Draft DNSSEC Operational Practices March 2006
+
+
+ At the time of publication it is known that the SHA-1 hash has
+ cryptanalysis issues. There is work in progress on addressing these
+ issues. We recommend the use of public key algorithms based on
+ hashes stronger than SHA-1, e.g. SHA-256, as soon as these
+ algorithms are available in protocol specifications (See [20] and
+ [21] ) and implementations.
+
+3.5. Key Sizes
+
+ When choosing key sizes, zone administrators will need to take into
+ account how long a key will be used, how much data will be signed
+ during the key publication period (See Section 8.10 of [18]) and,
+ optionally, how large the key size of the parent is. As the chain of
+ trust really is "a chain", there is not much sense in making one of
+ the keys in the chain several times larger then the others. As
+ always, it's the weakest link that defines the strength of the entire
+ chain. Also see Section 3.1.1 for a discussion of how keys serving
+ different roles (ZSK v. KSK) may need different key sizes.
+
+ Generating a key of the correct size is a difficult problem, RFC 3766
+ [14] tries to deal with that problem. The first part of the
+ selection procedure in Section 1 of the RFC states:
+
+ 1. Determine the attack resistance necessary to satisfy the
+ security requirements of the application. Do this by
+ estimating the minimum number of computer operations that
+ the attacker will be forced to do in order to compromise
+ the security of the system and then take the logarithm base
+ two of that number. Call that logarithm value "n".
+
+ A 1996 report recommended 90 bits as a good all-around choice
+ for system security. The 90 bit number should be increased
+ by about 2/3 bit/year, or about 96 bits in 2005.
+
+ [14] goes on to explain how this number "n" can be used to calculate
+ the key sizes in public key cryptography. This culminated in the
+ table given below (slightly modified for our purpose):
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Expires September 7, 2006 [Page 10]
+
+Internet-Draft DNSSEC Operational Practices March 2006
+
+
+ +-------------+-----------+--------------+
+ | System | | |
+ | requirement | Symmetric | RSA or DSA |
+ | for attack | key size | modulus size |
+ | resistance | (bits) | (bits) |
+ | (bits) | | |
+ +-------------+-----------+--------------+
+ | 70 | 70 | 947 |
+ | 80 | 80 | 1228 |
+ | 90 | 90 | 1553 |
+ | 100 | 100 | 1926 |
+ | 150 | 150 | 4575 |
+ | 200 | 200 | 8719 |
+ | 250 | 250 | 14596 |
+ +-------------+-----------+--------------+
+
+ The key sizes given are rather large. This is because these keys are
+ resilient against a trillionaire attacker. Assuming this rich
+ attacker will not attack your key and that the key is rolled over
+ once a year, we come to the following recommendations about KSK
+ sizes; 1024 bits low value domains, 1300 for medium value and 2048
+ for the high value domains.
+
+ Whether a domain is of low, medium, high value depends solely on the
+ views of the zone owner. One could for instance view leaf nodes in
+ the DNS as of low value and TLDs or the root zone of high value. The
+ suggested key sizes should be safe for the next 5 years.
+
+ As ZSKs can be rolled over more easily (and thus more often) the key
+ sizes can be made smaller. But as said in the introduction of this
+ paragraph, making the ZSKs' key sizes too small (in relation to the
+ KSKs' sizes) doesn't make much sense. Try to limit the difference in
+ size to about 100 bits.
+
+ Note that nobody can see into the future, and that these key sizes
+ are only provided here as a guide. Further information can be found
+ in [17] and Section 7.5 of [18]. It should be noted though that [17]
+ is already considered overly optimistic about what key sizes are
+ considered safe.
+
+ One final note concerning key sizes. Larger keys will increase the
+ sizes of the RRSIG and DNSKEY records and will therefore increase the
+ chance of DNS UDP packet overflow. Also the time it takes to
+ validate and create RRSIGs increases with larger keys, so don't
+ needlessly double your key sizes.
+
+
+
+
+
+
+Kolkman & Gieben Expires September 7, 2006 [Page 11]
+
+Internet-Draft DNSSEC Operational Practices March 2006
+
+
+3.6. Private Key Storage
+
+ It is recommended that, where possible, zone private keys and the
+ zone file master copy that is to be signed, be kept and used in off-
+ line, non-network connected, physically secure machines only.
+ Periodically an application can be run to add authentication to a
+ zone by adding RRSIG and NSEC RRs. Then the augmented file can be
+ transferred.
+
+ When relying on dynamic update to manage a signed zone [10], be aware
+ that at least one private key of the zone will have to reside on the
+ master server. This key is only as secure as the amount of exposure
+ the server receives to unknown clients and the security of the host.
+ Although not mandatory one could administer the DNS in the following
+ way. The master that processes the dynamic updates is unavailable
+ from generic hosts on the Internet, it is not listed in the NS RR
+ set, although its name appears in the SOA RRs MNAME field. The
+ nameservers in the NS RR set are able to receive zone updates through
+ NOTIFY, IXFR, AXFR or an out-of-band distribution mechanism. This
+ approach is known as the "hidden master" setup.
+
+ The ideal situation is to have a one way information flow to the
+ network to avoid the possibility of tampering from the network.
+ Keeping the zone master file on-line on the network and simply
+ cycling it through an off-line signer does not do this. The on-line
+ version could still be tampered with if the host it resides on is
+ compromised. For maximum security, the master copy of the zone file
+ should be off net and should not be updated based on an unsecured
+ network mediated communication.
+
+ In general keeping a zone-file off-line will not be practical and the
+ machines on which zone files are maintained will be connected to a
+ network. Operators are advised to take security measures to shield
+ unauthorized access to the master copy.
+
+ For dynamically updated secured zones [10] both the master copy and
+ the private key that is used to update signatures on updated RRs will
+ need to be on-line.
+
+
+4. Signature generation, Key Rollover and Related Policies
+
+4.1. Time in DNSSEC
+
+ Without DNSSEC all times in DNS are relative. The SOA fields
+ REFRESH, RETRY and EXPIRATION are timers used to determine the time
+ elapsed after a slave server synchronized with a master server. The
+ Time to Live (TTL) value and the SOA RR minimum TTL parameter [11]
+
+
+
+Kolkman & Gieben Expires September 7, 2006 [Page 12]
+
+Internet-Draft DNSSEC Operational Practices March 2006
+
+
+ are used to determine how long a forwarder should cache data after it
+ has been fetched from an authoritative server. By using a signature
+ validity period, DNSSEC introduces the notion of an absolute time in
+ the DNS. Signatures in DNSSEC have an expiration date after which
+ the signature is marked as invalid and the signed data is to be
+ considered Bogus.
+
+4.1.1. Time Considerations
+
+ Because of the expiration of signatures, one should consider the
+ following:
+ o We suggest the Maximum Zone TTL of your zone data to be a fraction
+ of your signature validity period.
+ If the TTL would be of similar order as the signature validity
+ period, then all RRSets fetched during the validity period
+ would be cached until the signature expiration time. Section
+ 7.1 of [4] suggests that "the resolver may use the time
+ remaining before expiration of the signature validity period of
+ a signed RRSet as an upper bound for the TTL". As a result
+ query load on authoritative servers would peak at signature
+ expiration time, as this is also the time at which records
+ simultaneously expire from caches.
+ To avoid query load peaks we suggest the TTL on all the RRs in
+ your zone to be at least a few times smaller than your
+ signature validity period.
+ o We suggest the Signature Publication Period to end at least one
+ Maximum Zone TTL duration before the end of the Signature Validity
+ Period.
+ Re-signing a zone shortly before the end of the signature
+ validity period may cause simultaneous expiration of data from
+ caches. This in turn may lead to peaks in the load on
+ authoritative servers.
+ o We suggest the minimum zone TTL to be long enough to both fetch
+ and verify all the RRs in the trust chain. In workshop
+ environments it has been demonstrated [19] that a low TTL (under 5
+ to 10 minutes) caused disruptions because of the following two
+ problems:
+ 1. During validation, some data may expire before the
+ validation is complete. The validator should be able to keep
+ all data, until is completed. This applies to all RRs needed
+ to complete the chain of trust: DSs, DNSKEYs, RRSIGs, and the
+ final answers i.e. the RRSet that is returned for the initial
+ query.
+ 2. Frequent verification causes load on recursive nameservers.
+ Data at delegation points, DSs, DNSKEYs and RRSIGs benefit from
+ caching. The TTL on those should be relatively long.
+
+
+
+
+
+Kolkman & Gieben Expires September 7, 2006 [Page 13]
+
+Internet-Draft DNSSEC Operational Practices March 2006
+
+
+ o Slave servers will need to be able to fetch newly signed zones
+ well before the RRSIGs in the zone served by the slave server pass
+ their signature expiration time.
+ When a slave server is out of sync with its master and data in
+ a zone is signed by expired signatures it may be better for the
+ slave server not to give out any answer.
+ Normally a slave server that is not able to contact a master
+ server for an extended period will expire a zone. When that
+ happens the server will respond differently to queries for that
+ zone. Some servers issue SERVFAIL while others turn off the
+ 'AA' bit in the answers. The time of expiration is set in the
+ SOA record and is relative to the last successful refresh
+ between the master and the slave server. There exists no
+ coupling between the signature expiration of RRSIGs in the zone
+ and the expire parameter in the SOA.
+ If the server serves a DNSSEC zone then it may well happen that
+ the signatures expire well before the SOA expiration timer
+ counts down to zero. It is not possible to completely prevent
+ this from happening by tweaking the SOA parameters.
+ However, the effects can be minimized where the SOA expiration
+ time is equal or shorter than the signature validity period.
+ The consequence of an authoritative server not being able to
+ update a zone, whilst that zone includes expired signatures, is
+ that non-secure resolvers will continue to be able to resolve
+ data served by the particular slave servers while security
+ aware resolvers will experience problems because of answers
+ being marked as Bogus.
+ We suggest the SOA expiration timer being approximately one
+ third or one fourth of the signature validity period. It will
+ allow problems with transfers from the master server to be
+ noticed before the actual signature times out.
+ We also suggest that operators of nameservers that supply
+ secondary services develop 'watch dogs' to spot upcoming
+ signature expirations in zones they slave, and take appropriate
+ action.
+ When determining the value for the expiration parameter one has
+ to take the following into account: What are the chances that
+ all my secondaries expire the zone; How quickly can I reach an
+ administrator of secondary servers to load a valid zone? All
+ these arguments are not DNSSEC specific but may influence the
+ choice of your signature validity intervals.
+
+4.2. Key Rollovers
+
+ A DNSSEC key cannot be used forever (see Section 3.3). So key
+ rollovers -- or supercessions, as they are sometimes called -- are a
+ fact of life when using DNSSEC. Zone administrators who are in the
+ process of rolling their keys have to take into account that data
+
+
+
+Kolkman & Gieben Expires September 7, 2006 [Page 14]
+
+Internet-Draft DNSSEC Operational Practices March 2006
+
+
+ published in previous versions of their zone still lives in caches.
+ When deploying DNSSEC, this becomes an important consideration;
+ ignoring data that may be in caches may lead to loss of service for
+ clients.
+
+ The most pressing example of this occurs when zone material signed
+ with an old key is being validated by a resolver which does not have
+ the old zone key cached. If the old key is no longer present in the
+ current zone, this validation fails, marking the data Bogus.
+ Alternatively, an attempt could be made to validate data which is
+ signed with a new key against an old key that lives in a local cache,
+ also resulting in data being marked Bogus.
+
+4.2.1. Zone Signing Key Rollovers
+
+ For zone signing key rollovers there are two ways to make sure that
+ during the rollover data still cached can be verified with the new
+ key sets or newly generated signatures can be verified with the keys
+ still in caches. One schema, described in Section 4.2.1.2, uses
+ double signatures; the other uses key pre-publication
+ (Section 4.2.1.1). The pros, cons and recommendations are described
+ in Section 4.2.1.3.
+
+4.2.1.1. Pre-publish Key Rollover
+
+ This section shows how to perform a ZSK rollover without the need to
+ sign all the data in a zone twice - the so-called "pre-publish
+ rollover".This method has advantages in the case of a key compromise.
+ If the old key is compromised, the new key has already been
+ distributed in the DNS. The zone administrator is then able to
+ quickly switch to the new key and remove the compromised key from the
+ zone. Another major advantage is that the zone size does not double,
+ as is the case with the double signature ZSK rollover. A small
+ "HOWTO" for this kind of rollover can be found in Appendix B.
+
+ Pre-publish Key Rollover involves four stages as follows:
+
+ initial new DNSKEY new RRSIGs DNSKEY removal
+
+ SOA0 SOA1 SOA2 SOA3
+ RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2) RRSIG11(SOA3)
+
+ DNSKEY1 DNSKEY1 DNSKEY1 DNSKEY1
+ DNSKEY10 DNSKEY10 DNSKEY10 DNSKEY11
+ DNSKEY11 DNSKEY11
+ RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY) RRSIG1 (DNSKEY)
+ RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY)
+
+
+
+
+Kolkman & Gieben Expires September 7, 2006 [Page 15]
+
+Internet-Draft DNSSEC Operational Practices March 2006
+
+
+ initial: Initial version of the zone: DNSKEY 1 is the key signing
+ key. DNSKEY 10 is used to sign all the data of the zone, the zone
+ signing key.
+ new DNSKEY: DNSKEY 11 is introduced into the key set. Note that no
+ signatures are generated with this key yet, but this does not
+ secure against brute force attacks on the public key. The minimum
+ duration of this pre-roll phase is the time it takes for the data
+ to propagate to the authoritative servers plus TTL value of the
+ key set.
+ new RRSIGs: At the "new RRSIGs" stage (SOA serial 2) DNSKEY 11 is
+ used to sign the data in the zone exclusively (i.e. all the
+ signatures from DNSKEY 10 are removed from the zone). DNSKEY 10
+ remains published in the key set. This way data that was loaded
+ into caches from version 1 of the zone can still be verified with
+ key sets fetched from version 2 of the zone.
+ The minimum time that the key set including DNSKEY 10 is to be
+ published is the time that it takes for zone data from the
+ previous version of the zone to expire from old caches i.e. the
+ time it takes for this zone to propagate to all authoritative
+ servers plus the Maximum Zone TTL value of any of the data in the
+ previous version of the zone.
+ DNSKEY removal: DNSKEY 10 is removed from the zone. The key set, now
+ only containing DNSKEY 1 and DNSKEY 11 is re-signed with the
+ DNSKEY 1.
+
+ The above scheme can be simplified by always publishing the "future"
+ key immediately after the rollover. The scheme would look as follows
+ (we show two rollovers); the future key is introduced in "new DNSKEY"
+ as DNSKEY 12 and again a newer one, numbered 13, in "new DNSKEY
+ (II)":
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Expires September 7, 2006 [Page 16]
+
+Internet-Draft DNSSEC Operational Practices March 2006
+
+
+ initial new RRSIGs new DNSKEY
+
+ SOA0 SOA1 SOA2
+ RRSIG10(SOA0) RRSIG11(SOA1) RRSIG11(SOA2)
+
+ DNSKEY1 DNSKEY1 DNSKEY1
+ DNSKEY10 DNSKEY10 DNSKEY11
+ DNSKEY11 DNSKEY11 DNSKEY12
+ RRSIG1(DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY)
+ RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY)
+
+
+ new RRSIGs (II) new DNSKEY (II)
+
+ SOA3 SOA4
+ RRSIG12(SOA3) RRSIG12(SOA4)
+
+ DNSKEY1 DNSKEY1
+ DNSKEY11 DNSKEY12
+ DNSKEY12 DNSKEY13
+ RRSIG1(DNSKEY) RRSIG1(DNSKEY)
+ RRSIG12(DNSKEY) RRSIG12(DNSKEY)
+
+
+ Pre-Publish Key Rollover, showing two rollovers.
+
+ Note that the key introduced in the "new DNSKEY" phase is not used
+ for production yet; the private key can thus be stored in a
+ physically secure manner and does not need to be 'fetched' every time
+ a zone needs to be signed.
+
+4.2.1.2. Double Signature Zone Signing Key Rollover
+
+ This section shows how to perform a ZSK key rollover using the double
+ zone data signature scheme, aptly named "double sig rollover".
+
+ During the "new DNSKEY" stage the new version of the zone file will
+ need to propagate to all authoritative servers and the data that
+ exists in (distant) caches will need to expire, requiring at least
+ the maximum Zone TTL.
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Expires September 7, 2006 [Page 17]
+
+Internet-Draft DNSSEC Operational Practices March 2006
+
+
+ Double Signature Zone Signing Key Rollover involves three stages as
+ follows:
+
+ initial new DNSKEY DNSKEY removal
+
+ SOA0 SOA1 SOA2
+ RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2)
+ RRSIG11(SOA1)
+
+ DNSKEY1 DNSKEY1 DNSKEY1
+ DNSKEY10 DNSKEY10 DNSKEY11
+ DNSKEY11
+ RRSIG1(DNSKEY) RRSIG1(DNSKEY) RRSIG1(DNSKEY)
+ RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY)
+ RRSIG11(DNSKEY)
+
+ initial: Initial Version of the zone: DNSKEY 1 is the key signing
+ key. DNSKEY 10 is used to sign all the data of the zone, the zone
+ signing key.
+ new DNSKEY: At the "New DNSKEY" stage (SOA serial 1) DNSKEY 11 is
+ introduced into the key set and all the data in the zone is signed
+ with DNSKEY 10 and DNSKEY 11. The rollover period will need to
+ continue until all data from version 0 of the zone has expired
+ from remote caches. This will take at least the maximum Zone TTL
+ of version 0 of the zone.
+ DNSKEY removal: DNSKEY 10 is removed from the zone. All the
+ signatures from DNSKEY 10 are removed from the zone. The key set,
+ now only containing DNSKEY 11, is re-signed with DNSKEY 1.
+
+ At every instance, RRSIGs from the previous version of the zone can
+ be verified with the DNSKEY RRSet from the current version and the
+ other way around. The data from the current version can be verified
+ with the data from the previous version of the zone. The duration of
+ the "new DNSKEY" phase and the period between rollovers should be at
+ least the Maximum Zone TTL.
+
+ Making sure that the "new DNSKEY" phase lasts until the signature
+ expiration time of the data in initial version of the zone is
+ recommended. This way all caches are cleared of the old signatures.
+ However, this duration could be considerably longer than the Maximum
+ Zone TTL, making the rollover a lengthy procedure.
+
+ Note that in this example we assumed that the zone was not modified
+ during the rollover. New data can be introduced in the zone as long
+ as it is signed with both keys.
+
+
+
+
+
+
+Kolkman & Gieben Expires September 7, 2006 [Page 18]
+
+Internet-Draft DNSSEC Operational Practices March 2006
+
+
+4.2.1.3. Pros and Cons of the Schemes
+
+ Pre-publish Key Rollover: This rollover does not involve signing the
+ zone data twice. Instead, before the actual rollover, the new key
+ is published in the key set and thus available for cryptanalysis
+ attacks. A small disadvantage is that this process requires four
+ steps. Also the pre-publish scheme involves more parental work
+ when used for KSK rollovers as explained in Section 4.2.3.
+ Double Signature Zone-signing Key Rollover: The drawback of this
+ signing scheme is that during the rollover the number of
+ signatures in your zone doubles, this may be prohibitive if you
+ have very big zones. An advantage is that it only requires three
+ steps.
+
+4.2.2. Key Signing Key Rollovers
+
+ For the rollover of a key signing key the same considerations as for
+ the rollover of a zone signing key apply. However we can use a
+ double signature scheme to guarantee that old data (only the apex key
+ set) in caches can be verified with a new key set and vice versa.
+ Since only the key set is signed with a KSK, zone size considerations
+ do not apply.
+
+
+ initial new DNSKEY DS change DNSKEY removal
+ Parent:
+ SOA0 --------> SOA1 -------->
+ RRSIGpar(SOA0) --------> RRSIGpar(SOA1) -------->
+ DS1 --------> DS2 -------->
+ RRSIGpar(DS) --------> RRSIGpar(DS) -------->
+
+
+ Child:
+ SOA0 SOA1 --------> SOA2
+ RRSIG10(SOA0) RRSIG10(SOA1) --------> RRSIG10(SOA2)
+ -------->
+ DNSKEY1 DNSKEY1 --------> DNSKEY2
+ DNSKEY2 -------->
+ DNSKEY10 DNSKEY10 --------> DNSKEY10
+ RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) --------> RRSIG2 (DNSKEY)
+ RRSIG2 (DNSKEY) -------->
+ RRSIG10(DNSKEY) RRSIG10(DNSKEY) --------> RRSIG10(DNSKEY)
+
+ Stages of Deployment for Key Signing Key Rollover.
+
+
+
+
+
+
+
+Kolkman & Gieben Expires September 7, 2006 [Page 19]
+
+Internet-Draft DNSSEC Operational Practices March 2006
+
+
+ initial: Initial version of the zone. The parental DS points to
+ DNSKEY1. Before the rollover starts the child will have to verify
+ what the TTL is of the DS RR that points to DNSKEY1 - it is needed
+ during the rollover and we refer to the value as TTL_DS.
+ new DNSKEY: During the "new DNSKEY" phase the zone administrator
+ generates a second KSK, DNSKEY2. The key is provided to the
+ parent and the child will have to wait until a new DS RR has been
+ generated that points to DNSKEY2. After that DS RR has been
+ published on all servers authoritative for the parent's zone, the
+ zone administrator has to wait at least TTL_DS to make sure that
+ the old DS RR has expired from caches.
+ DS change: The parent replaces DS1 with DS2.
+ DNSKEY removal: DNSKEY1 has been removed.
+
+ The scenario above puts the responsibility for maintaining a valid
+ chain of trust with the child. It also is based on the premises that
+ the parent only has one DS RR (per algorithm) per zone. An
+ alternative mechanism has been considered. Using an established
+ trust relation, the interaction can be performed in-band, and the
+ removal of the keys by the child can possibly be signaled by the
+ parent. In this mechanism there are periods where there are two DS
+ RRs at the parent. Since at the moment of writing the protocol for
+ this interaction has not been developed, further discussion is out of
+ scope for this document.
+
+4.2.3. Difference Between ZSK and KSK Rollovers
+
+ Note that KSK rollovers and ZSK rollovers are different in the sense
+ that a KSK rollover requires interaction with the parent (and
+ possibly replacing of trust anchors) and the ensuing delay while
+ waiting for it.
+
+ A zone key rollover can be handled in two different ways: pre-publish
+ (Section Section 4.2.1.1) and double signature (Section
+ Section 4.2.1.2).
+
+ As the KSK is used to validate the key set and because the KSK is not
+ changed during a ZSK rollover, a cache is able to validate the new
+ key set of the zone. The pre-publish method would also work for a
+ KSK rollover. The records that are to be pre-published are the
+ parental DS RRs. The pre-publish method has some drawbacks for KSKs.
+ We first describe the rollover scheme and then indicate these
+ drawbacks.
+
+
+
+
+
+
+
+
+Kolkman & Gieben Expires September 7, 2006 [Page 20]
+
+Internet-Draft DNSSEC Operational Practices March 2006
+
+
+ initial new DS new DNSKEY DS/DNSKEY removal
+ Parent:
+ SOA0 SOA1 --------> SOA2
+ RRSIGpar(SOA0) RRSIGpar(SOA1) --------> RRSIGpar(SOA2)
+ DS1 DS1 --------> DS2
+ DS2 -------->
+ RRSIGpar(DS) RRSIGpar(DS) --------> RRSIGpar(DS)
+
+
+
+ Child:
+ SOA0 --------> SOA1 SOA1
+ RRSIG10(SOA0) --------> RRSIG10(SOA1) RRSIG10(SOA1)
+ -------->
+ DNSKEY1 --------> DNSKEY2 DNSKEY2
+ -------->
+ DNSKEY10 --------> DNSKEY10 DNSKEY10
+ RRSIG1 (DNSKEY) --------> RRSIG2(DNSKEY) RRSIG2 (DNSKEY)
+ RRSIG10(DNSKEY) --------> RRSIG10(DNSKEY) RRSIG10(DNSKEY)
+
+ Stages of Deployment for a Pre-publish Key Signing Key rollover.
+
+ When the child zone wants to roll it notifies the parent during the
+ "new DS" phase and submits the new key (or the corresponding DS) to
+ the parent. The parent publishes DS1 and DS2, pointing to DNSKEY1
+ and DNSKEY2 respectively. During the rollover ("new DNSKEY" phase),
+ which can take place as soon as the new DS set propagated through the
+ DNS, the child replaces DNSKEY1 with DNSKEY2. Immediately after that
+ ("DS/DNSKEY removal" phase) it can notify the parent that the old DS
+ record can be deleted.
+
+ The drawbacks of this scheme are that during the "new DS" phase the
+ parent cannot verify the match between the DS2 RR and DNSKEY2 using
+ the DNS -- as DNSKEY2 is not yet published. Besides, we introduce a
+ "security lame" key (See Section 4.4.3). Finally the child-parent
+ interaction consists of two steps. The "double signature" method
+ only needs one interaction.
+
+4.2.4. Automated Key Rollovers
+
+ As keys must be renewed periodically, there is some motivation to
+ automate the rollover process. Consider that:
+
+ o ZSK rollovers are easy to automate as only the child zone is
+ involved.
+ o A KSK rollover needs interaction between parent and child. Data
+ exchange is needed to provide the new keys to the parent,
+ consequently, this data must be authenticated and integrity must
+
+
+
+Kolkman & Gieben Expires September 7, 2006 [Page 21]
+
+Internet-Draft DNSSEC Operational Practices March 2006
+
+
+ be guaranteed in order to avoid attacks on the rollover.
+
+4.3. Planning for Emergency Key Rollover
+
+ This section deals with preparation for a possible key compromise.
+ Our advice is to have a documented procedure ready for when a key
+ compromise is suspected or confirmed.
+
+ When the private material of one of your keys is compromised it can
+ be used for as long as a valid trust chain exists. A trust chain
+ remains intact for:
+ o as long as a signature over the compromised key in the trust chain
+ is valid,
+ o as long as a parental DS RR (and signature) points to the
+ compromised key,
+ o as long as the key is anchored in a resolver and is used as a
+ starting point for validation (this is generally the hardest to
+ update).
+
+ While a trust chain to your compromised key exists, your name-space
+ is vulnerable to abuse by anyone who has obtained illegitimate
+ possession of the key. Zone operators have to make a trade off if
+ the abuse of the compromised key is worse than having data in caches
+ that cannot be validated. If the zone operator chooses to break the
+ trust chain to the compromised key, data in caches signed with this
+ key cannot be validated. However, if the zone administrator chooses
+ to take the path of a regular roll-over, the malicious key holder can
+ spoof data so that it appears to be valid.
+
+4.3.1. KSK Compromise
+
+ A zone containing a DNSKEY RRSet with a compromised KSK is vulnerable
+ as long as the compromised KSK is configured as trust anchor or a
+ parental DS points to it.
+
+ A compromised KSK can be used to sign the key set of an attacker's
+ zone. That zone could be used to poison the DNS.
+
+ Therefore when the KSK has been compromised, the trust anchor or the
+ parental DS, should be replaced as soon as possible. It is local
+ policy whether to break the trust chain during the emergency
+ rollover. The trust chain would be broken when the compromised KSK
+ is removed from the child's zone while the parent still has a DS
+ pointing to the compromised KSK (the assumption is that there is only
+ one DS at the parent. If there are multiple DSs this does not apply
+ -- however the chain of trust of this particular key is broken).
+
+ Note that an attacker's zone still uses the compromised KSK and the
+
+
+
+Kolkman & Gieben Expires September 7, 2006 [Page 22]
+
+Internet-Draft DNSSEC Operational Practices March 2006
+
+
+ presence of a parental DS would cause the data in this zone to appear
+ as valid. Removing the compromised key would cause the attacker's
+ zone to appear as valid and the child's zone as Bogus. Therefore we
+ advise not to remove the KSK before the parent has a DS to a new KSK
+ in place.
+
+4.3.1.1. Keeping the Chain of Trust Intact
+
+ If we follow this advice the timing of the replacement of the KSK is
+ somewhat critical. The goal is to remove the compromised KSK as soon
+ as the new DS RR is available at the parent. And also make sure that
+ the signature made with a new KSK over the key set with the
+ compromised KSK in it expires just after the new DS appears at the
+ parent. Thus removing the old cruft in one swoop.
+
+ The procedure is as follows:
+ 1. Introduce a new KSK into the key set, keep the compromised KSK in
+ the key set.
+ 2. Sign the key set, with a short validity period. The validity
+ period should expire shortly after the DS is expected to appear
+ in the parent and the old DSs have expired from caches.
+ 3. Upload the DS for this new key to the parent.
+ 4. Follow the procedure of the regular KSK rollover: Wait for the DS
+ to appear in the authoritative servers and then wait as long as
+ the TTL of the old DS RRs. If necessary re-sign the DNSKEY RRSet
+ and modify/extend the expiration time.
+ 5. Remove the compromised DNSKEY RR from the zone and re-sign the
+ key set using your "normal" validity interval.
+
+ An additional danger of a key compromise is that the compromised key
+ could be used to facilitate a legitimate DNSKEY/DS rollover and/or
+ nameserver changes at the parent. When that happens the domain may
+ be in dispute. An authenticated out-of-band and secure notify
+ mechanism to contact a parent is needed in this case.
+
+ Note that this is only a problem when the DNSKEY and or DS records
+ are used for authentication at the parent.
+
+4.3.1.2. Breaking the Chain of Trust
+
+ There are two methods to break the chain of trust. The first method
+ causes the child zone to appear as 'Bogus' to validating resolvers.
+ The other causes the the child zone to appear as 'insecure'. These
+ are described below.
+
+ In the method that causes the child zone to appear as 'Bogus' to
+ validating resolvers, the child zone replaces the current KSK with a
+ new one and resigns the key set. Next it sends the DS of the new key
+
+
+
+Kolkman & Gieben Expires September 7, 2006 [Page 23]
+
+Internet-Draft DNSSEC Operational Practices March 2006
+
+
+ to the parent. Only after the parent has placed the new DS in the
+ zone, the child's chain of trust is repaired.
+
+ An alternative method of breaking the chain of trust is by removing
+ the DS RRs from the parent zone altogether. As a result the child
+ zone would become insecure.
+
+4.3.2. ZSK Compromise
+
+ Primarily because there is no parental interaction required when a
+ ZSK is compromised, the situation is less severe than with a KSK
+ compromise. The zone must still be re-signed with a new ZSK as soon
+ as possible. As this is a local operation and requires no
+ communication between the parent and child this can be achieved
+ fairly quickly. However, one has to take into account that just as
+ with a normal rollover the immediate disappearance of the old
+ compromised key may lead to verification problems. Also note that as
+ long as the RRSIG over the compromised ZSK is not expired the zone
+ may be still at risk.
+
+4.3.3. Compromises of Keys Anchored in Resolvers
+
+ A key can also be pre-configured in resolvers. For instance, if
+ DNSSEC is successfully deployed the root key may be pre-configured in
+ most security aware resolvers.
+
+ If trust-anchor keys are compromised, the resolvers using these keys
+ should be notified of this fact. Zone administrators may consider
+ setting up a mailing list to communicate the fact that a SEP key is
+ about to be rolled over. This communication will of course need to
+ be authenticated e.g. by using digital signatures.
+
+ End-users faced with the task of updating an anchored key should
+ always validate the new key. New keys should be authenticated out-
+ of-band, for example, looking them up on an SSL secured announcement
+ website.
+
+4.4. Parental Policies
+
+4.4.1. Initial Key Exchanges and Parental Policies Considerations
+
+ The initial key exchange is always subject to the policies set by the
+ parent. When designing a key exchange policy one should take into
+ account that the authentication and authorization mechanisms used
+ during a key exchange should be as strong as the authentication and
+ authorization mechanisms used for the exchange of delegation
+ information between parent and child. I.e. there is no implicit need
+ in DNSSEC to make the authentication process stronger than it was in
+
+
+
+Kolkman & Gieben Expires September 7, 2006 [Page 24]
+
+Internet-Draft DNSSEC Operational Practices March 2006
+
+
+ DNS.
+
+ Using the DNS itself as the source for the actual DNSKEY material,
+ with an out-of-band check on the validity of the DNSKEY, has the
+ benefit that it reduces the chances of user error. A DNSKEY query
+ tool can make use of the SEP bit [3] to select the proper key from a
+ DNSSEC key set; thereby reducing the chance that the wrong DNSKEY is
+ sent. It can validate the self-signature over a key; thereby
+ verifying the ownership of the private key material. Fetching the
+ DNSKEY from the DNS ensures that the chain of trust remains intact
+ once the parent publishes the DS RR indicating the child is secure.
+
+ Note: the out-of-band verification is still needed when the key-
+ material is fetched via the DNS. The parent can never be sure
+ whether the DNSKEY RRs have been spoofed or not.
+
+4.4.2. Storing Keys or Hashes?
+
+ When designing a registry system one should consider which of the
+ DNSKEYs and/or the corresponding DSs to store. Since a child zone
+ might wish to have a DS published using a message digest algorithm
+ not yet understood by the registry, the registry can't count on being
+ able to generate the DS record from a raw DNSKEY. Thus, we recommend
+ that registry systems at least support storing DS records.
+
+ It may also be useful to store DNSKEYs, since having them may help
+ during troubleshooting and, as long as the child's chosen message
+ digest is supported, the overhead of generating DS records from them
+ is minimal. Having an out-of-band mechanism, such as a registry
+ directory (e.g. Whois), to find out which keys are used to generate
+ DS Resource Records for specific owners and/or zones may also help
+ with troubleshooting.
+
+ The storage considerations also relate to the design of the customer
+ interface and the method by which data is transferred between
+ registrant and registry; Will the child zone administrator be able to
+ upload DS RRs with unknown hash algorithms or does the interface only
+ allow DNSKEYs? In the registry-registrar model one can use the
+ DNSSEC EPP protocol extension [16] which allows transfer of DS RRs
+ and optionally DNSKEY RRs.
+
+4.4.3. Security Lameness
+
+ Security Lameness is defined as what happens when a parent has a DS
+ RR pointing to a non-existing DNSKEY RR. When this happens the
+ child's zone may be marked as "Bogus" by verifying DNS clients.
+
+ As part of a comprehensive delegation check the parent could, at key
+
+
+
+Kolkman & Gieben Expires September 7, 2006 [Page 25]
+
+Internet-Draft DNSSEC Operational Practices March 2006
+
+
+ exchange time, verify that the child's key is actually configured in
+ the DNS. However if a parent does not understand the hashing
+ algorithm used by child the parental checks are limited to only
+ comparing the key id.
+
+ Child zones should be very careful removing DNSKEY material,
+ specifically SEP keys, for which a DS RR exists.
+
+ Once a zone is "security lame", a fix (e.g. removing a DS RR) will
+ take time to propagate through the DNS.
+
+4.4.4. DS Signature Validity Period
+
+ Since the DS can be replayed as long as it has a valid signature, a
+ short signature validity period over the DS minimizes the time a
+ child is vulnerable in the case of a compromise of the child's
+ KSK(s). A signature validity period that is too short introduces the
+ possibility that a zone is marked Bogus in case of a configuration
+ error in the signer. There may not be enough time to fix the
+ problems before signatures expire. Something as mundane as operator
+ unavailability during weekends shows the need for DS signature
+ validity periods longer than 2 days. We recommend an absolute
+ minimum for a DS signature validity period of a few days.
+
+ The maximum signature validity period of the DS record depends on how
+ long child zones are willing to be vulnerable after a key compromise.
+ On the other hand shortening the DS signature validity interval
+ increases the operational risk for the parent. Therefore the parent
+ may have policy to use a signature validity interval that is
+ considerably longer than the child would hope for.
+
+ A compromise between the operational constraints of the parent and
+ minimizing damage for the child may result in a DS signature validity
+ period somewhere between the order of a week to order of months.
+
+ In addition to the signature validity period, which sets a lower
+ bound on the number of times the zone owner will need to sign the
+ zone data and which sets an upper bound to the time a child is
+ vulnerable after key compromise, there is the TTL value on the DS
+ RRs. Shortening the TTL means that the authoritative servers will
+ see more queries. But on the other hand, a short TTL lowers the
+ persistence of DS RRSets in caches thereby increases the speed with
+ which updated DS RRSets propagate through the DNS.
+
+
+5. IANA Considerations
+
+ This overview document introduces no new IANA considerations.
+
+
+
+Kolkman & Gieben Expires September 7, 2006 [Page 26]
+
+Internet-Draft DNSSEC Operational Practices March 2006
+
+
+6. Security Considerations
+
+ DNSSEC adds data integrity to the DNS. This document tries to assess
+ the operational considerations to maintain a stable and secure DNSSEC
+ service. Not taking into account the 'data propagation' properties
+ in the DNS will cause validation failures and may make secured zones
+ unavailable to security aware resolvers.
+
+
+7. Acknowledgments
+
+ Most of the ideas in this draft were the result of collective efforts
+ during workshops, discussions and try outs.
+
+ At the risk of forgetting individuals who were the original
+ contributors of the ideas we would like to acknowledge people who
+ were actively involved in the compilation of this document. In
+ random order: Rip Loomis, Olafur Gudmundsson, Wesley Griffin, Michael
+ Richardson, Scott Rose, Rick van Rein, Tim McGinnis, Gilles Guette
+ Olivier Courtay, Sam Weiler, Jelte Jansen, Niall O'Reilly, Holger
+ Zuleger, Ed Lewis, Hilarie Orman, Marcos Sanz and Peter Koch.
+
+ Some material in this document has been copied from RFC 2541 [12].
+
+ Mike StJohns designed the key exchange between parent and child
+ mentioned in the last paragraph of Section 4.2.2
+
+ Section 4.2.4 was supplied by G. Guette and O. Courtay.
+
+ Emma Bretherick, Adrian Bedford and Lindy Foster corrected many of
+ the spelling and style issues.
+
+ Kolkman and Gieben take the blame for introducing all miscakes(SIC).
+
+ Kolkman was employed by the RIPE NCC while working on this document.
+
+
+8. References
+
+8.1. Normative References
+
+ [1] Mockapetris, P., "Domain names - concepts and facilities",
+ STD 13, RFC 1034, November 1987.
+
+ [2] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [3] Kolkman, O., Schlyter, J., and E. Lewis, "Domain Name System KEY
+
+
+
+Kolkman & Gieben Expires September 7, 2006 [Page 27]
+
+Internet-Draft DNSSEC Operational Practices March 2006
+
+
+ (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag",
+ RFC 3757, May 2004.
+
+ [4] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "DNS Security Introduction and Requirements", RFC 4033,
+ March 2005.
+
+ [5] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "Resource Records for the DNS Security Extensions", RFC 4034,
+ March 2005.
+
+ [6] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "Protocol Modifications for the DNS Security Extensions",
+ RFC 4035, March 2005.
+
+8.2. Informative References
+
+ [7] Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995,
+ August 1996.
+
+ [8] Vixie, P., "A Mechanism for Prompt Notification of Zone Changes
+ (DNS NOTIFY)", RFC 1996, August 1996.
+
+ [9] Bradner, S., "Key words for use in RFCs to Indicate Requirement
+ Levels", BCP 14, RFC 2119, March 1997.
+
+ [10] Eastlake, D., "Secure Domain Name System Dynamic Update",
+ RFC 2137, April 1997.
+
+ [11] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)",
+ RFC 2308, March 1998.
+
+ [12] Eastlake, D., "DNS Security Operational Considerations",
+ RFC 2541, March 1999.
+
+ [13] Gudmundsson, O., "Delegation Signer (DS) Resource Record (RR)",
+ RFC 3658, December 2003.
+
+ [14] Orman, H. and P. Hoffman, "Determining Strengths For Public
+ Keys Used For Exchanging Symmetric Keys", BCP 86, RFC 3766,
+ April 2004.
+
+ [15] Eastlake, D., Schiller, J., and S. Crocker, "Randomness
+ Requirements for Security", BCP 106, RFC 4086, June 2005.
+
+ [16] Hollenbeck, S., "Domain Name System (DNS) Security Extensions
+ Mapping for the Extensible Provisioning Protocol (EPP)",
+ RFC 4310, December 2005.
+
+
+
+Kolkman & Gieben Expires September 7, 2006 [Page 28]
+
+Internet-Draft DNSSEC Operational Practices March 2006
+
+
+ [17] Lenstra, A. and E. Verheul, "Selecting Cryptographic Key
+ Sizes", The Journal of Cryptology 14 (255-293), 2001.
+
+ [18] Schneier, B., "Applied Cryptography: Protocols, Algorithms, and
+ Source Code in C", ISBN (hardcover) 0-471-12845-7, ISBN
+ (paperback) 0-471-59756-2, Published by John Wiley & Sons Inc.,
+ 1996.
+
+ [19] Rose, S., "NIST DNSSEC workshop notes", June 2001.
+
+ [20] Jansen, J., "Use of RSA/SHA-256 DNSKEY and RRSIG Resource
+ Records in DNSSEC", draft-ietf-dnsext-dnssec-rsasha256-00.txt
+ (work in progress), January 2006.
+
+ [21] Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer (DS)
+ Resource Records (RRs)", draft-ietf-dnsext-ds-sha256-04.txt
+ (work in progress), January 2006.
+
+
+Appendix A. Terminology
+
+ In this document there is some jargon used that is defined in other
+ documents. In most cases we have not copied the text from the
+ documents defining the terms but given a more elaborate explanation
+ of the meaning. Note that these explanations should not be seen as
+ authoritative.
+
+ Anchored Key: A DNSKEY configured in resolvers around the globe.
+ This key is hard to update, hence the term anchored.
+ Bogus: Also see Section 5 of [4]. An RRSet in DNSSEC is marked
+ "Bogus" when a signature of a RRSet does not validate against a
+ DNSKEY.
+ Key Signing Key or KSK: A Key Signing Key (KSK) is a key that is used
+ exclusively for signing the apex key set. The fact that a key is
+ a KSK is only relevant to the signing tool.
+ Key size: The term 'key size' can be substituted by 'modulus size'
+ throughout the document. It is mathematically more correct to use
+ modulus size, but as this is a document directed at operators we
+ feel more at ease with the term key size.
+ Private and Public Keys: DNSSEC secures the DNS through the use of
+ public key cryptography. Public key cryptography is based on the
+ existence of two (mathematically related) keys, a public key and a
+ private key. The public keys are published in the DNS by use of
+ the DNSKEY Resource Record (DNSKEY RR). Private keys should
+ remain private.
+
+
+
+
+
+
+Kolkman & Gieben Expires September 7, 2006 [Page 29]
+
+Internet-Draft DNSSEC Operational Practices March 2006
+
+
+ Key Rollover: A key rollover (also called key supercession in some
+ environments) is the act of replacing one key pair by another at
+ the end of a key effectivity period.
+ Secure Entry Point key or SEP Key: A KSK that has a parental DS
+ record pointing to it or is configured as a trust anchor.
+ Although not required by the protocol we recommend that the SEP
+ flag [3] is set on these keys.
+ Self-signature: This is only applies to signatures over DNSKEYs; a
+ signature made with DNSKEY x, over DNSKEY x is called a self-
+ signature. Note: without further information self-signatures
+ convey no trust, they are useful to check the authenticity of the
+ DNSKEY, i.e. they can be used as a hash.
+ Singing the Zone File: The term used for the event where an
+ administrator joyfully signs its zone file while producing melodic
+ sound patterns.
+ Signer: The system that has access to the private key material and
+ signs the Resource Record sets in a zone. A signer may be
+ configured to sign only parts of the zone e.g. only those RRSets
+ for which existing signatures are about to expire.
+ Zone Signing Key or ZSK: A Zone Signing Key (ZSK) is a key that is
+ used for signing all data in a zone. The fact that a key is a ZSK
+ is only relevant to the signing tool.
+ Zone Administrator: The 'role' that is responsible for signing a zone
+ and publishing it on the primary authoritative server.
+
+
+Appendix B. Zone Signing Key Rollover Howto
+
+ Using the pre-published signature scheme and the most conservative
+ method to assure oneself that data does not live in caches, here
+ follows the "HOWTO".
+ Step 0: The preparation: Create two keys and publish both in your key
+ set. Mark one of the keys as "active" and the other as
+ "published". Use the "active" key for signing your zone data.
+ Store the private part of the "published" key, preferably off-
+ line.
+ The protocol does not provide for attributes to mark a key as
+ active or published. This is something you have to do on your
+ own, through the use of a notebook or key management tool.
+ Step 1: Determine expiration: At the beginning of the rollover make a
+ note of the highest expiration time of signatures in your zone
+ file created with the current key marked as "active".
+ Wait until the expiration time marked in Step 1 has passed
+ Step 2: Then start using the key that was marked as "published" to
+ sign your data i.e. mark it as "active". Stop using the key that
+ was marked as "active", mark it as "rolled".
+
+
+
+
+
+Kolkman & Gieben Expires September 7, 2006 [Page 30]
+
+Internet-Draft DNSSEC Operational Practices March 2006
+
+
+ Step 3: It is safe to engage in a new rollover (Step 1) after at
+ least one "signature validity period".
+
+
+Appendix C. Typographic Conventions
+
+ The following typographic conventions are used in this document:
+ Key notation: A key is denoted by DNSKEYx, where x is a number or an
+ identifier, x could be thought of as the key id.
+ RRSet notations: RRs are only denoted by the type. All other
+ information - owner, class, rdata and TTL - is left out. Thus:
+ "example.com 3600 IN A 192.0.2.1" is reduced to "A". RRSets are a
+ list of RRs. A example of this would be: "A1, A2", specifying the
+ RRSet containing two "A" records. This could again be abbreviated
+ to just "A".
+ Signature notation: Signatures are denoted as RRSIGx(RRSet), which
+ means that RRSet is signed with DNSKEYx.
+ Zone representation: Using the above notation we have simplified the
+ representation of a signed zone by leaving out all unnecessary
+ details such as the names and by representing all data by "SOAx"
+ SOA representation: SOAs are represented as SOAx, where x is the
+ serial number.
+ Using this notation the following signed zone:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Expires September 7, 2006 [Page 31]
+
+Internet-Draft DNSSEC Operational Practices March 2006
+
+
+ example.net. 86400 IN SOA ns.example.net. bert.example.net. (
+ 2006022100 ; serial
+ 86400 ; refresh ( 24 hours)
+ 7200 ; retry ( 2 hours)
+ 3600000 ; expire (1000 hours)
+ 28800 ) ; minimum ( 8 hours)
+ 86400 RRSIG SOA 5 2 86400 20130522213204 (
+ 20130422213204 14 example.net.
+ cmL62SI6iAX46xGNQAdQ... )
+ 86400 NS a.iana-servers.net.
+ 86400 NS b.iana-servers.net.
+ 86400 RRSIG NS 5 2 86400 20130507213204 (
+ 20130407213204 14 example.net.
+ SO5epiJei19AjXoUpFnQ ... )
+ 86400 DNSKEY 256 3 5 (
+ EtRB9MP5/AvOuVO0I8XDxy0... ) ; id = 14
+ 86400 DNSKEY 257 3 5 (
+ gsPW/Yy19GzYIY+Gnr8HABU... ) ; id = 15
+ 86400 RRSIG DNSKEY 5 2 86400 20130522213204 (
+ 20130422213204 14 example.net.
+ J4zCe8QX4tXVGjV4e1r9... )
+ 86400 RRSIG DNSKEY 5 2 86400 20130522213204 (
+ 20130422213204 15 example.net.
+ keVDCOpsSeDReyV6O... )
+ 86400 RRSIG NSEC 5 2 86400 20130507213204 (
+ 20130407213204 14 example.net.
+ obj3HEp1GjnmhRjX... )
+ a.example.net. 86400 IN TXT "A label"
+ 86400 RRSIG TXT 5 3 86400 20130507213204 (
+ 20130407213204 14 example.net.
+ IkDMlRdYLmXH7QJnuF3v... )
+ 86400 NSEC b.example.com. TXT RRSIG NSEC
+ 86400 RRSIG NSEC 5 3 86400 20130507213204 (
+ 20130407213204 14 example.net.
+ bZMjoZ3bHjnEz0nIsPMM... )
+ ...
+
+ is reduced to the following representation:
+
+ SOA2006022100
+ RRSIG14(SOA2006022100)
+ DNSKEY14
+ DNSKEY15
+
+ RRSIG14(KEY)
+ RRSIG15(KEY)
+
+ The rest of the zone data has the same signature as the SOA record,
+
+
+
+Kolkman & Gieben Expires September 7, 2006 [Page 32]
+
+Internet-Draft DNSSEC Operational Practices March 2006
+
+
+ i.e a RRSIG created with DNSKEY 14.
+
+
+Appendix D. Document Details and Changes
+
+ This section is to be removed by the RFC editor if and when the
+ document is published.
+
+ $Id: draft-ietf-dnsop-dnssec-operational-practices.xml,v 1.31.2.14
+ 2005/03/21 15:51:41 dnssec Exp $
+
+D.1. draft-ietf-dnsop-dnssec-operational-practices-00
+
+ Submission as working group document. This document is a modified
+ and updated version of draft-kolkman-dnssec-operational-practices-00.
+
+D.2. draft-ietf-dnsop-dnssec-operational-practices-01
+
+ changed the definition of "Bogus" to reflect the one in the protocol
+ draft.
+
+ Bad to Bogus
+
+ Style and spelling corrections
+
+ KSK - SEP mapping made explicit.
+
+ Updates from Sam Weiler added
+
+D.3. draft-ietf-dnsop-dnssec-operational-practices-02
+
+ Style and errors corrected.
+
+ Added Automatic rollover requirements from I-D.ietf-dnsop-key-
+ rollover-requirements.
+
+D.4. draft-ietf-dnsop-dnssec-operational-practices-03
+
+ Added the definition of Key effectivity period and used that term
+ instead of Key validity period.
+
+ Modified the order of the sections, based on a suggestion by Rip
+ Loomis.
+
+ Included parts from RFC 2541 [12]. Most of its ground was already
+ covered. This document obsoletes RFC 2541 [12]. Section 3.1.2
+ deserves some review as it in contrast to RFC 2541 does _not_ give
+ recomendations about root-zone keys.
+
+
+
+Kolkman & Gieben Expires September 7, 2006 [Page 33]
+
+Internet-Draft DNSSEC Operational Practices March 2006
+
+
+ added a paragraph to Section 4.4.4
+
+D.5. draft-ietf-dnsop-dnssec-operational-practices-04
+
+ Somewhat more details added about the pre-publish KSK rollover. Also
+ moved that subsection down a bit.
+
+ Editorial and content nits that came in during wg last call were
+ fixed.
+
+D.6. draft-ietf-dnsop-dnssec-operational-practices-05
+
+ Applied some another set of comments that came in _after_ the the
+ WGLC.
+
+ Applied comments from Hilarie Orman and made a referece to RFC 3766.
+ Deleted of a lot of key length discussion and took over the
+ recommendations from RFC 3766.
+
+ Reworked all the heading of the rollover figures
+
+D.7. draft-ietf-dnsop-dnssec-operational-practices-06
+
+ One comment from Scott Rose applied.
+
+ Marcos Sanz gave a lots of editorial nits. Almost all are
+ incorporated.
+
+D.8. draft-ietf-dnsop-dnssec-operational-practices-07
+
+ Peter Koch's comments applied.
+
+ SHA-1/SHA-256 remarks added
+
+D.9. draft-ietf-dnsop-dnssec-operational-practices-08
+
+ IESG comments applied. Added headers and some captions to the tables
+ and applied all the nits.
+
+ IESG DISCUSS comments applied
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Expires September 7, 2006 [Page 34]
+
+Internet-Draft DNSSEC Operational Practices March 2006
+
+
+Authors' Addresses
+
+ Olaf M. Kolkman
+ NLnet Labs
+ Kruislaan 419
+ Amsterdam 1098 VA
+ The Netherlands
+
+ Email: olaf@nlnetlabs.nl
+ URI: http://www.nlnetlabs.nl
+
+
+ Miek Gieben
+ NLnet Labs
+ Kruislaan 419
+ Amsterdam 1098 VA
+ The Netherlands
+
+ Email: miek@nlnetlabs.nl
+ URI: http://www.nlnetlabs.nl
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Expires September 7, 2006 [Page 35]
+
+Internet-Draft DNSSEC Operational Practices March 2006
+
+
+Intellectual Property Statement
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+
+Disclaimer of Validity
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Copyright Statement
+
+ Copyright (C) The Internet Society (2006). This document is subject
+ to the rights, licenses and restrictions contained in BCP 78, and
+ except as set forth therein, the authors retain all their rights.
+
+
+Acknowledgment
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+Kolkman & Gieben Expires September 7, 2006 [Page 36]
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsop-serverid-06.txt b/contrib/bind9/doc/draft/draft-ietf-dnsop-serverid-06.txt
new file mode 100644
index 0000000..c6ec7e4
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsop-serverid-06.txt
@@ -0,0 +1,618 @@
+
+
+
+
+Network Working Group S. Woolf
+Internet-Draft Internet Systems Consortium, Inc.
+Expires: September 6, 2006 D. Conrad
+ Nominum, Inc.
+ March 5, 2006
+
+
+ Requirements for a Mechanism Identifying a Name Server Instance
+ draft-ietf-dnsop-serverid-06
+
+Status of this Memo
+
+ By submitting this Internet-Draft, each author represents that any
+ applicable patent or other IPR claims of which he or she is aware
+ have been or will be disclosed, and any of which he or she becomes
+ aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on September 6, 2006.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2006).
+
+Abstract
+
+ With the increased use of DNS anycast, load balancing, and other
+ mechanisms allowing more than one DNS name server to share a single
+ IP address, it is sometimes difficult to tell which of a pool of name
+ servers has answered a particular query. A standardized mechanism to
+ determine the identity of a name server responding to a particular
+ query would be useful, particularly as a diagnostic aid for
+ administrators. Existing ad hoc mechanisms for addressing this need
+
+
+
+Woolf & Conrad Expires September 6, 2006 [Page 1]
+
+Internet-Draft Serverid March 2006
+
+
+ have some shortcomings, not the least of which is the lack of prior
+ analysis of exactly how such a mechanism should be designed and
+ deployed. This document describes the existing convention used in
+ some widely deployed implementations of the DNS protocol, including
+ advantages and disadvantages, and discusses some attributes of an
+ improved mechanism.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Woolf & Conrad Expires September 6, 2006 [Page 2]
+
+Internet-Draft Serverid March 2006
+
+
+1. Introduction and Rationale
+
+ Identifying which name server is responding to queries is often
+ useful, particularly in attempting to diagnose name server
+ difficulties. This is most obviously useful for authoritative
+ nameservers in the attempt to diagnose the source or prevalence of
+ inaccurate data, but can also conceivably be useful for caching
+ resolvers in similar and other situations. Furthermore, the ability
+ to identify which server is responding to a query has become more
+ useful as DNS has become more critical to more Internet users, and as
+ network and server deployment topologies have become more complex.
+
+ The traditional means for determining which of several possible
+ servers is answering a query has traditionally been based on the use
+ of the server's IP address as a unique identifier. However, the
+ modern Internet has seen the deployment of various load balancing,
+ fault-tolerance, or attack-resistance schemes such as shared use of
+ unicast IP addresses as documented in [RFC3258]. An unfortunate side
+ effect of these schemes has been to make the use of IP addresses as
+ identifiers somewhat problematic. Specifically, a dedicated DNS
+ query may not go to the same server as answered a previous query,
+ even though sent to the same IP address. Non-DNS methods such as
+ ICMP ping, TCP connections, or non-DNS UDP packets (such as those
+ generated by tools like "traceroute"), etc., may well be even less
+ certain to reach the same server as the one which receives the DNS
+ queries.
+
+ There is a well-known and frequently-used technique for determining
+ an identity for a nameserver more specific than the possibly-non-
+ unique "server that answered the query I sent to IP address XXX".
+ The widespread use of the existing convention suggests a need for a
+ documented, interoperable means of querying the identity of a
+ nameserver that may be part of an anycast or load-balancing cluster.
+ At the same time, however, it also has some drawbacks that argue
+ against standardizing it as it's been practiced so far.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Woolf & Conrad Expires September 6, 2006 [Page 3]
+
+Internet-Draft Serverid March 2006
+
+
+2. Existing Conventions
+
+ For some time, the commonly deployed Berkeley Internet Name Domain
+ implementation of the DNS protocol suite from the Internet Systems
+ Consortium [BIND] has supported a way of identifying a particular
+ server via the use of a standards-compliant, if somewhat unusual, DNS
+ query. Specifically, a query to a recent BIND server for a TXT
+ resource record in class 3 (CHAOS) for the domain name
+ "HOSTNAME.BIND." will return a string that can be configured by the
+ name server administrator to provide a unique identifier for the
+ responding server. (The value defaults to the result of a
+ gethostname() call). This mechanism, which is an extension of the
+ BIND convention of using CHAOS class TXT RR queries to sub-domains of
+ the "BIND." domain for version information, has been copied by
+ several name server vendors.
+
+ A refinement to the BIND-based mechanism, which dropped the
+ implementation-specific string, replaces ".BIND" with ".SERVER".
+ Thus the query string to learn the unique name of a server may be
+ queried as "ID.SERVER".
+
+ (For reference, the other well-known name used by recent versions of
+ BIND within the CHAOS class "BIND." domain is "VERSION.BIND." A
+ query for a CHAOS TXT RR for this name will return an
+ administratively defined string which defaults to the version of the
+ server responding. This is, however, not generally implemented by
+ other vendors.)
+
+2.1. Advantages
+
+ There are several valuable attributes to this mechanism, which
+ account for its usefulness.
+
+ 1. The "HOSTNAME.BIND" or "ID.SERVER" query response mechanism is
+ within the DNS protocol itself. An identification mechanism that
+ relies on the DNS protocol is more likely to be successful
+ (although not guaranteed) in going to the same system as a
+ "normal" DNS query.
+
+ 2. Since the identity information is requested and returned within
+ the DNS protocol, it doesn't require allowing any other query
+ mechanism to the server, such as holes in firewalls for
+ otherwise-unallowed ICMP Echo requests. Thus it is likely to
+ reach the same server over a path subject to the same routing,
+ resource, and security policy as the query, without any special
+ exceptions to site security policy.
+
+
+
+
+
+Woolf & Conrad Expires September 6, 2006 [Page 4]
+
+Internet-Draft Serverid March 2006
+
+
+ 3. It is simple to configure. An administrator can easily turn on
+ this feature and control the results of the relevant query.
+
+ 4. It allows the administrator complete control of what information
+ is given out in the response, minimizing passive leakage of
+ implementation or configuration details. Such details are often
+ considered sensitive by infrastructure operators.
+
+ 5. Hypothetically, since it's an ordinary DNS record and the
+ relevant DNSSEC RRs are class independent, the id.server response
+ RR could be signed, which has the advantages described in
+ [RFC4033].
+
+2.2. Disadvantages
+
+ At the same time, there are some serious drawbacks to the CHAOS/TXT
+ query mechanism that argue against standardizing it as it currently
+ operates.
+
+ 1. It requires an additional query to correlate between the answer
+ to a DNS query under normal conditions and the supposed identity
+ of the server receiving the query. There are a number of
+ situations in which this simply isn't reliable.
+
+ 2. It reserves an entire class in the DNS (CHAOS) for what amounts
+ to one zone. While CHAOS class is defined in [RFC1034] and
+ [RFC1035], it's not clear that supporting it solely for this
+ purpose is a good use of the namespace or of implementation
+ effort.
+
+ 3. The initial and still common form, using .BIND, is implementation
+ specific. BIND is one DNS implementation. At the time of this
+ writing, it is probably the most prevalent for authoritative
+ servers. This does not justify standardizing on its ad hoc
+ solution to a problem shared across many operators and
+ implementors. Meanwhile, the proposed refinement changes the
+ string but preserves the ad hoc CHAOS/TXT mechanism.
+
+ 4. There is no convention or shared understanding of what
+ information an answer to such a query for a server identity could
+ or should include, including a possible encoding or
+ authentication mechanism.
+
+ The first of the listed disadvantages may be technically the most
+ serious. It argues for an attempt to design a good answer to the
+ problem that "I need to know what nameserver is answering my
+ queries", not simply a convenient one.
+
+
+
+
+Woolf & Conrad Expires September 6, 2006 [Page 5]
+
+Internet-Draft Serverid March 2006
+
+
+2.3. Characteristics of an Implementation Neutral Convention
+
+ The discussion above of advantages and disadvantages to the
+ HOSTNAME.BIND mechanism suggest some requirements for a better
+ solution to the server identification problem. These are summarized
+ here as guidelines for any effort to provide appropriate protocol
+ extensions:
+
+ 1. The mechanism adopted must be in-band for the DNS protocol. That
+ is, it needs to allow the query for the server's identifying
+ information to be part of a normal, operational query. It should
+ also permit a separate, dedicated query for the server's
+ identifying information. But it should preserve the ability of
+ the CHAOS/TXT query-based mechanism to work through firewalls and
+ in other situations where only DNS can be relied upon to reach
+ the server of interest.
+
+ 2. The new mechanism should not require dedicated namespaces or
+ other reserved values outside of the existing protocol mechanisms
+ for these, i.e. the OPT pseudo-RR. In particular, it should not
+ propagate the existing drawback of requiring support for a CLASS
+ and top level domain in the authoritative server (or the querying
+ tool) to be useful.
+
+ 3. Support for the identification functionality should be easy to
+ implement and easy to enable. It must be easy to disable and
+ should lend itself to access controls on who can query for it.
+
+ 4. It should be possible to return a unique identifier for a server
+ without requiring the exposure of information that may be non-
+ public and considered sensitive by the operator, such as a
+ hostname or unicast IP address maintained for administrative
+ purposes.
+
+ 5. It should be possible to authenticate the received data by some
+ mechanism analogous to those provided by DNSSEC. In this
+ context, the need could be met by including encryption options in
+ the specification of a new mechanism.
+
+ 6. The identification mechanism should not be implementation-
+ specific.
+
+
+
+
+
+
+
+
+
+
+Woolf & Conrad Expires September 6, 2006 [Page 6]
+
+Internet-Draft Serverid March 2006
+
+
+3. IANA Considerations
+
+ This document proposes no specific IANA action. Protocol extensions,
+ if any, to meet the requirements described are out of scope for this
+ document. A proposed extension, specified and adopted by normal IETF
+ process, is described in [NSID], including relevant IANA action.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Woolf & Conrad Expires September 6, 2006 [Page 7]
+
+Internet-Draft Serverid March 2006
+
+
+4. Security Considerations
+
+ Providing identifying information as to which server is responding to
+ a particular query from a particular location in the Internet can be
+ seen as information leakage and thus a security risk. This motivates
+ the suggestion above that a new mechanism for server identification
+ allow the administrator to disable the functionality altogether or
+ partially restrict availability of the data. It also suggests that
+ the serverid data should not be readily correlated with a hostname or
+ unicast IP address that may be considered private to the nameserver
+ operator's management infrastructure.
+
+ Propagation of protocol or service meta-data can sometimes expose the
+ application to denial of service or other attack. As DNS is a
+ critically important infrastructure service for the production
+ Internet, extra care needs to be taken against this risk for
+ designers, implementors, and operators of a new mechanism for server
+ identification.
+
+ Both authentication and confidentiality of serverid data are
+ potentially of interest to administrators-- that is, operators may
+ wish to make serverid data available and reliable to themselves and
+ their chosen associates only. This would imply both an ability to
+ authenticate it to themselves and keep it private from arbitrary
+ other parties. This led to Characteristics 4 and 5 of an improved
+ solution.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Woolf & Conrad Expires September 6, 2006 [Page 8]
+
+Internet-Draft Serverid March 2006
+
+
+5. Acknowledgements
+
+ The technique for host identification documented here was initially
+ implemented by Paul Vixie of the Internet Software Consortium in the
+ Berkeley Internet Name Daemon package. Comments and questions on
+ earlier drafts were provided by Bob Halley, Brian Wellington, Andreas
+ Gustafsson, Ted Hardie, Chris Yarnell, Randy Bush, and members of the
+ ICANN Root Server System Advisory Committee. The newest version
+ takes a significantly different direction from previous versions,
+ owing to discussion among contributors to the DNSOP working group and
+ others, particularly Olafur Gudmundsson, Ed Lewis, Bill Manning, Sam
+ Weiler, and Rob Austein.
+
+6. References
+
+ [1] Mockapetris, P., "Domain Names - Concepts and Facilities",
+ RFC 1034, STD 0013, November 1987.
+
+ [2] Mockapetris, P., "Domain Names - Implementation and
+ Specification", RFC 1035, STD 0013, November 1987.
+
+ [3] Hardie, T., "Distributing Authoritative Name Servers via Shared
+ Unicast Addresses", RFC 3258, April 2002.
+
+ [4] ISC, "BIND 9 Configuration Reference".
+
+ [5] Austein, S., "DNS Name Server Identifier Option (NSID)",
+ Internet Drafts http://www.ietf.org/internet-drafts/
+ draft-ietf-dnsext-nsid-01.txt, January 2006.
+
+ [6] Arends, R., Austein, S., Larson, M., Massey, D., and S. Rose,
+ "DNS Security Introduction and Requirements", RFC 4033,
+ March 2005.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Woolf & Conrad Expires September 6, 2006 [Page 9]
+
+Internet-Draft Serverid March 2006
+
+
+Authors' Addresses
+
+ Suzanne Woolf
+ Internet Systems Consortium, Inc.
+ 950 Charter Street
+ Redwood City, CA 94063
+ US
+
+ Phone: +1 650 423-1333
+ Email: woolf@isc.org
+ URI: http://www.isc.org/
+
+
+ David Conrad
+ Nominum, Inc.
+ 2385 Bay Road
+ Redwood City, CA 94063
+ US
+
+ Phone: +1 1 650 381 6003
+ Email: david.conrad@nominum.com
+ URI: http://www.nominum.com/
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Woolf & Conrad Expires September 6, 2006 [Page 10]
+
+Internet-Draft Serverid March 2006
+
+
+Intellectual Property Statement
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+
+Disclaimer of Validity
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Copyright Statement
+
+ Copyright (C) The Internet Society (2006). This document is subject
+ to the rights, licenses and restrictions contained in BCP 78, and
+ except as set forth therein, the authors retain all their rights.
+
+
+Acknowledgment
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+Woolf & Conrad Expires September 6, 2006 [Page 11]
+
+
diff --git a/contrib/bind9/doc/draft/draft-schlitt-spf-classic-02.txt b/contrib/bind9/doc/draft/draft-schlitt-spf-classic-02.txt
new file mode 100644
index 0000000..3bd9594
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-schlitt-spf-classic-02.txt
@@ -0,0 +1,3136 @@
+
+
+
+Network Working Group M. Wong
+Internet-Draft W. Schlitt
+Expires: December 8, 2005 June 6, 2005
+
+
+Sender Policy Framework (SPF) for Authorizing Use of Domains in E-MAIL,
+ version 1
+ draft-schlitt-spf-classic-02
+
+Status of this Memo
+
+ By submitting this Internet-Draft, each author represents that any
+ applicable patent or other IPR claims of which he or she is aware
+ have been or will be disclosed, and any of which he or she becomes
+ aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on December 8, 2005.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2005).
+
+Abstract
+
+ E-mail on the Internet can be forged in a number of ways. In
+ particular, existing protocols place no restriction on what a sending
+ host can use as the reverse-path of a message or the domain given on
+ the SMTP HELO/EHLO commands. This document describes version 1 of
+ the SPF protocol, whereby a domain may explicitly authorize the hosts
+ that are allowed to use its domain name, and a receiving host may
+ check such authorization.
+
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 1]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 1.1. State of this draft . . . . . . . . . . . . . . . . . . . 4
+ 1.2. Protocol Status . . . . . . . . . . . . . . . . . . . . . 5
+ 1.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5
+ 2. Operation . . . . . . . . . . . . . . . . . . . . . . . . . . 6
+ 2.1. The HELO Identity . . . . . . . . . . . . . . . . . . . . 6
+ 2.2. The MAIL FROM Identity . . . . . . . . . . . . . . . . . . 6
+ 2.3. Publishing Authorization . . . . . . . . . . . . . . . . . 6
+ 2.4. Checking Authorization . . . . . . . . . . . . . . . . . . 7
+ 2.5. Interpreting the Result . . . . . . . . . . . . . . . . . 8
+ 2.5.1. None . . . . . . . . . . . . . . . . . . . . . . . . . 8
+ 2.5.2. Neutral . . . . . . . . . . . . . . . . . . . . . . . 9
+ 2.5.3. Pass . . . . . . . . . . . . . . . . . . . . . . . . . 9
+ 2.5.4. Fail . . . . . . . . . . . . . . . . . . . . . . . . . 9
+ 2.5.5. SoftFail . . . . . . . . . . . . . . . . . . . . . . . 9
+ 2.5.6. TempError . . . . . . . . . . . . . . . . . . . . . . 10
+ 2.5.7. PermError . . . . . . . . . . . . . . . . . . . . . . 10
+ 3. SPF Records . . . . . . . . . . . . . . . . . . . . . . . . . 11
+ 3.1. Publishing . . . . . . . . . . . . . . . . . . . . . . . . 11
+ 3.1.1. DNS Resource Record Types . . . . . . . . . . . . . . 11
+ 3.1.2. Multiple DNS Records . . . . . . . . . . . . . . . . . 12
+ 3.1.3. Multiple Strings in a Single DNS record . . . . . . . 12
+ 3.1.4. Record Size . . . . . . . . . . . . . . . . . . . . . 12
+ 3.1.5. Wildcard Records . . . . . . . . . . . . . . . . . . . 13
+ 4. The check_host() Function . . . . . . . . . . . . . . . . . . 14
+ 4.1. Arguments . . . . . . . . . . . . . . . . . . . . . . . . 14
+ 4.2. Results . . . . . . . . . . . . . . . . . . . . . . . . . 14
+ 4.3. Initial Processing . . . . . . . . . . . . . . . . . . . . 14
+ 4.4. Record Lookup . . . . . . . . . . . . . . . . . . . . . . 15
+ 4.5. Selecting Records . . . . . . . . . . . . . . . . . . . . 15
+ 4.6. Record Evaluation . . . . . . . . . . . . . . . . . . . . 15
+ 4.6.1. Term Evaluation . . . . . . . . . . . . . . . . . . . 16
+ 4.6.2. Mechanisms . . . . . . . . . . . . . . . . . . . . . . 16
+ 4.6.3. Modifiers . . . . . . . . . . . . . . . . . . . . . . 17
+ 4.7. Default Result . . . . . . . . . . . . . . . . . . . . . . 17
+ 4.8. Domain Specification . . . . . . . . . . . . . . . . . . . 17
+ 5. Mechanism Definitions . . . . . . . . . . . . . . . . . . . . 19
+ 5.1. "all" . . . . . . . . . . . . . . . . . . . . . . . . . . 19
+ 5.2. "include" . . . . . . . . . . . . . . . . . . . . . . . . 20
+ 5.3. "a" . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
+ 5.4. "mx" . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
+ 5.5. "ptr" . . . . . . . . . . . . . . . . . . . . . . . . . . 22
+ 5.6. "ip4" and "ip6" . . . . . . . . . . . . . . . . . . . . . 23
+ 5.7. "exists" . . . . . . . . . . . . . . . . . . . . . . . . . 24
+ 6. Modifier Definitions . . . . . . . . . . . . . . . . . . . . . 25
+ 6.1. redirect: Redirected Query . . . . . . . . . . . . . . . . 25
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 2]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+ 6.2. exp: Explanation . . . . . . . . . . . . . . . . . . . . . 26
+ 7. The Received-SPF header field . . . . . . . . . . . . . . . . 28
+ 8. Macros . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
+ 8.1. Macro definitions . . . . . . . . . . . . . . . . . . . . 30
+ 8.2. Expansion Examples . . . . . . . . . . . . . . . . . . . . 33
+ 9. Implications . . . . . . . . . . . . . . . . . . . . . . . . . 34
+ 9.1. Sending Domains . . . . . . . . . . . . . . . . . . . . . 34
+ 9.2. Mailing Lists . . . . . . . . . . . . . . . . . . . . . . 34
+ 9.3. Forwarding Services and Aliases . . . . . . . . . . . . . 34
+ 9.4. Mail Services . . . . . . . . . . . . . . . . . . . . . . 36
+ 9.5. MTA Relays . . . . . . . . . . . . . . . . . . . . . . . . 37
+ 10. Security Considerations . . . . . . . . . . . . . . . . . . . 38
+ 10.1. Processing Limits . . . . . . . . . . . . . . . . . . . . 38
+ 10.2. SPF-Authorized E-Mail May Be UBE . . . . . . . . . . . . . 39
+ 10.3. Spoofed DNS and IP Data . . . . . . . . . . . . . . . . . 40
+ 10.4. Cross-User Forgery . . . . . . . . . . . . . . . . . . . . 40
+ 10.5. Untrusted Information Sources . . . . . . . . . . . . . . 40
+ 10.6. Privacy Exposure . . . . . . . . . . . . . . . . . . . . . 41
+ 11. Contributors and Acknowledgements . . . . . . . . . . . . . . 42
+ 12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 43
+ 12.1. The SPF DNS Record Type . . . . . . . . . . . . . . . . . 43
+ 12.2. The Received-SPF mail header . . . . . . . . . . . . . . . 43
+ 13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 44
+ 13.1. Normative References . . . . . . . . . . . . . . . . . . . 44
+ 13.2. Informative References . . . . . . . . . . . . . . . . . . 44
+ Appendix A. Collected ABNF . . . . . . . . . . . . . . . . . . . 46
+ Appendix B. Extended Examples . . . . . . . . . . . . . . . . . . 48
+ B.1. Simple Examples . . . . . . . . . . . . . . . . . . . . . 48
+ B.2. Multiple Domain Example . . . . . . . . . . . . . . . . . 49
+ B.3. DNSBL Style Example . . . . . . . . . . . . . . . . . . . 50
+ B.4. Multiple Requirements Example . . . . . . . . . . . . . . 50
+ Appendix C. Change Log . . . . . . . . . . . . . . . . . . . . . 51
+ C.1. Changes in Version -02 . . . . . . . . . . . . . . . . . . 51
+ C.2. Changes in Version -01 . . . . . . . . . . . . . . . . . . 52
+ Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 55
+ Intellectual Property and Copyright Statements . . . . . . . . . . 56
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 3]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+1. Introduction
+
+ The current e-mail infrastructure has the property that any host
+ injecting mail into the mail system can identify itself as any domain
+ name it wants. Hosts can do this at a variety of levels: in
+ particular, the session, the envelope, and the mail headers. While
+ this feature is desirable in some circumstances, it is a major
+ obstacle to reducing Unsolicited Bulk E-mail (UBE, aka "spam").
+ Furthermore, many domain name holders are understandably concerned
+ about the ease with which other entities may make use of their domain
+ names, often with malicious intent.
+
+ This document defines a protocol by which domain owners may authorize
+ hosts to use their domain name in the "MAIL FROM" or "HELO" identity.
+ Compliant domain holders publish SPF records specifying which hosts
+ are permitted to use their names, and compliant mail receivers use
+ the published SPF records to test the authorization of sending MTAs
+ using a given "HELO" or "MAIL FROM" identity during a mail
+ transaction.
+
+ An additional benefit to mail receivers is that after the use of an
+ identity is verified, local policy decisions about the mail can be
+ made based on the sender's domain, rather than the host's IP address.
+ This is advantageous because reputation of domain names is likely to
+ be more accurate than reputation of host IP addresses. Furthermore,
+ if a claimed identity fails verification, local policy can take
+ stronger action against such e-mail, such as rejecting it.
+
+1.1. State of this draft
+
+ This draft version attempts to resolve all known issues and address
+ all comments received from the IESG review of 2005/02/17, as well
+ reviews from the namedroppers, ietf-smtp, ietf-822 and spf-discuss
+ mailing lists both in January and in May.
+
+ Please check the Change log in Appendix C before proposing changes,
+ as it is possible that your idea has already been discussed. Please
+ post comments on the spf-discuss@v2.listbox.com mailing list or
+ e-mail them directly to the author.
+
+ I am sorry for the length of this I-D; I have not had time to make it
+ shorter.
+
+ RFC Editor Note: Please remove this section for the final publication
+ of the document. It has been inspired by
+ draft-ietf-tools-draft-submission-09.txt.
+
+
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 4]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+1.2. Protocol Status
+
+ SPF has been in development since the Summer of 2003, and has seen
+ deployment beyond the developers beginning in December, 2003. The
+ design of SPF slowly evolved until the spring of 2004 and has since
+ stabilized. There have been quite a number of forms of SPF, some
+ written up as documents, some submitted as Internet Drafts, and many
+ discussed and debated in development forums.
+
+ The goal of this document is to clearly document the protocol defined
+ by earlier draft specifications of SPF as used in existing
+ implementations. This conception of SPF is sometimes called "SPF
+ Classic". It is understood that particular implementations and
+ deployments may differ from, and build upon, this work. It is hoped
+ that we have nonetheless captured the common understanding of SPF
+ version 1.
+
+1.3. Terminology
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+ This document is concerned with the portion of a mail message
+ commonly called "envelope sender", "return path", "reverse path",
+ "bounce address", "2821 FROM", or "MAIL FROM". Since these terms are
+ either not well defined, or often used casually, this document
+ defines the "MAIL FROM" identity in Section 2.2. Note that other
+ terms that may superficially look like the common terms, such as
+ "reverse-path", are used only with the defined meanings from
+ normative documents.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 5]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+2. Operation
+
+2.1. The HELO Identity
+
+ The "HELO" identity derives from either the SMTP HELO or EHLO command
+ (see [RFC2821]). These commands supply the SMTP client (sending
+ host) for the SMTP session. Note that requirements for the domain
+ presented in the EHLO or HELO command are not always clear to the
+ sending party, and SPF clients must be prepared for the "HELO"
+ identity to be malformed or an IP address literal. At the time of
+ this writing, many legitimate e-mails are delivered with invalid HELO
+ domains.
+
+ It is RECOMMENDED that SPF clients check not only the "MAIL FROM"
+ identity, but also separately check the "HELO" identity by applying
+ the check_host() function (Section 4) to the "HELO" identity as the
+ <sender>.
+
+2.2. The MAIL FROM Identity
+
+ The "MAIL FROM" identity derives from the SMTP MAIL command (see
+ [RFC2821]). This command supplies the "reverse-path" for a message,
+ which generally consists of the sender mailbox, and is the mailbox to
+ which notification messages are to be sent if there are problems
+ delivering the message.
+
+ [RFC2821] allows the reverse-path to be null (see Section 4.5.5). In
+ this case, there is no explicit sender mailbox, and such a message
+ can be assumed to be a notification message from the mail system
+ itself. When the reverse-path is null, this document defines the
+ "MAIL FROM" identity to be the mailbox composed of the localpart
+ "postmaster" and the "HELO" identity (which may or may not have been
+ checked separately before).
+
+ SPF clients MUST check the "MAIL FROM" identity. SPF clients check
+ the "MAIL FROM" identity by applying the check_host() function to the
+ "MAIL FROM" identity as the <sender>.
+
+2.3. Publishing Authorization
+
+ An SPF-compliant domain MUST publish a valid SPF record as described
+ in Section 3. This record authorizes the use of the domain name in
+ the "HELO" and "MAIL FROM" identities by the MTAs it specifies.
+
+ If domain owners choose to publish SPF records, it is RECOMMENDED
+ that they end in "-all", or redirect to other records that do, so
+ that a definitive determination of authorization can be made.
+
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 6]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+ Domain holders may publish SPF records that explicitly authorize no
+ hosts if mail should never originate using that domain.
+
+ When changing SPF records, care must be taken to ensure that there is
+ a transition period so that the old policy remains valid until all
+ legitimate e-mail has been checked.
+
+2.4. Checking Authorization
+
+ A mail receiver can perform a set of SPF checks for each mail message
+ it receives. An SPF check tests the authorization of a client host
+ to emit mail with a given identity. Typically, such checks are done
+ by a receiving MTA, but can be performed elsewhere in the mail
+ processing chain so long as the required information is available and
+ reliable. At least the "MAIL FROM" identity MUST be checked, but it
+ is RECOMMENDED that the "HELO" identity also be checked beforehand.
+
+ Without explicit approval of the domain owner, checking other
+ identities against SPF version 1 records is NOT RECOMMENDED because
+ there are cases that are known to give incorrect results. For
+ example, almost all mailing lists rewrite the "MAIL FROM" identity
+ (see Section 9.2), but some do not change any other identities in the
+ message. The scenario described in Section 9.3.1.2 is another
+ example. Documents that define other identities should define the
+ method for explicit approval.
+
+ It is possible that mail receivers will use the SPF check as part of
+ a larger set of tests on incoming mail. The results of other tests
+ may influence whether or not a particular SPF check is performed.
+ For example, finding the sending host's IP address on a local white
+ list may cause all other tests to be skipped and all mail from that
+ host to be accepted.
+
+ When a mail receiver decides to perform an SPF check, it MUST use a
+ correctly-implemented check_host() function (Section 4) evaluated
+ with the correct parameters. While the test as a whole is optional,
+ once it has been decided to perform a test it must be performed as
+ specified so that the correct semantics are preserved between
+ publisher and receiver.
+
+ To make the test, the mail receiver MUST evaluate the check_host()
+ function with the arguments set as follows:
+
+ <ip> - the IP address of the SMTP client that is emitting the
+ mail, either IPv4 or IPv6.
+
+
+
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 7]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+ <domain> - the domain portion of the "MAIL FROM" or "HELO" identity.
+
+ <sender> - the "MAIL FROM" or "HELO" identity.
+
+ Note that the <domain> argument may not be a well-formed domain name.
+ For example, if the reverse-path was null, then the EHLO/HELO domain
+ is used, with its associated problems (see Section 2.1). In these
+ cases, check_host() is defined in Section 4.3 to return a "None"
+ result.
+
+ While invalid, malformed, or non-existent domains cause SPF checks to
+ return "None" because no SPF record can be found, it has long been
+ the policy of many MTAs to reject e-mail from such domains,
+ especially in the case of invalid "MAIL FROM". In order to prevent
+ the circumvention of SPF records, rejecting e-mail from invalid
+ domains should be considered.
+
+ Implementations must take care to correctly extract the <domain> from
+ the data given with the SMTP MAIL FROM command as many MTAs will
+ still accept such things as source routes (see [RFC2821] appendix C),
+ the %-hack (see [RFC1123]), and bang paths (see [RFC1983]). These
+ archaic features have been maliciously used to bypass security
+ systems.
+
+2.5. Interpreting the Result
+
+ This section describes how software that performs the authorization
+ should interpret the results of the check_host() function. The
+ authorization check SHOULD be performed during the processing of the
+ SMTP transaction that sends the mail. This allows errors to be
+ returned directly to the sending server by way of SMTP replies.
+
+ Performing the authorization after the SMTP transaction has finished
+ may cause problems, such as: 1) It may be difficult to accurately
+ extract the required information from potentially deceptive headers.
+ 2) Legitimate e-mail may fail because the sender's policy may have
+ since changed.
+
+ Generating non-delivery notifications to forged identities that have
+ failed the authorization check is generally abusive and against the
+ explicit wishes of the identity owner.
+
+2.5.1. None
+
+ A result of "None" means that no records were published by the
+ domain, or that no checkable sender domain could be determined from
+ the given identity. The checking software cannot ascertain whether
+ the client host is authorized or not.
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 8]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+2.5.2. Neutral
+
+ The domain owner has explicitly stated that they cannot or do not
+ want to assert whether the IP address is authorized or not. A
+ "Neutral" result MUST be treated exactly like the "None" result; the
+ distinction exists only for informational purposes. Treating
+ "Neutral" more harshly than "None" will discourage domain owners from
+ testing the use of SPF records (see Section 9.1).
+
+2.5.3. Pass
+
+ A "Pass" result means that the client is authorized to inject mail
+ with the given identity. The domain can now, in the sense of
+ reputation, be considered responsible for sending the message.
+ Further policy checks can now proceed with confidence in the
+ legitimate use of the identity.
+
+2.5.4. Fail
+
+ A "Fail" result is an explicit statement that the client is not
+ authorized to use the domain in the given identity. The checking
+ software can choose to mark the mail based on this, or to reject the
+ mail outright.
+
+ If the checking software chooses to reject the mail during the SMTP
+ transaction, then it SHOULD use an SMTP reply code of 550 (see
+ [RFC2821]) and, if supported, the 5.7.1 Delivery Status Notification
+ (DSN) code (see [RFC3464]), in addition to an appropriate reply text.
+ The check_host() function may return either a default explanation
+ string, or one from the domain that published the SPF records (see
+ Section 6.2). If the information doesn't originate with the checking
+ software, it should be made clear that the text is provided by the
+ sender's domain. For example:
+
+ 550-5.7.1 SPF MAIL FROM check failed:
+ 550-5.7.1 The domain example.com explains:
+ 550 5.7.1 Please see http://www.example.com/mailpolicy.html
+
+2.5.5. SoftFail
+
+ A "SoftFail" result should be treated as somewhere between a "Fail"
+ and a "Neutral". The domain believes the host isn't authorized but
+ isn't willing to make that strong of a statement. Receiving software
+ SHOULD NOT reject the message based solely on this result, but MAY
+ subject the message to closer scrutiny than normal.
+
+ The domain owner wants to discourage the use of this host and so they
+ desire limited feedback when a "SoftFail" result occurs. For
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 9]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+ example, the recipient's MUA could highlight the "SoftFail" status,
+ or the receiving MTA could give the sender a message using a
+ technique called "greylisting" whereby the MTA can issue an SMTP
+ reply code of 451 (4.3.0 DSN code) with a note the first time the
+ message is received, but accept it the second time.
+
+2.5.6. TempError
+
+ A "TempError" result means that the SPF client encountered a
+ transient error while performing the check. Checking software can
+ choose to accept or temporarily reject the message. If the message
+ is rejected during the SMTP transaction for this reason, the software
+ SHOULD use an SMTP reply code of 451 and, if supported, the 4.4.3 DSN
+ code.
+
+2.5.7. PermError
+
+ A "PermError" result means that the domain's published records
+ couldn't be correctly interpreted. This signals an error condition
+ that requires manual intervention to be resolved, as opposed to the
+ TempError result. Be aware that if the domain owner uses macros
+ (Section 8), it is possible that this result is due to the checked
+ identities having an unexpected format.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 10]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+3. SPF Records
+
+ An SPF record is a DNS Resource Record (RR) that declares which hosts
+ are, and are not, authorized to use a domain name for the "HELO" and
+ "MAIL FROM" identities. Loosely, the record partitions all hosts
+ into permitted and not-permitted sets. (Though some hosts might fall
+ into neither category.)
+
+ The SPF record is a single string of text. An example record is:
+
+ v=spf1 +mx a:colo.example.com/28 -all
+
+ This record has a version of "spf1" and three directives: "+mx",
+ "a:colo.example.com/28" (the + is implied), and "-all".
+
+3.1. Publishing
+
+ Domain owners wishing to be SPF compliant must publish SPF records
+ for the hosts that are used in the "MAIL FROM" and "HELO" identities.
+ The SPF records are placed in the DNS tree at the host name it
+ pertains to, not a subdomain under it, such as is done with SRV
+ records. This is the same whether the TXT or SPF RR type is used.
+
+ The example above in Section 3 might be published via this lines in a
+ domain zone file:
+
+ example.com. TXT "v=spf1 +mx a:colo.example.com/28 -all"
+ smtp-out.example.com. TXT "v=spf1 a -all"
+
+ When publishing via TXT records, beware of other TXT records
+ published there for other purposes. They may cause problems with
+ size limits (see Section 3.1.4).
+
+3.1.1. DNS Resource Record Types
+
+ This document defines a new DNS RR of type SPF, type code to be
+ determined. The format of this type is identical to the TXT RR
+ [RFC1035]. For either type, the character content of the record is
+ encoded as [US-ASCII].
+
+ RFC Editor Note: Please add the DNS RR type code once it has been
+ allocated by the IANA.
+
+ It is recognized that the current practice (using a TXT record) is
+ not optimal, but it is necessary because there are a number of DNS
+ server and resolver implementations in common use that cannot handle
+ the new RR type. The two-record-type scheme provides a forward path
+ to the better solution of using an RR type reserved for this purpose.
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 11]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+ An SPF-compliant domain name SHOULD have SPF records of both RR
+ types. A compliant domain name MUST have a record of at least one
+ type. If a domain has records of both types, they MUST have
+ identical content. For example, instead of just publishing one
+ record as in Section 3.1 above, it is better to publish:
+
+ example.com. IN TXT "v=spf1 +mx a:colo.example.com/28 -all"
+ example.com. IN SPF "v=spf1 +mx a:colo.example.com/28 -all"
+
+ Example RRs in this document are shown with the TXT record type,
+ however they could be published with the SPF type or with both types.
+
+3.1.2. Multiple DNS Records
+
+ A domain name MUST NOT have multiple records that would cause an
+ authorization check to select more than one record. See Section 4.5
+ for the selection rules.
+
+3.1.3. Multiple Strings in a Single DNS record
+
+ As defined in [RFC1035] sections 3.3.14 and 3.3, a single text DNS
+ record (either TXT and SPF RR types) can be composed of more than one
+ string. If a published record contains multiple strings, then the
+ record MUST be treated as if those strings are concatenated together
+ without adding spaces. For example:
+
+ IN TXT "v=spf1 .... first" "second string..."
+
+ MUST be treated as equivalent to
+
+ IN TXT "v=spf1 .... firstsecond string..."
+
+ SPF or TXT records containing multiple strings are useful in order to
+ construct records which would exceed the 255 byte maximum length of a
+ string within a single TXT or SPF RR record.
+
+3.1.4. Record Size
+
+ The published SPF record for a given domain name SHOULD remain small
+ enough that the results of a query for it will fit within 512 octets.
+ This will keep even older DNS implementations from falling over to
+ TCP. Since the answer size is dependent on many things outside the
+ scope of this document, it is only possible to give this guideline:
+ If the combined length of the DNS name and the text of all the
+ records of a given type (TXT or SPF) is under 450 characters, then
+ DNS answers should fit in UDP packets. Note that when computing the
+ sizes for queries of the TXT format, one must take into account any
+ other TXT records published at the domain name. Records that are too
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 12]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+ long to fit in a single UDP packet MAY be silently ignored by SPF
+ clients.
+
+3.1.5. Wildcard Records
+
+ Use of wildcard records for publishing is not recommended. Care must
+ be taken if wildcard records are used. If a domain publishes
+ wildcard MX records, it may want to publish wildcard declarations,
+ subject to the same requirements and problems. In particular, the
+ declaration must be repeated for any host that has any RR records at
+ all, and for subdomains thereof. For example, the example given in
+ [RFC1034], Section 4.3.3, could be extended with:
+
+ X.COM. MX 10 A.X.COM
+ X.COM. TXT "v=spf1 a:A.X.COM -all"
+
+ *.X.COM. MX 10 A.X.COM
+ *.X.COM. TXT "v=spf1 a:A.X.COM -all"
+
+ A.X.COM. A 1.2.3.4
+ A.X.COM. MX 10 A.X.COM
+ A.X.COM. TXT "v=spf1 a:A.X.COM -all"
+
+ *.A.X.COM. MX 10 A.X.COM
+ *.A.X.COM. TXT "v=spf1 a:A.X.COM -all"
+
+ Notice that SPF records must be repeated twice for every name within
+ the domain: once for the name, and once with a wildcard to cover the
+ tree under the name.
+
+ Use of wildcards is discouraged in general as they cause every name
+ under the domain to exist and queries against arbitrary names will
+ never return RCODE 3 (Name Error).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 13]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+4. The check_host() Function
+
+ The check_host() function fetches SPF records, parses them, and
+ interprets them to determine whether a particular host is or is not
+ permitted to send mail with a given identity. Mail receivers that
+ perform this check MUST correctly evaluate the check_host() function
+ as described here.
+
+ Implementations MAY use a different algorithm than the canonical
+ algorithm defined here, so long as the results are the same in all
+ cases.
+
+4.1. Arguments
+
+ The function check_host() takes these arguments:
+
+ <ip> - the IP address of the SMTP client that is emitting the
+ mail, either IPv4 or IPv6.
+
+ <domain> - the domain that provides the sought-after authorization
+ information; initially the domain portion of the "MAIL FROM"
+ or "HELO" identity.
+
+ <sender> - the "MAIL FROM" or "HELO" identity.
+
+ The domain portion of <sender> will usually be the same as the
+ <domain> argument when check_host() is initially evaluated. However,
+ this will generally not be true for recursive evaluations (see
+ Section 5.2 below).
+
+ Actual implementations of the check_host() function may need
+ additional arguments.
+
+4.2. Results
+
+ The function check_host() can return one of several results described
+ in Section 2.5. Based on the result, the action to be taken is
+ determined by the local policies of the receiver.
+
+4.3. Initial Processing
+
+ If the <domain> is malformed (label longer than 63 characters, zero
+ length label not at the end, etc.), is not a fully qualified domain
+ name, or if the DNS lookup returns "domain does not exist" (RCODE 3),
+ check_host() immediately returns the result "None".
+
+ If the <sender> has no localpart, substitute the string "postmaster"
+ for the localpart.
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 14]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+4.4. Record Lookup
+
+ In accordance with how the records are published, see Section 3.1
+ above, a DNS query needs to be made for the <domain> name, querying
+ for either RR type TXT, SPF, or both. If both SPF and TXT RRs are
+ looked up, the queries MAY be done in parallel.
+
+ If the DNS lookup returns a server failure (RCODE 2), or other error
+ (RCODE other than 0 or 3), or the query times out, check_host() exits
+ immediately with the result "TempError".
+
+4.5. Selecting Records
+
+ Records begin with a version section:
+
+ record = version terms *SP
+ version = "v=spf1"
+
+ Starting with the set of records that were returned by the lookup,
+ record selection proceeds in three steps:
+
+ 1. Records that do not begin with a version section of exactly
+ "v=spf1" are discarded. Note that the version section is
+ terminated either by a SP character or the end of the record. A
+ record with a version section of "v=spf10" does not match and
+ must be discarded.
+
+ 2. If there are both SPF and TXT records in the set and if they are
+ not all identical, return a "PermError".
+
+ 3. If any records of type SPF are in the set, then all records of
+ type TXT are discarded.
+
+ After the above steps, there should be exactly one record remaining
+ and evaluation can proceed. If there are two or more records
+ remaining, then check_host() exits immediately with the result of
+ "PermError".
+
+ If no matching records are returned, an SPF client MUST assume that
+ the domain makes no SPF declarations. SPF processing MUST stop and
+ return "None".
+
+4.6. Record Evaluation
+
+ After one SPF record has been selected, the check_host() function
+ parses and interprets it to find a result for the current test. If
+ there are any syntax errors, check_host() returns immediately with
+ the result "PermError".
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 15]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+ Implementations MAY choose to parse the entire record first and
+ return "PermError" if the record is not syntactically well formed.
+ However, in all cases, any syntax errors anywhere in the record MUST
+ be detected.
+
+4.6.1. Term Evaluation
+
+ There are two types of terms: mechanisms and modifiers. A record
+ contains an ordered list of these as specified in the following ABNF.
+
+ terms = *( 1*SP ( directive / modifier ) )
+
+ directive = [ qualifier ] mechanism
+ qualifier = "+" / "-" / "?" / "~"
+ mechanism = ( all / include
+ / A / MX / PTR / IP4 / IP6 / exists )
+ modifier = redirect / explanation / unknown-modifier
+ unknown-modifier = name "=" macro-string
+
+ name = ALPHA *( ALPHA / DIGIT / "-" / "_" / "." )
+
+ Most mechanisms allow a ":" or "/" character after the name.
+
+ Modifiers always contain an equals ('=') character immediately after
+ the name, and before any ":" or "/" characters that may be part of
+ the macro-string.
+
+ Terms that do not contain any of "=", ":" or "/" are mechanisms, as
+ defined in Section 5.
+
+ As per the definition of the ABNF notation in [I-D.crocker-abnf-
+ rfc2234bis], mechanism and modifier names are case-insensitive.
+
+4.6.2. Mechanisms
+
+ Each mechanism is considered in turn from left to right. If there
+ are no more mechanisms, the result is specified in Section 4.7.
+
+ When a mechanism is evaluated, one of three things can happen: it can
+ match, it can not match, or it can throw an exception.
+
+ If it matches, processing ends and the qualifier value is returned as
+ the result of that record. If it does not match, processing
+ continues with the next mechanism. If it throws an exception,
+ mechanism processing ends and the exception value is returned.
+
+ The possible qualifiers, and the results they return are:
+
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 16]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+ "+" Pass
+ "-" Fail
+ "~" SoftFail
+ "?" Neutral
+
+ The qualifier is optional and defaults to "+".
+
+ When a mechanism matches and the qualifier is "-", then a "Fail"
+ result is returned and the explanation string is computed as
+ described in Section 6.2.
+
+ The specific mechanisms are described in Section 5.
+
+4.6.3. Modifiers
+
+ Modifiers are not mechanisms: they do not return match or not-match.
+ Instead they provide additional information. While modifiers do not
+ directly affect the evaluation of the record, the "redirect" modifier
+ has an effect after all the mechanisms have been evaluated.
+
+4.7. Default Result
+
+ If none of the mechanisms match and there is no "redirect" modifier,
+ then the check_host() returns a result of "Neutral", just as if
+ "?all" were specified as the last directive. If there is a
+ "redirect" modifier, check_host() proceeds as defined in Section 6.1.
+
+ Note that records SHOULD always either use a "redirect" modifier or
+ an "all" mechanism to explicitly terminate processing.
+
+ For example:
+
+ v=spf1 +mx -all
+ or
+ v=spf1 +mx redirect=_spf.example.com
+
+4.8. Domain Specification
+
+ Several of these mechanisms and modifiers have a <domain-spec>
+ section. The <domain-spec> string is macro expanded (see Section 8).
+ The resulting string is the common presentation form of a fully-
+ qualified DNS name: a series of labels separated by periods. This
+ domain is called the <target-name> in the rest of this document.
+
+ Note: The result of the macro expansion is not subject to any further
+ escaping. Hence, this facility cannot produce all characters that
+ are legal in a DNS label (e.g. the control characters). However,
+ this facility is powerful enough to express legal host names, and
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 17]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+ common utility labels (such as "_spf") that are used in DNS.
+
+ For several mechanisms, the <domain-spec> is optional. If it is not
+ provided, the <domain> is used as the <target-name>.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 18]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+5. Mechanism Definitions
+
+ This section defines two types of mechanisms.
+
+ Basic mechanisms contribute to the language framework. They do not
+ specify a particular type of authorization scheme.
+
+ all
+ include
+
+ Designated sender mechanisms are used to designate a set of <ip>
+ addresses as being permitted or not permitted to use the <domain> for
+ sending mail.
+
+ a
+ mx
+ ptr
+ ip4
+ ip6
+ exists
+
+ The following conventions apply to all mechanisms that perform a
+ comparison between <ip> and an IP address at any point:
+
+ If no CIDR-length is given in the directive, then <ip> and the IP
+ address are compared for equality.
+
+ If a CIDR-length is specified, then only the specified number of
+ high-order bits of <ip> and the IP address are compared for equality.
+
+ When any mechanism fetches host addresses to compare with <ip>, when
+ <ip> is an IPv4 address, A records are fetched, when <ip> is an IPv6
+ address, AAAA records are fetched. Even if the SMTP connection is
+ via IPv6, an IPv4-mapped IPv6 IP address (see [RFC3513] section
+ 2.5.5) MUST still be considered an IPv4 address.
+
+ Several mechanisms rely on information fetched from DNS. For these
+ DNS queries, except where noted, if the DNS server returns an error
+ (RCODE other than 0 or 3) or the query times out, the mechanism
+ throws the exception "TempError". If the server returns "domain does
+ not exist" (RCODE 3), then evaluation of the mechanism continues as
+ if the server returned no error (RCODE 0) and zero answer records.
+
+5.1. "all"
+
+ all = "all"
+
+ The "all" mechanism is a test that always matches. It is used as the
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 19]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+ rightmost mechanism in a record to provide an explicit default.
+
+ For example:
+
+ v=spf1 a mx -all
+
+ Mechanisms after "all" will never be tested. Any "redirect" modifier
+ (Section 6.1) has no effect when there is an "all" mechanism.
+
+5.2. "include"
+
+ include = "include" ":" domain-spec
+
+ The "include" mechanism triggers a recursive evaluation of
+ check_host(). The domain-spec is expanded as per Section 8. Then
+ check_host() is evaluated with the resulting string as the <domain>.
+ The <ip> and <sender> arguments remain the same as in the current
+ evaluation of check_host().
+
+ In hindsight, the name "include" was poorly chosen. Only the
+ evaluated result of the referenced SPF record is used, rather than
+ acting as if the referenced SPF record was literally included in the
+ first. For example, evaluating a "-all" directive in the referenced
+ record does not terminate the overall processing and does not
+ necessarily result in an overall "Fail". (Better names for this
+ mechanism would have been "if-pass", "on-pass", etc.)
+
+ The "include" mechanism makes it possible for one domain to designate
+ multiple administratively-independent domains. For example, a vanity
+ domain "example.net" might send mail using the servers of
+ administratively-independent domains example.com and example.org.
+
+ Example.net could say
+
+ IN TXT "v=spf1 include:example.com include:example.org -all"
+
+ This would direct check_host() to, in effect, check the records of
+ example.com and example.org for a "Pass" result. Only if the host
+ were not permitted for either of those domains would the result be
+ "Fail".
+
+ Whether this mechanism matches, does not match, or throws an error,
+ depends on the result of the recursive evaluation of check_host():
+
+
+
+
+
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 20]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+ +---------------------------------+---------------------------------+
+ | A recursive check_host() result | Causes the "include" mechanism |
+ | of: | to: |
+ +---------------------------------+---------------------------------+
+ | Pass | match |
+ | | |
+ | Fail | not match |
+ | | |
+ | SoftFail | not match |
+ | | |
+ | Neutral | not match |
+ | | |
+ | TempError | throw TempError |
+ | | |
+ | PermError | throw PermError |
+ | | |
+ | None | throw PermError |
+ +---------------------------------+---------------------------------+
+
+ The "include" mechanism is intended for crossing administrative
+ boundaries. While it is possible to use includes to consolidate
+ multiple domains that share the same set of designated hosts, domains
+ are encouraged to use redirects where possible, and to minimize the
+ number of includes within a single administrative domain. For
+ example, if example.com and example.org were managed by the same
+ entity, and if the permitted set of hosts for both domains were
+ "mx:example.com", it would be possible for example.org to specify
+ "include:example.com", but it would be preferable to specify
+ "redirect=example.com" or even "mx:example.com".
+
+5.3. "a"
+
+ This mechanism matches if <ip> is one of the <target-name>'s IP
+ addresses.
+
+ A = "a" [ ":" domain-spec ] [ dual-cidr-length ]
+
+ An address lookup is done on the <target-name>. The <ip> is compared
+ to the returned address(es). If any address matches, the mechanism
+ matches.
+
+5.4. "mx"
+
+ This mechanism matches if <ip> is one of the MX hosts for a domain
+ name.
+
+ MX = "mx" [ ":" domain-spec ] [ dual-cidr-length ]
+
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 21]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+ check_host() first performs an MX lookup on the <target-name>. Then
+ it performs an address lookup on each MX name returned. The <ip> is
+ compared to each returned IP address. To prevent DoS attacks, more
+ than 10 MX names MUST NOT be looked up during the evaluation of an
+ "mx" mechanism (see Section 10). If any address matches, the
+ mechanism matches.
+
+ Note regarding implicit MXes: If the <target-name> has no MX records,
+ check_host() MUST NOT pretend the target is its single MX, and MUST
+ NOT default to an A lookup on the <target-name> directly. This
+ behavior breaks with the legacy "implicit MX" rule. See [RFC2821]
+ Section 5. If such behavior is desired, the publisher should specify
+ an "a" directive.
+
+5.5. "ptr"
+
+ This mechanism tests whether the DNS reverse mapping for <ip> exists
+ and correctly points to a domain name within a particular domain.
+
+ PTR = "ptr" [ ":" domain-spec ]
+
+ First the <ip>'s name is looked up using this procedure: perform a
+ DNS reverse-mapping for <ip>, looking up the corresponding PTR record
+ in "in-addr.arpa." if the address is an IPv4 one and in "ip6.arpa."
+ if it is an IPv6 address. For each record returned, validate the
+ domain name by looking up its IP address. To prevent DoS attacks,
+ more than 10 PTR names MUST NOT be looked up during the evaluation of
+ a "ptr" mechanism (see Section 10). If <ip> is among the returned IP
+ addresses, then that domain name is validated. In pseudocode:
+
+ sending-domain_names := ptr_lookup(sending-host_IP);
+ if more than 10 sending-domain_names are found, use at most 10.
+ for each name in (sending-domain_names) {
+ IP_addresses := a_lookup(name);
+ if the sending-domain_IP is one of the IP_addresses {
+ validated-sending-domain_names += name;
+ }
+ }
+
+ Check all validated domain names to see if they end in the
+ <target-name> domain. If any do, this mechanism matches. If no
+ validated domain name can be found, or if none of the validated
+ domain names end in the <target-name>, this mechanism fails to match.
+ If a DNS error occurs while doing the PTR RR lookup, then this
+ mechanism fails to match. If a DNS error occurs while doing an A RR
+ lookup, then that domain name is skipped and the search continues.
+
+
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 22]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+ Pseudocode:
+
+ for each name in (validated-sending-domain_names) {
+ if name ends in <domain-spec>, return match.
+ if name is <domain-spec>, return match.
+ }
+ return no-match.
+
+ This mechanism matches if the <target-name> is either an ancestor of
+ a validated domain name, or if the <target-name> and a validated
+ domain name are the same. For example: "mail.example.com" is within
+ the domain "example.com", but "mail.bad-example.com" is not.
+
+ Note: Use of this mechanism is discouraged because it is slow, is not
+ as reliable as other mechanisms in cases of DNS errors and it places
+ a large burden on the arpa name servers. If used, proper PTR records
+ must be in place for the domain's hosts and the "ptr" mechanism
+ should be one of the last mechanisms checked.
+
+5.6. "ip4" and "ip6"
+
+ These mechanisms test whether <ip> is contained within a given IP
+ network.
+
+ IP4 = "ip4" ":" ip4-network [ ip4-cidr-length ]
+ IP6 = "ip6" ":" ip6-network [ ip6-cidr-length ]
+
+ ip4-cidr-length = "/" 1*DIGIT
+ ip6-cidr-length = "/" 1*DIGIT
+ dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ]
+
+ ip4-network = qnum "." qnum "." qnum "." qnum
+ qnum = DIGIT ; 0-9
+ / %x31-39 DIGIT ; 10-99
+ / "1" 2DIGIT ; 100-199
+ / "2" %x30-34 DIGIT ; 200-249
+ / "25" %x30-35 ; 250-255
+ ; as per conventional dotted quad notation. e.g. 192.0.2.0
+ ip6-network = <as per [RFC 3513], section 2.2>
+ ; e.g. 2001:DB8::CD30
+
+ The <ip> is compared to the given network. If CIDR-length high-order
+ bits match, the mechanism matches.
+
+ If ip4-cidr-length is omitted it is taken to be "/32". If
+ ip6-cidr-length is omitted it is taken to be "/128". It is not
+ permitted to omit parts of the IP address instead of using CIDR
+ notations. That is, use 192.0.2.0/24 instead of 192.0.2.
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 23]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+5.7. "exists"
+
+ This mechanism is used to construct an arbitrary domain name that is
+ used for a DNS A record query. It allows for complicated schemes
+ involving arbitrary parts of the mail envelope to determine what is
+ permitted.
+
+ exists = "exists" ":" domain-spec
+
+ The domain-spec is expanded as per Section 8. The resulting domain
+ name is used for a DNS A RR lookup. If any A record is returned,
+ this mechanism matches. The lookup type is 'A' even when the
+ connection type is IPv6.
+
+ Domains can use this mechanism to specify arbitrarily complex
+ queries. For example, suppose example.com publishes the record:
+
+ v=spf1 exists:%{ir}.%{l1r+-}._spf.%{d} -all
+
+ The <target-name> might expand to
+ "1.2.0.192.someuser._spf.example.com". This makes fine-grained
+ decisions possible at the level of the user and client IP address.
+
+ This mechanism enables queries that mimic the style of tests that
+ existing anti-spam DNS blacklists (DNSBL) use.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 24]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+6. Modifier Definitions
+
+ Modifiers are name/value pairs that provide additional information.
+ Modifiers always have an "=" separating the name and the value.
+
+ The modifiers defined in this document ("redirect" and "exp") MAY
+ appear anywhere in the record, but SHOULD appear at the end, after
+ all mechanisms. Ordering of these two modifiers does not matter.
+ These two modifiers MUST NOT appear in a record more than once each.
+ If they do, then check_host() exits with a result of "PermError".
+
+ Unrecognized modifiers MUST be ignored no matter where in a record,
+ or how often. This allows implementations of this document to
+ gracefully handle records with modifiers that are defined in other
+ specifications.
+
+6.1. redirect: Redirected Query
+
+ If all mechanisms fail to match, and a "redirect" modifier is
+ present, then processing proceeds as follows:
+
+ redirect = "redirect" "=" domain-spec
+
+ The domain-spec portion of the redirect section is expanded as per
+ the macro rules in Section 8. Then check_host() is evaluated with
+ the resulting string as the <domain>. The <ip> and <sender>
+ arguments remain the same as current evaluation of check_host().
+
+ The result of this new evaluation of check_host() is then considered
+ the result of the current evaluation with the exception that if no
+ SPF record is found, or if the target-name is malformed, the result
+ is a "PermError" rather than "None".
+
+ Note that the newly-queried domain may itself specify redirect
+ processing.
+
+ This facility is intended for use by organizations that wish to apply
+ the same record to multiple domains. For example:
+
+ la.example.com. TXT "v=spf1 redirect=_spf.example.com"
+ ny.example.com. TXT "v=spf1 redirect=_spf.example.com"
+ sf.example.com. TXT "v=spf1 redirect=_spf.example.com"
+ _spf.example.com. TXT "v=spf1 mx:example.com -all"
+
+ In this example, mail from any of the three domains is described by
+ the same record. This can be an administrative advantage.
+
+ Note: In general, the domain "A" cannot reliably use a redirect to
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 25]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+ another domain "B" not under the same administrative control. Since
+ the <sender> stays the same, there is no guarantee that the record at
+ domain "B" will correctly work for mailboxes in domain "A",
+ especially if domain "B" uses mechanisms involving localparts. An
+ "include" directive may be more appropriate.
+
+ For clarity it is RECOMMENDED that any "redirect" modifier appear as
+ the very last term in a record.
+
+6.2. exp: Explanation
+
+ explanation = "exp" "=" domain-spec
+
+ If check_host() results in a "Fail" due to a mechanism match (such as
+ "-all"), and the "exp" modifier is present, then the explanation
+ string returned is computed as described below. If no "exp" modifier
+ is present, then either a default explanation string or an empty
+ explanation string may be returned.
+
+ The <domain-spec> is macro expanded (see Section 8) and becomes the
+ <target-name>. The DNS TXT record for the <target-name> is fetched.
+
+ If <domain-spec> is empty, or there are any DNS processing errors
+ (any RCODE other than 0), or if no records are returned, or if more
+ than one record is returned, or if there are syntax errors in the
+ explanation string, then proceed as if no exp modifier was given.
+
+ The fetched TXT record's strings are concatenated with no spaces, and
+ then treated as an <explain-string> which is macro-expanded. This
+ final result is the explanation string. Implementations MAY limit
+ the length of the resulting explanation string to allow for other
+ protocol constraints and/or reasonable processing limits. Since the
+ explanation string is intended for an SMTP response and [RFC2821]
+ section 2.4 says that responses are in [US-ASCII], the explanation
+ string is also limited to US-ASCII.
+
+ Software evaluating check_host() can use this string to communicate
+ information from the publishing domain in the form of a short message
+ or URL. Software SHOULD make it clear that the explanation string
+ comes from a third party. For example, it can prepend the macro
+ string "%{o} explains: " to the explanation, such as shown in
+ Section 2.5.4.
+
+ Suppose example.com has this record:
+
+ v=spf1 mx -all exp=explain._spf.%{d}
+
+ Here are some examples of possible explanation TXT records at
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 26]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+ explain._spf.example.com:
+ "Mail from example.com should only be sent by its own servers."
+ -- a simple, constant message
+
+ "%{i} is not one of %{d}'s designated mail servers."
+ -- a message with a little more info, including the IP address
+ that failed the check
+
+ "See http://%{d}/why.html?s=%{S}&i=%{I}"
+ -- a complicated example that constructs a URL with the
+ arguments to check_host() so that a web page can be
+ generated with detailed, custom instructions
+
+ Note: During recursion into an "include" mechanism, an exp= modifier
+ from the <target-name> MUST NOT be used. In contrast, when executing
+ a "redirect" modifier, an exp= modifier from the original domain MUST
+ NOT be used.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 27]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+7. The Received-SPF header field
+
+ It is RECOMMENDED that SMTP receivers record the result of SPF
+ processing in the message headers. If an SMTP receiver chooses to do
+ so, it SHOULD use the "Received-SPF" header defined here for each
+ identity that was checked. This information is intended for the
+ recipient. (Information intended for the sender is described in
+ Section 6.2, Explanation.)
+
+ The Received-SPF header is a trace field (see [RFC2822] section
+ 3.6.7) and SHOULD be prepended to existing headers, above the
+ Received: header that is generated by the SMTP receiver. It MUST
+ appear above any other Received-SPF headers in the message. The
+ header has the format:
+
+ header = "Received-SPF:" [CFWS] result FWS [comment FWS]
+ [ key-value-list ] CRLF
+
+ result = "Pass" / "Fail" / "SoftFail" / "Neutral" /
+ "None" / "TempError" / "PermError"
+
+ key-value-list = key-value-pair *( ";" [CFWS] key-value-pair )
+ [";"]
+
+ key-value-pair = key [CFWS] "=" ( dot-atom / quoted-string )
+
+ key = "client-ip" / "envelope-from" / "helo" /
+ "problem" / "receiver" / "identity" /
+ mechanism / "x-" name / name
+
+ identity = "mailfrom" ; for the "MAIL FROM" identity
+ / "helo" ; for the "HELO" identity
+ / name ; other identities
+
+ dot-atom = <unquoted word as per [RFC2822]>
+ quoted-string = <quoted string as per [RFC2822]>
+ comment = <comment string as per [RFC2822]>
+ CFWS = <comment or folding white space as per [RFC2822]>
+ FWS = <folding white space as per [RFC2822]>
+ CRLF = <standard end-of-line token as per [RFC2822]>
+
+ The header SHOULD include a "(...)" style <comment> after the result,
+ conveying supporting information for the result, such as <ip>,
+ <sender> and <domain>.
+
+ The following key-value pairs are designed for later machine parsing.
+ SPF clients SHOULD give enough information so that the SPF results
+ can be verified. That is, at least the "client-ip", "helo", and, if
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 28]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+ the "MAIL FROM" identity was checked, the "envelope-from".
+
+ client-ip the IP address of the SMTP client
+
+ envelope-from the envelope sender mailbox
+
+ helo the host name given in the HELO or EHLO command
+
+ mechanism the mechanism that matched (if no mechanisms matched,
+ substitute the word "default".)
+
+ problem if an error was returned, details about the error
+
+ receiver the host name of the SPF client
+
+ identity the identity that was checked, see the <identity> ABNF
+ rule.
+
+ Other keys may be defined by SPF clients. Until a new key name
+ becomes widely accepted, new key names should start with "x-".
+
+ SPF clients MUST make sure that the Received-SPF header does not
+ contain invalid characters, is not excessively long, and does not
+ contain malicious data that has been provided by the sender.
+
+ Examples of various header styles that could be generated:
+
+ Received-SPF: Pass (mybox.example.org: domain of
+ myname@example.com designates 192.0.2.1 as permitted sender)
+ receiver=mybox.example.org; client-ip=192.0.2.1;
+ envelope-from=<myname@example.com>; helo=foo.example.com;
+
+
+ Received-SPF: Fail (mybox.example.org: domain of
+ myname@example.com does not designate
+ 192.0.2.1 as permitted sender)
+ identity=mailfrom; client-ip=192.0.2.1;
+ envelope-from=<myname@example.com>;
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 29]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+8. Macros
+
+8.1. Macro definitions
+
+ Many mechanisms and modifiers perform macro expansion on part of the
+ term.
+
+ domain-spec = macro-string domain-end
+ domain-end = ( "." toplabel ) / macro-expand
+
+ toplabel = ALPHA / ALPHA *[ alphanum / "-" ] alphanum
+ ; LDH rule (See [RFC3696])
+ alphanum = ALPHA / DIGIT
+
+ explain-string = *( macro-string / SP )
+
+ macro-string = *( macro-expand / macro-literal )
+ macro-expand = ( "%{" macro-letter transformers *delimiter "}" )
+ / "%%" / "%_" / "%-"
+ macro-literal = %x21-24 / %x26-7E
+ ; visible characters except "%"
+ macro-letter = "s" / "l" / "o" / "d" / "i" / "p" / "h" /
+ "c" / "r" / "t"
+ transformers = *DIGIT [ "r" ]
+ delimiter = "." / "-" / "+" / "," / "/" / "_" / "="
+
+ A literal "%" is expressed by "%%".
+
+ "%_" expands to a single " " space.
+ "%-" expands to a URL-encoded space, viz. "%20".
+
+ The following macro letters are expanded in term arguments:
+
+ s = <sender>
+ l = local-part of <sender>
+ o = domain of <sender>
+ d = <domain>
+ i = <ip>
+ p = the validated domain name of <ip>
+ v = the string "in-addr" if <ip> is ipv4, or "ip6" if <ip> is ipv6
+ h = HELO/EHLO domain
+
+ The following macro letters are only allowed in "exp" text:
+
+ c = SMTP client IP (easily readable format)
+ r = domain name of host performing the check
+ t = current timestamp
+
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 30]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+ A '%' character not followed by a '{', '%', '-', or '_' character is
+ a syntax error. So,
+
+ -exists:%(ir).sbl.spamhaus.example.org
+
+ is incorrect and will cause check_host() to return a "PermError".
+ Instead, say
+
+ -exists:%{ir}.sbl.spamhaus.example.org
+
+ Optional transformers are:
+
+ *DIGIT = zero or more digits
+ 'r' = reverse value, splitting on dots by default
+
+ If transformers or delimiters are provided, the replacement value for
+ a macro letter is split into parts. After performing any reversal
+ operation and/or removal of left-hand parts, the parts are rejoined
+ using "." and not the original splitting characters.
+
+ By default, strings are split on "." (dots). Note that no special
+ treatment is given to leading, trailing or consecutive delimiters,
+ and so the list of parts may contain empty strings. Macros may
+ specify delimiter characters which are used instead of ".".
+
+ The 'r' transformer indicates a reversal operation: if the client IP
+ address were 192.0.2.1, the macro %{i} would expand to "192.0.2.1"
+ and the macro %{ir} would expand to "1.2.0.192".
+
+ The DIGIT transformer indicates the number of right-hand parts to
+ use, after optional reversal. If a DIGIT is specified, the value
+ MUST be nonzero. If no DIGITs are specified, or if the value
+ specifies more parts than are available, all the available parts are
+ used. If the DIGIT was 5, and only 3 parts were available, the macro
+ interpreter would pretend the DIGIT was 3. Implementations MUST
+ support at least a value of 128, as that is the maximum number of
+ labels in a domain name.
+
+ The "s" macro expands to the <sender> argument. It is an e-mail
+ address with a localpart, an "@" character, and a domain. The "l"
+ macro expands to just the localpart. The "o" macro expands to just
+ the domain part. Note that these values remain the same during
+ recursive and chained evaluations due to "include" and/or "redirect".
+ Note also that if the original <sender> had no localpart, the
+ localpart was set to "postmaster" in initial processing (see
+ Section 4.3).
+
+ For IPv4 addresses, both the "i" and "c" macros expand to the
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 31]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+ standard dotted-quad format.
+
+ For IPv6 addresses, the "i" macro expands to a dot-format address; it
+ is intended for use in %{ir}. The "c" macro may expand to any of the
+ hexadecimal colon-format addresses specified in [RFC3513] section
+ 2.2. It is intended for humans to read.
+
+ The "p" macro expands to the validated domain name of <ip>. The
+ procedure for finding the validated domain name is defined in
+ Section 5.5. If the <domain> is present in the list of validated
+ domains, it SHOULD be used. Otherwise, if a subdomain of the
+ <domain> is present, it SHOULD be used. Otherwise, any name from the
+ list may be used. If there are no validated domain names or if a DNS
+ error occurs, the string "unknown" is used.
+
+ The "r" macro expands to the name of the receiving MTA. This SHOULD
+ be a fully qualified domain name, but if one does not exist (as when
+ the checking is done by a MUA) or if policy restrictions dictate
+ otherwise, the word "unknown" SHOULD be substituted. The domain name
+ may be different than the name found in the MX record that the client
+ MTA used to locate the receiving MTA.
+
+ The "t" macro expands to the decimal representation of the
+ approximate number of seconds since the Epoch (Midnight, January 1st,
+ 1970, UTC). This is the same value as is returned by the POSIX
+ time() function in most standards-compliant libraries.
+
+ When the result of macro expansion is used in a domain name query, if
+ the expanded domain name exceeds 253 characters (the maximum length
+ of a domain name), the left side is truncated to fit, by removing
+ successive domain labels until the total length does not exceed 253
+ characters.
+
+ Uppercased macros expand exactly as their lower case equivalents, and
+ are then URL escaped. URL escaping must be performed for characters
+ not in the "uric" set, which is defined in [RFC3986].
+
+ Note: Care must be taken so that macro expansion for legitimate
+ e-mail does not exceed the 63 character limit on DNS labels. The
+ localpart of e-mail addresses, in particular, can have more than 63
+ characters between dots.
+
+ Note: Domains should avoid using the "s", "l", "o", or "h" macros in
+ conjunction with any mechanism directive. While these macros are
+ powerful and allow per-user records to be published, they severely
+ limit the ability of implementations to cache results of check_host()
+ and they reduce the effectiveness of DNS caches.
+
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 32]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+ Implementations should be aware that if no directive processed during
+ the evaluation of check_host() contains an "s", "l", "o" or "h"
+ macro, then the results of the evaluation can be cached on the basis
+ of <domain> and <ip> alone for as long as the shortest TTL of all the
+ DNS records involved.
+
+8.2. Expansion Examples
+
+ The <sender> is strong-bad@email.example.com.
+ The IPv4 SMTP client IP is 192.0.2.3.
+ The IPv6 SMTP client IP is 2001:DB8::CB01.
+ The PTR domain name of the client IP is mx.example.org.
+
+
+ macro expansion
+ ------- ----------------------------
+ %{s} strong-bad@email.example.com
+ %{o} email.example.com
+ %{d} email.example.com
+ %{d4} email.example.com
+ %{d3} email.example.com
+ %{d2} example.com
+ %{d1} com
+ %{dr} com.example.email
+ %{d2r} example.email
+ %{l} strong-bad
+ %{l-} strong.bad
+ %{lr} strong-bad
+ %{lr-} bad.strong
+ %{l1r-} strong
+
+ macro-string expansion
+ --------------------------------------------------------------------
+ %{ir}.%{v}._spf.%{d2} 3.2.0.192.in-addr._spf.example.com
+ %{lr-}.lp._spf.%{d2} bad.strong.lp._spf.example.com
+
+ %{lr-}.lp.%{ir}.%{v}._spf.%{d2}
+ bad.strong.lp.3.2.0.192.in-addr._spf.example.com
+
+ %{ir}.%{v}.%{l1r-}.lp._spf.%{d2}
+ 3.2.0.192.in-addr.strong.lp._spf.example.com
+
+ %{d2}.trusted-domains.example.net
+ example.com.trusted-domains.example.net
+
+ IPv6:
+ %{ir}.%{v}._spf.%{d2} 1.0.B.C.0.0.0.0.
+ 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.B.D.0.1.0.0.2.ip6._spf.example.com
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 33]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+9. Implications
+
+ This section outlines the major implications that adoption of this
+ document will have on various entities involved in Internet e-mail.
+ It is intended to make clear to the reader where this document
+ knowingly affects the operation of such entities. This section is
+ not a "how-to" manual, nor a "best practices" document, and is not a
+ comprehensive list of what such entities should do in light of this
+ document.
+
+ This section is non-normative.
+
+9.1. Sending Domains
+
+ Domains that wish to be compliant with this specification will need
+ to determine the list of hosts that they allow to use their domain
+ name in the "HELO" and "MAIL FROM" identities. It is recognized that
+ forming such a list is not just a simple technical exercise, but
+ involves policy decisions with both technical and administrative
+ considerations.
+
+ It can be helpful to publish records that include a "tracking
+ exists:" mechanism. By looking at the name server logs, a rough list
+ may then be generated. For example:
+
+ v=spf1 exists:_h.%{h}._l.%{l}._o.%{o}._i.%{i}._spf.%{d} ?all
+
+9.2. Mailing Lists
+
+ Mailing lists must be aware of how they re-inject mail that is sent
+ to the list. Mailing lists MUST comply with the requirements in
+ [RFC2821] Section 3.10 and [RFC1123] Section 5.3.6 that say that the
+ reverse-path MUST be changed to be the mailbox of a person or other
+ entity who administers the list. While the reasons for changing the
+ reverse-path are many and long standing, SPF adds enforcement to this
+ requirement.
+
+ In practice, almost all mailing list software in use already complies
+ with this requirement. Mailing lists that do not comply may or may
+ not encounter problems depending on how access to the list is
+ restricted. Such lists that are entirely internal to a domain (only
+ people in the domain can send to or receive from the list) are not
+ affected.
+
+9.3. Forwarding Services and Aliases
+
+ Forwarding services take mail that is received at a mailbox and
+ direct it to some external mailbox. At the time of this writing, the
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 34]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+ near-universal practice of such services is to use the original "MAIL
+ FROM" of a message when re-injecting it for delivery to the external
+ mailbox. [RFC1123] and [RFC2821] describe this action as an "alias"
+ rather than a "mail list". This means the external mailbox's MTA
+ sees all such mail in a connection from a host of the forwarding
+ service, and so the "MAIL FROM" identity will not, in general, pass
+ authorization.
+
+ There are three places that techniques can be used to ameliorate this
+ problem.
+
+ 1. The beginning, when e-mail is first sent.
+
+ 1. "Neutral" results could be given for IP addresses that may be
+ forwarders, instead of "Fail" results. For example:
+
+ "v=spf1 mx -exists:%{ir}.sbl.spamhaus.example.org ?all"
+
+ This would cause a lookup on an anti-spam DNS blocklist
+ (DNSBL) and cause a result of "Fail" only for e-mail coming
+ from listed sources. All other e-mail, including e-mail sent
+ through forwarders, would receive a "Neutral" result. By
+ checking the DNSBL after the known good sources, problems
+ with incorrect listing on the DNSBL are greatly reduced.
+
+ 2. The "MAIL FROM" identity could have additional information in
+ the localpart that cryptographically identifies the mail as
+ coming from an authorized source. In this case, such an SPF
+ record could be used:
+
+ "v=spf1 mx exists:%{l}._spf_verify.%{d} -all"
+
+ Then, a specialized DNS server can be set up to serve the
+ _spf_verify subdomain which validates the localpart. While
+ this requires an extra DNS lookup, this only happens when the
+ e-mail would otherwise be rejected as not coming from a known
+ good source.
+
+ Note that due to the 63 character limit for domain labels,
+ this approach only works reliably if the localpart signature
+ scheme is guaranteed either to only produce localparts with a
+ maximum of 63 characters or to gracefully handle truncated
+ localparts.
+
+ 3. Similarly, a specialized DNS server could be set up that will
+ rate-limit the e-mail coming from unexpected IP addresses.
+
+
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 35]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+ "v=spf1 mx exists:%{ir}._spf_rate.%{d} -all"
+
+ 4. SPF allows the creation of per-user policies for special
+ cases. For example, the following SPF record and appropriate
+ wildcard DNS records can be used:
+
+ "v=spf1 mx redirect=%{l1r+}._at_.%{o}._spf.%{d}"
+
+ 2. The middle, when e-mail is forwarded.
+
+ 1. Forwarding services can solve the problem by rewriting the
+ "MAIL FROM" to be in their own domain. This means that mail
+ bounced from the external mailbox will have to be re-bounced
+ by the forwarding service. Various schemes to do this exist
+ though they vary widely in complexity and resource
+ requirements on the part of the forwarding service.
+
+ 2. Several popular MTAs can be forced from "alias" semantics to
+ "mailing list" semantics by configuring an additional alias
+ with "owner-" prepended to the original alias name (e.g. an
+ alias of "friends: george@example.com, fred@example.org"
+ would need another alias of the form "owner-friends:
+ localowner").
+
+ 3. The end, when e-mail is received.
+
+ 1. If the owner of the external mailbox wishes to trust the
+ forwarding service, they can direct the external mailbox's
+ MTA to skip SPF tests when the client host belongs to the
+ forwarding service.
+
+ 2. Tests against other identities, such as the "HELO" identity,
+ may be used to override a failed test against the "MAIL FROM"
+ identity.
+
+ 3. For larger domains, it may not be possible to have a complete
+ or accurate list of forwarding services used by the owners of
+ the domain's mailboxes. In such cases, whitelists of
+ generally-recognized forwarding services could be employed.
+
+9.4. Mail Services
+
+ Service providers that offer mail services to third-party domains,
+ such as sending of bulk mail, may have to adjust their setup in light
+ of the authorization check described in this document. If the "MAIL
+ FROM" identity used for such e-mail uses the domain of the service
+ provider, then the provider needs only to ensure that their sending
+ host is authorized by their own SPF record, if any.
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 36]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+ If the "MAIL FROM" identity does not use the mail service provider's
+ domain, then extra care must be taken. The SPF record format has
+ several options for the third party domain to authorize the service
+ provider's MTAs to send mail on its behalf. For mail service
+ providers, such as ISPs, that have a wide variety of customers using
+ the same MTA, steps should be taken to prevent cross-customer forgery
+ (see Section 10.4).
+
+9.5. MTA Relays
+
+ The authorization check generally precludes the use of arbitrary MTA
+ relays between sender and receiver of an e-mail message.
+
+ Within an organization, MTA relays can be effectively deployed.
+ However, for purposes of this document, such relays are effectively
+ transparent. The SPF authorization check is a check between border
+ MTAs of different domains.
+
+ For mail senders, this means that published SPF records must
+ authorize any MTAs that actually send across the Internet. Usually,
+ these are just the border MTAs as internal MTAs simply forward mail
+ to these MTAs for delivery.
+
+ Mail receivers will generally want to perform the authorization check
+ at the border MTAs, specifically including all secondary MXes. This
+ allows mail that fails to be rejected during the SMTP session rather
+ than bounced. Internal MTAs then do not perform the authorization
+ test. To perform the authorization test other than at the border,
+ the host that first transferred the message to the organization must
+ be determined, which can be difficult to extract from headers.
+ Testing other than at the border is not recommended.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 37]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+10. Security Considerations
+
+10.1. Processing Limits
+
+ As with most aspects of e-mail, there are a number of ways that
+ malicious parties could use the protocol as an avenue for a Denial-
+ of-Service (DoS) attack. The processing limits outlined here are
+ designed to prevent attacks such as:
+
+ o A malicious party could create an SPF record with many references
+ to a victim's domain and send many e-mails to different SPF
+ clients; those SPF clients would then create a DoS attack. In
+ effect, the SPF clients are being used to amplify the attacker's
+ bandwidth by using fewer bytes in the SMTP session than are used
+ by the DNS queries. Using SPF clients also allows the attacker to
+ hide the true source of the attack.
+
+ o While implementations of check_host() are supposed to limit the
+ number of DNS lookups, malicious domains could publish records
+ that exceed these limits in an attempt to waste computation effort
+ at their targets when they send them mail. Malicious domains
+ could also design SPF records that cause particular
+ implementations to use excessive memory or CPU usage, or to
+ trigger bugs.
+
+ o Malicious parties could send a large volume of mail purporting to
+ come from the intended target to a wide variety of legitimate mail
+ hosts. These legitimate machines would then present a DNS load on
+ the target as they fetched the relevant records.
+
+ Of these, the case of a third party referenced in the SPF record is
+ the easiest for a DoS attack to effectively exploit. As a result,
+ limits that may seem reasonable for an individual mail server can
+ still allow an unreasonable amount of bandwidth amplification.
+ Therefore the processing limits need to be quite low.
+
+ SPF implementations MUST limit the number of mechanisms and modifiers
+ that do DNS lookups to at most 10 per SPF check, including any
+ lookups caused by the use of the "include" mechanism or the
+ "redirect" modifier. If this number is exceeded during a check, a
+ PermError MUST be returned. The "include", "a", "mx", "ptr", and
+ "exists" mechanisms as well as the "redirect" modifier do count
+ against this limit. The "all", "ip4" and "ip6" mechanisms do not
+ require DNS lookups and therefore do not count against this limit.
+ The "exp" modifier does not count against this limit because the DNS
+ lookup to fetch the explanation string occurs after the SPF record
+ has been evaluated.
+
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 38]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+ When evaluating the "mx" and "ptr" mechanisms, or the %{p} macro,
+ there MUST be a limit of no more than 10 MX or PTR RRs looked up and
+ checked.
+
+ SPF implementations SHOULD limit the total amount of data obtained
+ from the DNS queries. For example, when DNS over TCP or EDNS0 are
+ available, there may need to be an explicit limit to how much data
+ will be accepted to prevent excessive bandwidth usage or memory
+ usage, and DoS attacks.
+
+ MTAs or other processors MAY also impose a limit on the maximum
+ amount of elapsed time to evaluate check_host(). Such a limit SHOULD
+ allow at least 20 seconds. If such a limit is exceeded, the result
+ of authorization SHOULD be "TempError".
+
+ Domains publishing records SHOULD try to keep the number of "include"
+ mechanisms and chained "redirect" modifiers to a minimum. Domains
+ SHOULD also try to minimize the amount of other DNS information
+ needed to evaluate a record. This can be done by choosing directives
+ that require less DNS information and placing lower-cost mechanisms
+ earlier in the SPF record.
+
+ For example, consider a domain set up as:
+
+ example.com. IN MX 10 mx.example.com.
+ mx.example.com. IN A 192.0.2.1
+ a.example.com. IN TXT "v=spf1 mx:example.com -all"
+ b.example.com. IN TXT "v=spf1 a:mx.example.com -all"
+ c.example.com. IN TXT "v=spf1 ip4:192.0.2.1 -all"
+
+ Evaluating check_host() for the domain "a.example.com" requires the
+ MX records for "example.com", and then the A records for the listed
+ hosts. Evaluating for "b.example.com" only requires the A records.
+ Evaluating for "c.example.com" requires none.
+
+ However, there may be administrative considerations: using "a" over
+ "ip4" allows hosts to be renumbered easily. Using "mx" over "a"
+ allows the set of mail hosts to be changed easily.
+
+10.2. SPF-Authorized E-Mail May Be UBE
+
+ The "MAIL FROM" and "HELO" identity authorizations must not be
+ construed to provide more assurance than they do. It is entirely
+ possible for a malicious sender to inject a message using their own
+ domain in the identities used by SPF, to have that domain's SPF
+ record authorize the sending host, and yet the message content can
+ easily claim other identities in the headers. Unless the user or the
+ MUA takes care to note that the authorized identity does not match
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 39]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+ the other more commonly-presented identities (such as the From:
+ header), the user may be lulled into a false sense of security.
+
+10.3. Spoofed DNS and IP Data
+
+ There are two aspects of this protocol that malicious parties could
+ exploit to undermine the validity of the check_host() function:
+
+ o The evaluation of check_host() relies heavily on DNS. A malicious
+ attacker could attack the DNS infrastructure and cause
+ check_host() to see spoofed DNS data, and then return incorrect
+ results. This could include returning "Pass" for an <ip> value
+ where the actual domain's record would evaluate to "Fail". See
+ [RFC3833] for a description of the DNS weaknesses.
+
+ o The client IP address, <ip>, is assumed to be correct. A
+ malicious attacker could spoof TCP sequence numbers to make mail
+ appear to come from a permitted host for a domain that the
+ attacker is impersonating.
+
+10.4. Cross-User Forgery
+
+ By definition, SPF policies just map domain names to sets of
+ authorized MTAs, not whole e-mail addresses to sets of authorized
+ users. Although the "l" macro (Section 8) provides a limited way to
+ define individual sets of authorized MTAs for specific e-mail
+ addresses, it is generally impossible to verify, through SPF, the use
+ of specific e-mail addresses by individual users of the same MTA.
+
+ It is up to mail services and their MTAs to directly prevent cross-
+ user forgery: based on SMTP AUTH ([RFC2554]), users should be
+ restricted to using only those e-mail addresses that are actually
+ under their control (see [I-D.gellens-submit-bis] section 6.1).
+ Another means to verify the identity of individual users is message
+ cryptography such as PGP ([RFC2440]) or S/MIME ([RFC3851]).
+
+10.5. Untrusted Information Sources
+
+ SPF uses information supplied by third parties, such as the "HELO"
+ domain name, the "MAIL FROM" address, and SPF records. This
+ information is then passed to the receiver in the Received-SPF: mail
+ headers and possibly returned to the client MTA in the form of an
+ SMTP rejection message. This information must be checked for invalid
+ characters and excessively long lines.
+
+ When the authorization check fails, an explanation string may be
+ included in the reject response. Both the sender and the rejecting
+ receiver need to be aware that the explanation was determined by the
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 40]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+ publisher of the SPF record checked and, in general, not the
+ receiver. The explanation may contain malicious URLs, or it may be
+ offensive or misleading.
+
+ This is probably less of a concern than it may initially seem since
+ such messages are returned to the sender, and the explanation strings
+ come from the sender policy published by the domain in the identity
+ claimed by that very sender. As long as the DSN is not redirected to
+ someone other than the actual sender, the only people who see
+ malicious explanation strings are people whose messages claim to be
+ from domains that publish such strings in their SPF records. In
+ practice DSNs can be misdirected, such as when an MTA accepts an
+ e-mail and then later generates a DSN to a forged address, or when an
+ e-mail forwarder does not direct the DSN back to the original sender.
+
+10.6. Privacy Exposure
+
+ Checking SPF records causes DNS queries to be sent to the domain
+ owner. These DNS queries, especially if they are caused by the
+ "exists" mechanism, can contain information about who is sending
+ e-mail and likely to which MTA the e-mail is being sent to. This can
+ introduce some privacy concerns, which may be more or less of an
+ issue depending on local laws and the relationship between the domain
+ owner and the person sending the e-mail.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 41]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+11. Contributors and Acknowledgements
+
+ This document is largely based on the work of Meng Weng Wong and Mark
+ Lentczner. While, as this section acknowledges, many people have
+ contributed to this document, a very large portion of the writing and
+ editing are due to Meng and Mark.
+
+ This design owes a debt of parentage to [RMX] by Hadmut Danisch and
+ to [DMP] by Gordon Fecyk. The idea of using a DNS record to check
+ the legitimacy of an e-mail address traces its ancestry farther back
+ through messages on the namedroppers mailing list by Paul Vixie
+ [Vixie] (based on suggestion by Jim Miller) and by David Green
+ [Green].
+
+ Philip Gladstone contributed the concept of macros to the
+ specification, multiplying the expressiveness of the language and
+ making per-user and per-IP lookups possible.
+
+ The authors would also like to thank the literally hundreds of
+ individuals who have participated in the development of this design.
+ They are far too numerous to name, but they include:
+
+ The folks on the spf-discuss mailing list.
+ The folks on the SPAM-L mailing list.
+ The folks on the IRTF ASRG mailing list.
+ The folks on the IETF MARID mailing list.
+ The folks on #perl.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 42]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+12. IANA Considerations
+
+12.1. The SPF DNS Record Type
+
+ The IANA needs to assign a new Resource Record Type and Qtype from
+ the DNS Parameters Registry for the SPF RR type.
+
+12.2. The Received-SPF mail header
+
+ Per [RFC3864], the "Received-SPF:" header field is added to the IANA
+ Permanent Message Header Field Registry. The following is the
+ registration template:
+
+ Header field name: Received-SPF
+ Applicable protocol: mail ([RFC2822])
+ Status: standard
+ (Note to RFC Editor: Replace the status with the final
+ determination by the IESG)
+ Author/Change controller: IETF
+ Specification document(s): this Internet Draft
+ (Note to RFC Editor: Replace this with RFC YYYY (RFC number of
+ this spec))
+ Related information:
+ Requesting SPF Council review of any proposed changes and
+ additions to this field is recommended. For information about SPF
+ Council see http://spf.mehnle.net/
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 43]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+13. References
+
+13.1 Normative References
+
+ [RFC1035] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [RFC1123] Braden, R., "Requirements for Internet Hosts - Application
+ and Support", STD 3, RFC 1123, October 1989.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [I-D.crocker-abnf-rfc2234bis]
+ Crocker, D. and P. Overell, "Augmented BNF for Syntax
+ Specifications: ABNF", draft-crocker-abnf-rfc2234bis-00
+ (work in progress), March 2005.
+
+ [RFC2821] Klensin, J., "Simple Mail Transfer Protocol", RFC 2821,
+ April 2001.
+
+ [RFC2822] Resnick, P., "Internet Message Format", RFC 2822,
+ April 2001.
+
+ [RFC3464] Moore, K. and G. Vaudreuil, "An Extensible Message Format
+ for Delivery Status Notifications", RFC 3464,
+ January 2003.
+
+ [RFC3513] Hinden, R. and S. Deering, "Internet Protocol Version 6
+ (IPv6) Addressing Architecture", RFC 3513, April 2003.
+
+ [RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration
+ Procedures for Message Header Fields", BCP 90, RFC 3864,
+ September 2004.
+
+ [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
+ Resource Identifier (URI): Generic Syntax", STD 66,
+ RFC 3986, January 2005.
+
+ [US-ASCII]
+ American National Standards Institute (formerly United
+ States of America Standards Institute), "USA Code for
+ Information Interchange, X3.4", 1968.
+
+ ANSI X3.4-1968 has been replaced by newer versions with
+ slight modifications, but the 1968 version remains
+ definitive for the Internet.
+
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 44]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+13.2 Informative References
+
+ [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
+ STD 13, RFC 1034, November 1987.
+
+ [RFC1983] Malkin, G., "Internet Users' Glossary", RFC 1983,
+ August 1996.
+
+ [RFC2440] Callas, J., Donnerhacke, L., Finney, H., and R. Thayer,
+ "OpenPGP Message Format", RFC 2440, November 1998.
+
+ [I-D.gellens-submit-bis]
+ Gellens, R. and J. Klensin, "Message Submission for Mail",
+ draft-gellens-submit-bis-02 (work in progress),
+ April 2005.
+
+ [RFC2554] Myers, J., "SMTP Service Extension for Authentication",
+ RFC 2554, March 1999.
+
+ [RFC3696] Klensin, J., "Application Techniques for Checking and
+ Transformation of Names", RFC 3696, February 2004.
+
+ [RFC3833] Atkins, D. and R. Austein, "Threat Analysis of the Domain
+ Name System (DNS)", RFC 3833, August 2004.
+
+ [RFC3851] Ramsdell, B., "Secure/Multipurpose Internet Mail
+ Extensions (S/MIME) Version 3.1 Message Specification",
+ RFC 3851, July 2004.
+
+ [RMX] Danish, H., "The RMX DNS RR Type for light weight sender
+ authentication", October 2003.
+
+ Work In Progress
+
+ [DMP] Fecyk, G., "Designated Mailers Protocol", December 2003.
+
+ Work In Progress
+
+ [Vixie] Vixie, P., "Repudiating MAIL FROM", 2002.
+
+ [Green] Green, D., "Domain-Authorized SMTP Mail", 2002.
+
+
+
+
+
+
+
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 45]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+Appendix A. Collected ABNF
+
+ This section is normative and any discrepancies with the ABNF
+ fragments in the preceding text are to be resolved in favor of this
+ grammar.
+
+ See [I-D.crocker-abnf-rfc2234bis] for ABNF notation. Please note
+ that as per this ABNF definition, literal text strings (those in
+ quotes) are case-insensitive. Hence, "mx" matches "mx", "MX", "mX"
+ and "Mx".
+
+ record = version terms *SP
+ version = "v=spf1"
+
+ terms = *( 1*SP ( directive / modifier ) )
+
+ directive = [ qualifier ] mechanism
+ qualifier = "+" / "-" / "?" / "~"
+ mechanism = ( all / include
+ / A / MX / PTR / IP4 / IP6 / exists )
+
+ all = "all"
+ include = "include" ":" domain-spec
+ A = "a" [ ":" domain-spec ] [ dual-cidr-length ]
+ MX = "mx" [ ":" domain-spec ] [ dual-cidr-length ]
+ PTR = "ptr" [ ":" domain-spec ]
+ IP4 = "ip4" ":" ip4-network [ ip4-cidr-length ]
+ IP6 = "ip6" ":" ip6-network [ ip6-cidr-length ]
+ exists = "exists" ":" domain-spec
+
+ modifier = redirect / explanation / unknown-modifier
+ redirect = "redirect" "=" domain-spec
+ explanation = "exp" "=" domain-spec
+ unknown-modifier = name "=" macro-string
+
+ ip4-cidr-length = "/" 1*DIGIT
+ ip6-cidr-length = "/" 1*DIGIT
+ dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ]
+
+ ip4-network = qnum "." qnum "." qnum "." qnum
+ qnum = DIGIT ; 0-9
+ / %x31-39 DIGIT ; 10-99
+ / "1" 2DIGIT ; 100-199
+ / "2" %x30-34 DIGIT ; 200-249
+ / "25" %x30-35 ; 250-255
+ ; conventional dotted quad notation. e.g. 192.0.2.0
+ ip6-network = <as per [RFC 3513], section 2.2>
+ ; e.g. 2001:DB8::CD30
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 46]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+ domain-spec = macro-string domain-end
+ domain-end = ( "." toplabel ) / macro-expand
+ toplabel = ALPHA / ALPHA *[ alphanum / "-" ] alphanum
+ ; LDH rule (See [RFC3696])
+ alphanum = ALPHA / DIGIT
+
+ explain-string = *( macro-string / SP )
+
+ macro-string = *( macro-expand / macro-literal )
+ macro-expand = ( "%{" macro-letter transformers *delimiter "}" )
+ / "%%" / "%_" / "%-"
+ macro-literal = %x21-24 / %x26-7E
+ ; visible characters except "%"
+ macro-letter = "s" / "l" / "o" / "d" / "i" / "p" / "h" /
+ "c" / "r" / "t"
+ transformers = *DIGIT [ "r" ]
+ delimiter = "." / "-" / "+" / "," / "/" / "_" / "="
+
+ name = ALPHA *( ALPHA / DIGIT / "-" / "_" / "." )
+
+ header = "Received-SPF:" [CFWS] result FWS [comment FWS]
+ [ key-value-list ] CRLF
+
+ result = "Pass" / "Fail" / "SoftFail" / "Neutral" /
+ "None" / "TempError" / "PermError"
+
+ key-value-list = key-value-pair *( ";" [CFWS] key-value-pair )
+ [";"]
+
+ key-value-pair = key [CFWS] "=" ( dot-atom / quoted-string )
+
+ key = "client-ip" / "envelope-from" / "helo" /
+ "problem" / "receiver" / "identity" /
+ mechanism / "x-" name / name
+
+ identity = "mailfrom" ; for the "MAIL FROM" identity
+ / "helo" ; for the "HELO" identity
+ / name ; other identities
+
+ dot-atom = <unquoted word as per [RFC2822]>
+ quoted-string = <quoted string as per [RFC2822]>
+ comment = <comment string as per [RFC2822]>
+ CFWS = <comment or folding white space as per [RFC2822]>
+ FWS = <folding white space as per [RFC2822]>
+ CRLF = <standard end-of-line token as per [RFC2822]>
+
+
+
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 47]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+Appendix B. Extended Examples
+
+ These examples are based on the following DNS setup:
+
+ ; A domain with two mail servers, two hosts
+ ; and two servers at the domain name
+ $ORIGIN example.com.
+ @ MX 10 mail-a
+ MX 20 mail-b
+ A 192.0.2.10
+ A 192.0.2.11
+ amy A 192.0.2.65
+ bob A 192.0.2.66
+ mail-a A 192.0.2.129
+ mail-b A 192.0.2.130
+ www CNAME example.com.
+
+ ; A related domain
+ $ORIGIN example.org.
+ @ MX 10 mail-c
+ mail-c A 192.0.2.140
+
+ ; The reverse IP for those addresses
+ $ORIGIN 2.0.192.in-addr.arpa.
+ 10 PTR example.com.
+ 11 PTR example.com.
+ 65 PTR amy.example.com.
+ 66 PTR bob.example.com.
+ 129 PTR mail-a.example.com.
+ 130 PTR mail-b.example.com.
+ 140 PTR mail-c.example.org.
+
+ ; A rogue reverse IP domain that claims to be
+ ; something it's not
+ $ORIGIN 0.0.10.in-addr.arpa.
+ 4 PTR bob.example.com.
+
+B.1. Simple Examples
+
+ These examples show various possible published records for
+ example.com and which values if <ip> would cause check_host() to
+ return "Pass". Note that <domain> is "example.com".
+
+ v=spf1 +all
+ -- any <ip> passes
+
+ v=spf1 a -all
+ -- hosts 192.0.2.10 and 192.0.2.11 pass
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 48]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+ v=spf1 a:example.org -all
+ -- no sending hosts pass since example.org has no A records
+
+ v=spf1 mx -all
+ -- sending hosts 192.0.2.129 and 192.0.2.130 pass
+
+ v=spf1 mx:example.org -all
+ -- sending host 192.0.2.140 passes
+
+ v=spf1 mx mx:example.org -all
+ -- sending hosts 192.0.2.129, 192.0.2.130, and 192.0.2.140 pass
+
+ v=spf1 mx/30 mx:example.org/30 -all
+ -- any sending host in 192.0.2.128/30 or 192.0.2.140/30 passes
+
+ v=spf1 ptr -all
+ -- sending host 192.0.2.65 passes (reverse DNS is valid and is in
+ example.com)
+ -- sending host 192.0.2.140 fails (reverse DNS is valid, but not
+ in example.com)
+ -- sending host 10.0.0.4 fails (reverse IP is not valid)
+
+ v=spf1 ip4:192.0.2.128/28 -all
+ -- sending host 192.0.2.65 fails
+ -- sending host 192.0.2.129 passes
+
+B.2. Multiple Domain Example
+
+ These examples show the effect of related records:
+
+ example.org: "v=spf1 include:example.com include:example.net -all"
+
+ This record would be used if mail from example.org actually came
+ through servers at example.com and example.net. Example.org's
+ designated servers are the union of example.com's and example.net's
+ designated servers.
+
+ la.example.org: "v=spf1 redirect=example.org"
+ ny.example.org: "v=spf1 redirect=example.org"
+ sf.example.org: "v=spf1 redirect=example.org"
+
+ These records allow a set of domains that all use the same mail
+ system to make use of that mail system's record. In this way, only
+ the mail system's record needs to be updated when the mail setup
+ changes. These domains' records never have to change.
+
+
+
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 49]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+B.3. DNSBL Style Example
+
+ Imagine that, in addition to the domain records listed above, there
+ are these:
+
+ $ORIGIN _spf.example.com.
+ mary.mobile-users A 127.0.0.2
+ fred.mobile-users A 127.0.0.2
+ 15.15.168.192.joel.remote-users A 127.0.0.2
+ 16.15.168.192.joel.remote-users A 127.0.0.2
+
+ The following records describe users at example.com who mail from
+ arbitrary servers, or who mail from personal servers.
+
+ example.com:
+
+ v=spf1 mx
+ include:mobile-users._spf.%{d}
+ include:remote-users._spf.%{d}
+ -all
+
+ mobile-users._spf.example.com:
+
+ v=spf1 exists:%{l1r+}.%{d}
+
+ remote-users._spf.example.com:
+
+ v=spf1 exists:%{ir}.%{l1r+}.%{d}
+
+B.4. Multiple Requirements Example
+
+ Say that your sender policy requires that both the IP address is
+ within a certain range and that the reverse DNS for the IP matches.
+ This can be done several ways, including:
+
+ example.com. SPF ( "v=spf1 "
+ "-include:ip4._spf.%{d} "
+ "-include:ptr._spf.%{d} "
+ "+all" )
+ ip4._spf.example.com. SPF "v=spf1 -ip4:192.0.2.0/24 +all"
+ ptr._spf.example.com. SPF "v=spf1 -ptr +all"
+
+ This example shows how the "-include" mechanism can be useful, how an
+ SPF record that ends in "+all" can be very restrictive and the use of
+ De Morgan's Law.
+
+
+
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 50]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+Appendix C. Change Log
+
+ RFC Editor Note: This section is to be removed during the final
+ publication of the document.
+
+C.1. Changes in Version -02
+
+ o The abstract notes that SPF-classic covers both the HELO and MAIL
+ FROM identities. (ietf-822 review)
+
+ o In section 2.3 "Publishing Authorization", it now makes it clear
+ that publishing is optional. (ietf-smtp review)
+
+ o The definition of the "SoftFail" result have been recast from
+ Receiver Policy to Sender Policy.
+
+ o The definitions of Neutral, Pass and PermError have been updated/
+ clarified to more correctly reflect the semantics of
+ draft-mengwong-spf-01.
+
+ o A note to the RFC editor was made indicating that the SPF DNS RR
+ type number should be added to the draft once the IANA has made an
+ allocation.
+
+ o The ip4-network ABNF has been fixed to give the ABNF of the
+ dotted-quad format, rather than just using words to explain it.
+
+ o The ABNF for the Received-SPF header now shows that it ends with a
+ CRLF. (ietf-822 review)
+
+ o The new, optional, "scope" keyword-value pair has been renamed to
+ "identity".
+
+ o The "exp=" modifier no longer counts toward the DoS DNS lookup
+ limits.
+
+ o In section 10.5 "Untrusted Information Sources", the explanation
+ about explanation strings going to only the sender has been fixed
+ to note that, in some cases, it can go to other people. (ietf-822
+ review)
+
+ o Sections 3.1.2 and 3.1.3 were updated to make the distinction
+ between "multiple TXT RRs" and "multiple strings within a TXT"
+ clearer. (ietf-822 review)
+
+ o A normative reference to US-ASCII has been added.
+
+
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 51]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+ o Text describing how to lookup and process the SPF records has been
+ removed from section 3.1.1 "DNS Resource Record Types" and merged
+ into similar text in sections 4.4 "Record Lookup" and 4.5
+ "Selecting Records"
+
+ o Section 4.5 "Selecting Records" has been updated to give an
+ algorithm that says to return a PermError when it discovers that
+ SPF and TXT records don't match.
+
+ o In section 6.1 "redirect: Redirected Query", the semantics have
+ been changed to specify a result of PermError instead of None in
+ cases where the target domain does not have any SPF records. It
+ makes no sense to return None, that is "no SPF records found",
+ when SPF records were found.
+
+ o In section 6.2 "exp: Explanation", it is explained that the record
+ must be in US-ASCII due to requirements of RFC2821.
+
+ o In section 6.2 "exp: Explanation", the duplicate warning about
+ source being from a third party was deleted.
+
+ o A note has been added to section 9.3.1.2 warning about domain
+ labels being over 63 characters.
+
+ o The "prefix" ABNF rule was renamed to "qualifier" to reflect the
+ semantics of the rule, rather than the syntax.
+
+C.2. Changes in Version -01
+
+ o IETF boilerplate was updated to BCP 79.
+
+ o A version number was added to the title. (IESG review)
+
+ o Many grammatical, typographical and spelling errors were
+ corrected, along with rephrasing sentences to make the intent and
+ meaning clearer.
+
+ o Sections have been re-ordered in so that they conform to the
+ instructions2authors.txt document. All required sections and
+ arrangements are included, and only the "Security Considerations"
+ section is not in the suggested order. Since the Security
+ Considerations is such an important part of the spec, it has been
+ moved before the Acknowledgement section.
+
+ o The HELO identity checking has been changed from "MAY" to
+ "RECOMMENDED".
+
+
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 52]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+ o The e-mail receiver policy definition on how to handle HELO
+ checking was removed. It was copied incorrectly from
+ draft-mengwong-spf-01, changing its meaning.
+
+ o A note was added that when changing SPF records, there needs to be
+ a transitional period to prevent incorrect results.
+
+ o The RECOMMENDATION not to use other identities with version 1 SPF
+ records has been clarified. Example cases where checking other
+ identities will cause incorrect results have been cited. (IESG
+ review)
+
+ o The "zone cut" method of determining if there is an SPF record at
+ the top of the zone has been removed. It wasn't implemented very
+ often and could not always be easily done. (IESG/namedroppers'
+ review)
+
+ o A note was added that receivers should consider rejecting e-mail
+ for non-existent domains in order to prevent circumvention of SPF
+ policies. This is due to the remove of "zone cuts".
+ (namedroppers' review)
+
+ o The RECOMMENDATION to perform SPF checks during the SMTP session
+ has been clarified and strengthened.
+
+ o Note added about the consequences of treating "Neutral" results
+ worse than "None".
+
+ o The suggested e-mail receiver policy when a "PermError" is
+ encountered has been changed to be, effectively, the same
+ semantics as were in draft-mengwong-spf-01. (MAAWG review)
+
+ o ABNF cleaned up to pass Bill Fenner's checker and not just the one
+ at http://www.apps.ietf.org/abnf.html
+
+ o A few host names/IP addresses were fixed to use appropriate ones
+ for I-Ds.
+
+ o A definition of what to should be done if there are syntax errors
+ in the explanation string was added. (E.g. use the default.)
+
+ o Section 10 "Security Considerations" has been broken up into
+ subsections and reorganized.
+
+ o Section 7.1 "Process Limits" has been merged into the similar
+ language in the "Security Considerations" section.
+
+
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 53]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+ o The ABNF for the Received-SPF e-mail header has been made to be
+ more compatible with draft-mengwong-spf-01. It was fixed to
+ require whitespace when needed and to show where the suggested
+ comment should be added to the header.
+
+ o The IANA Considerations section now has the required information
+ to document the Received-SPF header.
+
+ o A new, optional, "scope" keyword has added to the Received-SPF
+ header.
+
+ o The non-normative Section 9.3 "Forwarding Services and Aliases"
+ has been expanded to more thoroughly cover the subject.
+
+ o New Security Considerations sections on "Privacy Exposure" and
+ "Cross-User Forgery" have been added.
+
+ o A new example of an SPF policy with a non-obvious implementation
+ has been added.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 54]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+Authors' Addresses
+
+ Meng Weng Wong
+ Singapore
+
+ Email: mengwong+spf@pobox.com
+ URI: http://spf.pobox.com/
+
+
+ Wayne Schlitt
+ 4615 Meredeth #9
+ Lincoln Nebraska, NE 68506
+ United States of America
+
+ Email: wayne@schlitt.net
+ URI: http://www.schlitt.net/spf/
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 55]
+
+Internet-Draft Sender Policy Framework (SPF) June 2005
+
+
+Intellectual Property Statement
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+
+Disclaimer of Validity
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Copyright Statement
+
+ Copyright (C) The Internet Society (2005). This document is subject
+ to the rights, licenses and restrictions contained in BCP 78, and
+ except as set forth therein, the authors retain all their rights.
+
+
+Acknowledgment
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+Wong & Schlitt Expires December 8, 2005 [Page 56]
+
diff --git a/contrib/bind9/doc/misc/Makefile.in b/contrib/bind9/doc/misc/Makefile.in
index 81f13be..4251994 100644
--- a/contrib/bind9/doc/misc/Makefile.in
+++ b/contrib/bind9/doc/misc/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2001 Internet Software Consortium.
#
# Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.1.12.3 2004/03/08 09:04:25 marka Exp $
+# $Id: Makefile.in,v 1.3.18.2 2007/01/30 23:52:53 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@@ -30,7 +30,18 @@ doc man:: ${MANOBJS}
docclean manclean maintainer-clean::
rm -f options
-options: ../../bin/tests/cfg_test
- ../../bin/tests/cfg_test --named --grammar | \
- ${PERL} ${srcdir}/format-options.pl >options || \
- rm -f options
+# Do not make options depend on ../../bin/tests/cfg_test, doing so
+# will cause excessively clever versions of make to attempt to build
+# that program right here, right now, if it is missing, which will
+# cause make doc to bomb.
+
+CFG_TEST = ../../bin/tests/cfg_test
+
+options: FORCE
+ if test -x ${CFG_TEST} && \
+ ${CFG_TEST} --named --grammar | \
+ ${PERL} ${srcdir}/format-options.pl >$@.new ; then \
+ mv -f $@.new $@ ; \
+ else \
+ rm -f $@.new ; \
+ fi
diff --git a/contrib/bind9/doc/misc/dnssec b/contrib/bind9/doc/misc/dnssec
index 79d91cf..4451e6c 100644
--- a/contrib/bind9/doc/misc/dnssec
+++ b/contrib/bind9/doc/misc/dnssec
@@ -81,4 +81,4 @@ future as we consider them inferior to the use of TSIG or SIG(0) to
ensure the integrity of zone transfers.
-$Id: dnssec,v 1.14.2.6.4.4 2004/03/08 09:04:25 marka Exp $
+$Id: dnssec,v 1.19 2004/03/05 05:04:53 marka Exp $
diff --git a/contrib/bind9/doc/misc/format-options.pl b/contrib/bind9/doc/misc/format-options.pl
index 5f0975a..70b334e 100644
--- a/contrib/bind9/doc/misc/format-options.pl
+++ b/contrib/bind9/doc/misc/format-options.pl
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: format-options.pl,v 1.1.206.1 2004/03/06 13:16:19 marka Exp $
+# $Id: format-options.pl,v 1.2 2004/03/05 05:04:53 marka Exp $
print <<END;
diff --git a/contrib/bind9/doc/misc/ipv6 b/contrib/bind9/doc/misc/ipv6
index dd96cd2..aeba275 100644
--- a/contrib/bind9/doc/misc/ipv6
+++ b/contrib/bind9/doc/misc/ipv6
@@ -110,4 +110,4 @@ RELEVANT RFCs
3542: Advanced Sockets Application Program Interface (API) for IPv6
-$Id: ipv6,v 1.5.206.4 2004/08/10 04:28:15 jinmei Exp $
+$Id: ipv6,v 1.6.18.3 2004/08/10 04:28:41 jinmei Exp $
diff --git a/contrib/bind9/doc/misc/migration b/contrib/bind9/doc/misc/migration
index af9fccb..6660e8f 100644
--- a/contrib/bind9/doc/misc/migration
+++ b/contrib/bind9/doc/misc/migration
@@ -252,4 +252,4 @@ necessary, the umask should be set explicitly in the script used to
start the named process.
-$Id: migration,v 1.37.2.3.2.3 2004/11/22 22:33:09 marka Exp $
+$Id: migration,v 1.45.18.1 2004/11/22 22:32:19 marka Exp $
diff --git a/contrib/bind9/doc/misc/migration-4to9 b/contrib/bind9/doc/misc/migration-4to9
index fa75bac..008cbed 100644
--- a/contrib/bind9/doc/misc/migration-4to9
+++ b/contrib/bind9/doc/misc/migration-4to9
@@ -2,7 +2,7 @@ Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 2001 Internet Software Consortium.
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
-$Id: migration-4to9,v 1.3.206.1 2004/03/06 13:16:19 marka Exp $
+$Id: migration-4to9,v 1.4 2004/03/05 05:04:53 marka Exp $
BIND 4 to BIND 9 Migration Notes
diff --git a/contrib/bind9/doc/misc/options b/contrib/bind9/doc/misc/options
index 01546b7..a17c522 100644
--- a/contrib/bind9/doc/misc/options
+++ b/contrib/bind9/doc/misc/options
@@ -50,6 +50,7 @@ options {
use-ixfr <boolean>;
version ( <quoted_string> | none );
flush-zones-on-shutdown <boolean>;
+ allow-query-cache { <address_match_element>; ... };
allow-recursion { <address_match_element>; ... };
allow-v6-synthesis { <address_match_element>; ... }; // obsolete
sortlist { <address_match_element>; ... };
@@ -81,25 +82,41 @@ options {
dual-stack-servers [ port <integer> ] { ( <quoted_string> [port
<integer>] | <ipv4_address> [port <integer>] | <ipv6_address> [port <integer>] ); ... };
edns-udp-size <integer>;
+ max-udp-size <integer>;
root-delegation-only [ exclude { <quoted_string>; ... } ];
disable-algorithms <string> { <string>; ... };
dnssec-enable <boolean>;
+ dnssec-validation <boolean>;
dnssec-lookaside <string> trust-anchor <string>;
dnssec-must-be-secure <string> <boolean>;
+ dnssec-accept-expired <boolean>;
+ ixfr-from-differences <ixfrdiff>;
+ acache-enable <boolean>;
+ acache-cleaning-interval <integer>;
+ max-acache-size <size_no_default>;
+ clients-per-query <integer>;
+ max-clients-per-query <integer>;
+ empty-server <string>;
+ empty-contact <string>;
+ empty-zones-enable <boolean>;
+ disable-empty-zone <string>;
+ zero-no-soa-ttl-cache <boolean>;
allow-query { <address_match_element>; ... };
allow-transfer { <address_match_element>; ... };
+ allow-update { <address_match_element>; ... };
allow-update-forwarding { <address_match_element>; ... };
allow-notify { <address_match_element>; ... };
+ masterfile-format ( text | raw );
notify <notifytype>;
notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
also-notify [ port <integer> ] { ( <ipv4_address> | <ipv6_address>
) [ port <integer> ]; ... };
+ notify-delay <integer>;
dialup <dialuptype>;
forward ( first | only );
forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> )
[ port <integer> ]; ... };
- ixfr-from-differences <boolean>;
maintain-ixfr-base <boolean>; // obsolete
max-ixfr-log-size <size>; // obsolete
max-journal-size <size_no_default>;
@@ -122,12 +139,21 @@ options {
use-alt-transfer-source <boolean>;
zone-statistics <boolean>;
key-directory <quoted_string>;
+ check-wildcard <boolean>;
+ check-integrity <boolean>;
+ check-mx ( fail | warn | ignore );
+ check-mx-cname ( fail | warn | ignore );
+ check-srv-cname ( fail | warn | ignore );
+ check-sibling <boolean>;
+ zero-no-soa-ttl <boolean>;
+ update-check-ksk <boolean>;
};
controls {
inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | *
) ] allow { <address_match_element>; ... } [ keys { <string>; ... } ];
- unix <unsupported>; // not implemented
+ unix <quoted_string> perm <integer> owner <integer> group <integer>
+ [ keys { <string>; ... } ];
};
acl <string> { <address_match_element>; ... };
@@ -160,8 +186,8 @@ view <string> <optional_class> {
zone <string> <optional_class> {
type ( master | slave | stub | hint | forward |
delegation-only );
- allow-update { <address_match_element>; ... };
file <quoted_string>;
+ journal <quoted_string>;
ixfr-base <quoted_string>; // obsolete
ixfr-tmp-file <quoted_string>; // obsolete
masters [ port <integer> ] { ( <masters> | <ipv4_address>
@@ -169,14 +195,17 @@ view <string> <optional_class> {
pubkey <integer> <integer> <integer> <quoted_string>; //
obsolete
update-policy { ( grant | deny ) <string> ( name |
- subdomain | wildcard | self ) <string> <rrtypelist>; ... };
+ subdomain | wildcard | self | selfsub | selfwild ) <string> <rrtypelist>; ... };
database <string>;
delegation-only <boolean>;
check-names ( fail | warn | ignore );
+ ixfr-from-differences <boolean>;
allow-query { <address_match_element>; ... };
allow-transfer { <address_match_element>; ... };
+ allow-update { <address_match_element>; ... };
allow-update-forwarding { <address_match_element>; ... };
allow-notify { <address_match_element>; ... };
+ masterfile-format ( text | raw );
notify <notifytype>;
notify-source ( <ipv4_address> | * ) [ port ( <integer> | *
) ];
@@ -184,11 +213,11 @@ view <string> <optional_class> {
| * ) ];
also-notify [ port <integer> ] { ( <ipv4_address> |
<ipv6_address> ) [ port <integer> ]; ... };
+ notify-delay <integer>;
dialup <dialuptype>;
forward ( first | only );
forwarders [ port <integer> ] { ( <ipv4_address> |
<ipv6_address> ) [ port <integer> ]; ... };
- ixfr-from-differences <boolean>;
maintain-ixfr-base <boolean>; // obsolete
max-ixfr-log-size <size>; // obsolete
max-journal-size <size_no_default>;
@@ -213,8 +242,19 @@ view <string> <optional_class> {
use-alt-transfer-source <boolean>;
zone-statistics <boolean>;
key-directory <quoted_string>;
+ check-wildcard <boolean>;
+ check-integrity <boolean>;
+ check-mx ( fail | warn | ignore );
+ check-mx-cname ( fail | warn | ignore );
+ check-srv-cname ( fail | warn | ignore );
+ check-sibling <boolean>;
+ zero-no-soa-ttl <boolean>;
+ update-check-ksk <boolean>;
+ };
+ dlz <string> {
+ database <string>;
};
- server <netaddr> {
+ server <netprefix> {
bogus <boolean>;
provide-ixfr <boolean>;
request-ixfr <boolean>;
@@ -223,6 +263,14 @@ view <string> <optional_class> {
transfer-format ( many-answers | one-answer );
keys <server_key>;
edns <boolean>;
+ edns-udp-size <integer>;
+ max-udp-size <integer>;
+ notify-source ( <ipv4_address> | * ) [ port ( <integer> | *
+ ) ];
+ notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer>
+ | * ) ];
+ query-source <querysource4>;
+ query-source-v6 <querysource6>;
transfer-source ( <ipv4_address> | * ) [ port ( <integer> |
* ) ];
transfer-source-v6 ( <ipv6_address> | * ) [ port (
@@ -230,6 +278,7 @@ view <string> <optional_class> {
};
trusted-keys { <string> <integer> <integer> <integer>
<quoted_string>; ... };
+ allow-query-cache { <address_match_element>; ... };
allow-recursion { <address_match_element>; ... };
allow-v6-synthesis { <address_match_element>; ... }; // obsolete
sortlist { <address_match_element>; ... };
@@ -261,25 +310,41 @@ view <string> <optional_class> {
dual-stack-servers [ port <integer> ] { ( <quoted_string> [port
<integer>] | <ipv4_address> [port <integer>] | <ipv6_address> [port <integer>] ); ... };
edns-udp-size <integer>;
+ max-udp-size <integer>;
root-delegation-only [ exclude { <quoted_string>; ... } ];
disable-algorithms <string> { <string>; ... };
dnssec-enable <boolean>;
+ dnssec-validation <boolean>;
dnssec-lookaside <string> trust-anchor <string>;
dnssec-must-be-secure <string> <boolean>;
+ dnssec-accept-expired <boolean>;
+ ixfr-from-differences <ixfrdiff>;
+ acache-enable <boolean>;
+ acache-cleaning-interval <integer>;
+ max-acache-size <size_no_default>;
+ clients-per-query <integer>;
+ max-clients-per-query <integer>;
+ empty-server <string>;
+ empty-contact <string>;
+ empty-zones-enable <boolean>;
+ disable-empty-zone <string>;
+ zero-no-soa-ttl-cache <boolean>;
allow-query { <address_match_element>; ... };
allow-transfer { <address_match_element>; ... };
+ allow-update { <address_match_element>; ... };
allow-update-forwarding { <address_match_element>; ... };
allow-notify { <address_match_element>; ... };
+ masterfile-format ( text | raw );
notify <notifytype>;
notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
also-notify [ port <integer> ] { ( <ipv4_address> | <ipv6_address>
) [ port <integer> ]; ... };
+ notify-delay <integer>;
dialup <dialuptype>;
forward ( first | only );
forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> )
[ port <integer> ]; ... };
- ixfr-from-differences <boolean>;
maintain-ixfr-base <boolean>; // obsolete
max-ixfr-log-size <size>; // obsolete
max-journal-size <size_no_default>;
@@ -302,6 +367,15 @@ view <string> <optional_class> {
use-alt-transfer-source <boolean>;
zone-statistics <boolean>;
key-directory <quoted_string>;
+ check-wildcard <boolean>;
+ check-integrity <boolean>;
+ check-mx ( fail | warn | ignore );
+ check-mx-cname ( fail | warn | ignore );
+ check-srv-cname ( fail | warn | ignore );
+ check-sibling <boolean>;
+ zero-no-soa-ttl <boolean>;
+ update-check-ksk <boolean>;
+ database <string>;
};
lwres {
@@ -319,32 +393,35 @@ key <string> {
zone <string> <optional_class> {
type ( master | slave | stub | hint | forward | delegation-only );
- allow-update { <address_match_element>; ... };
file <quoted_string>;
+ journal <quoted_string>;
ixfr-base <quoted_string>; // obsolete
ixfr-tmp-file <quoted_string>; // obsolete
masters [ port <integer> ] { ( <masters> | <ipv4_address> [port
<integer>] | <ipv6_address> [port <integer>] ) [ key <string> ]; ... };
pubkey <integer> <integer> <integer> <quoted_string>; // obsolete
update-policy { ( grant | deny ) <string> ( name | subdomain |
- wildcard | self ) <string> <rrtypelist>; ... };
+ wildcard | self | selfsub | selfwild ) <string> <rrtypelist>; ... };
database <string>;
delegation-only <boolean>;
check-names ( fail | warn | ignore );
+ ixfr-from-differences <boolean>;
allow-query { <address_match_element>; ... };
allow-transfer { <address_match_element>; ... };
+ allow-update { <address_match_element>; ... };
allow-update-forwarding { <address_match_element>; ... };
allow-notify { <address_match_element>; ... };
+ masterfile-format ( text | raw );
notify <notifytype>;
notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
also-notify [ port <integer> ] { ( <ipv4_address> | <ipv6_address>
) [ port <integer> ]; ... };
+ notify-delay <integer>;
dialup <dialuptype>;
forward ( first | only );
forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> )
[ port <integer> ]; ... };
- ixfr-from-differences <boolean>;
maintain-ixfr-base <boolean>; // obsolete
max-ixfr-log-size <size>; // obsolete
max-journal-size <size_no_default>;
@@ -367,9 +444,21 @@ zone <string> <optional_class> {
use-alt-transfer-source <boolean>;
zone-statistics <boolean>;
key-directory <quoted_string>;
+ check-wildcard <boolean>;
+ check-integrity <boolean>;
+ check-mx ( fail | warn | ignore );
+ check-mx-cname ( fail | warn | ignore );
+ check-srv-cname ( fail | warn | ignore );
+ check-sibling <boolean>;
+ zero-no-soa-ttl <boolean>;
+ update-check-ksk <boolean>;
};
-server <netaddr> {
+dlz <string> {
+ database <string>;
+};
+
+server <netprefix> {
bogus <boolean>;
provide-ixfr <boolean>;
request-ixfr <boolean>;
@@ -378,6 +467,12 @@ server <netaddr> {
transfer-format ( many-answers | one-answer );
keys <server_key>;
edns <boolean>;
+ edns-udp-size <integer>;
+ max-udp-size <integer>;
+ notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
+ notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
+ query-source <querysource4>;
+ query-source-v6 <querysource6>;
transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
};
diff --git a/contrib/bind9/doc/misc/rfc-compliance b/contrib/bind9/doc/misc/rfc-compliance
index 6a3fac1..4c87c66 100644
--- a/contrib/bind9/doc/misc/rfc-compliance
+++ b/contrib/bind9/doc/misc/rfc-compliance
@@ -2,7 +2,7 @@ Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 2001 Internet Software Consortium.
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
-$Id: rfc-compliance,v 1.3.206.1 2004/03/06 13:16:20 marka Exp $
+$Id: rfc-compliance,v 1.4 2004/03/05 05:04:53 marka Exp $
BIND 9 is striving for strict compliance with IETF standards. We
believe this release of BIND 9 complies with the following RFCs, with
diff --git a/contrib/bind9/doc/misc/roadmap b/contrib/bind9/doc/misc/roadmap
index 72021b8..f63a469 100644
--- a/contrib/bind9/doc/misc/roadmap
+++ b/contrib/bind9/doc/misc/roadmap
@@ -2,7 +2,7 @@ Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 2000, 2001 Internet Software Consortium.
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
-$Id: roadmap,v 1.1.206.1 2004/03/06 13:16:20 marka Exp $
+$Id: roadmap,v 1.2 2004/03/05 05:04:54 marka Exp $
Road Map to the BIND 9 Source Tree
diff --git a/contrib/bind9/doc/misc/sdb b/contrib/bind9/doc/misc/sdb
index 0de0ab8..552028a 100644
--- a/contrib/bind9/doc/misc/sdb
+++ b/contrib/bind9/doc/misc/sdb
@@ -166,4 +166,4 @@ Future Directions
A future release may support dynamic loading of sdb drivers.
-$Id: sdb,v 1.5.206.1 2004/03/06 13:16:20 marka Exp $
+$Id: sdb,v 1.6 2004/03/05 05:04:54 marka Exp $
diff --git a/contrib/bind9/doc/rfc/index b/contrib/bind9/doc/rfc/index
index 5c588db..947827e 100644
--- a/contrib/bind9/doc/rfc/index
+++ b/contrib/bind9/doc/rfc/index
@@ -101,3 +101,8 @@
4035: Protocol Modifications for the DNS Security Extensions
4074: Common Misbehavior Against DNS Queries for IPv6 Addresses
4159: Deprecation of "ip6.int"
+4193: Unique Local IPv6 Unicast Addresses
+4255: Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
+4343: Domain Name System (DNS) Case Insensitivity Clarification
+4367: What's in a Name: False Assumptions about DNS Names
+4431: The DNSSEC Lookaside Validation (DLV) DNS Resource Record
diff --git a/contrib/bind9/doc/rfc/rfc4193.txt b/contrib/bind9/doc/rfc/rfc4193.txt
new file mode 100644
index 0000000..17e2c0b
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc4193.txt
@@ -0,0 +1,899 @@
+
+
+
+
+
+
+Network Working Group R. Hinden
+Request for Comments: 4193 Nokia
+Category: Standards Track B. Haberman
+ JHU-APL
+ October 2005
+
+
+ Unique Local IPv6 Unicast Addresses
+
+Status of This Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2005).
+
+Abstract
+
+ This document defines an IPv6 unicast address format that is globally
+ unique and is intended for local communications, usually inside of a
+ site. These addresses are not expected to be routable on the global
+ Internet.
+
+Table of Contents
+
+ 1. Introduction ....................................................2
+ 2. Acknowledgements ................................................3
+ 3. Local IPv6 Unicast Addresses ....................................3
+ 3.1. Format .....................................................3
+ 3.1.1. Background ..........................................4
+ 3.2. Global ID ..................................................4
+ 3.2.1. Locally Assigned Global IDs .........................5
+ 3.2.2. Sample Code for Pseudo-Random Global ID Algorithm ...5
+ 3.2.3. Analysis of the Uniqueness of Global IDs ............6
+ 3.3. Scope Definition ...........................................6
+ 4. Operational Guidelines ..........................................7
+ 4.1. Routing ....................................................7
+ 4.2. Renumbering and Site Merging ...............................7
+ 4.3. Site Border Router and Firewall Packet Filtering ...........8
+ 4.4. DNS Issues .................................................8
+ 4.5. Application and Higher Level Protocol Issues ...............9
+ 4.6. Use of Local IPv6 Addresses for Local Communication ........9
+ 4.7. Use of Local IPv6 Addresses with VPNs .....................10
+
+
+
+Hinden & Haberman Standards Track [Page 1]
+
+RFC 4193 Unique Local IPv6 Unicast Addresses October 2005
+
+
+ 5. Global Routing Considerations ..................................11
+ 5.1. From the Standpoint of the Internet .......................11
+ 5.2. From the Standpoint of a Site .............................11
+ 6. Advantages and Disadvantages ...................................12
+ 6.1. Advantages ................................................12
+ 6.2. Disadvantages .............................................13
+ 7. Security Considerations ........................................13
+ 8. IANA Considerations ............................................13
+ 9. References .....................................................13
+ 9.1. Normative References ......................................13
+ 9.2. Informative References ....................................14
+
+1. Introduction
+
+ This document defines an IPv6 unicast address format that is globally
+ unique and is intended for local communications [IPV6]. These
+ addresses are called Unique Local IPv6 Unicast Addresses and are
+ abbreviated in this document as Local IPv6 addresses. They are not
+ expected to be routable on the global Internet. They are routable
+ inside of a more limited area such as a site. They may also be
+ routed between a limited set of sites.
+
+ Local IPv6 unicast addresses have the following characteristics:
+
+ - Globally unique prefix (with high probability of uniqueness).
+
+ - Well-known prefix to allow for easy filtering at site
+ boundaries.
+
+ - Allow sites to be combined or privately interconnected without
+ creating any address conflicts or requiring renumbering of
+ interfaces that use these prefixes.
+
+ - Internet Service Provider independent and can be used for
+ communications inside of a site without having any permanent or
+ intermittent Internet connectivity.
+
+ - If accidentally leaked outside of a site via routing or DNS,
+ there is no conflict with any other addresses.
+
+ - In practice, applications may treat these addresses like global
+ scoped addresses.
+
+ This document defines the format of Local IPv6 addresses, how to
+ allocate them, and usage considerations including routing, site
+ border routers, DNS, application support, VPN usage, and guidelines
+ for how to use for local communication inside a site.
+
+
+
+
+Hinden & Haberman Standards Track [Page 2]
+
+RFC 4193 Unique Local IPv6 Unicast Addresses October 2005
+
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+2. Acknowledgements
+
+ The underlying idea of creating Local IPv6 addresses described in
+ this document has been proposed a number of times by a variety of
+ people. The authors of this document do not claim exclusive credit.
+ Credit goes to Brian Carpenter, Christian Huitema, Aidan Williams,
+ Andrew White, Charlie Perkins, and many others. The authors would
+ also like to thank Brian Carpenter, Charlie Perkins, Harald
+ Alvestrand, Keith Moore, Margaret Wasserman, Shannon Behrens, Alan
+ Beard, Hans Kruse, Geoff Huston, Pekka Savola, Christian Huitema, Tim
+ Chown, Steve Bellovin, Alex Zinin, Tony Hain, Bill Fenner, Sam
+ Hartman, and Elwyn Davies for their comments and suggestions on this
+ document.
+
+3. Local IPv6 Unicast Addresses
+
+3.1. Format
+
+ The Local IPv6 addresses are created using a pseudo-randomly
+ allocated global ID. They have the following format:
+
+ | 7 bits |1| 40 bits | 16 bits | 64 bits |
+ +--------+-+------------+-----------+----------------------------+
+ | Prefix |L| Global ID | Subnet ID | Interface ID |
+ +--------+-+------------+-----------+----------------------------+
+
+ Where:
+
+ Prefix FC00::/7 prefix to identify Local IPv6 unicast
+ addresses.
+
+ L Set to 1 if the prefix is locally assigned.
+ Set to 0 may be defined in the future. See
+ Section 3.2 for additional information.
+
+ Global ID 40-bit global identifier used to create a
+ globally unique prefix. See Section 3.2 for
+ additional information.
+
+ Subnet ID 16-bit Subnet ID is an identifier of a subnet
+ within the site.
+
+ Interface ID 64-bit Interface ID as defined in [ADDARCH].
+
+
+
+
+Hinden & Haberman Standards Track [Page 3]
+
+RFC 4193 Unique Local IPv6 Unicast Addresses October 2005
+
+
+3.1.1. Background
+
+ There were a range of choices available when choosing the size of the
+ prefix and Global ID field length. There is a direct tradeoff
+ between having a Global ID field large enough to support foreseeable
+ future growth and not using too much of the IPv6 address space
+ needlessly. A reasonable way of evaluating a specific field length
+ is to compare it to a projected 2050 world population of 9.3 billion
+ [POPUL] and the number of resulting /48 prefixes per person. A range
+ of prefix choices is shown in the following table:
+
+ Prefix Global ID Number of Prefixes % of IPv6
+ Length /48 Prefixes per Person Address Space
+
+ /11 37 137,438,953,472 15 0.049%
+ /10 38 274,877,906,944 30 0.098%
+ /9 39 549,755,813,888 59 0.195%
+ /8 40 1,099,511,627,776 118 0.391%
+ /7 41 2,199,023,255,552 236 0.781%
+ /6 42 4,398,046,511,104 473 1.563%
+
+ A very high utilization ratio of these allocations can be assumed
+ because the Global ID field does not require internal structure, and
+ there is no reason to be able to aggregate the prefixes.
+
+ The authors believe that a /7 prefix resulting in a 41-bit Global ID
+ space (including the L bit) is a good choice. It provides for a
+ large number of assignments (i.e., 2.2 trillion) and at the same time
+ uses less than .8% of the total IPv6 address space. It is unlikely
+ that this space will be exhausted. If more than this were to be
+ needed, then additional IPv6 address space could be allocated for
+ this purpose.
+
+3.2. Global ID
+
+ The allocation of Global IDs is pseudo-random [RANDOM]. They MUST
+ NOT be assigned sequentially or with well-known numbers. This is to
+ ensure that there is not any relationship between allocations and to
+ help clarify that these prefixes are not intended to be routed
+ globally. Specifically, these prefixes are not designed to
+ aggregate.
+
+ This document defines a specific local method to allocate Global IDs,
+ indicated by setting the L bit to 1. Another method, indicated by
+ clearing the L bit, may be defined later. Apart from the allocation
+ method, all Local IPv6 addresses behave and are treated identically.
+
+
+
+
+
+Hinden & Haberman Standards Track [Page 4]
+
+RFC 4193 Unique Local IPv6 Unicast Addresses October 2005
+
+
+ The local assignments are self-generated and do not need any central
+ coordination or assignment, but have an extremely high probability of
+ being unique.
+
+3.2.1. Locally Assigned Global IDs
+
+ Locally assigned Global IDs MUST be generated with a pseudo-random
+ algorithm consistent with [RANDOM]. Section 3.2.2 describes a
+ suggested algorithm. It is important that all sites generating
+ Global IDs use a functionally similar algorithm to ensure there is a
+ high probability of uniqueness.
+
+ The use of a pseudo-random algorithm to generate Global IDs in the
+ locally assigned prefix gives an assurance that any network numbered
+ using such a prefix is highly unlikely to have that address space
+ clash with any other network that has another locally assigned prefix
+ allocated to it. This is a particularly useful property when
+ considering a number of scenarios including networks that merge,
+ overlapping VPN address space, or hosts mobile between such networks.
+
+3.2.2. Sample Code for Pseudo-Random Global ID Algorithm
+
+ The algorithm described below is intended to be used for locally
+ assigned Global IDs. In each case the resulting global ID will be
+ used in the appropriate prefix as defined in Section 3.2.
+
+ 1) Obtain the current time of day in 64-bit NTP format [NTP].
+
+ 2) Obtain an EUI-64 identifier from the system running this
+ algorithm. If an EUI-64 does not exist, one can be created from
+ a 48-bit MAC address as specified in [ADDARCH]. If an EUI-64
+ cannot be obtained or created, a suitably unique identifier,
+ local to the node, should be used (e.g., system serial number).
+
+ 3) Concatenate the time of day with the system-specific identifier
+ in order to create a key.
+
+ 4) Compute an SHA-1 digest on the key as specified in [FIPS, SHA1];
+ the resulting value is 160 bits.
+
+ 5) Use the least significant 40 bits as the Global ID.
+
+ 6) Concatenate FC00::/7, the L bit set to 1, and the 40-bit Global
+ ID to create a Local IPv6 address prefix.
+
+ This algorithm will result in a Global ID that is reasonably unique
+ and can be used to create a locally assigned Local IPv6 address
+ prefix.
+
+
+
+Hinden & Haberman Standards Track [Page 5]
+
+RFC 4193 Unique Local IPv6 Unicast Addresses October 2005
+
+
+3.2.3. Analysis of the Uniqueness of Global IDs
+
+ The selection of a pseudo random Global ID is similar to the
+ selection of an SSRC identifier in RTP/RTCP defined in Section 8.1 of
+ [RTP]. This analysis is adapted from that document.
+
+ Since Global IDs are chosen randomly (and independently), it is
+ possible that separate networks have chosen the same Global ID. For
+ any given network, with one or more random Global IDs, that has
+ inter-connections to other such networks, having a total of N such
+ IDs, the probability that two or more of these IDs will collide can
+ be approximated using the formula:
+
+ P = 1 - exp(-N**2 / 2**(L+1))
+
+ where P is the probability of collision, N is the number of
+ interconnected Global IDs, and L is the length of the Global ID.
+
+ The following table shows the probability of a collision for a range
+ of connections using a 40-bit Global ID field.
+
+ Connections Probability of Collision
+
+ 2 1.81*10^-12
+ 10 4.54*10^-11
+ 100 4.54*10^-09
+ 1000 4.54*10^-07
+ 10000 4.54*10^-05
+
+ Based on this analysis, the uniqueness of locally generated Global
+ IDs is adequate for sites planning a small to moderate amount of
+ inter-site communication using locally generated Global IDs.
+
+3.3. Scope Definition
+
+ By default, the scope of these addresses is global. That is, they
+ are not limited by ambiguity like the site-local addresses defined in
+ [ADDARCH]. Rather, these prefixes are globally unique, and as such,
+ their applicability is greater than site-local addresses. Their
+ limitation is in the routability of the prefixes, which is limited to
+ a site and any explicit routing agreements with other sites to
+ propagate them (also see Section 4.1). Also, unlike site-locals, a
+ site may have more than one of these prefixes and use them at the
+ same time.
+
+
+
+
+
+
+
+Hinden & Haberman Standards Track [Page 6]
+
+RFC 4193 Unique Local IPv6 Unicast Addresses October 2005
+
+
+4. Operational Guidelines
+
+ The guidelines in this section do not require any change to the
+ normal routing and forwarding functionality in an IPv6 host or
+ router. These are configuration and operational usage guidelines.
+
+4.1. Routing
+
+ Local IPv6 addresses are designed to be routed inside of a site in
+ the same manner as other types of unicast addresses. They can be
+ carried in any IPv6 routing protocol without any change.
+
+ It is expected that they would share the same Subnet IDs with
+ provider-based global unicast addresses, if they were being used
+ concurrently [GLOBAL].
+
+ The default behavior of exterior routing protocol sessions between
+ administrative routing regions must be to ignore receipt of and not
+ advertise prefixes in the FC00::/7 block. A network operator may
+ specifically configure prefixes longer than FC00::/7 for inter-site
+ communication.
+
+ If BGP is being used at the site border with an ISP, the default BGP
+ configuration must filter out any Local IPv6 address prefixes, both
+ incoming and outgoing. It must be set both to keep any Local IPv6
+ address prefixes from being advertised outside of the site as well as
+ to keep these prefixes from being learned from another site. The
+ exception to this is if there are specific /48 or longer routes
+ created for one or more Local IPv6 prefixes.
+
+ For link-state IGPs, it is suggested that a site utilizing IPv6 local
+ address prefixes be contained within one IGP domain or area. By
+ containing an IPv6 local address prefix to a single link-state area
+ or domain, the distribution of prefixes can be controlled.
+
+4.2. Renumbering and Site Merging
+
+ The use of Local IPv6 addresses in a site results in making
+ communication that uses these addresses independent of renumbering a
+ site's provider-based global addresses.
+
+ When merging multiple sites, the addresses created with these
+ prefixes are unlikely to need to be renumbered because all of the
+ addresses have a high probability of being unique. Routes for each
+ specific prefix would have to be configured to allow routing to work
+ correctly between the formerly separate sites.
+
+
+
+
+
+Hinden & Haberman Standards Track [Page 7]
+
+RFC 4193 Unique Local IPv6 Unicast Addresses October 2005
+
+
+4.3. Site Border Router and Firewall Packet Filtering
+
+ While no serious harm will be done if packets with these addresses
+ are sent outside of a site via a default route, it is recommended
+ that routers be configured by default to keep any packets with Local
+ IPv6 addresses from leaking outside of the site and to keep any site
+ prefixes from being advertised outside of their site.
+
+ Site border routers and firewalls should be configured to not forward
+ any packets with Local IPv6 source or destination addresses outside
+ of the site, unless they have been explicitly configured with routing
+ information about specific /48 or longer Local IPv6 prefixes. This
+ will ensure that packets with Local IPv6 destination addresses will
+ not be forwarded outside of the site via a default route. The
+ default behavior of these devices should be to install a "reject"
+ route for these prefixes. Site border routers should respond with
+ the appropriate ICMPv6 Destination Unreachable message to inform the
+ source that the packet was not forwarded. [ICMPV6]. This feedback is
+ important to avoid transport protocol timeouts.
+
+ Routers that maintain peering arrangements between Autonomous Systems
+ throughout the Internet should obey the recommendations for site
+ border routers, unless configured otherwise.
+
+4.4. DNS Issues
+
+ At the present time, AAAA and PTR records for locally assigned local
+ IPv6 addresses are not recommended to be installed in the global DNS.
+
+ For background on this recommendation, one of the concerns about
+ adding AAAA and PTR records to the global DNS for locally assigned
+ Local IPv6 addresses stems from the lack of complete assurance that
+ the prefixes are unique. There is a small possibility that the same
+ locally assigned IPv6 Local addresses will be used by two different
+ organizations both claiming to be authoritative with different
+ contents. In this scenario, it is likely there will be a connection
+ attempt to the closest host with the corresponding locally assigned
+ IPv6 Local address. This may result in connection timeouts,
+ connection failures indicated by ICMP Destination Unreachable
+ messages, or successful connections to the wrong host. Due to this
+ concern, adding AAAA records for these addresses to the global DNS is
+ thought to be unwise.
+
+ Reverse (address-to-name) queries for locally assigned IPv6 Local
+ addresses MUST NOT be sent to name servers for the global DNS, due to
+ the load that such queries would create for the authoritative name
+ servers for the ip6.arpa zone. This form of query load is not
+ specific to locally assigned Local IPv6 addresses; any current form
+
+
+
+Hinden & Haberman Standards Track [Page 8]
+
+RFC 4193 Unique Local IPv6 Unicast Addresses October 2005
+
+
+ of local addressing creates additional load of this kind, due to
+ reverse queries leaking out of the site. However, since allowing
+ such queries to escape from the site serves no useful purpose, there
+ is no good reason to make the existing load problems worse.
+
+ The recommended way to avoid sending such queries to nameservers for
+ the global DNS is for recursive name server implementations to act as
+ if they were authoritative for an empty d.f.ip6.arpa zone and return
+ RCODE 3 for any such query. Implementations that choose this
+ strategy should allow it to be overridden, but returning an RCODE 3
+ response for such queries should be the default, both because this
+ will reduce the query load problem and also because, if the site
+ administrator has not set up the reverse tree corresponding to the
+ locally assigned IPv6 Local addresses in use, returning RCODE 3 is in
+ fact the correct answer.
+
+4.5. Application and Higher Level Protocol Issues
+
+ Application and other higher level protocols can treat Local IPv6
+ addresses in the same manner as other types of global unicast
+ addresses. No special handling is required. This type of address
+ may not be reachable, but that is no different from other types of
+ IPv6 global unicast address. Applications need to be able to handle
+ multiple addresses that may or may not be reachable at any point in
+ time. In most cases, this complexity should be hidden in APIs.
+
+ From a host's perspective, the difference between Local IPv6 and
+ other types of global unicast addresses shows up as different
+ reachability and could be handled by default in that way. In some
+ cases, it is better for nodes and applications to treat them
+ differently from global unicast addresses. A starting point might be
+ to give them preference over global unicast, but fall back to global
+ unicast if a particular destination is found to be unreachable. Much
+ of this behavior can be controlled by how they are allocated to nodes
+ and put into the DNS. However, it is useful if a host can have both
+ types of addresses and use them appropriately.
+
+ Note that the address selection mechanisms of [ADDSEL], and in
+ particular the policy override mechanism replacing default address
+ selection, are expected to be used on a site where Local IPv6
+ addresses are configured.
+
+4.6. Use of Local IPv6 Addresses for Local Communication
+
+ Local IPv6 addresses, like global scope unicast addresses, are only
+ assigned to nodes if their use has been enabled (via IPv6 address
+ autoconfiguration [ADDAUTO], DHCPv6 [DHCP6], or manually). They are
+
+
+
+
+Hinden & Haberman Standards Track [Page 9]
+
+RFC 4193 Unique Local IPv6 Unicast Addresses October 2005
+
+
+ not created automatically in the way that IPv6 link-local addresses
+ are and will not appear or be used unless they are purposely
+ configured.
+
+ In order for hosts to autoconfigure Local IPv6 addresses, routers
+ have to be configured to advertise Local IPv6 /64 prefixes in router
+ advertisements, or a DHCPv6 server must have been configured to
+ assign them. In order for a node to learn the Local IPv6 address of
+ another node, the Local IPv6 address must have been installed in a
+ naming system (e.g., DNS, proprietary naming system, etc.) For these
+ reasons, controlling their usage in a site is straightforward.
+
+ To limit the use of Local IPv6 addresses the following guidelines
+ apply:
+
+ - Nodes that are to only be reachable inside of a site: The local
+ DNS should be configured to only include the Local IPv6
+ addresses of these nodes. Nodes with only Local IPv6 addresses
+ must not be installed in the global DNS.
+
+ - Nodes that are to be limited to only communicate with other
+ nodes in the site: These nodes should be set to only
+ autoconfigure Local IPv6 addresses via [ADDAUTO] or to only
+ receive Local IPv6 addresses via [DHCP6]. Note: For the case
+ where both global and Local IPv6 prefixes are being advertised
+ on a subnet, this will require a switch in the devices to only
+ autoconfigure Local IPv6 addresses.
+
+ - Nodes that are to be reachable from inside of the site and from
+ outside of the site: The DNS should be configured to include
+ the global addresses of these nodes. The local DNS may be
+ configured to also include the Local IPv6 addresses of these
+ nodes.
+
+ - Nodes that can communicate with other nodes inside of the site
+ and outside of the site: These nodes should autoconfigure global
+ addresses via [ADDAUTO] or receive global address via [DHCP6].
+ They may also obtain Local IPv6 addresses via the same
+ mechanisms.
+
+4.7. Use of Local IPv6 Addresses with VPNs
+
+ Local IPv6 addresses can be used for inter-site Virtual Private
+ Networks (VPN) if appropriate routes are set up. Because the
+ addresses are unique, these VPNs will work reliably and without the
+ need for translation. They have the additional property that they
+ will continue to work if the individual sites are renumbered or
+ merged.
+
+
+
+Hinden & Haberman Standards Track [Page 10]
+
+RFC 4193 Unique Local IPv6 Unicast Addresses October 2005
+
+
+5. Global Routing Considerations
+
+ Section 4.1 provides operational guidelines that forbid default
+ routing of local addresses between sites. Concerns were raised to
+ the IPv6 working group and to the IETF as a whole that sites may
+ attempt to use local addresses as globally routed provider-
+ independent addresses. This section describes why using local
+ addresses as globally-routed provider-independent addresses is
+ unadvisable.
+
+5.1. From the Standpoint of the Internet
+
+ There is a mismatch between the structure of IPv6 local addresses and
+ the normal IPv6 wide area routing model. The /48 prefix of an IPv6
+ local addresses fits nowhere in the normal hierarchy of IPv6 unicast
+ addresses. Normal IPv6 unicast addresses can be routed
+ hierarchically down to physical subnet (link) level and only have to
+ be flat-routed on the physical subnet. IPv6 local addresses would
+ have to be flat-routed even over the wide area Internet.
+
+ Thus, packets whose destination address is an IPv6 local address
+ could be routed over the wide area only if the corresponding /48
+ prefix were carried by the wide area routing protocol in use, such as
+ BGP. This contravenes the operational assumption that long prefixes
+ will be aggregated into many fewer short prefixes, to limit the table
+ size and convergence time of the routing protocol. If a network uses
+ both normal IPv6 addresses [ADDARCH] and IPv6 local addresses, these
+ types of addresses will certainly not aggregate with each other,
+ since they differ from the most significant bit onwards. Neither
+ will IPv6 local addresses aggregate with each other, due to their
+ random bit patterns. This means that there would be a very
+ significant operational penalty for attempting to use IPv6 local
+ address prefixes generically with currently known wide area routing
+ technology.
+
+5.2. From the Standpoint of a Site
+
+ There are a number of design factors in IPv6 local addresses that
+ reduce the likelihood that IPv6 local addresses will be used as
+ arbitrary global unicast addresses. These include:
+
+ - The default rules to filter packets and routes make it very
+ difficult to use IPv6 local addresses for arbitrary use across
+ the Internet. For a site to use them as general purpose unicast
+ addresses, it would have to make sure that the default rules
+ were not being used by all other sites and intermediate ISPs
+ used for their current and future communication.
+
+
+
+
+Hinden & Haberman Standards Track [Page 11]
+
+RFC 4193 Unique Local IPv6 Unicast Addresses October 2005
+
+
+ - They are not mathematically guaranteed to be unique and are not
+ registered in public databases. Collisions, while highly
+ unlikely, are possible and a collision can compromise the
+ integrity of the communications. The lack of public
+ registration creates operational problems.
+
+ - The addresses are allocated randomly. If a site had multiple
+ prefixes that it wanted to be used globally, the cost of
+ advertising them would be very high because they could not be
+ aggregated.
+
+ - They have a long prefix (i.e., /48) so a single local address
+ prefix doesn't provide enough address space to be used
+ exclusively by the largest organizations.
+
+6. Advantages and Disadvantages
+
+6.1. Advantages
+
+ This approach has the following advantages:
+
+ - Provides Local IPv6 prefixes that can be used independently of
+ any provider-based IPv6 unicast address allocations. This is
+ useful for sites not always connected to the Internet or sites
+ that wish to have a distinct prefix that can be used to localize
+ traffic inside of the site.
+
+ - Applications can treat these addresses in an identical manner as
+ any other type of global IPv6 unicast addresses.
+
+ - Sites can be merged without any renumbering of the Local IPv6
+ addresses.
+
+ - Sites can change their provider-based IPv6 unicast address
+ without disrupting any communication that uses Local IPv6
+ addresses.
+
+ - Well-known prefix that allows for easy filtering at site
+ boundary.
+
+ - Can be used for inter-site VPNs.
+
+ - If accidently leaked outside of a site via routing or DNS, there
+ is no conflict with any other addresses.
+
+
+
+
+
+
+
+Hinden & Haberman Standards Track [Page 12]
+
+RFC 4193 Unique Local IPv6 Unicast Addresses October 2005
+
+
+6.2. Disadvantages
+
+ This approach has the following disadvantages:
+
+ - Not possible to route Local IPv6 prefixes on the global Internet
+ with current routing technology. Consequentially, it is
+ necessary to have the default behavior of site border routers to
+ filter these addresses.
+
+ - There is a very low probability of non-unique locally assigned
+ Global IDs being generated by the algorithm in Section 3.2.3.
+ This risk can be ignored for all practical purposes, but it
+ leads to a theoretical risk of clashing address prefixes.
+
+7. Security Considerations
+
+ Local IPv6 addresses do not provide any inherent security to the
+ nodes that use them. They may be used with filters at site
+ boundaries to keep Local IPv6 traffic inside of the site, but this is
+ no more or less secure than filtering any other type of global IPv6
+ unicast addresses.
+
+ Local IPv6 addresses do allow for address-based security mechanisms,
+ including IPsec, across end to end VPN connections.
+
+8. IANA Considerations
+
+ The IANA has assigned the FC00::/7 prefix to "Unique Local Unicast".
+
+9. References
+
+9.1. Normative References
+
+ [ADDARCH] Hinden, R. and S. Deering, "Internet Protocol Version 6
+ (IPv6) Addressing Architecture", RFC 3513, April 2003.
+
+ [FIPS] "Federal Information Processing Standards Publication",
+ (FIPS PUB) 180-1, Secure Hash Standard, 17 April 1995.
+
+ [GLOBAL] Hinden, R., Deering, S., and E. Nordmark, "IPv6 Global
+ Unicast Address Format", RFC 3587, August 2003.
+
+ [ICMPV6] Conta, A. and S. Deering, "Internet Control Message
+ Protocol (ICMPv6) for the Internet Protocol Version 6
+ (IPv6) Specification", RFC 2463, December 1998.
+
+
+
+
+
+
+Hinden & Haberman Standards Track [Page 13]
+
+RFC 4193 Unique Local IPv6 Unicast Addresses October 2005
+
+
+ [IPV6] Deering, S. and R. Hinden, "Internet Protocol, Version 6
+ (IPv6) Specification", RFC 2460, December 1998.
+
+ [NTP] Mills, D., "Network Time Protocol (Version 3)
+ Specification, Implementation and Analysis", RFC 1305,
+ March 1992.
+
+ [RANDOM] Eastlake, D., 3rd, Schiller, J., and S. Crocker,
+ "Randomness Requirements for Security", BCP 106, RFC 4086,
+ June 2005.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [SHA1] Eastlake 3rd, D. and P. Jones, "US Secure Hash Algorithm 1
+ (SHA1)", RFC 3174, September 2001.
+
+9.2. Informative References
+
+ [ADDAUTO] Thomson, S. and T. Narten, "IPv6 Stateless Address
+ Autoconfiguration", RFC 2462, December 1998.
+
+ [ADDSEL] Draves, R., "Default Address Selection for Internet
+ Protocol version 6 (IPv6)", RFC 3484, February 2003.
+
+ [DHCP6] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and
+ M. Carney, "Dynamic Host Configuration Protocol for IPv6
+ (DHCPv6)", RFC 3315, July 2003.
+
+ [POPUL] Population Reference Bureau, "World Population Data Sheet
+ of the Population Reference Bureau 2002", August 2002.
+
+ [RTP] Schulzrinne, H., Casner, S., Frederick, R., and V.
+ Jacobson, "RTP: A Transport Protocol for Real-Time
+ Applications", STD 64, RFC 3550, July 2003.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hinden & Haberman Standards Track [Page 14]
+
+RFC 4193 Unique Local IPv6 Unicast Addresses October 2005
+
+
+Authors' Addresses
+
+ Robert M. Hinden
+ Nokia
+ 313 Fairchild Drive
+ Mountain View, CA 94043
+ USA
+
+ Phone: +1 650 625-2004
+ EMail: bob.hinden@nokia.com
+
+
+ Brian Haberman
+ Johns Hopkins University
+ Applied Physics Lab
+ 11100 Johns Hopkins Road
+ Laurel, MD 20723
+ USA
+
+ Phone: +1 443 778 1319
+ EMail: brian@innovationslab.net
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hinden & Haberman Standards Track [Page 15]
+
+RFC 4193 Unique Local IPv6 Unicast Addresses October 2005
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2005).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at ietf-
+ ipr@ietf.org.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+Hinden & Haberman Standards Track [Page 16]
+
diff --git a/contrib/bind9/doc/rfc/rfc4255.txt b/contrib/bind9/doc/rfc/rfc4255.txt
new file mode 100644
index 0000000..f350b7a
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc4255.txt
@@ -0,0 +1,507 @@
+
+
+
+
+
+
+Network Working Group J. Schlyter
+Request for Comments: 4255 OpenSSH
+Category: Standards Track W. Griffin
+ SPARTA
+ January 2006
+
+
+ Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
+
+Status of This Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2006).
+
+Abstract
+
+ This document describes a method of verifying Secure Shell (SSH) host
+ keys using Domain Name System Security (DNSSEC). The document
+ defines a new DNS resource record that contains a standard SSH key
+ fingerprint.
+
+Table of Contents
+
+ 1. Introduction ....................................................2
+ 2. SSH Host Key Verification .......................................2
+ 2.1. Method .....................................................2
+ 2.2. Implementation Notes .......................................2
+ 2.3. Fingerprint Matching .......................................3
+ 2.4. Authentication .............................................3
+ 3. The SSHFP Resource Record .......................................3
+ 3.1. The SSHFP RDATA Format .....................................4
+ 3.1.1. Algorithm Number Specification ......................4
+ 3.1.2. Fingerprint Type Specification ......................4
+ 3.1.3. Fingerprint .........................................5
+ 3.2. Presentation Format of the SSHFP RR ........................5
+ 4. Security Considerations .........................................5
+ 5. IANA Considerations .............................................6
+ 6. Normative References ............................................7
+ 7. Informational References ........................................7
+ 8. Acknowledgements ................................................8
+
+
+
+
+Schlyter & Griffin Standards Track [Page 1]
+
+RFC 4255 DNS and SSH Fingerprints January 2006
+
+
+1. Introduction
+
+ The SSH [6] protocol provides secure remote login and other secure
+ network services over an insecure network. The security of the
+ connection relies on the server authenticating itself to the client
+ as well as the user authenticating itself to the server.
+
+ If a connection is established to a server whose public key is not
+ already known to the client, a fingerprint of the key is presented to
+ the user for verification. If the user decides that the fingerprint
+ is correct and accepts the key, the key is saved locally and used for
+ verification for all following connections. While some security-
+ conscious users verify the fingerprint out-of-band before accepting
+ the key, many users blindly accept the presented key.
+
+ The method described here can provide out-of-band verification by
+ looking up a fingerprint of the server public key in the DNS [1][2]
+ and using DNSSEC [5] to verify the lookup.
+
+ In order to distribute the fingerprint using DNS, this document
+ defines a new DNS resource record, "SSHFP", to carry the fingerprint.
+
+ Basic understanding of the DNS system [1][2] and the DNS security
+ extensions [5] is assumed by this document.
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [3].
+
+2. SSH Host Key Verification
+
+2.1. Method
+
+ Upon connection to an SSH server, the SSH client MAY look up the
+ SSHFP resource record(s) for the host it is connecting to. If the
+ algorithm and fingerprint of the key received from the SSH server
+ match the algorithm and fingerprint of one of the SSHFP resource
+ record(s) returned from DNS, the client MAY accept the identity of
+ the server.
+
+2.2. Implementation Notes
+
+ Client implementors SHOULD provide a configurable policy used to
+ select the order of methods used to verify a host key. This document
+ defines one method: Fingerprint storage in DNS. Another method
+ defined in the SSH Architecture [6] uses local files to store keys
+ for comparison. Other methods that could be defined in the future
+ might include storing fingerprints in LDAP or other databases. A
+
+
+
+Schlyter & Griffin Standards Track [Page 2]
+
+RFC 4255 DNS and SSH Fingerprints January 2006
+
+
+ configurable policy will allow administrators to determine which
+ methods they want to use and in what order the methods should be
+ prioritized. This will allow administrators to determine how much
+ trust they want to place in the different methods.
+
+ One specific scenario for having a configurable policy is where
+ clients do not use fully qualified host names to connect to servers.
+ In this scenario, the implementation SHOULD verify the host key
+ against a local database before verifying the key via the fingerprint
+ returned from DNS. This would help prevent an attacker from
+ injecting a DNS search path into the local resolver and forcing the
+ client to connect to a different host.
+
+2.3. Fingerprint Matching
+
+ The public key and the SSHFP resource record are matched together by
+ comparing algorithm number and fingerprint.
+
+ The public key algorithm and the SSHFP algorithm number MUST
+ match.
+
+ A message digest of the public key, using the message digest
+ algorithm specified in the SSHFP fingerprint type, MUST match the
+ SSHFP fingerprint.
+
+2.4. Authentication
+
+ A public key verified using this method MUST NOT be trusted if the
+ SSHFP resource record (RR) used for verification was not
+ authenticated by a trusted SIG RR.
+
+ Clients that do validate the DNSSEC signatures themselves SHOULD use
+ standard DNSSEC validation procedures.
+
+ Clients that do not validate the DNSSEC signatures themselves MUST
+ use a secure transport (e.g., TSIG [9], SIG(0) [10], or IPsec [8])
+ between themselves and the entity performing the signature
+ validation.
+
+3. The SSHFP Resource Record
+
+ The SSHFP resource record (RR) is used to store a fingerprint of an
+ SSH public host key that is associated with a Domain Name System
+ (DNS) name.
+
+ The RR type code for the SSHFP RR is 44.
+
+
+
+
+
+Schlyter & Griffin Standards Track [Page 3]
+
+RFC 4255 DNS and SSH Fingerprints January 2006
+
+
+3.1. The SSHFP RDATA Format
+
+ The RDATA for a SSHFP RR consists of an algorithm number, fingerprint
+ type and the fingerprint of the public host key.
+
+ 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | algorithm | fp type | /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ /
+ / /
+ / fingerprint /
+ / /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+3.1.1. Algorithm Number Specification
+
+ This algorithm number octet describes the algorithm of the public
+ key. The following values are assigned:
+
+ Value Algorithm name
+ ----- --------------
+ 0 reserved
+ 1 RSA
+ 2 DSS
+
+ Reserving other types requires IETF consensus [4].
+
+3.1.2. Fingerprint Type Specification
+
+ The fingerprint type octet describes the message-digest algorithm
+ used to calculate the fingerprint of the public key. The following
+ values are assigned:
+
+ Value Fingerprint type
+ ----- ----------------
+ 0 reserved
+ 1 SHA-1
+
+ Reserving other types requires IETF consensus [4].
+
+ For interoperability reasons, as few fingerprint types as possible
+ should be reserved. The only reason to reserve additional types is
+ to increase security.
+
+
+
+
+
+
+
+Schlyter & Griffin Standards Track [Page 4]
+
+RFC 4255 DNS and SSH Fingerprints January 2006
+
+
+3.1.3. Fingerprint
+
+ The fingerprint is calculated over the public key blob as described
+ in [7].
+
+ The message-digest algorithm is presumed to produce an opaque octet
+ string output, which is placed as-is in the RDATA fingerprint field.
+
+3.2. Presentation Format of the SSHFP RR
+
+ The RDATA of the presentation format of the SSHFP resource record
+ consists of two numbers (algorithm and fingerprint type) followed by
+ the fingerprint itself, presented in hex, e.g.:
+
+ host.example. SSHFP 2 1 123456789abcdef67890123456789abcdef67890
+
+ The use of mnemonics instead of numbers is not allowed.
+
+4. Security Considerations
+
+ Currently, the amount of trust a user can realistically place in a
+ server key is proportional to the amount of attention paid to
+ verifying that the public key presented actually corresponds to the
+ private key of the server. If a user accepts a key without verifying
+ the fingerprint with something learned through a secured channel, the
+ connection is vulnerable to a man-in-the-middle attack.
+
+ The overall security of using SSHFP for SSH host key verification is
+ dependent on the security policies of the SSH host administrator and
+ DNS zone administrator (in transferring the fingerprint), detailed
+ aspects of how verification is done in the SSH implementation, and in
+ the client's diligence in accessing the DNS in a secure manner.
+
+ One such aspect is in which order fingerprints are looked up (e.g.,
+ first checking local file and then SSHFP). We note that, in addition
+ to protecting the first-time transfer of host keys, SSHFP can
+ optionally be used for stronger host key protection.
+
+ If SSHFP is checked first, new SSH host keys may be distributed by
+ replacing the corresponding SSHFP in DNS.
+
+ If SSH host key verification can be configured to require SSHFP,
+ SSH host key revocation can be implemented by removing the
+ corresponding SSHFP from DNS.
+
+
+
+
+
+
+
+Schlyter & Griffin Standards Track [Page 5]
+
+RFC 4255 DNS and SSH Fingerprints January 2006
+
+
+ As stated in Section 2.2, we recommend that SSH implementors provide
+ a policy mechanism to control the order of methods used for host key
+ verification. One specific scenario for having a configurable policy
+ is where clients use unqualified host names to connect to servers.
+ In this case, we recommend that SSH implementations check the host
+ key against a local database before verifying the key via the
+ fingerprint returned from DNS. This would help prevent an attacker
+ from injecting a DNS search path into the local resolver and forcing
+ the client to connect to a different host.
+
+ A different approach to solve the DNS search path issue would be for
+ clients to use a trusted DNS search path, i.e., one not acquired
+ through DHCP or other autoconfiguration mechanisms. Since there is
+ no way with current DNS lookup APIs to tell whether a search path is
+ from a trusted source, the entire client system would need to be
+ configured with this trusted DNS search path.
+
+ Another dependency is on the implementation of DNSSEC itself. As
+ stated in Section 2.4, we mandate the use of secure methods for
+ lookup and that SSHFP RRs are authenticated by trusted SIG RRs. This
+ is especially important if SSHFP is to be used as a basis for host
+ key rollover and/or revocation, as described above.
+
+ Since DNSSEC only protects the integrity of the host key fingerprint
+ after it is signed by the DNS zone administrator, the fingerprint
+ must be transferred securely from the SSH host administrator to the
+ DNS zone administrator. This could be done manually between the
+ administrators or automatically using secure DNS dynamic update [11]
+ between the SSH server and the nameserver. We note that this is no
+ different from other key enrollment situations, e.g., a client
+ sending a certificate request to a certificate authority for signing.
+
+5. IANA Considerations
+
+ IANA has allocated the RR type code 44 for SSHFP from the standard RR
+ type space.
+
+ IANA has opened a new registry for the SSHFP RR type for public key
+ algorithms. The defined types are:
+
+ 0 is reserved
+ 1 is RSA
+ 2 is DSA
+
+ Adding new reservations requires IETF consensus [4].
+
+
+
+
+
+
+Schlyter & Griffin Standards Track [Page 6]
+
+RFC 4255 DNS and SSH Fingerprints January 2006
+
+
+ IANA has opened a new registry for the SSHFP RR type for fingerprint
+ types. The defined types are:
+
+ 0 is reserved
+ 1 is SHA-1
+
+ Adding new reservations requires IETF consensus [4].
+
+6. Normative References
+
+ [1] Mockapetris, P., "Domain names - concepts and facilities", STD
+ 13, RFC 1034, November 1987.
+
+ [2] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [3] Bradner, S., "Key words for use in RFCs to Indicate Requirement
+ Levels", BCP 14, RFC 2119, March 1997.
+
+ [4] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
+ Considerations Section in RFCs", BCP 26, RFC 2434, October
+ 1998.
+
+ [5] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "DNS Security Introduction and Requirements", RFC 4033, March
+ 2005.
+
+ Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "Resource Records for the DNS Security Extensions", RFC 4034,
+ March 2005.
+
+ Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "Protocol Modifications for the DNS Security Extensions", RFC
+ 4035, March 2005.
+
+ [6] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
+ Protocol Architecture", RFC 4251, January 2006.
+
+ [7] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
+ Transport Layer Protocol", RFC 4253, January 2006.
+
+7. Informational References
+
+ [8] Thayer, R., Doraswamy, N., and R. Glenn, "IP Security Document
+ Roadmap", RFC 2411, November 1998.
+
+
+
+
+
+
+Schlyter & Griffin Standards Track [Page 7]
+
+RFC 4255 DNS and SSH Fingerprints January 2006
+
+
+ [9] Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
+ Wellington, "Secret Key Transaction Authentication for DNS
+ (TSIG)", RFC 2845, May 2000.
+
+ [10] Eastlake 3rd, D., "DNS Request and Transaction Signatures
+ ( SIG(0)s )", RFC 2931, September 2000.
+
+ [11] Wellington, B., "Secure Domain Name System (DNS) Dynamic
+ Update", RFC 3007, November 2000.
+
+8. Acknowledgements
+
+ The authors gratefully acknowledge, in no particular order, the
+ contributions of the following persons:
+
+ Martin Fredriksson
+
+ Olafur Gudmundsson
+
+ Edward Lewis
+
+ Bill Sommerfeld
+
+Authors' Addresses
+
+ Jakob Schlyter
+ OpenSSH
+ 812 23rd Avenue SE
+ Calgary, Alberta T2G 1N8
+ Canada
+
+ EMail: jakob@openssh.com
+ URI: http://www.openssh.com/
+
+
+ Wesley Griffin
+ SPARTA
+ 7075 Samuel Morse Drive
+ Columbia, MD 21046
+ USA
+
+ EMail: wgriffin@sparta.com
+ URI: http://www.sparta.com/
+
+
+
+
+
+
+
+
+Schlyter & Griffin Standards Track [Page 8]
+
+RFC 4255 DNS and SSH Fingerprints January 2006
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2006).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is provided by the IETF
+ Administrative Support Activity (IASA).
+
+
+
+
+
+
+
+Schlyter & Griffin Standards Track [Page 9]
+
diff --git a/contrib/bind9/doc/rfc/rfc4343.txt b/contrib/bind9/doc/rfc/rfc4343.txt
new file mode 100644
index 0000000..621420a
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc4343.txt
@@ -0,0 +1,563 @@
+
+
+
+
+
+
+Network Working Group D. Eastlake 3rd
+Request for Comments: 4343 Motorola Laboratories
+Updates: 1034, 1035, 2181 January 2006
+Category: Standards Track
+
+
+ Domain Name System (DNS) Case Insensitivity Clarification
+
+Status of This Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2006).
+
+Abstract
+
+ Domain Name System (DNS) names are "case insensitive". This document
+ explains exactly what that means and provides a clear specification
+ of the rules. This clarification updates RFCs 1034, 1035, and 2181.
+
+Table of Contents
+
+ 1. Introduction ....................................................2
+ 2. Case Insensitivity of DNS Labels ................................2
+ 2.1. Escaping Unusual DNS Label Octets ..........................2
+ 2.2. Example Labels with Escapes ................................3
+ 3. Name Lookup, Label Types, and CLASS .............................3
+ 3.1. Original DNS Label Types ...................................4
+ 3.2. Extended Label Type Case Insensitivity Considerations ......4
+ 3.3. CLASS Case Insensitivity Considerations ....................4
+ 4. Case on Input and Output ........................................5
+ 4.1. DNS Output Case Preservation ...............................5
+ 4.2. DNS Input Case Preservation ................................5
+ 5. Internationalized Domain Names ..................................6
+ 6. Security Considerations .........................................6
+ 7. Acknowledgements ................................................7
+ Normative References................................................7
+ Informative References..............................................8
+
+
+
+
+
+
+
+Eastlake 3rd Standards Track [Page 1]
+
+RFC 4343 DNS Case Insensitivity Clarification January 2006
+
+
+1. Introduction
+
+ The Domain Name System (DNS) is the global hierarchical replicated
+ distributed database system for Internet addressing, mail proxy, and
+ other information. Each node in the DNS tree has a name consisting
+ of zero or more labels [STD13, RFC1591, RFC2606] that are treated in
+ a case insensitive fashion. This document clarifies the meaning of
+ "case insensitive" for the DNS. This clarification updates RFCs
+ 1034, 1035 [STD13], and [RFC2181].
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+2. Case Insensitivity of DNS Labels
+
+ DNS was specified in the era of [ASCII]. DNS names were expected to
+ look like most host names or Internet email address right halves (the
+ part after the at-sign, "@") or to be numeric, as in the in-addr.arpa
+ part of the DNS name space. For example,
+
+ foo.example.net.
+ aol.com.
+ www.gnu.ai.mit.edu.
+ or 69.2.0.192.in-addr.arpa.
+
+ Case-varied alternatives to the above [RFC3092] would be DNS names
+ like
+
+ Foo.ExamplE.net.
+ AOL.COM.
+ WWW.gnu.AI.mit.EDU.
+ or 69.2.0.192.in-ADDR.ARPA.
+
+ However, the individual octets of which DNS names consist are not
+ limited to valid ASCII character codes. They are 8-bit bytes, and
+ all values are allowed. Many applications, however, interpret them
+ as ASCII characters.
+
+2.1. Escaping Unusual DNS Label Octets
+
+ In Master Files [STD13] and other human-readable and -writable ASCII
+ contexts, an escape is needed for the byte value for period (0x2E,
+ ".") and all octet values outside of the inclusive range from 0x21
+ ("!") to 0x7E ("~"). That is to say, 0x2E and all octet values in
+ the two inclusive ranges from 0x00 to 0x20 and from 0x7F to 0xFF.
+
+
+
+
+
+Eastlake 3rd Standards Track [Page 2]
+
+RFC 4343 DNS Case Insensitivity Clarification January 2006
+
+
+ One typographic convention for octets that do not correspond to an
+ ASCII printing graphic is to use a back-slash followed by the value
+ of the octet as an unsigned integer represented by exactly three
+ decimal digits.
+
+ The same convention can be used for printing ASCII characters so that
+ they will be treated as a normal label character. This includes the
+ back-slash character used in this convention itself, which can be
+ expressed as \092 or \\, and the special label separator period
+ ("."), which can be expressed as and \046 or \. It is advisable to
+ avoid using a backslash to quote an immediately following non-
+ printing ASCII character code to avoid implementation difficulties.
+
+ A back-slash followed by only one or two decimal digits is undefined.
+ A back-slash followed by four decimal digits produces two octets, the
+ first octet having the value of the first three digits considered as
+ a decimal number, and the second octet being the character code for
+ the fourth decimal digit.
+
+2.2. Example Labels with Escapes
+
+ The first example below shows embedded spaces and a period (".")
+ within a label. The second one shows a 5-octet label where the
+ second octet has all bits zero, the third is a backslash, and the
+ fourth octet has all bits one.
+
+ Donald\032E\.\032Eastlake\0323rd.example.
+ and a\000\\\255z.example.
+
+3. Name Lookup, Label Types, and CLASS
+
+ According to the original DNS design decision, comparisons on name
+ lookup for DNS queries should be case insensitive [STD13]. That is
+ to say, a lookup string octet with a value in the inclusive range
+ from 0x41 to 0x5A, the uppercase ASCII letters, MUST match the
+ identical value and also match the corresponding value in the
+ inclusive range from 0x61 to 0x7A, the lowercase ASCII letters. A
+ lookup string octet with a lowercase ASCII letter value MUST
+ similarly match the identical value and also match the corresponding
+ value in the uppercase ASCII letter range.
+
+ (Historical note: The terms "uppercase" and "lowercase" were invented
+ after movable type. The terms originally referred to the two font
+ trays for storing, in partitioned areas, the different physical type
+ elements. Before movable type, the nearest equivalent terms were
+ "majuscule" and "minuscule".)
+
+
+
+
+
+Eastlake 3rd Standards Track [Page 3]
+
+RFC 4343 DNS Case Insensitivity Clarification January 2006
+
+
+ One way to implement this rule would be to subtract 0x20 from all
+ octets in the inclusive range from 0x61 to 0x7A before comparing
+ octets. Such an operation is commonly known as "case folding", but
+ implementation via case folding is not required. Note that the DNS
+ case insensitivity does NOT correspond to the case folding specified
+ in [ISO-8859-1] or [ISO-8859-2]. For example, the octets 0xDD (\221)
+ and 0xFD (\253) do NOT match, although in other contexts, where they
+ are interpreted as the upper- and lower-case version of "Y" with an
+ acute accent, they might.
+
+3.1. Original DNS Label Types
+
+ DNS labels in wire-encoded names have a type associated with them.
+ The original DNS standard [STD13] had only two types: ASCII labels,
+ with a length from zero to 63 octets, and indirect (or compression)
+ labels, which consist of an offset pointer to a name location
+ elsewhere in the wire encoding on a DNS message. (The ASCII label of
+ length zero is reserved for use as the name of the root node of the
+ name tree.) ASCII labels follow the ASCII case conventions described
+ herein and, as stated above, can actually contain arbitrary byte
+ values. Indirect labels are, in effect, replaced by the name to
+ which they point, which is then treated with the case insensitivity
+ rules in this document.
+
+3.2. Extended Label Type Case Insensitivity Considerations
+
+ DNS was extended by [RFC2671] so that additional label type numbers
+ would be available. (The only such type defined so far is the BINARY
+ type [RFC2673], which is now Experimental [RFC3363].)
+
+ The ASCII case insensitivity conventions only apply to ASCII labels;
+ that is to say, label type 0x0, whether appearing directly or invoked
+ by indirect labels.
+
+3.3. CLASS Case Insensitivity Considerations
+
+ As described in [STD13] and [RFC2929], DNS has an additional axis for
+ data location called CLASS. The only CLASS in global use at this
+ time is the "IN" (Internet) CLASS.
+
+ The handling of DNS label case is not CLASS dependent. With the
+ original design of DNS, it was intended that a recursive DNS resolver
+ be able to handle new CLASSes that were unknown at the time of its
+ implementation. This requires uniform handling of label case
+ insensitivity. Should it become desirable, for example, to allocate
+ a CLASS with "case sensitive ASCII labels", it would be necessary to
+ allocate a new label type for these labels.
+
+
+
+
+Eastlake 3rd Standards Track [Page 4]
+
+RFC 4343 DNS Case Insensitivity Clarification January 2006
+
+
+4. Case on Input and Output
+
+ While ASCII label comparisons are case insensitive, [STD13] says case
+ MUST be preserved on output and preserved when convenient on input.
+ However, this means less than it would appear, since the preservation
+ of case on output is NOT required when output is optimized by the use
+ of indirect labels, as explained below.
+
+4.1. DNS Output Case Preservation
+
+ [STD13] views the DNS namespace as a node tree. ASCII output is as
+ if a name were marshaled by taking the label on the node whose name
+ is to be output, converting it to a typographically encoded ASCII
+ string, walking up the tree outputting each label encountered, and
+ preceding all labels but the first with a period ("."). Wire output
+ follows the same sequence, but each label is wire encoded, and no
+ periods are inserted. No "case conversion" or "case folding" is done
+ during such output operations, thus "preserving" case. However, to
+ optimize output, indirect labels may be used to point to names
+ elsewhere in the DNS answer. In determining whether the name to be
+ pointed to (for example, the QNAME) is the "same" as the remainder of
+ the name being optimized, the case insensitive comparison specified
+ above is done. Thus, such optimization may easily destroy the output
+ preservation of case. This type of optimization is commonly called
+ "name compression".
+
+4.2. DNS Input Case Preservation
+
+ Originally, DNS data came from an ASCII Master File as defined in
+ [STD13] or a zone transfer. DNS Dynamic update and incremental zone
+ transfers [RFC1995] have been added as a source of DNS data [RFC2136,
+ RFC3007]. When a node in the DNS name tree is created by any of such
+ inputs, no case conversion is done. Thus, the case of ASCII labels
+ is preserved if they are for nodes being created. However, when a
+ name label is input for a node that already exists in DNS data being
+ held, the situation is more complex. Implementations are free to
+ retain the case first loaded for such a label, to allow new input to
+ override the old case, or even to maintain separate copies preserving
+ the input case.
+
+ For example, if data with owner name "foo.bar.example" [RFC3092] is
+ loaded and then later data with owner name "xyz.BAR.example" is
+ input, the name of the label on the "bar.example" node (i.e., "bar")
+ might or might not be changed to "BAR" in the DNS stored data. Thus,
+ later retrieval of data stored under "xyz.bar.example" in this case
+ can use "xyz.BAR.example" in all returned data, use "xyz.bar.example"
+ in all returned data, or even, when more than one RR is being
+ returned, use a mixture of these two capitalizations. This last case
+
+
+
+Eastlake 3rd Standards Track [Page 5]
+
+RFC 4343 DNS Case Insensitivity Clarification January 2006
+
+
+ is unlikely, as optimization of answer length through indirect labels
+ tends to cause only one copy of the name tail ("bar.example" or
+ "BAR.example") to be used for all returned RRs. Note that none of
+ this has any effect on the number or completeness of the RR set
+ returned, only on the case of the names in the RR set returned.
+
+ The same considerations apply when inputting multiple data records
+ with owner names differing only in case. For example, if an "A"
+ record is the first resource record stored under owner name
+ "xyz.BAR.example" and then a second "A" record is stored under
+ "XYZ.BAR.example", the second MAY be stored with the first (lower
+ case initial label) name, the second MAY override the first so that
+ only an uppercase initial label is retained, or both capitalizations
+ MAY be kept in the DNS stored data. In any case, a retrieval with
+ either capitalization will retrieve all RRs with either
+ capitalization.
+
+ Note that the order of insertion into a server database of the DNS
+ name tree nodes that appear in a Master File is not defined so that
+ the results of inconsistent capitalization in a Master File are
+ unpredictable output capitalization.
+
+5. Internationalized Domain Names
+
+ A scheme has been adopted for "internationalized domain names" and
+ "internationalized labels" as described in [RFC3490, RFC3454,
+ RFC3491, and RFC3492]. It makes most of [UNICODE] available through
+ a separate application level transformation from internationalized
+ domain name to DNS domain name and from DNS domain name to
+ internationalized domain name. Any case insensitivity that
+ internationalized domain names and labels have varies depending on
+ the script and is handled entirely as part of the transformation
+ described in [RFC3454] and [RFC3491], which should be seen for
+ further details. This is not a part of the DNS as standardized in
+ STD 13.
+
+6. Security Considerations
+
+ The equivalence of certain DNS label types with case differences, as
+ clarified in this document, can lead to security problems. For
+ example, a user could be confused by believing that two domain names
+ differing only in case were actually different names.
+
+ Furthermore, a domain name may be used in contexts other than the
+ DNS. It could be used as a case sensitive index into some database
+ or file system. Or it could be interpreted as binary data by some
+ integrity or authentication code system. These problems can usually
+ be handled by using a standardized or "canonical" form of the DNS
+
+
+
+Eastlake 3rd Standards Track [Page 6]
+
+RFC 4343 DNS Case Insensitivity Clarification January 2006
+
+
+ ASCII type labels; that is, always mapping the ASCII letter value
+ octets in ASCII labels to some specific pre-chosen case, either
+ uppercase or lower case. An example of a canonical form for domain
+ names (and also a canonical ordering for them) appears in Section 6
+ of [RFC4034]. See also [RFC3597].
+
+ Finally, a non-DNS name may be stored into DNS with the false
+ expectation that case will always be preserved. For example,
+ although this would be quite rare, on a system with case sensitive
+ email address local parts, an attempt to store two Responsible Person
+ (RP) [RFC1183] records that differed only in case would probably
+ produce unexpected results that might have security implications.
+ That is because the entire email address, including the possibly case
+ sensitive local or left-hand part, is encoded into a DNS name in a
+ readable fashion where the case of some letters might be changed on
+ output as described above.
+
+7. Acknowledgements
+
+ The contributions to this document by Rob Austein, Olafur
+ Gudmundsson, Daniel J. Anderson, Alan Barrett, Marc Blanchet, Dana,
+ Andreas Gustafsson, Andrew Main, Thomas Narten, and Scott Seligman
+ are gratefully acknowledged.
+
+Normative References
+
+ [ASCII] ANSI, "USA Standard Code for Information Interchange",
+ X3.4, American National Standards Institute: New York,
+ 1968.
+
+ [RFC1995] Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995,
+ August 1996.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2136] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound,
+ "Dynamic Updates in the Domain Name System (DNS
+ UPDATE)", RFC 2136, April 1997.
+
+ [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
+ Specification", RFC 2181, July 1997.
+
+ [RFC3007] Wellington, B., "Secure Domain Name System (DNS) Dynamic
+ Update", RFC 3007, November 2000.
+
+
+
+
+
+
+Eastlake 3rd Standards Track [Page 7]
+
+RFC 4343 DNS Case Insensitivity Clarification January 2006
+
+
+ [RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource Record
+ (RR) Types", RFC 3597, September 2003.
+
+ [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "Resource Records for the DNS Security
+ Extensions", RFC 4034, March 2005.
+
+ [STD13] Mockapetris, P., "Domain names - concepts and
+ facilities", STD 13, RFC 1034, November 1987.
+
+ Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+Informative References
+
+ [ISO-8859-1] International Standards Organization, Standard for
+ Character Encodings, Latin-1.
+
+ [ISO-8859-2] International Standards Organization, Standard for
+ Character Encodings, Latin-2.
+
+ [RFC1183] Everhart, C., Mamakos, L., Ullmann, R., and P.
+ Mockapetris, "New DNS RR Definitions", RFC 1183, October
+ 1990.
+
+ [RFC1591] Postel, J., "Domain Name System Structure and
+ Delegation", RFC 1591, March 1994.
+
+ [RFC2606] Eastlake 3rd, D. and A. Panitz, "Reserved Top Level DNS
+ Names", BCP 32, RFC 2606, June 1999.
+
+ [RFC2929] Eastlake 3rd, D., Brunner-Williams, E., and B. Manning,
+ "Domain Name System (DNS) IANA Considerations", BCP 42,
+ RFC 2929, September 2000.
+
+ [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
+ 2671, August 1999.
+
+ [RFC2673] Crawford, M., "Binary Labels in the Domain Name System",
+ RFC 2673, August 1999.
+
+ [RFC3092] Eastlake 3rd, D., Manros, C., and E. Raymond, "Etymology
+ of "Foo"", RFC 3092, 1 April 2001.
+
+ [RFC3363] Bush, R., Durand, A., Fink, B., Gudmundsson, O., and T.
+ Hain, "Representing Internet Protocol version 6 (IPv6)
+ Addresses in the Domain Name System (DNS)", RFC 3363,
+ August 2002.
+
+
+
+Eastlake 3rd Standards Track [Page 8]
+
+RFC 4343 DNS Case Insensitivity Clarification January 2006
+
+
+ [RFC3454] Hoffman, P. and M. Blanchet, "Preparation of
+ Internationalized Strings ("stringprep")", RFC 3454,
+ December 2002.
+
+ [RFC3490] Faltstrom, P., Hoffman, P., and A. Costello,
+ "Internationalizing Domain Names in Applications
+ (IDNA)", RFC 3490, March 2003.
+
+ [RFC3491] Hoffman, P. and M. Blanchet, "Nameprep: A Stringprep
+ Profile for Internationalized Domain Names (IDN)", RFC
+ 3491, March 2003.
+
+ [RFC3492] Costello, A., "Punycode: A Bootstring encoding of
+ Unicode for Internationalized Domain Names in
+ Applications (IDNA)", RFC 3492, March 2003.
+
+ [UNICODE] The Unicode Consortium, "The Unicode Standard",
+ <http://www.unicode.org/unicode/standard/standard.html>.
+
+Author's Address
+
+ Donald E. Eastlake 3rd
+ Motorola Laboratories
+ 155 Beaver Street
+ Milford, MA 01757 USA
+
+ Phone: +1 508-786-7554 (w)
+ EMail: Donald.Eastlake@motorola.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake 3rd Standards Track [Page 9]
+
+RFC 4343 DNS Case Insensitivity Clarification January 2006
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2006).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is provided by the IETF
+ Administrative Support Activity (IASA).
+
+
+
+
+
+
+
+Eastlake 3rd Standards Track [Page 10]
+
diff --git a/contrib/bind9/doc/rfc/rfc4367.txt b/contrib/bind9/doc/rfc/rfc4367.txt
new file mode 100644
index 0000000..f066b64
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc4367.txt
@@ -0,0 +1,955 @@
+
+
+
+
+
+
+Network Working Group J. Rosenberg, Ed.
+Request for Comments: 4367 IAB
+Category: Informational February 2006
+
+
+ What's in a Name: False Assumptions about DNS Names
+
+Status of This Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2006).
+
+Abstract
+
+ The Domain Name System (DNS) provides an essential service on the
+ Internet, mapping structured names to a variety of data, usually IP
+ addresses. These names appear in email addresses, Uniform Resource
+ Identifiers (URIs), and other application-layer identifiers that are
+ often rendered to human users. Because of this, there has been a
+ strong demand to acquire names that have significance to people,
+ through equivalence to registered trademarks, company names, types of
+ services, and so on. There is a danger in this trend; the humans and
+ automata that consume and use such names will associate specific
+ semantics with some names and thereby make assumptions about the
+ services that are, or should be, provided by the hosts associated
+ with the names. Those assumptions can often be false, resulting in a
+ variety of failure conditions. This document discusses this problem
+ in more detail and makes recommendations on how it can be avoided.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Rosenberg Informational [Page 1]
+
+RFC 4367 Name Assumptions February 2006
+
+
+Table of Contents
+
+ 1. Introduction ....................................................2
+ 2. Target Audience .................................................4
+ 3. Modeling Usage of the DNS .......................................4
+ 4. Possible Assumptions ............................................5
+ 4.1. By the User ................................................5
+ 4.2. By the Client ..............................................6
+ 4.3. By the Server ..............................................7
+ 5. Consequences of False Assumptions ...............................8
+ 6. Reasons Why the Assumptions Can Be False ........................9
+ 6.1. Evolution ..................................................9
+ 6.2. Leakage ...................................................10
+ 6.3. Sub-Delegation ............................................10
+ 6.4. Mobility ..................................................12
+ 6.5. Human Error ...............................................12
+ 7. Recommendations ................................................12
+ 8. A Note on RFC 2219 and RFC 2782 ................................13
+ 9. Security Considerations ........................................14
+ 10. Acknowledgements ..............................................14
+ 11. IAB Members ...................................................14
+ 12. Informative References ........................................15
+
+1. Introduction
+
+ The Domain Name System (DNS) [1] provides an essential service on the
+ Internet, mapping structured names to a variety of different types of
+ data. Most often it is used to obtain the IP address of a host
+ associated with that name [2] [1] [3]. However, it can be used to
+ obtain other information, and proposals have been made for nearly
+ everything, including geographic information [4].
+
+ Domain names are most often used in identifiers used by application
+ protocols. The most well known include email addresses and URIs,
+ such as the HTTP URL [5], Real Time Streaming Protocol (RTSP) URL
+ [6], and SIP URI [7]. These identifiers are ubiquitous, appearing on
+ business cards, web pages, street signs, and so on. Because of this,
+ there has been a strong demand to acquire domain names that have
+ significance to people through equivalence to registered trademarks,
+ company names, types of services, and so on. Such identifiers serve
+ many business purposes, including extension of brand, advertising,
+ and so on.
+
+ People often make assumptions about the type of service that is or
+ should be provided by a host associated with that name, based on
+ their expectations and understanding of what the name implies. This,
+ in turn, triggers attempts by organizations to register domain names
+ based on that presumed user expectation. Examples of this are the
+
+
+
+Rosenberg Informational [Page 2]
+
+RFC 4367 Name Assumptions February 2006
+
+
+ various proposals for a Top-Level Domain (TLD) that could be
+ associated with adult content [8], the requests for creation of TLDs
+ associated with mobile devices and services, and even phishing
+ attacks.
+
+ When these assumptions are codified into the behavior of an
+ automaton, such as an application client or server, as a result of
+ implementor choice, management directive, or domain owner policy, the
+ overall system can fail in various ways. This document describes a
+ number of typical ways in which these assumptions can be codified,
+ how they can be wrong, the consequences of those mistakes, and the
+ recommended ways in which they can be avoided.
+
+ Section 4 describes some of the possible assumptions that clients,
+ servers, and people can make about a domain name. In this context,
+ an "assumption" is defined as any behavior that is expected when
+ accessing a service at a domain name, even though the behavior is not
+ explicitly codified in protocol specifications. Frequently, these
+ assumptions involve ignoring parts of a specification based on an
+ assumption that the client or server is deployed in an environment
+ that is more rigid than the specification allows. Section 5
+ overviews some of the consequences of these false assumptions.
+ Generally speaking, these consequences can include a variety of
+ different interoperability failures, user experience failures, and
+ system failures. Section 6 discusses why these assumptions can be
+ false from the very beginning or become false at some point in the
+ future. Most commonly, they become false because the environment
+ changes in unexpected ways over time, and what was a valid assumption
+ before, no longer is. Other times, the assumptions prove wrong
+ because they were based on the belief that a specific community of
+ clients and servers was participating, and an element outside of that
+ community began participating.
+
+ Section 7 then provides some recommendations. These recommendations
+ encapsulate some of the engineering mantras that have been at the
+ root of Internet protocol design for decades. These include:
+
+ Follow the specifications.
+
+ Use the capability negotiation techniques provided in the
+ protocols.
+
+ Be liberal in what you accept, and conservative in what you send.
+ [18]
+
+ Overall, automata should not change their behavior within a protocol
+ based on the domain name, or some component of the domain name, of
+ the host they are communicating with.
+
+
+
+Rosenberg Informational [Page 3]
+
+RFC 4367 Name Assumptions February 2006
+
+
+2. Target Audience
+
+ This document has several audiences. Firstly, it is aimed at
+ implementors who ultimately develop the software that make the false
+ assumptions that are the subject of this document. The
+ recommendations described here are meant to reinforce the engineering
+ guidelines that are often understood by implementors, but frequently
+ forgotten as deadlines near and pressures mount.
+
+ The document is also aimed at technology managers, who often develop
+ the requirements that lead to these false assumptions. For them,
+ this document serves as a vehicle for emphasizing the importance of
+ not taking shortcuts in the scope of applicability of a project.
+
+ Finally, this document is aimed at domain name policy makers and
+ administrators. For them, it points out the perils in establishing
+ domain policies that get codified into the operation of applications
+ running within that domain.
+
+3. Modeling Usage of the DNS
+
+
+ +--------+
+ | |
+ | |
+ | DNS |
+ |Service |
+ | |
+ +--------+
+ ^ |
+ | |
+ | |
+ | |
+ /--\ | |
+ | | | V
+ | | +--------+ +--------+
+ \--/ | | | |
+ | | | | |
+ ---+--- | Client |-------------------->| Server |
+ | | | | |
+ | | | | |
+ /\ +--------+ +--------+
+ / \
+ / \
+
+ User
+ Figure 1
+
+
+
+
+Rosenberg Informational [Page 4]
+
+RFC 4367 Name Assumptions February 2006
+
+
+ Figure 1 shows a simple conceptual model of how the DNS is used by
+ applications. A user of the application obtains an identifier for
+ particular content or service it wishes to obtain. This identifier
+ is often a URL or URI that contains a domain name. The user enters
+ this identifier into its client application (for example, by typing
+ in the URL in a web browser window). The client is the automaton (a
+ software and/or hardware system) that contacts a server for that
+ application in order to provide service to the user. To do that, it
+ contacts a DNS server to resolve the domain name in the identifier to
+ an IP address. It then contacts the server at that IP address. This
+ simple model applies to application protocols such as HTTP [5], SIP
+ [7], RTSP [6], and SMTP [9].
+
+ >From this model, it is clear that three entities in the system can
+ potentially make false assumptions about the service provided by the
+ server. The human user may form expectations relating to the content
+ of the service based on a parsing of the host name from which the
+ content originated. The server might assume that the client
+ connecting to it supports protocols that it does not, can process
+ content that it cannot, or has capabilities that it does not.
+ Similarly, the client might assume that the server supports
+ protocols, content, or capabilities that it does not. Furthermore,
+ applications can potentially contain a multiplicity of humans,
+ clients, and servers, all of which can independently make these false
+ assumptions.
+
+4. Possible Assumptions
+
+ For each of the three elements, there are many types of false
+ assumptions that can be made.
+
+4.1. By the User
+
+ The set of possible assumptions here is nearly boundless. Users
+ might assume that an HTTP URL that looks like a company name maps to
+ a server run by that company. They might assume that an email from a
+ email address in the .gov TLD is actually from a government employee.
+ They might assume that the content obtained from a web server within
+ a TLD labeled as containing adult materials (for example, .sex)
+ actually contains adult content [8]. These assumptions are
+ unavoidable, may all be false, and are not the focus of this
+ document.
+
+
+
+
+
+
+
+
+
+Rosenberg Informational [Page 5]
+
+RFC 4367 Name Assumptions February 2006
+
+
+4.2. By the Client
+
+ Even though the client is an automaton, it can make some of the same
+ assumptions that a human user might make. For example, many clients
+ assume that any host with a hostname that begins with "www" is a web
+ server, even though this assumption may be false.
+
+ In addition, the client concerns itself with the protocols needed to
+ communicate with the server. As a result, it might make assumptions
+ about the operation of the protocols for communicating with the
+ server. These assumptions manifest themselves in an implementation
+ when a standardized protocol negotiation technique defined by the
+ protocol is ignored, and instead, some kind of rule is coded into the
+ software that comes to its own conclusion about what the negotiation
+ would have determined. The result is often a loss of
+ interoperability, degradation in reliability, and worsening of user
+ experience.
+
+ Authentication Algorithm: Though a protocol might support a
+ multiplicity of authentication techniques, a client might assume
+ that a server always supports one that is only optional according
+ to the protocol. For example, a SIP client contacting a SIP
+ server in a domain that is apparently used to identify mobile
+ devices (for example, www.example.cellular) might assume that the
+ server supports the optional Authentication and Key Agreement
+ (AKA) digest technique [10], just because of the domain name that
+ was used to access the server. As another example, a web client
+ might assume that a server with the name https.example.com
+ supports HTTP over Transport Layer Security (TLS) [16].
+
+ Data Formats: Though a protocol might allow a multiplicity of data
+ formats to be sent from the server to the client, the client might
+ assume a specific one, rather than using the content labeling and
+ negotiation capabilities of the underlying protocol. For example,
+ an RTSP client might assume that all audio content delivered to it
+ from media.example.cellular uses a low-bandwidth codec. As
+ another example, a mail client might assume that the contents of
+ messages it retrieves from a mail server at mail.example.cellular
+ are always text, instead of checking the MIME headers [11] in the
+ message in order to determine the actual content type.
+
+ Protocol Extensions: A client may attempt an operation on the server
+ that requires the server to support an optional protocol
+ extension. However, rather than implementing the necessary
+ fallback logic, the client may falsely assume that the extension
+ is supported. As an example, a SIP client that requires reliable
+ provisional responses to its request (RFC 3262 [17]) might assume
+ that this extension is supported on servers in the domain
+
+
+
+Rosenberg Informational [Page 6]
+
+RFC 4367 Name Assumptions February 2006
+
+
+ sip.example.telecom. Furthermore, the client would not implement
+ the fallback behavior defined in RFC 3262, since it would assume
+ that all servers it will communicate with are in this domain and
+ that all therefore support this extension. However, if the
+ assumptions prove wrong, the client is unable to make any phone
+ calls.
+
+ Languages: A client may support facilities for processing text
+ content differently depending on the language of the text. Rather
+ than determining the language from markers in the message from the
+ server, the client might assume a language based on the domain
+ name. This assumption can easily be wrong. For example, a client
+ might assume that any text in a web page retrieved from a server
+ within the .de country code TLD (ccTLD) is in German, and attempt
+ a translation to Finnish. This would fail dramatically if the
+ text was actually in French. Unfortunately, this client behavior
+ is sometimes exhibited because the server has not properly labeled
+ the language of the content in the first place, often because the
+ server assumed such a labeling was not needed. This is an example
+ of how these false assumptions can create vicious cycles.
+
+4.3. By the Server
+
+ The server, like the client, is an automaton. Let us consider one
+ servicing a particular domain -- www.company.cellular, for example.
+ It might assume that all clients connecting to this domain support
+ particular capabilities, rather than using the underlying protocol to
+ make this determination. Some examples include:
+
+ Authentication Algorithm: The server can assume that a client
+ supports a particular, optional, authentication technique, and it
+ therefore does not support the mandatory one.
+
+ Language: The server can serve content in a particular language,
+ based on an assumption that clients accessing the domain speak a
+ particular language, or based on an assumption that clients coming
+ from a particular IP address speak a certain language.
+
+ Data Formats: The server can assume that the client supports a
+ particular set of MIME types and is only capable of sending ones
+ within that set. When it generates content in a protocol
+ response, it ignores any content negotiation headers that were
+ present in the request. For example, a web server might ignore
+ the Accept HTTP header field and send a specific image format.
+
+
+
+
+
+
+
+Rosenberg Informational [Page 7]
+
+RFC 4367 Name Assumptions February 2006
+
+
+ Protocol Extensions: The server might assume that the client supports
+ a particular optional protocol extension, and so it does not
+ support the fallback behavior necessary in the case where the
+ client does not.
+
+ Client Characteristics: The server might assume certain things about
+ the physical characteristics of its clients, such as memory
+ footprint, processing power, screen sizes, screen colors, pointing
+ devices, and so on. Based on these assumptions, it might choose
+ specific behaviors when processing a request. For example, a web
+ server might always assume that clients connect through cell
+ phones, and therefore return content that lacks images and is
+ tuned for such devices.
+
+5. Consequences of False Assumptions
+
+ There are numerous negative outcomes that can arise from the various
+ false assumptions that users, servers, and clients can make. These
+ include:
+
+ Interoperability Failure: In these cases, the client or server
+ assumed some kind of protocol operation, and this assumption was
+ wrong. The result is that the two are unable to communicate, and
+ the user receives some kind of an error. This represents a total
+ interoperability failure, manifesting itself as a lack of service
+ to users of the system. Unfortunately, this kind of failure
+ persists. Repeated attempts over time by the client to access the
+ service will fail. Only a change in the server or client software
+ can fix this problem.
+
+ System Failure: In these cases, the client or server misinterpreted a
+ protocol operation, and this misinterpretation was serious enough
+ to uncover a bug in the implementation. The bug causes a system
+ crash or some kind of outage, either transient or permanent (until
+ user reset). If this failure occurs in a server, not only will
+ the connecting client lose service, but other clients attempting
+ to connect will not get service. As an example, if a web server
+ assumes that content passed to it from a client (created, for
+ example, by a digital camera) is of a particular content type, and
+ it always passes image content to a codec for decompression prior
+ to storage, the codec might crash when it unexpectedly receives an
+ image compressed in a different format. Of course, it might crash
+ even if the Content-Type was correct, but the compressed bitstream
+ was invalid. False assumptions merely introduce additional
+ failure cases.
+
+
+
+
+
+
+Rosenberg Informational [Page 8]
+
+RFC 4367 Name Assumptions February 2006
+
+
+ Poor User Experience: In these cases, the client and server
+ communicate, but the user receives a diminished user experience.
+ For example, if a client on a PC connects to a web site that
+ provides content for mobile devices, the content may be
+ underwhelming when viewed on the PC. Or, a client accessing a
+ streaming media service may receive content of very low bitrate,
+ even though the client supported better codecs. Indeed, if a user
+ wishes to access content from both a cellular device and a PC
+ using a shared address book (that is, an address book shared
+ across multiple devices), the user would need two entries in that
+ address book, and would need to use the right one from the right
+ device. This is a poor user experience.
+
+ Degraded Security: In these cases, a weaker security mechanism is
+ used than the one that ought to have been used. As an example, a
+ server in a domain might assume that it is only contacted by
+ clients with a limited set of authentication algorithms, even
+ though the clients have been recently upgraded to support a
+ stronger set.
+
+6. Reasons Why the Assumptions Can Be False
+
+ Assumptions made by clients and servers about the operation of
+ protocols when contacting a particular domain are brittle, and can be
+ wrong for many reasons. On the server side, many of the assumptions
+ are based on the notion that a domain name will only be given to, or
+ used by, a restricted set of clients. If the holder of the domain
+ name assumes something about those clients, and can assume that only
+ those clients use the domain name, then it can configure or program
+ the server to operate specifically for those clients. Both parts of
+ this assumption can be wrong, as discussed in more detail below.
+
+ On the client side, the notion is similar, being based on the
+ assumption that a server within a particular domain will provide a
+ specific type of service. Sub-delegation and evolution, both
+ discussed below, can make these assumptions wrong.
+
+6.1. Evolution
+
+ The Internet and the devices that access it are constantly evolving,
+ often at a rapid pace. Unfortunately, there is a tendency to build
+ for the here and now, and then worry about the future at a later
+ time. Many of the assumptions above are predicated on
+ characteristics of today's clients and servers. Support for specific
+ protocols, authentication techniques, or content are based on today's
+ standards and today's devices. Even though they may, for the most
+ part, be true, they won't always be. An excellent example is mobile
+ devices. A server servicing a domain accessed by mobile devices
+
+
+
+Rosenberg Informational [Page 9]
+
+RFC 4367 Name Assumptions February 2006
+
+
+ might try to make assumptions about the protocols, protocol
+ extensions, security mechanisms, screen sizes, or processor power of
+ such devices. However, all of these characteristics can and will
+ change over time.
+
+ When they do change, the change is usually evolutionary. The result
+ is that the assumptions remain valid in some cases, but not in
+ others. It is difficult to fix such systems, since it requires the
+ server to detect what type of client is connecting, and what its
+ capabilities are. Unless the system is built and deployed with these
+ capability negotiation techniques built in to begin with, such
+ detection can be extremely difficult. In fact, fixing it will often
+ require the addition of such capability negotiation features that, if
+ they had been in place and used to begin with, would have avoided the
+ problem altogether.
+
+6.2. Leakage
+
+ Servers also make assumptions because of the belief that they will
+ only be accessed by specific clients, and in particular, those that
+ are configured or provisioned to use the domain name. In essence,
+ there is an assumption of community -- that a specific community
+ knows and uses the domain name, while others outside of the community
+ do not.
+
+ The problem is that this notion of community is a false one. The
+ Internet is global. The DNS is global. There is no technical
+ barrier that separates those inside of the community from those
+ outside. The ease with which information propagates across the
+ Internet makes it extremely likely that such domain names will
+ eventually find their way into clients outside of the presumed
+ community. The ubiquitous presence of domain names in various URI
+ formats, coupled with the ease of conveyance of URIs, makes such
+ leakage merely a matter of time. Furthermore, since the DNS is
+ global, and since it can only have one root [12], it becomes possible
+ for clients outside of the community to search and find and use such
+ "special" domain names.
+
+ Indeed, this leakage is a strength of the Internet architecture, not
+ a weakness. It enables global access to services from any client
+ with a connection to the Internet. That, in turn, allows for rapid
+ growth in the number of customers for any particular service.
+
+6.3. Sub-Delegation
+
+ Clients and users make assumptions about domains because of the
+ notion that there is some kind of centralized control that can
+ enforce those assumptions. However, the DNS is not centralized; it
+
+
+
+Rosenberg Informational [Page 10]
+
+RFC 4367 Name Assumptions February 2006
+
+
+ is distributed. If a domain doesn't delegate its sub-domains and has
+ its records within a single zone, it is possible to maintain a
+ centralized policy about operation of its domain. However, once a
+ domain gets sufficiently large that the domain administrators begin
+ to delegate sub-domains to other authorities, it becomes increasingly
+ difficult to maintain any kind of central control on the nature of
+ the service provided in each sub-domain.
+
+ Similarly, the usage of domain names with human semantic connotation
+ tends to lead to a registration of multiple domains in which a
+ particular service is to run. As an example, a service provider with
+ the name "example" might register and set up its services in
+ "example.com", "example.net", and generally example.foo for each foo
+ that is a valid TLD. This, like sub-delegation, results in a growth
+ in the number of domains over which it is difficult to maintain
+ centralized control.
+
+ Not that it is not possible, since there are many examples of
+ successful administration of policies across sub-domains many levels
+ deep. However, it takes an increasing amount of effort to ensure
+ this result, as it requires human intervention and the creation of
+ process and procedure. Automated validation of adherence to policies
+ is very difficult to do, as there is no way to automatically verify
+ many policies that might be put into place.
+
+ A less costly process for providing centralized management of
+ policies is to just hope that any centralized policies are being
+ followed, and then wait for complaints or perform random audits.
+ Those approaches have many problems.
+
+ The invalidation of assumptions due to sub-delegation is discussed in
+ further detail in Section 4.1.3 of [8] and in Section 3.3 of [20].
+
+ As a result of the fragility of policy continuity across sub-
+ delegations, if a client or user assumes some kind of property
+ associated with a TLD (such as ".wifi"), it becomes increasingly more
+ likely with the number of sub-domains that this property will not
+ exist in a server identified by a particular name. For example, in
+ "store.chain.company.provider.wifi", there may be four levels of
+ delegation from ".wifi", making it quite likely that, unless the
+ holder of ".wifi" is working diligently, the properties that the
+ holder of ".wifi" wishes to enforce are not present. These
+ properties may not be present due to human error or due to a willful
+ decision not to adhere to them.
+
+
+
+
+
+
+
+Rosenberg Informational [Page 11]
+
+RFC 4367 Name Assumptions February 2006
+
+
+6.4. Mobility
+
+ One of the primary value propositions of a hostname as an identifier
+ is its persistence. A client can change IP addresses, yet still
+ retain a persistent identifier used by other hosts to reach it.
+ Because their value derives from their persistence, hostnames tend to
+ move with a host not just as it changes IP addresses, but as it
+ changes access network providers and technologies. For this reason,
+ assumptions made about a host based on the presumed access network
+ corresponding to that hostname tend to be wrong over time. As an
+ example, a PC might normally be connected to its broadband provider,
+ and through dynamic DNS have a hostname within the domain of that
+ provider. However, one cannot assume that any host within that
+ network has access over a broadband link; the user could connect
+ their PC over a low-bandwidth wireless access network and still
+ retain its domain name.
+
+6.5. Human Error
+
+ Of course, human error can be the source of errors in any system, and
+ the same is true here. There are many examples relevant to the
+ problem under discussion.
+
+ A client implementation may make the assumption that, just because a
+ DNS SRV record exists for a particular protocol in a particular
+ domain, indicating that the service is available on some port, that
+ the service is, in fact, running there. This assumption could be
+ wrong because the SRV records haven't been updated by the system
+ administrators to reflect the services currently running. As another
+ example, a client might assume that a particular domain policy
+ applies to all sub-domains. However, a system administrator might
+ have omitted to apply the policy to servers running in one of those
+ sub-domains.
+
+7. Recommendations
+
+ Based on these problems, the clear conclusion is that clients,
+ servers, and users should not make assumptions on the nature of the
+ service provided to, or by, a domain. More specifically, however,
+ the following can be said:
+
+ Follow the specifications: When specifications define mandatory
+ baseline procedures and formats, those should be implemented and
+ supported, even if the expectation is that optional procedures
+ will most often be used. For example, if a specification mandates
+ a particular baseline authentication technique, but allows others
+ to be negotiated and used, implementations need to implement the
+ baseline authentication algorithm even if the other ones are used
+
+
+
+Rosenberg Informational [Page 12]
+
+RFC 4367 Name Assumptions February 2006
+
+
+ most of the time. Put more simply, the behavior of the protocol
+ machinery should never change based on the domain name of the
+ host.
+
+ Use capability negotiation: Many protocols are engineered with
+ capability negotiation mechanisms. For example, a content
+ negotiation framework has been defined for protocols using MIME
+ content [13] [14] [15]. SIP allows for clients to negotiate the
+ media types used in the multimedia session, as well as protocol
+ parameters. HTTP allows for clients to negotiate the media types
+ returned in requests for content. When such features are
+ available in a protocol, client and servers should make use of
+ them rather than making assumptions about supported capabilities.
+ A corollary is that protocol designers should include such
+ mechanisms when evolution is expected in the usage of the
+ protocol.
+
+ "Be liberal in what you accept, and conservative in what you send"
+ [18]: This axiom of Internet protocol design is applicable here
+ as well. Implementations should be prepared for the full breadth
+ of what a protocol allows another entity to send, rather than be
+ limiting in what it is willing to receive.
+
+ To summarize -- there is never a need to make assumptions. Rather
+ than doing so, utilize the specifications and the negotiation
+ capabilities they provide, and the overall system will be robust and
+ interoperable.
+
+8. A Note on RFC 2219 and RFC 2782
+
+ Based on the definition of an assumption given here, the behavior
+ hinted at by records in the DNS also represents an assumption. RFC
+ 2219 [19] defines well-known aliases that can be used to construct
+ domain names for reaching various well-known services in a domain.
+ This approach was later followed by the definition of a new resource
+ record, the SRV record [2], which specifies that a particular service
+ is running on a server in a domain. Although both of these
+ mechanisms are useful as a hint that a particular service is running
+ in a domain, both of them represent assumptions that may be false.
+ However, they differ in the set of reasons why those assumptions
+ might be false.
+
+ A client that assumes that "ftp.example.com" is an FTP server may be
+ wrong because the presumed naming convention in RFC 2219 was not
+ known by, or not followed by, the owner of domain.com. With RFC
+ 2782, an SRV record for a particular service would be present only by
+ explicit choice of the domain administrator, and thus a client that
+
+
+
+
+Rosenberg Informational [Page 13]
+
+RFC 4367 Name Assumptions February 2006
+
+
+ assumes that the corresponding host provides this service would be
+ wrong only because of human error in configuration. In this case,
+ the assumption is less likely to be wrong, but it certainly can be.
+
+ The only way to determine with certainty that a service is running on
+ a host is to initiate a connection to the port for that service, and
+ check. Implementations need to be careful not to codify any
+ behaviors that cause failures should the information provided in the
+ record actually be false. This borders on common sense for robust
+ implementations, but it is valuable to raise this point explicitly.
+
+9. Security Considerations
+
+ One of the assumptions that can be made by clients or servers is the
+ availability and usage (or lack thereof) of certain security
+ protocols and algorithms. For example, a client accessing a service
+ in a particular domain might assume a specific authentication
+ algorithm or hash function in the application protocol. It is
+ possible that, over time, weaknesses are found in such a technique,
+ requiring usage of a different mechanism. Similarly, a system might
+ start with an insecure mechanism, and then decide later on to use a
+ secure one. In either case, assumptions made on security properties
+ can result in interoperability failures, or worse yet, providing
+ service in an insecure way, even though the client asked for, and
+ thought it would get, secure service. These kinds of assumptions are
+ fundamentally unsound even if the records themselves are secured with
+ DNSSEC.
+
+10. Acknowledgements
+
+ The IAB would like to thank John Klensin, Keith Moore and Peter Koch
+ for their comments.
+
+11. IAB Members
+
+ Internet Architecture Board members at the time of writing of this
+ document are:
+
+ Bernard Aboba
+
+ Loa Andersson
+
+ Brian Carpenter
+
+ Leslie Daigle
+
+ Patrik Faltstrom
+
+
+
+
+Rosenberg Informational [Page 14]
+
+RFC 4367 Name Assumptions February 2006
+
+
+ Bob Hinden
+
+ Kurtis Lindqvist
+
+ David Meyer
+
+ Pekka Nikander
+
+ Eric Rescorla
+
+ Pete Resnick
+
+ Jonathan Rosenberg
+
+12. Informative References
+
+ [1] Mockapetris, P., "Domain names - concepts and facilities",
+ STD 13, RFC 1034, November 1987.
+
+ [2] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
+ specifying the location of services (DNS SRV)", RFC 2782,
+ February 2000.
+
+ [3] Mealling, M., "Dynamic Delegation Discovery System (DDDS) Part
+ Three: The Domain Name System (DNS) Database", RFC 3403,
+ October 2002.
+
+ [4] Davis, C., Vixie, P., Goodwin, T., and I. Dickinson, "A Means
+ for Expressing Location Information in the Domain Name System",
+ RFC 1876, January 1996.
+
+ [5] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L.,
+ Leach, P., and T. Berners-Lee, "Hypertext Transfer Protocol --
+ HTTP/1.1", RFC 2616, June 1999.
+
+ [6] Schulzrinne, H., Rao, A., and R. Lanphier, "Real Time Streaming
+ Protocol (RTSP)", RFC 2326, April 1998.
+
+ [7] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A.,
+ Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP:
+ Session Initiation Protocol", RFC 3261, June 2002.
+
+ [8] Eastlake, D., ".sex Considered Dangerous", RFC 3675,
+ February 2004.
+
+ [9] Klensin, J., "Simple Mail Transfer Protocol", RFC 2821,
+ April 2001.
+
+
+
+
+Rosenberg Informational [Page 15]
+
+RFC 4367 Name Assumptions February 2006
+
+
+ [10] Niemi, A., Arkko, J., and V. Torvinen, "Hypertext Transfer
+ Protocol (HTTP) Digest Authentication Using Authentication and
+ Key Agreement (AKA)", RFC 3310, September 2002.
+
+ [11] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
+ Extensions (MIME) Part One: Format of Internet Message Bodies",
+ RFC 2045, November 1996.
+
+ [12] Internet Architecture Board, "IAB Technical Comment on the
+ Unique DNS Root", RFC 2826, May 2000.
+
+ [13] Klyne, G., "Indicating Media Features for MIME Content",
+ RFC 2912, September 2000.
+
+ [14] Klyne, G., "A Syntax for Describing Media Feature Sets",
+ RFC 2533, March 1999.
+
+ [15] Klyne, G., "Protocol-independent Content Negotiation
+ Framework", RFC 2703, September 1999.
+
+ [16] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
+
+ [17] Rosenberg, J. and H. Schulzrinne, "Reliability of Provisional
+ Responses in Session Initiation Protocol (SIP)", RFC 3262,
+ June 2002.
+
+ [18] Braden, R., "Requirements for Internet Hosts - Communication
+ Layers", STD 3, RFC 1122, October 1989.
+
+ [19] Hamilton, M. and R. Wright, "Use of DNS Aliases for Network
+ Services", BCP 17, RFC 2219, October 1997.
+
+ [20] Faltstrom, P., "Design Choices When Expanding DNS", Work in
+ Progress, June 2005.
+
+Author's Address
+
+ Jonathan Rosenberg, Editor
+ IAB
+ 600 Lanidex Plaza
+ Parsippany, NJ 07054
+ US
+
+ Phone: +1 973 952-5000
+ EMail: jdrosen@cisco.com
+ URI: http://www.jdrosen.net
+
+
+
+
+
+Rosenberg Informational [Page 16]
+
+RFC 4367 Name Assumptions February 2006
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2006).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is provided by the IETF
+ Administrative Support Activity (IASA).
+
+
+
+
+
+
+
+Rosenberg Informational [Page 17]
+
diff --git a/contrib/bind9/doc/rfc/rfc4431.txt b/contrib/bind9/doc/rfc/rfc4431.txt
new file mode 100644
index 0000000..8b38872
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc4431.txt
@@ -0,0 +1,227 @@
+
+
+
+
+
+
+Network Working Group M. Andrews
+Request for Comments: 4431 Internet Systems Consortium
+Category: Informational S. Weiler
+ SPARTA, Inc.
+ February 2006
+
+
+ The DNSSEC Lookaside Validation (DLV) DNS Resource Record
+
+Status of This Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2006).
+
+Abstract
+
+ This document defines a new DNS resource record, called the DNSSEC
+ Lookaside Validation (DLV) RR, for publishing DNSSEC trust anchors
+ outside of the DNS delegation chain.
+
+1. Introduction
+
+ DNSSEC [1] [2] [3] authenticates DNS data by building public-key
+ signature chains along the DNS delegation chain from a trust anchor,
+ ideally a trust anchor for the DNS root.
+
+ This document defines a new resource record for publishing such trust
+ anchors outside of the DNS's normal delegation chain. Use of these
+ records by DNSSEC validators is outside the scope of this document,
+ but it is expected that these records will help resolvers validate
+ DNSSEC-signed data from zones whose ancestors either aren't signed or
+ refuse to publish delegation signer (DS) records for their children.
+
+2. DLV Resource Record
+
+ The DLV resource record has exactly the same wire and presentation
+ formats as the DS resource record, defined in RFC 4034, Section 5.
+ It uses the same IANA-assigned values in the algorithm and digest
+ type fields as the DS record. (Those IANA registries are known as
+ the "DNS Security Algorithm Numbers" and "DS RR Type Algorithm
+ Numbers" registries.)
+
+
+
+
+
+Andrews & Weiler Informational [Page 1]
+
+RFC 4431 DLV Resource Record February 2006
+
+
+ The DLV record is a normal DNS record type without any special
+ processing requirements. In particular, the DLV record does not
+ inherit any of the special processing or handling requirements of the
+ DS record type (described in Section 3.1.4.1 of RFC 4035). Unlike
+ the DS record, the DLV record may not appear on the parent's side of
+ a zone cut. A DLV record may, however, appear at the apex of a zone.
+
+3. Security Considerations
+
+ For authoritative servers and resolvers that do not attempt to use
+ DLV RRs as part of DNSSEC validation, there are no particular
+ security concerns -- DLV RRs are just like any other DNS data.
+
+ Software using DLV RRs as part of DNSSEC validation will almost
+ certainly want to impose constraints on their use, but those
+ constraints are best left to be described by the documents that more
+ fully describe the particulars of how the records are used. At a
+ minimum, it would be unwise to use the records without some sort of
+ cryptographic authentication. More likely than not, DNSSEC itself
+ will be used to authenticate the DLV RRs. Depending on how a DLV RR
+ is used, failure to properly authenticate it could lead to
+ significant additional security problems including failure to detect
+ spoofed DNS data.
+
+ RFC 4034, Section 8, describes security considerations specific to
+ the DS RR. Those considerations are equally applicable to DLV RRs.
+ Of particular note, the key tag field is used to help select DNSKEY
+ RRs efficiently, but it does not uniquely identify a single DNSKEY
+ RR. It is possible for two distinct DNSKEY RRs to have the same
+ owner name, the same algorithm type, and the same key tag. An
+ implementation that uses only the key tag to select a DNSKEY RR might
+ select the wrong public key in some circumstances.
+
+ For further discussion of the security implications of DNSSEC, see
+ RFC 4033, RFC 4034, and RFC 4035.
+
+4. IANA Considerations
+
+ IANA has assigned DNS type code 32769 to the DLV resource record from
+ the Specification Required portion of the DNS Resource Record Type
+ registry, as defined in [4].
+
+ The DLV resource record reuses the same algorithm and digest type
+ registries already used for the DS resource record, currently known
+ as the "DNS Security Algorithm Numbers" and "DS RR Type Algorithm
+ Numbers" registries.
+
+
+
+
+
+Andrews & Weiler Informational [Page 2]
+
+RFC 4431 DLV Resource Record February 2006
+
+
+5. Normative References
+
+ [1] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "DNS Security Introduction and Requirements", RFC 4033,
+ March 2005.
+
+ [2] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "Resource Records for the DNS Security Extensions", RFC 4034,
+ March 2005.
+
+ [3] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "Protocol Modifications for the DNS Security Extensions",
+ RFC 4035, March 2005.
+
+ [4] Eastlake, D., Brunner-Williams, E., and B. Manning, "Domain Name
+ System (DNS) IANA Considerations", BCP 42, RFC 2929,
+ September 2000.
+
+Authors' Addresses
+
+ Mark Andrews
+ Internet Systems Consortium
+ 950 Charter St.
+ Redwood City, CA 94063
+ US
+
+ EMail: Mark_Andrews@isc.org
+
+
+ Samuel Weiler
+ SPARTA, Inc.
+ 7075 Samuel Morse Drive
+ Columbia, Maryland 21046
+ US
+
+ EMail: weiler@tislabs.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Andrews & Weiler Informational [Page 3]
+
+RFC 4431 DLV Resource Record February 2006
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2006).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is provided by the IETF
+ Administrative Support Activity (IASA).
+
+
+
+
+
+
+
+Andrews & Weiler Informational [Page 4]
+
OpenPOWER on IntegriCloud